4 Replies Latest reply on Aug 9, 2018 8:06 AM by prpatel0

    ESG remote desktop Token Redirection

    prpatel0 Lurker



      I'm trying to configure my ESG so that it can accept the RDP session cookies during logins. My clients connect through RDP into a specific open VIP (public IP) from an outside network. The 2 networks aren't connected. I have my connection broker configured to allow RDP cookies redirection instead of IP redirection. However, i don't believe i have the ESG set up correctly.


      What options on the ESG should i have to enable cookies. Do i need to create a specific Application Rule?

        • 1. Re: ESG remote desktop Token Redirection
          lhoffer Hot Shot
          vExpertVMware Employees

          The ESG will just pass along cookies set by the client or backend server unless you've written an app rule to modify/remove them.  Typically the only unique setting used for an RDP solution would just require that "MSRDP" is set as the persistence method in the Application Profile as pictured below to ensure that the same RDP session always gets sent to the same pool member:



          As far as app rules, there are some recommended rules documented in the Application Rule Examples section of the admin guide specific to RDP, but they're just to help prevent DOS attacks on your RDP infrastructure and won't affect the behavior around cookies.

          • 2. Re: ESG remote desktop Token Redirection
            prpatel0 Lurker

            I still don't think this is working how we want.


            I don't want the ESG to load balance my pool. I'd rather want traffic to go through and have my RDP connection broker route traffic. How sure are we that RDP tokens are being passed through our ESG? I would think that we would need to enable Tokens in order for it to work.


            For example, if i select MSRDP then it'll always send me to the same pool. But when i tested the same Domain User's login from another network, it shot me to a new pool member. I want any disconnected session to connect back to the same pool member (no matter where the source location is) which should be done by RDP connection broker on our servers.


            I'm getting some of the same errors I would get when token's aren't being handled by the load balancer.


            Sorry if i'm not explaining this right.

            • 3. Re: ESG remote desktop Token Redirection
              lhoffer Hot Shot
              VMware EmployeesvExpert

              Are you talking about a single connection broker behind the ESG (in which case ESG doesn't load balance at all but simply routes traffic to it)?  If not, the "pool" from the ESG's perspective would just be your connection broker servers and the ESG will use the cookie set as the RDS session token for persistence to send traffic to the same connection broker, but it's then up to the connection brokers to ensure that pre-existing sessions are sent to the correct underlying RDS host.


              That said, you can confirm that persistence is working correctly by running the "show service load balancer table" command in the ESG CLI and can view the actual payload to ensure the token is being passed along and forwarded to the correct connection broker by doing a packet capture on the ESG as detailed towards the bottom of the Load Balancer Troubleshooting Using the CLI page in the admin guide (basically just uses TCP dump syntax with underscores instead of spaces).

              • 4. Re: ESG remote desktop Token Redirection
                prpatel0 Lurker

                This is my setup at the moment.


                1. Client is on the outside of our network, then connects in through the VIP.

                2. The ESG is configured as a load balancer pool. The pool includes 3 Terminals servers which are configured as Session host servers.

                3. There is a single server as a connection broker (CB) which users do not log into.

                4. When the connection is made to a Session host servers, it should query the CB then send a cookie back to the user so it remembers the connection.

                5. Issue starts when the client who initially connected to TS1, then disconnects, then connects back to TS2. TS2 should query the CB then send the cookie back to the client and redirect them to TS1. However, this doesn't happen. I believe it's because the cookie isn't being passed through correctly. Or that the ESG load balancer is ignoring the cookie and load balancing itself.


                I am not sending all traffic to the CB itself. Meaning, the load balancing pool does NOT have the Connection broker as a pool member. The pool members are only the Session host servers. I did this because i didn't think the CB actually redirects the initial connection to the CB Farm. It looks like when a connection is made to a member of the CB farm it'll then ask the CB if the session should stay in the session or be redirected to another server.



                Scenario 2: All connections are made directly to the CB.


                If only 1 NAT rule is created for the CB then there is only a pipe open to the CB. When the connection broker redirects to a Session host server then how will the client make the connection if there isn't a NAT rule (or open pipe) to the session host servers. I just don't see how we can have a direct connection to the CB.




                Side Note

                When I type in a value in "Expire in (Second)" then press save. This is done when i have MSRDP set for persistence. Then i go back to the settings it shows that the the field is empty. Is that normal or should the setting still be there? I'm doing this in Vcloud director.