TS Gateway is a Windows Server 2008 role which provides secure access to corporate desktops and applications for Internet users. Mobile workforces rely heavily on TS Gateway for remote access needs. To ensure 100% availability there are three methods we recommend which can help achieve this goal for TS Gateway:
Load balancing device (HW implementation): A third-party load balancer like F5 Networks BIG-IP, as one example, can be used to load-balance SSL traffic to TS Gateway servers.
SW load balancing (Ex: Microsoft NLB): This is the low cost and optimal solution for load balancing the TS Gateway traffic.
DNS Round Robin (DNSRR): DNS round robin can be used to balance the load on TS Gateway servers. One disadvantage with DNSRR is that it cannot act as a fail-over cluster. Therefore, if one server fails, clients might continue to attempt connection to the failed server.
In this article, we will focus on configuring TS Gateway high availability mode using NLB.
About Microsoft NLB:
The Network Load Balancing (NLB) role is available in Windows Server 2008. Every TS Gateway server member in the farm must install and configure NLB to form a fail-over load balancing server cluster. NLB distributes traffic between different TS Gateway server farm members. When a server in the cluster fails, NLB automatically removes the failed server from the cluster. The NLB cluster has a virtual IP address which is used by the clients to connect to the TS Gateway farm. Figure 1 below illustrates load-balancing TS Gateway using NLB. To further understand the Microsoft NLB deployment, click the following link: http://technet.microsoft.com/en-us/library/cc754833.aspx.
Figure 1. TS Gateway load balancing
A TS client establishes an RPC/HTTPS connection to TS Gateway. Every RPC/HTTPS connection internally consists of two SSL channels to TS Gateway representing RPC_IN_DATA/RPC_OUT_DATA channels. In a farm environment, a situation could occur where the RPC_IN_DATA/RPC_OUT_DATA channels end up on two different TS Gateway servers. Normally to address this problem NLB requires IP affinity. However TS Gateway if configured as a farm ensures that the RPC_IN_DATA and RPC_OUT_DATA channels are routed to the same TS Gateway server. See Recommendations about NLB parameters for TS Gateway farm scenario to know more information on different scenarios, IP affinity, and NLB.
1. Launch “TS Gateway Manager” from Start->Administrative Tools -> Terminal Services.
2. In the right pane click on Properties, go to Server Farm tab and enter FQDN name of all the servers which will be members of the farm, including local host.
3. Repeat the above steps on each TS Gateway server in the farm.
Setting up Microsoft NLB for TS Gateway farm:
1. Install the Network Load Balancing feature using Server Manager on all the TS Gateway servers in the farm. To install the NLB feature:
a. Open Server Manager, select Features in the left pane, right-click Features, click Add Features, and select Network Load Balancing in the available features. Click Next, and then click Install.
b. Open an elevated command prompt and run the command “servermanagercmd –install nlb”
2. NLB cluster can be configured using NLB manager. Launch NLB manager from Start-> Administrative Tools.
3. Right-click Network Load Balancing Clusters, and then click New Cluster
4. In Host, enter the name of the host, and then click Connect.
5. Select the network interface that you want to use with the cluster and click Next. The interface hosts the cluster virtual IP address and receives the client traffic to load balance. (Note: NLB does not support DHCP, so here you will see a warning message about DHCP. Click OK. )
6. In the Host Parameters page, select a Priority (Unique host identifier). The cluster node with the lowest priority handles the traffic that is not covered by port rules. If there is a single network adapter which is used both for communication between cluster nodes and external network traffic, then the dedicated IP address parameter is needed. The dedicated IP address is used for the communication between the cluster nodes (Ex: By TS Gateway farm services). This address should be a static IP address. Make sure the network adapter is configured with this address.
7. To specify the dedicated IP address, click Add and enter the IP address and subnet mask. Keep the remaining settings in the Host Parameters page as default.
8. Click Next to see the Cluster IP Addresses page. Click Add and enter the IP address for the cluster. This is the IP address which is used by the clients to connect to the TS Gateway farm.
9. Click Next to see the Cluster Parameters screen. Enter the public DNS name of the TS Gateway farm as Full Internet Name ( Ex: TSGatewayFarm.contoso.com )
10. Set Cluster operation mode to either unicast or multicast. Recommendations about the cluster operation mode are discussed at the end of this post.
11. Click Next to see the Port Rules page.
12. Click Edit to change the default port rules. Specify the port range as 443 to 443 if TS Gateway is an SSL end point. If you are using HTTPS-HTTP bridging with ISA in front, specify 80 to 80 as the port range. Only the incoming traffic to the range of ports specified in the port rules is load balanced.
13. In Protocols specify TCP.
14. In Filtering mode select Multiple host, which specifies that multiple nodes in the cluster will handle the network traffic for the port rule.
15. Set the Affinity to Single. Recommendations about the IP Affinity setting are discussed at the end of this post.
16. Click Finish to create the cluster.
17. To add more TS Gateway servers to the cluster, right-click the new cluster and then click Add Host to Cluster. Configure the host parameters (including host priority and dedicated IP addresses) for the additional hosts by following the same instructions that you used to configure the initial host. All the cluster parameters remain the same for the new hosts.
Cluster operation mode (multicast / unicast): If the gateway servers have multiple network adapters, use unicast cluster operation mode. It is a requirement that the TS Gateway farm can communicate between gateway servers. So if you have only a single NIC on gateway servers, then multicast should be used to enable communication between gateway servers in the cluster.
IP Affinity: In most cases, especially when clients originate from many different locations on the internet, like their homes, set the IP affinity to Single. There is one scenario where the IP affinity must be set to None: if many of the TS Gateway clients are behind NAT devices causing all connections to end up with the same IP and hence the same TS Gateway server, then IP affinity set to Single on NLB will load one server more than another (for example, all remote workers in a branch behind a NAT with a single external IP). In this scenario IP affinity should be set to None.
It is recommended to configure TS Gateway for a farm scenario, no matter what affinity is used. This allows users to connect in the situation where the 2 SSL connections (RPC_IN_DATA, RPC_OUT_DATA channels) originate from different client IP addresses. For example, suppose a client is trying to connect from within an organization having two proxies to the Internet (or a proxy having two Internet IP addresses) which are used randomly. In this scenario, If TS Gateway farm is not configured then the connection might fail for any NLB IP Affinity setting because SSL connections (RPC_IN_DATA, RPC_OUT_DATA) from the client may go to different TS Gateway servers.
1. To know how MSIT used TS Gateway as a scalable remote access solution, see http://technet.microsoft.com/en-us/library/cc304366.aspx
3. TS Gateway step-by-step guide: