Remote Desktop Gateway and RD Web high availability for RDS in Windows Server 2012

What is RD Gateway

Remote Desktop Gateway provides Virtual Desktop services to external users so that they can access internal resources, adding enhanced security and improved performance to the usual RDS services.

RD Gateway can secure communication with the clients through an SSL tunnel and can use either HTTP or UDP as the transport layer.

In addition, RD Gateway can publish users’ applications through RD Web, a portal where a logged-in user can access the list of their applications and launch them.

How RD Gateway works

To secure Remote Desktop communications, the client that initiates the connection first establishes a secure channel with RD Gateway via an SSL tunnel. RD Gateway then verifies that the client is a valid Remote Desktop user and initializes the RDP connection with the backends that deliver the internal resources. From then on, RD Gateway acts as an RD proxy between the client and the internal resources.

RD Gateway creates 2 SSL tunnels, one for incoming and another for outgoing traffic from and to the client. Once they’re established, the data channels are created using the selected transport (either HTTPS or UDP), as shown below.

Highly available RD Gateway scenario

The problem with this architecture is that when the RD Gateway service goes down, all the Virtual Desktop and internal services become inaccessible to external users. Hence, to ensure the high availability of the RD Gateway solution, we’ve designed the following highly available and scalable solution.

This is the architecture that we’re describing in this article to achieve high availability and enhanced security for RD Gateway.

RD Gateway virtual service configuration

Once the SKUDONET solution has been installed or deployed in your preferred environment (hardware appliance, virtual, bare metal, cloud or containers), apply the following instructions to create a virtual service for RD Gateway.

First, create a virtual interface dedicated to the RD Gateway service in the panel Network | Virtual Interface | Create Virtual Interface, as shown below.

Then, create a new Local Service Farm of type L4xNAT on the virtual interface previously created, in the section LSLB | Farms | Create Farm, for example with the name RDGatewayVS.

Once the farm is created, change the advanced global settings and select ALL as the protocol type, to support both the HTTPS and UDP transport modes of RD Gateway, as shown below.

Then, configure the service algorithm (priority, weight or least connections) according to your needs, client persistence by source IP, and advanced backend health checks with 30 seconds between checks and the custom check shown below:

check_http -S -H HOST -u /RDWeb/Page -t10 -c 10 -w 10

Finally, add the IP addresses of the RD Gateway servers as backends in the already created farm.

Now, you can configure the virtual service IP address in the clients to make use of the RD Gateway high availability architecture.
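The custom health check in the farm configuration above uses the Nagios-style check_http plugin. As an added example (not part of the original article or of SKUDONET's code), the script below reproduces that plugin's default pass/fail rules with curl, so a backend can be tested by hand before it is added to the farm. The function names, the --probe argument and the file name are hypothetical, and certificate validation is left on as an assumption of this example.

```shell
#!/bin/sh
# Added example (not SKUDONET code): hand-run equivalent of the farm's custom check.
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL.

# classify_check HTTP_CODE SECONDS WARN CRIT   (hypothetical helper)
# Applies check_http's default rules: 5xx is CRITICAL, 4xx is WARNING, other
# valid codes are OK; a response slower than WARN or CRIT seconds raises the state.
classify_check() {
    code=$1; secs=$2; warn=$3; crit=$4
    case $code in
        5??)     state=2 ;;
        4??)     state=1 ;;
        [123]??) state=0 ;;
        *)       return 2 ;;   # curl reports 000 on timeout, refused connection or TLS failure
    esac
    # Decimal comparison of the response time against both thresholds.
    timed=$(awk -v s="$secs" -v w="$warn" -v c="$crit" \
        'BEGIN { if (s > c) print 2; else if (s > w) print 1; else print 0 }')
    if [ "$timed" -gt "$state" ]; then state=$timed; fi
    return "$state"
}

# probe_backend HOST [URL_PATH] [SECONDS]   (hypothetical helper)
# HOST is a placeholder for one RD Gateway backend. Certificate validation stays
# on (an assumption of this example), so an untrusted certificate counts as CRITICAL.
probe_backend() {
    host=$1; url_path=${2:-/RDWeb/Page}; limit=${3:-10}
    out=$(curl -s -o /dev/null --max-time "$limit" \
        -w '%{http_code} %{time_total}' "https://${host}${url_path}") || true
    set -- $out
    classify_check "${1:-000}" "${2:-0}" "$limit" "$limit"
}

# Run as: sh rdgw-check.sh --probe HOST
if [ "${1:-}" = "--probe" ]; then
    rc=0
    probe_backend "${2:?backend host required}" || rc=$?
    echo "state=$rc"
    exit "$rc"
fi
```

With -t10 -c 10 -w 10 as used on this page, the time thresholds equal the timeout, so a backend that answers within 10 seconds is judged on its status code alone.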

Enhanced RD Gateway Security

The RD Gateway solution is designed to publish applications to external users, so security is a key issue. Although this solution provides an encrypted data channel, it lacks protection against DoS, web scraping, malicious hosts and other threats.

For this reason, the IPDS tab can be used to protect the RD Gateway services with improved security.

Enjoy your highly available RD Gateway with enhanced security.
