Deploying F5 With Microsoft Remote Desktop Services


Important: This guide has been archived. While the content in this guide is still valid for the products and versions listed in the document, it is no longer being updated and may refer to F5 or third party products or versions that have reached end-of-life or end-of-support. For a list of current guides, see

Deployment Guide

IMPORTANT: This guide has been archived. There are two newer deployment guides and downloadable iApp templates available for Remote Desktop Services, one for the Remote Desktop Gateway Servers, and one for Remote Desktop Session Host. See downloads.f5.com for the iApp templates, or the Deployment Guide index at osoft to find the associated deployment guides.

Welcome to the F5 deployment guide for Microsoft Remote Desktop Services included in Windows Server 2012 and Windows Server 2008 R2. This document provides guidance on configuring the BIG-IP Local Traffic Manager (LTM) and Access Policy Manager (APM) for directing traffic and maintaining persistence to Microsoft Remote Desktop Services.

Remote Desktop Services enables users to remotely access full Windows desktops, or individual Windows-based applications, on Remote Desktop Session Host computers. In an environment using BIG-IP LTM system, a farm of Remote Desktop Session Host servers has incoming connections distributed in a balanced manner across the members of the farm. Additionally, BIG-IP LTM can offload SSL processing for the Gateway role in Remote Desktop Services.

To provide feedback on this deployment guide or other F5 solution documents, contact us at solutionsfeedback@f5.com.

Visit the Microsoft page of F5's online developer community, DevCentral, for Microsoft forums, solutions, blogs and more: http://devcentral.f5.com/Microsoft/.

Products and versions
  BIG-IP LTM: 10.1 and later in the 10.x branch, 11.0, 11.0.1, 11.1, 11.2, 11.3, 11.4, 11.4.1, 11.5, 11.5.1, 11.6
  BIG-IP APM: 11.0, 11.0.1, 11.1, 11.2, 11.3, 11.4, 11.4.1, 11.5, 11.5.1, 11.6
  Microsoft Windows Server Remote Desktop Services: 2012 R2, 2012, 2008 R2
  Deployment Guide version: 3.7 (see Document Revision History on page 29)

Important: Make sure you are using the most recent version of this deployment guide, available soft-remote-desktop-services-dg.pdf

DEPLOYMENT GUIDE
Microsoft Remote Desktop Services

Contents
  Prerequisites and configuration notes
  Configuration example
  Scenario 1: Configuring the BIG-IP LTM for Remote Desktop Access with RD Session Host
    Supporting RemoteFX for Remote Desktop Session Host (optional)
  Scenario 2: Configuring the BIG-IP LTM for Remote Desktop Access with RD Gateway
    Supporting RemoteFX for Remote Desktop Gateway (optional)
  Scenario 3: Configuring the BIG-IP LTM for the Remote Desktop Connection Broker service
  Scenario 4: Adding Remote Desktop Web Access to BIG-IP LTM
  Scenario 5: Publishing Remote Desktop Resources using BIG-IP APM
    Prerequisites and configuration notes
    Configuring the BIG-IP APM
    Creating the profiles
    Configuring the virtual server
    Optional: Using a combined virtual server for RD Gateway and RD Web Access
  Troubleshooting
  Appendix A: Configuring WMI monitoring of the RDS servers
  Appendix B: Using X-Forwarded-For to log the client IP address in IIS 7.0, 7.5, and 8 (optional)
  Appendix C: Configuring DNS and NTP settings on the BIG-IP system
    Configuring the DNS settings
    Configuring the NTP settings
  Document Revision History

Prerequisites and configuration notes

- The BIG-IP LTM system must be running version 10.1 or later. We recommend using BIG-IP version 11.4 or later. For more information on the BIG-IP system, see http://www.f5.com/products/bigip/.
- You must be using Windows Server 2008 R2 or 2012 or 2012 R2 Remote Desktop Services. If you are using a previous version see the Deployment Guide index at: uides.html.
- For more information on Microsoft Windows Server, including Windows Remote Desktop Services, see one of the following links:
  - Windows Server 2012: technet.microsoft.com/library/hh831447
  - Windows Server 2008 R2: 10%29.aspx
- You should be familiar with both the BIG-IP LTM system and Windows Server Remote Desktop (RD) Services. For more information on configuring these products, consult the appropriate documentation.
- The BIG-IP LTM offers the ability to mix IPv4 and IPv6 addressing; for instance, you might want to use IPv6 addressing on your internal networks even though connections from clients on the Internet use IPv4.
- Although our examples and diagrams show external users connecting to the BIG-IP system in a routed configuration, the steps described in this document are equally valid for a one-armed configuration, and both topologies may be used simultaneously.
- The third-party Web site information in this guide is provided to help you find the technical information you need. The URLs are subject to change without notice.
- Be sure to see Appendix A: Configuring WMI monitoring of the RDS servers on page 24 and Appendix B: Using X-Forwarded-For to log the client IP address in IIS 7.0, 7.5, and 8 (optional) on page 26 for optional configuration procedures.
- There is now an iApp template developed by F5 for Remote Desktop Session Host, which greatly simplifies the configuration. For details, see te-Desktop-Session-Host-iApp.ashx.

Configuration example

This deployment guide details four configuration scenarios:

- Scenario 1: Configuring the BIG-IP LTM for Remote Desktop Access with RD Session Host on page 5
  In this scenario, we configure a BIG-IP LTM for use with Remote Desktop Access. Users connect through the BIG-IP LTM to an RD Session Host server farm using the Remote Desktop Protocol (RDP), with an RD Connection Broker server managing persistence. The BIG-IP LTM provides advanced load balancing to farm members, while honoring RD Connection Broker routing tokens. This is the path labeled 1 in the following diagram.

- Scenario 2: Configuring the BIG-IP LTM for Remote Desktop Access with RD Gateway on page 8
  In this scenario, we extend and modify the deployment to add a farm of RD Gateway Servers. While still using the Remote Desktop Connection client, users' RDP sessions are now encapsulated in HTTPS, which is more likely to be allowed through firewalls. When the HTTPS sessions arrive at the BIG-IP, they are decrypted and passed to a farm of RD Gateway servers using HTTP. The RD Gateway Servers remove the HTTP, and forward the RDP sessions to the destination Remote Desktop server specified by the client. This is the path labeled 2 in the following diagram. Optionally, you can deploy a virtual server to act as a reverse proxy in a perimeter or DMZ network. This virtual server forwards Remote Desktop Gateway HTTP traffic to a virtual server on the internal BIG-IP, which then forwards the RDP sessions to the destination Remote Desktop server. The reverse proxy virtual server is secured by an iRule that allows clients to connect to only the published Remote Desktop Services. Publishing Remote Desktop Gateway in this manner simplifies deployment and precludes exposing required services in the DMZ network.

- Scenario 3: Configuring the BIG-IP LTM for the Remote Desktop Connection Broker service on page 14
  If you have configured high availability for RD Connection Broker (available in Windows Server 2012 and 2012 R2 only), BIG-IP LTM load balances requests from the Remote Desktop Gateway servers to the Connection Broker service between all members of the RD Connection Broker farm.

- Scenario 4: Adding Remote Desktop Web Access to BIG-IP LTM on page 16
  In this scenario, we extend the deployment again to include RD Web Access Servers and RemoteApp. Users browse to a web page via HTTPS; their sessions are decrypted on the BIG-IP LTM and passed to a farm of RD Web Access servers over HTTP. By selecting applications that have been published on that page, users initiate new connections to individual RemoteApp resources, while still using the BIG-IP LTM and RD Gateway Server farm to encapsulate their connection in HTTPS. This is the path labeled 3 in the following diagram.

[Figure 1: Logical configuration example. Diagram labels: External Remote Desktop Services Clients; Internet; BIG-IP Local Traffic Manager (Remote Desktop Gateway Reverse Proxy); Firewall; BIG-IP Local Traffic Manager; Internal Remote Desktop Services Clients; RD Connection Broker; RD Session Hosts; RD Gateway Servers; RD Web Access Servers; Microsoft Windows Server Remote Desktop Services; paths numbered 1 to 4.]

- Scenario 5: Publishing Remote Desktop Resources using BIG-IP APM on page 19
  In this scenario, the BIG-IP Access Policy Manager allows you to securely publish Remote Desktop connections and programs, which users can access using links on an APM Webtop. This can eliminate the need to locate a Remote Desktop Web Access server in the DMZ or perimeter network.

[Figure 2: BIG-IP APM logical configuration example. Diagram labels: External Remote Desktop Services Clients; BIG-IP Local Traffic Manager + Access Policy Manager; Remote Desktop Session Hosts.]

Scenario 1: Configuring the BIG-IP LTM for Remote Desktop Access with RD Session Host

In this scenario, we show you how to configure the BIG-IP LTM for use with Remote Desktop Access and Remote Desktop Connection Broker. For a description of this scenario, see Configuration example on page 3.

There is now an iApp template developed by F5 for this scenario, which greatly simplifies the configuration. For details, emote-Desktop-Session-Host-iApp.ashx.

Prerequisites and configuration notes

The following are prerequisites and notes specific to this scenario. These notes apply to the Remote Desktop Services configuration.

- Install the Remote Desktop Session Host role on at least one server; for load balancing connections, you need at least two servers. See the Microsoft document Installing Remote Desktop Session Host Step-by-Step guide available 3275(WS.10).aspx (for Windows Server 2008 R2).
- Install the Remote Desktop Connection Broker role on at least one server according to the Microsoft y/dd883258%28WS.10%29.aspx (for Windows Server 2008 R2). Make sure the servers are part of a RD Connection Broker farm.
- The following are requirements for the RD Connection Broker farm:
  - RD Connection Broker role is installed.
  - Members should not participate in Connection Broker load balancing (Windows 2008 R2).
  - Members should use token redirection.
  - The farm may be configured in standard or high availability mode (Windows 2012 or 2012 R2 only). See Scenario 3: Configuring the BIG-IP LTM for the Remote Desktop Connection Broker service on page 14 for more information.

Configuration table for scenario 1

The table on the following page contains a list of BIG-IP LTM configuration objects along with any non-default settings you should configure as a part of this deployment scenario. Unless otherwise specified, settings not mentioned in the table can be configured as applicable for your configuration. For specific instructions on configuring individual objects, see the online help or product manuals.

BIG-IP LTM Object: Non-default settings/Notes

Health Monitor (1) (Main tab --> Local Traffic --> Monitors)
  Name: Type a unique name
  Type: TCP
  Interval: 30 (recommended)
  Timeout: 91 (recommended)
  Send String (1) (use the string for your version of Windows Server):
    Windows Server 2012 \x00\x08\x00\x0b\x00\x00\x00
    Windows Server 2012, 2008 \x00\x08\x00\x03\x00\x00\x00
  Receive String (1) (use the string for your version of Windows Server):
    Windows Server 2012 \x0f\x08\x00\x08\x00\x00\x00
    Windows Server 02\x07\x08\x00\x02\x00\x00\x00
    Windows Server 2008 \x01\x08\x00\x02\x00\x00\x00

(1) If you are using BIG-IP version 11.5.x, see Troubleshooting on page 23.

BIG-IP LTM Object: Non-default settings/Notes

Pool (Main tab --> Local Traffic --> Pools)
  Name: Type a unique name
  Health Monitor: Select the monitor you created above
  Slow Ramp Time (1): 300
  Load Balancing Method: Choose a load balancing method. We recommend Least Connections (Member)
  Address: Type the IP Address of the RD Session Host nodes. This can be an IPv4 or IPv6 address.
  Service Port: 3389. Click Add, and repeat Address and Port for all nodes

Profiles (Main tab --> Local Traffic --> Profiles)
  TCP (Profiles --> Protocol)
    Name: Type a unique name
    Parent Profile: Use tcp-wan-optimized or tcp-lan-optimized depending on where your clients are located.
    Nagle's Algorithm: If you selected tcp-wan-optimized: Clear the Nagle's Algorithm box to disable Nagle's Algorithm.
  Persistence (Profiles --> Persistence)
    Name: Type a unique name
    Persistence Type: Microsoft Remote Desktop
    Has Session Directory: If you are using Remote Desktop Connection Broker, check the Has Session Directory box.

Virtual Server (Main tab --> Local Traffic --> Virtual Servers)
  Name: Type a unique name.
  Address: Type the IP Address for the virtual server
  Service Port: 3389
  Protocol Profile (client) (1): Select the TCP profile you created above
  Protocol Profile (server) (1): Select the TCP profile you created above
  SNAT Pool (2): Auto Map (optional; see footnote 3)
  Default Pool: Select the pool you created above
  Default Persistence Profile: Select the Persistence profile you created

(1) You must select Advanced from the Configuration list for these options to appear.
(2) If you want to use SNAT, and you have a large deployment expecting more than 64,000 simultaneous connections, you must configure a SNAT Pool with an IP address for each 64,000 simultaneous connections you expect. See the BIG-IP documentation on configuring SNAT Pools.

Supporting RemoteFX for Remote Desktop Session Host (optional)

If you are using Microsoft RemoteFX for Remote Desktop Services, use the following table to configure additional BIG-IP LTM objects for the Remote Desktop Session Host servers.

BIG-IP LTM Object: Non-default settings/Notes

Health Monitor (Main tab --> Local Traffic --> Monitors)
  UDP Monitor
    Name: Type a unique name
    Type: UDP
    Interval: 30 (recommended)
    Timeout: 91 (recommended)
  Gateway ICMP Monitor
    Name: Type a unique name
    Type: Gateway ICMP
    Interval: 30 (recommended)
    Timeout: 91 (recommended)

BIG-IP LTM Object: Non-default settings/Notes

Pool (Main tab --> Local Traffic --> Pools)
  Name: Type a unique name
  Health Monitor: Select both monitors you created above (ensure Availability Requirement is set to All, the default)
  Slow Ramp Time (1): 300
  Load Balancing Method: Choose a load balancing method. We recommend Least Connections (Member)
  Address: Type the IP Address of a Remote Desktop Session Host
  Service Port: 3389. Click Add, and repeat Address and Port for all Remote Desktop Session Host devices

Profiles (Main tab --> Local Traffic --> Profiles)
  Persistence (Profiles --> Persistence)
    Name: Type a unique name
    Persistence Type: Source Address Affinity
    Match Across Services: Enabled

Virtual Servers (Main tab --> Local Traffic --> Virtual Servers)
  Remote Desktop Session Host virtual server
    Name: Type a unique name.
    Address: Type the same IP Address you used for the Session Host virtual server in the table on the previous page.
    Service Port: 3389
    SNAT Pool (2): Auto Map (optional; see footnote 2)
    Default Pool: Select the Remote Desktop Session Host pool you created above
    Default Persistence Profile: Select the MSRDP Persistence profile you created using the guidance from the table on the previous page.
    Fallback Persistence Profile: Select the Source Address persistence profile you created above.

(1) You must select Advanced from the Configuration list for these options to appear.
(2) If you want to use SNAT, and you have a large deployment expecting more than 64,000 simultaneous connections, you must configure a SNAT Pool with an IP address for each 64,000 simultaneous connections you expect. See the BIG-IP documentation on configuring SNAT Pools.

Modifying the Session Host virtual server to use the Persistence profile you created

The final task is to modify the Session Host virtual server you configured (using the guidance on the previous page) to use the persistence profile you just created for RemoteFX as a fallback method.

To modify the virtual server
1. Expand Local Traffic and then click Virtual Servers.
2. Click the name of the TCP Session Host virtual server you created using the guidance from the table on page 5.
3. On the Menu bar, click Resources.
4. From the Fallback Persistence Profile list, select the name of the Source Address Affinity persistence profile you just created.
5. Click Update.

This completes the configuration for scenario 1.
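
The Scenario 1 objects from the tables above, written as tmsh commands. This is an added example, not part of the F5 guide: it assumes tmsh syntax as found on BIG-IP 11.4 or later, and every object name and IP address in it is a placeholder. SEND_STRING and RECV_STRING stand for the monitor strings listed in the Health Monitor table for your Windows Server version.

```tmsh
# Added example: object names (rdsh_*) and all IP addresses are placeholders.
# Enter these at the tmsh prompt; assumes BIG-IP 11.4 or later.

# Health monitor: TCP, interval 30, timeout 91.
# Replace SEND_STRING / RECV_STRING with the strings from the monitor table.
create ltm monitor tcp rdsh_tcp_monitor { interval 30 timeout 91 send "SEND_STRING" recv "RECV_STRING" }

# Pool: slow ramp time 300, Least Connections (Member), RD Session Host nodes on 3389.
create ltm pool rdsh_pool { monitor rdsh_tcp_monitor slow-ramp-time 300 load-balancing-mode least-connections-member members add { 10.0.0.11:3389 10.0.0.12:3389 } }

# TCP profile for LAN clients.
create ltm profile tcp rdsh_tcp { defaults-from tcp-lan-optimized }
# For WAN clients use this form instead, with Nagle's Algorithm disabled:
# create ltm profile tcp rdsh_tcp { defaults-from tcp-wan-optimized nagle disabled }

# Microsoft Remote Desktop persistence, with Has Session Directory checked
# because an RD Connection Broker is in use.
create ltm persistence msrdp rdsh_msrdp { defaults-from msrdp has-session-dir yes }

# Virtual server on 3389: same TCP profile on the client and server side,
# default pool, MSRDP default persistence, optional SNAT Auto Map.
create ltm virtual rdsh_vs { destination 192.0.2.10:3389 ip-protocol tcp profiles add { rdsh_tcp } pool rdsh_pool persist replace-all-with { rdsh_msrdp { default yes } } source-address-translation { type automap } }

# Optional RemoteFX step: Source Address Affinity profile with
# Match Across Services enabled, set as the fallback persistence profile.
create ltm persistence source-addr rdsh_source_addr { defaults-from source_addr match-across-services enabled }
modify ltm virtual rdsh_vs fallback-persistence rdsh_source_addr

# Review the result and the monitor status of each pool member.
list ltm virtual rdsh_vs
show ltm pool rdsh_pool members
```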

Scenario 2: Configuring the BIG-IP LTM for Remote Desktop Access with RD Gateway

The Remote Desktop Gateway allows authorized users to tunnel RDP connections over HTTPS, using the standard Remote Desktop client. Benefits of Gateway servers include:

- Remote access without the use of a VPN solution;
- The ability to connect from remote networks that do not allow RDP connections (TCP port 3389) through their firewalls;
- Comprehensive control over user access policies;
- Publication of a single name and address to the public networks, rather than one for each internal RD Session Host resource.

In the deployment described in scenario 1, users on the Internet connect to a BIG-IP virtual server for RD Session Host functionality over TCP port 3389. In typical configurations, the RD Session Host virtual server will therefore have a public IP address on an Internet-facing side of the BIG-IP LTM.

In the following scenario, however, where you introduce an RD Gateway server farm and corresponding BIG-IP virtual server, you may want to allow clients to connect only through an RD Gateway server farm using HTTPS. If that is the case, you can create a BIG-IP virtual server on an internal network to receive Remote Desktop Gateway traffic forwarded from the perimeter or DMZ network. The new RD Gateway virtual server you create must be on a public-facing IP address and accessible on TCP port 443.

Prerequisites and configuration notes

The following are prerequisites and notes specific to this scenario. These notes apply to the Remote Desktop Services configuration.

- Install the Remote Desktop Gateway role on at least one server; for load-balancing connections, you need at least two servers. See the Deploying Remote Desktop Gateway Step-by-Step Guide WS.10%29.aspx
- Install the Remote Desktop Session Host role, as described in Scenario 1.
- Install the Remote Desktop Connection Broker role on at least one server, as described in Scenario 1.
- Create an RD Gateway Server Farm and add all members of the farm (must match those in the BIG-IP LTM pool). Enable HTTPS - HTTP Bridging. For the SSL Certificate any setting will work; the BIG-IP LTM does SSL processing.
- Each user's Remote Desktop Connection client needs to be configured to use an RD Gateway Server. The configured Server Name must correspond to the fully-qualified DNS name that is associated with the Client SSL profile that you create on the BIG-IP LTM. Additionally, the certificate associated with that name and profile must be trusted by the client computer, and the client computer must be able to resolve the DNS name to the IP address assigned to the BIG-IP virtual server.

Instructions for the variou

