Remote Desktop Gateway and RD Web high availability for RDS in Windows Server 2012

What is RD Gateway

Remote Desktop Gateway is a solution that gives external users access to Virtual Desktop services and other internal resources, adding enhanced security and improved performance on top of the usual RDS services.

RD Gateway secures the communication with the clients through an SSL tunnel and can use either HTTP or UDP as the transport layer.

In addition, RD Gateway can publish the users' applications through RD Web, a portal where a logged-in user can see the list of their applications and launch them.

How RD Gateway works

To secure the Remote Desktop communications, the client that initiates the communication first establishes a secure channel with RD Gateway via an SSL tunnel. RD Gateway then verifies that the client is a valid Remote Desktop user and initiates the RDP connection with the backends that deliver the internal resources. RD Gateway thereby acts as an RD proxy between the client and the internal resources.

RD Gateway creates two SSL tunnels, one for incoming and one for outgoing traffic from and to the client; once they are established, the data channels are created using the selected transport (either HTTPS or UDP), as shown below.

High available RD Gateway scenario

The weakness of this architecture is that when the RD Gateway service goes down, all the Virtual Desktop and internal services become inaccessible to external users. Hence, to ensure the high availability of the RD Gateway solution, we have designed the following highly available and scalable solution.

This is the architecture described in this article to achieve high availability and enhanced security for RD Gateway.

RD Gateway virtual service configuration

Once the Zevenet solution has been installed or deployed in your preferred environment (hardware appliance, virtual, bare metal, cloud or containers), apply the following instructions to create a virtual service for RD Gateway.

First, create a virtual interface dedicated to the RD Gateway service in the panel Network | Virtual Interface | Create Virtual Interface, as shown below.

Then create a new Local Service Farm of type L4xNAT using the virtual interface previously created, in the section LSLB | Farms | Create Farm, for example with the name RDGatewayVS.

Once the farm is created, change the advanced global settings and select ALL protocol types, in order to support both the HTTPS and UDP transport modes of RD Gateway, as shown below.

Then configure the service algorithm (priority, weight or least connections) according to your needs, client persistence by source IP (so that both SSL tunnels of a client, and its data channels, are handled by the same RD Gateway), and advanced backend health checks with 30 seconds between checks and the following custom check:

check_http -S -H HOST -u /RDWeb/Page -t10 -c 10 -w 10

Finally, add the RD Gateway IP addresses as backends.
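The custom check above is the Nagios check_http plugin: the health checker substitutes each backend's address for HOST, fetches /RDWeb/Page over SSL (-S) with a 10 second socket timeout (-t10), and reports WARNING or CRITICAL when the response takes 10 seconds or more (-w 10 / -c 10). The following added example (written for this page, not Zevenet's or the Nagios plugin's code) re-implements that check in Python so you can see how each outcome maps to a plugin state: HTTP 5xx or an unreachable gateway is CRITICAL, HTTP 4xx is WARNING, and a slow answer is WARNING or CRITICAL by threshold. Only exit status 0 should count as a healthy backend, which is why a 404 from RD Web still takes a gateway out of service. The local RD Web stand-in, its /RDWeb/Broken path and the function names are assumptions made for the example so it runs offline.

```python
"""Re-implementation of the backend check from this article,
check_http -S -H HOST -u /RDWeb/Page -t10 -c 10 -w 10, as an added example
(not Zevenet's or the Nagios plugin's code)."""
import http.client
import ssl
import sys
import threading
import time
from enum import IntEnum
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class State(IntEnum):
    """Nagios plugin exit codes."""
    OK = 0
    WARNING = 1
    CRITICAL = 2
    UNKNOWN = 3


def check_http(host, path="/RDWeb/Page", port=None, use_ssl=True,
               timeout=10.0, warn=10.0, crit=10.0, verify=False):
    """Fetch path from host and map the outcome to a (State, message) pair.

    Mirrors the plugin's options: -S -> TLS, -t -> socket timeout,
    -w/-c -> warning/critical response-time thresholds in seconds.
    HTTP 5xx -> CRITICAL, HTTP 4xx -> WARNING, connection failure -> CRITICAL.
    Like check_http, certificate verification is off unless verify=True.
    """
    if port is None:
        port = 443 if use_ssl else 80
    started = time.monotonic()
    try:
        if use_ssl:
            ctx = ssl.create_default_context()
            if not verify:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        status, reason = resp.status, resp.reason
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return State.CRITICAL, f"CRITICAL - {host}:{port}{path} unreachable: {exc}"
    elapsed = time.monotonic() - started
    detail = f"HTTP {status} {reason} from {host}:{port}{path} in {elapsed:.3f}s"
    if status >= 500:
        return State.CRITICAL, "CRITICAL - " + detail
    if status >= 400:
        return State.WARNING, "WARNING - " + detail
    if elapsed >= crit:
        return State.CRITICAL, "CRITICAL - too slow, " + detail
    if elapsed >= warn:
        return State.WARNING, "WARNING - slow, " + detail
    return State.OK, "OK - " + detail


class _FakeRDWeb(BaseHTTPRequestHandler):
    """Constructed stand-in for RD Web (plain HTTP on localhost, not a real
    RD Web server) so the check can be exercised offline."""

    def do_GET(self):
        if self.path == "/RDWeb/Page":
            body = b"<html>RD Web stand-in</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/RDWeb/Broken":
            self.send_error(503, "Service Unavailable")  # simulate a failing gateway
        else:
            self.send_error(404, "Not Found")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_rdweb():
    """Start the stand-in on an ephemeral port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _FakeRDWeb)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_fake_rdweb(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    # Usage: python rdgw_check.py <backend address> [path]; exits with the plugin code
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    page = sys.argv[2] if len(sys.argv) > 2 else "/RDWeb/Page"
    state, message = check_http(target, path=page)
    print(message)
    sys.exit(int(state))
```

Run it against a real gateway with the backend address as the first argument; the exit status is what a health checker would act on, so anything other than 0 means the gateway should be taken out of the pool. The -w and -c values on this page are both 10 seconds, the same as the socket timeout, so in practice a gateway is only failed for being unreachable, answering with an error status, or not answering at all within the timeout.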

Now you can configure the virtual service IP address in the clients to make use of the RD Gateway high availability architecture.

Enhanced RD Gateway security

The RD Gateway solution is designed to publish applications to external users, so security is a key issue. Although the solution provides an encrypted data channel, it offers no protection against DoS attacks, web scraping, malicious hosts and other threats.

For this reason, the IPDS tab can be used to protect the RD Gateway services with improved security.

Enjoy your highly available RD Gateway with enhanced security.

Documentation under the terms of the GNU Free Documentation License.
