RDS not workiing with load balancing.

I have RDS setup with session policy. 2 server wherien server A acting as RD broker and session host both. Server B is only session host server .
Clinet access RDS via RDP directly putting the IP address of Broker server whcih ideally redirects session to load balance between 2 session host servers.

Externally NAT policy is there wherein public users use 10.x.x.1:33899 which redirects to internal NAT IP 192.x.x.x:3389.  wherein 10.x.x.1 is the IP of broker server Server A.

When request goes to Server A it connects , but it never broker redirects connection to server B, it refuses and thows erros as RDP not enabled etc.
random errors as the certificate is not authenticated(though it goes connection via IP address).
Tries putting SSL cert with xxx.abc.com and mapped the same cert to broker as well. now result if users tries with xxx.abc.com:33899.

Please someone tell me if i am missing any setting. No error in event related the same. there are errors, but other errors.

All servers are 2016 servers. TS licenses in in place.
Chris BurchettAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Casey WeaverManaged Services Windows Engineer IIICommented:
Are you not using the gateway role? If you're using this externally as well it would be best to set up the gateway role, add your wildcard certificate, and point everyone at the gateway. The gateway will decide if they are local or external and proxy them accordingly, while keeping the certificate kosher. Certificates in RDs are very important to Windows 7+ machines and Windows Server 2012+ deployments, a client wont connect if there's a certificate mismatch.
Chris BurchettAuthor Commented:
hi Casey, No not using gateway.

but even tried with gateway and same result. Gateway drops connection as well .
Cliff GaliherCommented:
There are quite a few problems with your setup and as a whole makes it unmanageable and won't work as you expect:

1) Don't do non-standard port forwards.  The broker, even when you get it working, doesn't know about the fake port and so will try to redirect (note it does NOT proxy!) and the client will attempt port 3389 and fail.

Use a gateway. Full stop.

2) You cannot simply connect via IP address to the broker and have it load balance.  If you try that, you will always simply connect to the broker.  Since the broker also happens to be a session host in your instance, it may seem like it is partially working; it isn't.

If you had *JUST* a broker and then two different session hosts, you'd see the same behavior. Connecting by IP would connect you to the broker for management.

3) You need to define one or more collections in 2012/2016 (and you said this was all in 2016).

4) When you connect to the broker, you must specify the collection name.  Note that the legacy RDC client *DOES NOT HAVE A GUI FOR THIS!*   If you use rdweb then the RDP files it generates specifies the property.  OR you can save an .rdp file and then edit it in notepad to add the collection property.  Or you can use the modern app and subscribe to a web feed.   But regardless, the point is the broker doesn't know it is supposed to be load balancing (and can load balance for different apps across different servers) so the only way it knows to do that is with the collection name.  If that isn't being passed...no load balancing.

5) Don't mess with certs beyond what the server GUI allows.  Don't mess with DNS.   Don't try to circumvent the system.  It works when implemented properly.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Casey WeaverManaged Services Windows Engineer IIICommented:
The best answer for laying out how RDS farms works in 2016, and advice for the original poster to go back and review how they set theirs up.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.