multiple Remote Desktop Gateways - How to balance? UDP involved
we've got 2 Remote Desktop Gateways in our DMZ, which are currently balanced by HAProxy. It works fine, but HAProxy doesn't allow for UDP. RD Gateways can use UDP to enhance performance. What would be the best way to have both gateways load balanced WITH UDP enabled?
What does Microsoft recommend?
Ok, a blatant copy / paste from the MS docs (https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-rdweb-gateway-ha), screwing up the layout:
Step 3: Configure load balancing for the RD Web and RD Gateway servers
If you are using Azure infrastructure, you can create an external Azure load balancer; if not, you can set up a separate hardware or software load balancer. Load balancing is key so that traffic will be evenly distributed the long-lived connections from Remote Desktop clients, through the RD Gateway, to the servers that users will be running their workloads.
If your previous server running RD Web and RD Gateway was already set up behind an external load balancer, skip ahead to step 4, select the existing backend pool, and add the new server to the pool.
- Create an Azure Load Balancer:
- In the Azure portal click Browse > Load balancers > Add.
- Enter a name, for example WebGwLB.
- Select Public for the Scheme, Public IP address, and a Public IP address. You can select an existing Public IP address or create a new one.
- Select the appropriate Subscription, Resource Group, and Location.
- Click Create.
- Create a probe to monitor which servers are alive:
- In the Azure portal click Browse > Load Balancers., the load balancer you just created, e.g. WebGwLB, and Settings
- Click Probes > Add.
- Enter a name, for example, HTTPS, for the probe. Select TCP as the Protocol, and enter 443 for the Port, then click OK.
- Create the HTTPS and UDP load balancing rules:
- In Settings, click Load balancing rules.
- Select Add for the HTTPS rule.
- Enter a name for the rule, for example, HTTPS, and select TCP for the Protocol. Enter 443 * for both Port and Backend port, and click OK.
- In Load balancing rules, click Add for the UDP rule.
- Enter a name for the rule, for example, UDP, and select UDP for the Protocol. Enter 3391 for both Port and Backend port, and click OK.
- Create the backend pool for the RD Web and RD Gateway servers:
- In Settings, click Backend address pools > Add.
- Enter a name (for example, WebGwBackendPool), then click Add a virtual machine.
- Choose an availability set (for example, WebGwAvSet), and then click OK.
- Click Choose the virtual machines, select each virtual machine, and then click Select > OK > OK.
So that's that, Azure balancers and some other appliances I have seen support UDP balancing, but pfSense doesn't. I know the pfSense internal balancer (not HAProxy) can do UDP, but ONLY for DNS traffic. If I remember correctly in previous versions the protocol selection actually showed TCP and UDP, but now it shows TCP and DNS.
So would there be another way using pfSense to do that? I'm sure we all think pfSense does at least what others do right? ;-)
Probably not in this case.