How to configure RD gateway without exposing the VIP to the internet

This article will go over the process of setting up RD Web Virtual Service while utilizing RD Gateway without exposing the RD Gateway Real Servers to the internet.

In this configuration the RD Web and RD Gateway servers were protected using the Edge Security Pack for user authentication and session management. In this scenario we use SAML for the client side facing frontend authentication with Kerberos Constrain Delegation configured for the backend server side authentication.

Product: Loadmaster

Version: Any

Platform: Any

Application: Remote Desktop Service (RDS)

- Cannot add non-local real server when using UDP: the option has been enabled globally, but it only seems to work for TCP VSs - due to this, a connection cannot be made to the built-in Remote Terminal (which also disables ESP)
- Is it possible to make additional VSs (or SubVSs) dependent upon another's SAML cookie.
- How can the web socket connection be handled.

In order to implement a working solution the following steps were taken.

1. Install the RD Web Template and configure the service for ESP as outline in the below documentation:
How to configure ESP for Remote Desktop Web Access – Kemp Support (kemptechnologies.com)
 

2. Once the virtual service has been set up with 2 sub vs's and content rules, ensure that you have added the RD web Servers to the ESP enabled RD Web Sub Virtual Service.

3. Ensure that you have added the 501 redirect on the RPC data Sub Virtual Service and that there are no Real Servers added. This ensures that the 501 redirect is enabled.

 
4. After the RD Web Virtual Service has been configured for ESP an additional Sub Virtual Service must be created in order to handle the RD Gateway Traffic.

The new Sub Virtual Service will need to have a custom content rule created to match on RD Gateway Traffic. In this scenario the content rule matches on the host of the RD Gateway server. The rule will look similar like this:

NOTE: Please remember to change the Match string to the HOST of your own RD Gateway server.

Once the rule has been configured remember to add the RD Gateway Servers to the Gateway SubVS.

Once the custom content rule and the real servers have been added to the RD Gateway Sub Virtual Service you must now enable ESP on the Gateway SubVS and configure the ESP to match the RD Web Sub Virtual Service as outlined in the previous documentation.

At the end you should have:

1 x Main Virtual Service with 3 x Sub Virtual Services.

SubVS1 --> RD Web SubVS with ESP enabled (RD Web Servers added) + [default content rule]

SubVS2 --> RPC Data SubVS with no ESP (No Real Servers --> 501 Redirect enabled) + [RPC Data in / RPC data out content rules]

SubVS3 --> RD Gateway SubVS with ESP (RD Gateway servers added) + [Match on RD host content rule]

Please refer to the following screenshot as an example:

On the RD gateway VS there is NO persistence enabled because In this scenario there was an RD session host being used which took care of the persistence/stickiness for the user session in the background.

If you are not using the RD Session Host in your environment then you will likely need to enable persistence on the RD gateway SubVS.

We recommend using Source IP.

https://support.kemptechnologies.com/hc/en-us/articles/209466686-How-to-configure-ESP-for-Remote-Desktop-Web-Access