How to configure RD gateway without exposing the VIP to the internet
This article goes over the process of setting up an RD Web Virtual Service that uses RD Gateway without exposing the RD Gateway Real Servers to the internet.
In this configuration the RD Web and RD Gateway servers are protected with the Edge Security Pack (ESP) for user authentication and session management. In this scenario SAML is used for the client-facing frontend authentication, with Kerberos Constrained Delegation configured for the backend server-side authentication.
Application: Remote Desktop Service (RDS)
- Cannot add a non-local Real Server when using UDP: the option has been enabled globally, but it only seems to work for TCP Virtual Services. Because of this, a connection cannot be made to the built-in Remote Terminal (which also disables ESP).
Steps to Reproduce:
In order to implement a working solution the following steps were taken.
2. Once the Virtual Service has been set up with 2 SubVSs and content rules, ensure that you have added the RD Web Servers to the ESP-enabled RD Web Sub Virtual Service.
NOTE: Remember to change the Match string to the host of your own RD Gateway server.
At the end you should have:
1 x Main Virtual Service with 3 x Sub Virtual Services:
SubVS1 --> RD Web SubVS with ESP enabled (RD Web Servers added) + [default content rule]
SubVS2 --> RPC Data SubVS with no ESP (no Real Servers --> 501 redirect enabled) + [RPC Data in / RPC Data out content rules]
SubVS3 --> RD Gateway SubVS with ESP enabled (RD Gateway servers added) + [Match on RD host content rule]
Please refer to the following screenshot as an example:
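The following Python model is an added example, not LoadMaster code or part of the original article. It mirrors the dispatch described above so the three outcomes can be checked against constructed requests: requests using the RPC-over-HTTP methods go to the RPC SubVS (no ESP, no Real Servers, 501 returned), requests whose Host header matches the RD Gateway host go to the ESP-protected RD Gateway SubVS, and everything else falls through to the ESP-protected RD Web SubVS. The gateway host name, the sample paths, and the assumption that the "RPC Data in / RPC Data out" rules match on the RPC_IN_DATA and RPC_OUT_DATA methods are all illustrative placeholders; the real content-rule definitions come from your own LoadMaster template.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption (placeholder, not from the article): the host that the
# "Match on RD host" content rule looks for in the Host header.
RD_GATEWAY_HOST = "rdg.example.com"

# Assumption: the "RPC Data in / RPC Data out" rules match the RPC-over-HTTP
# request methods used by the legacy RD Gateway transport.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}


@dataclass
class Request:
    method: str
    host: str
    path: str


@dataclass
class Decision:
    subvs: str             # SubVS the main Virtual Service hands the request to
    esp: bool              # True when ESP (SAML in front, KCD behind) applies
    status: Optional[int]  # immediate response code when the SubVS has no Real Servers


def parse_http_head(raw: str) -> Request:
    """Parse a constructed HTTP request head (request line plus headers)."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        if not line:  # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return Request(method=method, host=host, path=path)


def route(req: Request) -> Decision:
    """Mirror the content-rule dispatch: RPC rules first, then host match, then default."""
    if req.method in RPC_METHODS:
        # SubVS2: no ESP and no Real Servers. "Not Available" handling answers 501,
        # so the legacy transport never reaches a gateway; the client then uses
        # the HTTP transport, which does go through ESP.
        return Decision("SubVS2-RPC", esp=False, status=501)
    if req.host == RD_GATEWAY_HOST:
        # SubVS3: RD Gateway Real Servers behind ESP
        return Decision("SubVS3-RDGateway", esp=True, status=None)
    # SubVS1: default content rule, RD Web Real Servers behind ESP
    return Decision("SubVS1-RDWeb", esp=True, status=None)


def unauthenticated_backend_paths(raws: List[str]) -> List[str]:
    """Return the request lines that would reach a Real Server without ESP.

    For the layout described in the article this must be empty: every SubVS
    that has Real Servers is ESP-enabled, and the only non-ESP SubVS has none.
    """
    leaks = []
    for raw in raws:
        d = route(parse_http_head(raw))
        if d.status is None and not d.esp:
            leaks.append(raw.split("\r\n")[0])
    return leaks


# Constructed sample requests (hosts and paths are illustrative).
SAMPLES = [
    "GET /RDWeb/Pages/en-US/login.aspx HTTP/1.1\r\nHost: rdweb.example.com\r\n\r\n",
    "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1\r\nHost: rdg.example.com\r\n\r\n",
    "RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1\r\nHost: rdg.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        first_line = raw.split("\r\n")[0]
        d = route(parse_http_head(raw))
        print(f"{first_line:55s} -> {d.subvs} esp={d.esp} status={d.status}")
    print("unauthenticated backend paths:", unauthenticated_backend_paths(SAMPLES))
```

The check in unauthenticated_backend_paths is the property this layout is meant to guarantee: no request can be forwarded to an RD Web or RD Gateway Real Server without passing ESP, because the only SubVS without ESP has no Real Servers at all. If you later add Real Servers to the RPC SubVS, or move the host-match rule ahead of the RPC rules, re-run this kind of check rather than assuming the template still holds.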
On the RD Gateway SubVS there is NO persistence enabled, because in this scenario an RD Session Host was in use, which took care of persistence/stickiness for the user session in the background.
If you are not using an RD Session Host in your environment, you will likely need to enable persistence on the RD Gateway SubVS.
We recommend using Source IP persistence.