What is RD Gateway
Remote Desktop Gateway (RD Gateway) is a Remote Desktop Services role service that lets authorized external users reach internal RDP resources (session hosts, virtual desktops and RemoteApp programs) without a VPN. Only the gateway is exposed on the perimeter; it terminates the tunnel and proxies RDP to the internal hosts, which gives better security and performance than publishing the RDP hosts directly.
RD Gateway protects the client connection with an SSL/TLS tunnel and supports two transports: HTTPS over TCP port 443 and, for better performance on lossy links, a UDP transport on port 3391 protected with DTLS.
In addition, RD Gateway is usually combined with RD Web Access, a portal where a logged-in user sees the list of published applications and desktops and launches them; the resulting RDP connections are routed through the gateway.
How RD Gateway works
To secure the Remote Desktop communication, the client first establishes a TLS tunnel to RD Gateway on TCP 443. The gateway then verifies that the client is a valid Remote Desktop user and checks its authorization policies (the connection authorization policy decides who may connect, the resource authorization policy decides which internal hosts they may reach), and only after that does it open the RDP connection to the backend that delivers the internal resource. RD Gateway therefore acts as an RDP proxy between the client and the internal resources, and the internal hosts are never reachable from the client directly.
With the HTTP transport RD Gateway uses two channels, one for inbound and one for outbound data from the client, and once both are established the data channels are created over the selected transport (HTTPS, or UDP/DTLS on port 3391 when the client supports it), as shown below.
High available RD Gateway scenario
The weak point of this architecture is the RD Gateway itself: if the service goes down, every virtual desktop and internal resource becomes unreachable for external users. To remove that single point of failure we have designed the following highly available and scalable setup, in which a SKUDONET load balancer distributes the client traffic across several RD Gateway servers.
This is the architecture described in this article to achieve high availability and enhanced security for RD Gateway.
RD Gateway virtual service configuration
Once the SKUDONET solution has been installed or deployed in your preferred environment (hardware appliance, virtual, bare metal, cloud or containers), apply the following instructions to create a virtual service for RD Gateway.
Firstly, create a virtual interface dedicated to the RD Gateway service in the panel Network | Virtual Interface | Create Virtual Interface, as shown below.
Then create a new farm of type L4xNAT bound to the virtual interface created above, in the section LSLB | Farms | Create Farm, for example with the name RDGatewayVS.
Once the farm is created, open its advanced global settings and set the protocol type to ALL so that the same virtual IP serves both transport modes of RD Gateway, HTTPS on TCP 443 and UDP on port 3391, as shown below. The virtual port of the farm must cover both 443 and 3391, otherwise clients that negotiate the UDP transport fall back to HTTPS only or fail.
Then configure the scheduling algorithm (priority, weight or least connections) according to your needs, client persistence by source IP, and an advanced backend health check with 30 seconds between checks using the custom command shown below. Source IP persistence is not optional here: the inbound and outbound HTTP channels of one gateway session, and the UDP channel that accompanies the HTTPS session, must all land on the same RD Gateway, otherwise the session breaks as soon as a second channel is sent to a different backend.
check_http -S -H HOST -u /RDWeb/Page -t10 -c 10 -w 10
HOST is replaced at check time with the address of each backend; the command opens a TLS connection (-S), requests the given path and marks the backend down when it does not answer within 10 seconds. Note that this probes RD Web Access, so it only reflects the health of the gateway when both role services run on the same server, and the UDP 3391 transport is not probed by this command.
Finally, add the IP addresses of the RD Gateways as backends of the farm. Because an L4xNAT farm does not terminate TLS, each RD Gateway presents its own certificate to the clients, so every backend must have a certificate that is valid for the name the clients use for the virtual service.
Now you can configure the virtual service address in the clients to make use of the RD Gateway high availability architecture.
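As an added example of the client-side step (not part of the original article or of SKUDONET's own tooling), the following PowerShell script builds an .rdp connection file that forces every connection through the load-balanced gateway name and then launches mstsc with it. The gateway name rdgw.example.com (a DNS record pointing at the SKUDONET virtual IP), the internal target desktop01.corp.example.com and the output path are assumptions; replace them with your own values.

```powershell
# Added example, not from the SKUDONET article: create an .rdp profile that always
# goes through the RD Gateway virtual service and open it with mstsc.
# All names below are assumptions for the example.

$GatewayVip   = 'rdgw.example.com'                # DNS name of the SKUDONET virtual IP (assumed)
$InternalHost = 'desktop01.corp.example.com'      # internal RDP host reached through the gateway (assumed)
$RdpPath      = Join-Path $env:USERPROFILE 'Desktop\via-rdgateway.rdp'

# Fail early if the virtual service does not answer on the HTTPS transport port.
$tcp = Test-NetConnection -ComputerName $GatewayVip -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "RD Gateway virtual service $GatewayVip is not reachable on TCP 443"
}

# Standard mstsc .rdp settings:
#   gatewayusagemethod 1        = always use the gateway, never connect directly
#   gatewayprofileusagemethod 1 = use the explicit gateway settings in this file
#   gatewaycredentialssource 0  = ask for a user name and password
#   authentication level 1      = do not connect if server authentication fails
@"
full address:s:$InternalHost
gatewayhostname:s:$GatewayVip
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:1
"@ | Set-Content -Path $RdpPath -Encoding ASCII

Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$RdpPath`""
```

Use a DNS name rather than the raw virtual IP in gatewayhostname: the client validates the certificate presented by whichever RD Gateway the farm picks against that name, so the name must be covered by the certificate installed on every backend.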
Enhanced RD Gateway Security
The RD Gateway solution is designed to publish internal resources to external users, so its exposure is a key security concern. Although it provides an encrypted data channel, it has no protection of its own against denial of service, web scraping, known malicious hosts and similar threats: every connection and authentication attempt that reaches the gateway is processed by it.
For this reason, the IPDS tab of the farm can be used to apply SKUDONET's intrusion prevention rules (for example blacklists and DoS rules) to the RD Gateway virtual service, so that hostile traffic is dropped on the load balancer before it reaches the gateways.
Enjoy your highly available RD Gateway with enhanced security.