RDP farm via NAT not working

I built a 2008 R2 RDP server a while back for use by a small number of users, this server contains all the roles.

It's accessed via NAT. Naturally enough the number of users has grown and I have added a second server.

The load balancing works fine internally on the LAN, but users attempting to connect via the web (through a NAT) usually cannot connect.

I can see that it must be the configuration of RD Gateway Manager, but I don't see where I've missed (or added) something.

All help gratefully accepted!
eurochange Asked:
Randy Downs (Owner) Commented:
Maybe this would work for you.

Put the RDSH servers on their own network segment and assign them external IP addresses. It wasn't exactly a clean solution, but it worked. What is the make/model of your router?

Alternatively, are you able to set up a Remote Desktop Gateway server? This would be the recommended way to access the RDSH servers...
eurochange (Author) Commented:
I have a gateway server already; it appears to be handing off sessions to the new server, then the client gets an "unable to connect" error.
Davis McCarn (Owner) Commented:
As always, the answer is in the details...
What, exactly (!!!), is the error the client gets?
Randy Downs (Owner) Commented:
Did you do this?

Put the RDSH servers on their own network segment and assign them external IP addresses.
eurochange (Author) Commented:
The error message is:
Remote Desktop can't connect to the remote computer for one of these reasons:
1. Remote access to the server is not enabled
2. The remote computer is turned off
3. The remote computer is not available on the network

The remote gateway server, which is the destination of the NAT I'm connecting to, records event ID 1149 "authentication succeeded".
Event ID 800 and event ID 801: RD Connection Broker successfully processed the connection request for "USER". Redirection info: Target Name = RDSERVERB, target IP = 192.*.*.*, target NetBIOS = RDSERVERB, target FQDN = RDSERVERB.domain, disconnected session found = 0x0

So it looks to be trying to redirect me, but...
eurochange (Author) Commented:
"Put the RDSH servers on their own network segment and assign them external IP addresses."

Not tried this, and unlikely to be able to do so anytime soon, these being live servers.
Randy Downs (Owner) Commented:
Possible to try a test RDSH server on its own network segment with an external IP address? If it solves the problem, it might be worthwhile moving the live servers.
Davis McCarn (Owner) Commented:
eurochange (Author) Commented:
"Possible to try a test RDSH server on its own network segment with an external IP address? If it solves the problem, it might be worthwhile moving the live servers."

Still not possible to test these live systems.
eurochange (Author) Commented:
"Did you find this?
https://support.microsoft.com/en-us/kb/2083411"

It works fine on the local LAN, so I don't believe this is relevant.
Steve Commented:
To confirm:
- You have port 443 forwarded from the external internet IP to the gateway server.
- You do NOT have port 3389 forwarded on your router at all.
- You have an SSL certificate installed on the gateway server.
- The gateway server can see the RDS host without a problem (try RDPing to the host from the gateway server).

Assuming the above is correct, it should work. Have you checked that the RDP client being used externally is new enough to know how to deal with the gateway (e.g. is it an old version on XP?)
eurochange (Author) Commented:
Hi,

Yes, I have port 443 forwarded from the external internet IP to the gateway server.
Yes, I have an SSL certificate installed on the gateway server.
Yes, the gateway server can see the RDS host without a problem (tried RDPing to the host from the gateway server).

Clients are Win7.

"you do NOT have port 3389 forwarded on your router at all"

The gateway server is the original RDS server, so 3389 is NAT'd to that; the logs on the new server indicate authentication is occurring on the new server.

It's almost as if there is no network path back to the client??

Client gets messages about securing, then configuring the connection, then initiating the connection, at which point it fails after 5-10 seconds.
Steve Commented:
Close port 3389. That's confusing the RDP client, as only port 443 is used with a gateway.
eurochange (Author) Commented:
Closing port 3389 stopped it working from the web completely!
Steve Commented:
Can you connect to the server via HTTPS externally? Have you tried connecting through the web interface?
eurochange (Author) Commented:
We closed the web interface down a while ago. The WWW service isn't running.
Steve Commented:
That's probably the issue then. As advised above, the gateway proxies RDP connections over port 443.

Take a look at this for more info:

https://technet.microsoft.com/en-gb/library/cc731150.aspx
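An added external-side probe of the conditions Steve lists (443 reaching the gateway with a certificate the client trusts, and 3389 not exposed); this is example code written for this thread, not anything posted in it, and the gateway hostname is a placeholder passed on the command line.

```python
import socket
import ssl
import sys


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a plain TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def gateway_tls_check(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Do the same verified TLS handshake an RD client does against the gateway.
    Returns {'ok': bool, 'reason': str, 'not_after': expiry string or None}."""
    ctx = ssl.create_default_context()  # system trust store, hostname checked
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "reason": "certificate trusted and matches " + host,
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": "certificate rejected: " + e.verify_message, "not_after": None}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "reason": "TLS handshake failed: %s" % e, "not_after": None}


def evaluate(https_open: bool, rdp_open: bool, tls_ok: bool) -> list:
    """Turn the three probe results into findings against the checklist above."""
    findings = []
    if not https_open:
        findings.append("TCP 443 unreachable: forward 443 from the public IP to the RD Gateway")
    elif not tls_ok:
        findings.append("TLS on 443 fails verification: clients must trust the gateway "
                        "certificate and its name must match the public hostname")
    if rdp_open:
        findings.append("TCP 3389 reachable from outside: remove that forward; a gateway "
                        "deployment exposes only 443")
    return findings


def run(host: str) -> list:
    https_open = tcp_port_open(host, 443)
    tls = gateway_tls_check(host) if https_open else {"ok": False, "reason": "443 closed"}
    findings = evaluate(https_open, tcp_port_open(host, 3389), tls["ok"])
    print("443:", "open" if https_open else "closed", "|", tls["reason"])
    for f in findings or ["no checklist problems found from the outside"]:
        print(" -", f)
    return findings


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com")  # placeholder hostname
```

Run it from an external client (not the LAN), since the point is to see exactly what the NAT presents to the outside.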

Seth Simmons (Sr. Systems Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.