Monday, May 6, 2013

Access Terminal Server Farm behind firewall WITHOUT RD GATEWAY!!!

In my last post I showed how easy it is to set up an RDS (terminal services) farm.  You will also find out just how well it works... on your internal network.  The problem I quickly discovered is the one seemingly almost every other person discovers when they set up an RDS farm: accessing it from outside is not as simple as using an RDP client and logging into one of the terminal servers.  The behavior you get is that it may or may not connect you.  Sometimes it connects you to exactly the RDS server you specified, and other times it will not connect you at all.  This may lead you to believe that the broker is not doing its job, but in fact it is.  If you look at the log for the broker sessions on the Broker server at: Event Viewer > Applications and Services Logs > Microsoft > TerminalServices-RemoteConnectionManager > Operational > TerminalServices-SessionBroker, you will see that the broker is indeed doing its job and redirecting you to the RDS server it believes is least utilized based on load and connections.

Great... so you know it's not the broker, so what is it?  Well... you are outside the network, and your Broker as well as your RDS servers are all addressed for your internal network.  Quick logic tells you to simply create a NAT rule on your firewall for all your RDS servers.  Unfortunately that won't work, because your Broker is still telling your RDP client to go to another server whose IP address is on your internal network.  When you are outside your network, your RDP client is not going to find that internal address.

I cannot tell you how many things I have tried based on logic and what other users posted in forums.  The one trend you will see in 98% of the answers to this problem is to use the RD Gateway.  I agree that is the best solution, especially because it's more secure, and I would suggest it to anyone.  However, the network I work on has over 20,000 devices and a lot of them are Mac OS X devices.  The Microsoft RDP client for Mac OS X does not work with TS Gateway.  I know there are other RDP clients for the Mac OS that do work with TS Gateways, but the good ones cost some coin, so we wanted to avoid that if possible.

So here we go... To make your RDS farm work for users outside your network you need to configure a NAT rule for each terminal server on your firewall.  They have to be separate outside IPs that you own, each added to your firewall and NAT'd to the internal IP of one RDS server.  So these will be one-to-one NATs, not one-to-many... if you do a one-to-many you will basically create a loop for your broker.

Next, on each RDS server add a second NIC.  (Easy for me because I run all VMs on VMware.)  For our environment we created a new VLAN for these NICs, to be sure they did not talk to the firewall and have ARP freak out over a conflicting IP address because of those NAT rules we just created.  Address each of the second NICs with the outside IP address that corresponds to the NAT rule you created (i.e. use the outside IP from TS01's rule on TS01, because that's the one NAT'd to the internal IP of the same hostname).

Next, be sure to go into each RDS server and add that second address and NIC to be used in the farm.  Open up Server Manager and go to: Roles > Remote Desktop Services > RD Session Host Configuration: SERVERNAME.  Under the "Edit settings" section open up "Member of farm in RD Connection Broker".  In the window where it says "Select IP addresses to be used for reconnection" you should now see that second network adapter with the outside IP you gave it.  Select it and "OK" your way out.  Be sure to do this on each RDS server only.  YOU DON'T NEED TO DO THIS STEP ON THE BROKER!!!


That's it!  Now your RDS servers are registering with your broker with each of their IP addresses, and in turn your broker will send the RDP client you're connecting from two IP addresses for the RDS server in the farm it wants you to connect to: the internal IP and the external IP!
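To make the redirect behaviour easier to reason about, here is a small Python model of the broker redirect with a one-to-one NAT.  It is an added example, not code from the post, and every address in it is a constructed sample (10.0.0.0/24 as the inside LAN, 203.0.113.0/24 standing in for the outside block).  The `Broker`, `Firewall` and `SessionHost` classes are stand-ins for the real components: the broker always picks the least-loaded host, the firewall holds one static rule per host, and a client that is redirected tries each advertised address in turn.  Running it shows the failure above (outside client redirected to an internal IP it cannot reach) and why advertising the NAT'd outside IP as a second reconnection address fixes it.

```python
# Added example (not from the post): model of RD Connection Broker redirection
# through a one-to-one NAT. All addresses are constructed samples.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional

INTERNAL_NET = IPv4Network("10.0.0.0/24")  # constructed internal LAN


@dataclass
class SessionHost:
    name: str
    internal_ip: IPv4Address
    # Addresses this host reports to the broker ("IP addresses to be used for
    # reconnection"). Before the fix this list holds only the internal IP.
    redirect_ips: list = field(default_factory=list)
    sessions: int = 0


@dataclass
class Firewall:
    nat: dict  # outside IP -> internal IP, one static rule per host

    @classmethod
    def from_rules(cls, rules: dict) -> "Firewall":
        return cls({ip_address(o): ip_address(i) for o, i in rules.items()})

    def one_to_one(self) -> bool:
        """True when every rule points at a different host, i.e. each session
        host has its own dedicated outside address (no shared/looping rules)."""
        return len(set(self.nat.values())) == len(self.nat)

    def translate(self, outside_ip: IPv4Address) -> Optional[IPv4Address]:
        return self.nat.get(outside_ip)


class Broker:
    """Stand-in for the RD Connection Broker: picks the least-loaded host."""
    def __init__(self, hosts: list):
        self.hosts = hosts

    def pick(self) -> SessionHost:
        return min(self.hosts, key=lambda h: h.sessions)


def reachable(ip, location, firewall, target) -> bool:
    """Can a client at `location` reach `target` through `ip`? Inside clients
    route to the LAN directly; outside clients only get through a NAT rule."""
    if location == "inside":
        return ip in INTERNAL_NET and ip == target.internal_ip
    return firewall.translate(ip) == target.internal_ip


def connect(location, entry, broker, firewall) -> Optional[str]:
    """The client first lands on `entry` (the host whose address it typed).
    That host asks the broker where the session belongs; if it is elsewhere the
    client is redirected and tries each advertised address of the chosen host.
    Returns the host the session ends up on, or None if no address worked."""
    target = broker.pick()
    if target is not entry and not any(
            reachable(ip, location, firewall, target) for ip in target.redirect_ips):
        return None
    target.sessions += 1
    return target.name


def build_farm(with_second_nic: bool):
    """Two-host farm. with_second_nic=True is the post's fix: each host also
    advertises the outside address that the firewall NATs to it."""
    ts01 = SessionHost("TS01", ip_address("10.0.0.11"))
    ts02 = SessionHost("TS02", ip_address("10.0.0.12"))
    firewall = Firewall.from_rules({"203.0.113.11": "10.0.0.11",
                                    "203.0.113.12": "10.0.0.12"})
    for host in (ts01, ts02):
        host.redirect_ips = [host.internal_ip]
        if with_second_nic:
            host.redirect_ips += [o for o, i in firewall.nat.items()
                                  if i == host.internal_ip]
    return Broker([ts01, ts02]), firewall


if __name__ == "__main__":
    broker, fw = build_farm(with_second_nic=False)
    # Outside client typed TS02's NAT address, broker wants TS01 -> dead end.
    print("before fix:", connect("outside", broker.hosts[1], broker, fw))
    broker, fw = build_farm(with_second_nic=True)
    # Same client; TS01 now also advertises 203.0.113.11, which NATs to it.
    print("after fix: ", connect("outside", broker.hosts[1], broker, fw))
```

The `one_to_one()` check is the pre-flight test for the NAT step: if two rules share an internal IP, or a host has no dedicated outside address, the redirect lands on the wrong host and bounces back to the broker.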

See the diagram below for the visual representation.


I will note that the IPs in the diagram are not my own; they are used only to visualize the solution.

Some notes:

- You do not need to add any additional DNS entries containing the outside IP addresses to your internal DNS servers for the RDS servers or the farm name.
- For us, we made the VLAN the second NICs are connected to a "dead" VLAN, meaning nothing routes to or from it.  We had to do this so that all the ESXi hosts on our network could vMotion the RDS server VMs between each other and still have them communicate on those second NICs.
- Nothing on the firewall is routed to those second NICs, nor should there be.  You don't want a direct connection from outside to the second NIC of your RDS servers if you can help it.  (I read a post where someone solved this problem by doing just that.)  That's why we NAT the outside IP to the internal IP of each server.
- Don't believe any post that talks about using a Microsoft Loopback adapter on the RDS servers... it does not work.
- Don't even begin to think you can simply edit the local "hosts" file on these servers to accomplish this task.  It won't work.

There you go.  This was a 3 day long, brain-bending problem for me.  In the end it was one of the most gratifying solutions I have done in IT!

Cheers!

13 comments:

  1. Nice post. Did you try to use this solution together with NLB?

    1. I did not have a need for NLB so I don't know how it will work with this solution. If you go forward with it let me know the results!

    2. It works fine too. I use NLB to provide users one common IP address. I wonder what would happen with the speed of your solution when we will have a higher number of VLANs. As far as I know the broker sends all selected addresses to the client and it can take a while to check all of them. I mean to decide whether they are available or not.

    3. Trent, did you then only use one NAT rule? Outside IP -> internal NLB IP, or do you still have more than 1 NAT rule, one for each internal IP, but just gave your users the outside IP that maps to the NLB internal IP?
  3. J.D., I was working on this same issue today and came across your blog. Following the steps resolved my external access; however, now when my clients hit the servers from the inside (where that external IP is not routable) they are unable to get to any machine other than the session broker Terminal Server. Any ideas? The other comments make it sound like it should try each, but that doesn't seem to be happening in practice.
  4. It sounds like you need to make sure you have your internal DNS entries set up correctly. In order for round robin to work internally, create an internal DNS record in your zone for each of the internal IPs of the terminal servers. Hope this helps. Good luck!
  5. I have this setup running now (2) but need more terminal servers. Do you think it would work to add, say, 2 more servers to it? Or should I go ahead and start a gateway server up and move over to that solution?
  7. Any chance that I can view the images? All images are now a big exclamation mark.
    Thanks.