Troubleshooting
- Last Updated: May 13, 2025
Refer to the sections below for details on some common issues seen when load balancing the RDP workload.
Connections Rejected
Windows Server 2012 and 2012 R2 have security requirements on IIS. Therefore, when the LoadMaster re-encrypts RDP traffic, the server treats the connection as a man-in-the-middle attack and rejects it. The following Microsoft article describes this behavior: https://support.microsoft.com/en-us/kb/973917
There are a few ways to work around this issue:
- Use the same SSL certificate on the LoadMaster and on the RD Gateway server.
- Configure the RD Gateway server to expect offload and accept connections on port 80 with no encryption. Configure the LoadMaster to offload (with no re-encryption).
- Configure IIS as described in the Microsoft article (https://support.microsoft.com/en-us/kb/973917), with the following changes. In the last command, rdgateway.contoso.com is an example host name; substitute the name of your own RD Gateway.
  - appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost
  - appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"Allow" /extendedProtection.flags:"Proxy" /commit:apphost
  - appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /+"extendedProtection.[name='HTTP/rdgateway.contoso.com']" /commit:apphost
Load Not Balanced
Microsoft imposes a nine-character limit in RDP sessions. Therefore, if an RDP session comes in using the domain first, the LoadMaster persists that client to a server without balancing the load. This behavior results from the routing token character limitation and is not caused by the LoadMaster.
Refer to the following Microsoft article for instructions on how to specify custom routing tokens: IMsRdpClientAdvancedSettings::LoadBalanceInfo property
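The effect described under Load Not Balanced, as an added example that is not LoadMaster or Microsoft code: it assumes only the first nine characters of the login string are available as the persistence key, and models scheduling as simple least-connection. The login names, server names and the user-first comparison are constructed for illustration.

```python
from collections import defaultdict

TOKEN_LIMIT = 9  # the nine-character limit described above

# Constructed sample data: the same four users typed in two forms.
DOMAIN_FIRST = [r"CONTOSOCORP\alice", r"CONTOSOCORP\bob",
                r"CONTOSOCORP\carol", r"CONTOSOCORP\dave"]
USER_FIRST = ["alice@contosocorp.example", "bob@contosocorp.example",
              "carol@contosocorp.example", "dave@contosocorp.example"]
SERVERS = ["rds-1", "rds-2", "rds-3"]  # hypothetical real servers


def persistence_key(login, limit=TOKEN_LIMIT):
    """Assumption: only the first `limit` characters are available as the key."""
    return login[:limit]


def group_by_key(logins):
    """Map each truncated key to every login that collapses onto it."""
    groups = defaultdict(list)
    for login in logins:
        groups[persistence_key(login)].append(login)
    return dict(groups)


def simulate(logins, servers=SERVERS):
    """Sessions per server: a known key sticks, a new key goes to the
    least-loaded server (hypothetical scheduling, not LoadMaster's own)."""
    load = {server: 0 for server in servers}
    sticky = {}  # persistence table: key -> server
    for login in logins:
        key = persistence_key(login)
        if key not in sticky:
            sticky[key] = min(servers, key=lambda s: load[s])
        load[sticky[key]] += 1
    return load


if __name__ == "__main__":
    for label, logins in (("domain first", DOMAIN_FIRST), ("user first", USER_FIRST)):
        groups = group_by_key(logins)
        print(f"{label}: {len(groups)} distinct key(s) -> {simulate(logins)}")
        for key, members in groups.items():
            if len(members) > 1:
                print(f"  {key!r} is shared by {len(members)} logins")
```

Running the same grouping over an export of your users' real login strings shows how many distinct keys the persistence table can actually see.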