How do I set up terminal server session broker?

I currently have a terminal server environment that consists of 1 domain controller and 1 terminal server.
All works well.
Now I have added a second terminal server - identical to the first, and a separate server to act as session broker.

I set everything up as per this guide:

MS session broker setup guide

However, once I put both of the servers into the farm, the main one always takes me on to the main one, and the second one refuses the connection.

I think there may be a complicating factor because the servers have local IPs assigned to their NICs, but we access them via public IP which is then NATed by a pfsense firewall - so I am wondering if when I log in to one of the servers, it is querying the session broker, determining that the other server should handle the logon, then redirecting to the local IP, which the "client" cannot access because they are connecting over the WAN..?

It's the first time I have set this up as well, which doesn't help.

Just wondering if anyone has any ideas?
Cliff Galiher commented:
You cannot simply NAT a TS Farm. Microsoft provides the TSGateway role to properly handle external connections.
davids355 (Author) commented:
OK, I didn't really mean that, the NAT issue might be completely irrelevant - I just mentioned it because I thought it might be an issue.

Basically, setting session broker completely aside, our system operates as follows:

1 domain controller.
1 terminal server.

They are on the same local network - 1.2.3.x
all of our users access the terminal server remotely, so they use remote desktop, and the host is a public IP - PFsense then forwards the traffic on 3389 to the local IP of the terminal server.
I just wondered whether that scenario would work with session broker out of the box?

The real issue for me is that session broker is not working, I'm not sure if the above would make the setup more complex? Or if I am just doing something wrong?
Cliff Galiher commented:
If you are forwarding port 3389 then the broker will not work. It cannot tell pfsense to forward traffic to another server. That is why a gateway server is needed, and that doesn't use 3389.

davids355 (Author) commented:
^^Thanks. Is that something to do with the "connect from anywhere" setting in RDP client? I think I have used that before when configuring RDP over SSL.

Could you point me to a guide or tell me roughly how it should be set up?

Should my dedicated session broker server be configured as gateway server?
Cliff Galiher commented:
It is very straightforward, but TechNet has everything you need. As far as location, I don't recommend colocating it with RDCB or RDSH. If you can, a DMZ is best.
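To illustrate the difference the thread describes, below is an added example (not from the thread's participants) of two client-side .rdp files: the first is the port-forwarded layout that defeats the broker, the second routes through an RD Gateway so the broker's redirect to an internal address still works. The hostnames and addresses are assumed placeholders.

```ini
; --- BEFORE: direct connection to the firewall's forwarded port (assumed public IP 203.0.113.10) ---
; pfSense forwards 3389 to one fixed internal server, so a broker redirect to the
; other farm member's private IP is unreachable from the WAN and the session fails.
full address:s:203.0.113.10:3389
gatewayusagemethod:i:0

; --- AFTER: connect via an RD Gateway (assumed name gateway.example.com) over HTTPS/443 ---
; The gateway sits on the internal network, so the broker's redirect target
; (either farm member's private address) is reachable through the gateway tunnel.
; "full address" is the farm's DNS name that the broker fronts, not a single server.
full address:s:tsfarm.example.local
gatewayhostname:s:gateway.example.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
```

In the RDP client UI the same gateway settings appear under Advanced > "Connect from anywhere", which is the setting the author mentions.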