Hi Guys,
I'm having a bit of trouble figuring out where I'm going wrong on this one.
Environment:
- Root forest with gateway server and a valid certificate
- Child domain with a DC and a session host
- All servers are Windows 2008 R2 Enterprise
Everything works perfectly today, but it's not very scalable or robust, so I'm playing around with setting up a farm for session hosts.
I've set up two identical session hosts (TS02 and TS03) and a session broker (BR01) in a new child domain. The session hosts are added to the Session Broker Computers group on BR01, and use the farm name TsFarm01. So far so good. It all works perfectly internally. I'm not using any special mechanism for initial connection, just connecting directly to one of the session hosts. The session hosts are load balanced and sessions are reconnected as expected - internally.
When I try to connect through the gateway server it all fails. My cap and rap policies are correct, so the gateway allows connection to both TS02 and TS03 directly, but if the session broker decides to redirect the session away from the initial server it all fails. I'm using standard self signed certificates on the session hosts, so I have a way of monitoring activity from the client during the connection.
The process goes as follows:
- User Test01 has a disconnected session on TS02
- User Test01 logs on externally to TS03 through gateway (best way to ensure failure)
- Gateway logs that cap and rap policies are met, and the user is authorized. (200, 300 TerminalServices-Gateway)
- User gets prompted with TS03 certificate
- Gateway logs that user Test01 is connected to TS03 (302 TerminalServices-Gateway)
- Session broker logs a request from TS03 and identifies the endpoint name TsTarm01 (800, 803 TerminalServices-SessionBroker)
- Session broker logs that a disconnected session for user Test01 exists on TS02 (807 TerminalServices-SessionBroker)
- Session broker logs that it successfully processed the connection request for user Test01 and the target is TS02 (801 TerminalServices-SessionBroker)
- Gateway logs that user is disconnected after 2 seconds and 2801/2433 bytes transferred/received (303 TerminalServices-Gateway)
- Gateway logs that rap (not pap this time) policy is met, and the user Test01 is authorized. (300 TerminalServices-Gateway)
- Gateway logs that user is connected to TS03 (302 TerminalServices-Gateway)
- Gateway logs that user is disconnected after 0 seconds and 7930/14821 bytes transferred/received (303 TerminalServices-Gateway)
- Session broker logs that the connection has timed out (814 TerminalServices-SessionBroker)
- RDP client just hangs on connecting to server
As I understand it, everything is in order for steps 1 through 10, but I would expect the client to reconnect directly to server TS02 after this.
I actually need to use the DNS name TS01 for the initial connection due to a special way of generating RDP files for client users. I have a dedicated redirector for this, but I experience the same issues, so I'm keeping that one out of the mix for now. I also tried DNS round robin, but troubleshooting got a lot worse...
I'm kinda stuck here. Any ideas on what my problem is?
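The post reads the gateway and session broker events by hand, one server at a time. The script below is an added example (not the poster's own, and not a Microsoft tool) that pulls both operational logs for one user and merges them into a single timeline, so the handoff described above (302 on the gateway, then 800/803/807/801 on the broker, then the 303 disconnect and the 814 timeout) can be read in order with timestamps. The host names `GATEWAY01` and `BR01`, the user `Test01` and the 30-minute window are placeholders; the two log names are the ones shown in Event Viewer under Applications and Services Logs on Windows Server 2008 R2, and remote access assumes the caller is an administrator on both servers with the Remote Event Log Management firewall rule open.

```powershell
# Added example: merge RD Gateway and RD Session Broker events for one user
# into one timeline. Not part of the original post; names below are placeholders.
param(
    [string]$User    = 'Test01',     # account being traced
    [string]$Gateway = 'GATEWAY01',  # placeholder: the RD Gateway host
    [string]$Broker  = 'BR01',       # the session broker from the post
    [int]   $Minutes = 30            # how far back to look
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Operational log names as listed in Event Viewer on Windows Server 2008 R2
# (assumed unchanged on later builds).
$gwLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$brLog = 'Microsoft-Windows-TerminalServices-SessionBroker/Operational'

function Get-RdsEvents {
    param([string]$Computer, [string]$LogName, [string]$Label)
    # Events whose message mentions the user; first line of the message only,
    # because the full text is several paragraphs.
    Get-WinEvent -ComputerName $Computer `
                 -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -and $_.Message -match [regex]::Escape($User) } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = $Label
                Id      = $_.Id
                Message = ($_.Message -split "`r?`n")[0]
            }
        }
}

$gw = @(Get-RdsEvents -Computer $Gateway -LogName $gwLog -Label 'Gateway')
$br = @(Get-RdsEvents -Computer $Broker  -LogName $brLog -Label 'Broker')

$timeline = ($gw + $br) | Sort-Object Time
$timeline | Format-Table Time, Source, Id, Message -AutoSize

# Flag the pattern from the post: the broker reports a successful redirect
# (801) but the gateway never logs a new connection (302) to any host
# afterwards, only a disconnect (303) and then a broker timeout (814).
$redirect = $timeline | Where-Object { $_.Source -eq 'Broker' -and $_.Id -eq 801 } |
            Select-Object -Last 1
if ($redirect) {
    $after = $timeline | Where-Object { $_.Time -gt $redirect.Time }
    $reconnect = $after | Where-Object { $_.Source -eq 'Gateway' -and $_.Id -eq 302 }
    $timeout   = $after | Where-Object { $_.Source -eq 'Broker'  -and $_.Id -eq 814 }

    Write-Host ("Broker redirect at {0}: {1}" -f $redirect.Time, $redirect.Message)
    if ($reconnect) {
        Write-Host "Gateway logged a connection after the redirect:"
        $reconnect | Format-Table Time, Id, Message -AutoSize
    } else {
        Write-Host "No gateway 302 after the redirect; the client never re-entered through the gateway."
    }
    if ($timeout) {
        Write-Host ("Broker timed out the request at {0}" -f $timeout[0].Time)
    }
} else {
    Write-Host "No broker 801 event for $User in the last $Minutes minutes."
}
```

Run it on a workstation with RSAT or directly on the broker, reproduce the failing logon, and read the merged table top to bottom: the 302 that follows the 801 (or its absence) shows whether the client's second connection reached the gateway at all, which is the point the post's step list cannot settle from the two logs read separately.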