26 February 2015

How to enable Internet (WAN) access to a Microsoft Windows 2012 R2 Remote Desktop Services farm without using a TS Gateway

This small guide will help you to enable Internet access to a Windows 2012 R2 Remote Desktop Services farm without using a TS Gateway.

Install and configure the Active Directory domain (including TS broker and RDS hosts) in a split-DNS layout. 
You need to allow the FQDN name rdshost1.domain.com to be resolved internally with the local address and publicly with the WAN IP.

On your firewall enable a one-to-one NAT rule for port 3389 from the public address to the RDS host private IP (one dedicated rule each RDS host).

Be sure the DNS name on public DNS and internal DNS match with the NAT rules.

At this point if you try to test your environment connecting to the firewall public IP, you should notice some strange behavior.
In some conditions your client will try to connect to the farm (broker redirected host) using the LAN IP instead of the WAN IP address of the server.

In order to fix this strange way of working please follow the steps above.

Add a secondary vNIC (if VMware) or secondary IP address on physical NIC to the every RDS host.

To avoid Windows detecting IP address conflicts when starting the networking service, in VMware attach the vNIC on a dedicated vSwitch.

Disable every additional protocol and leave only IPv4 configured with the same IP address as the corresponding WAN

Disable all IPv6 bindings and delete the teredo tunnel interfaces.

To remove the virtual adapters go to Device Manager, View menu, select Show Hidden Devices.

Drill down to network adapters and tight click the object to uninstall.

Create a new GPO with the following settings and link it to the OU containing the RDS Hosts.

Set up the collection as usual installing the RDS host role on each node and the Broker service on a dedicated server.

Now you can test the RDS farm connecting to one of the public addresses (WAN IP)
In order to verify the connection, open some concurrent Remote Desktop Connection session pointing to the hosts FQDN (or load balancer address)
Check your local pc active RDP sessions with the following command: 

netstat -an | find /i "3389"

Each connection should display the public IP address of the firewall as destination address.

No comments:

Post a Comment