Load balancing Windows Terminal Server – HAProxy and RDP Cookies
by Nick Chalk
When you have users depending on Windows Terminal Services for their main desktop, it’s a good idea to have more than one Terminal Server. RDP, however, is not an easy protocol to load balance; sessions are long-lived and need to be persistent to a particular server, and users may connect from different source addresses during one session.
The current development version of HAProxy has made an important step forward in making this possible. Thanks to work by Exceliance, it now supports RDP Cookies, offering a solution to the persistence problem.
We have been testing the latest development release of HAProxy, 1.4-dev4, on a loadbalancer.org Enterprise R16 device. The real servers were two Windows Server 2008 machines, with identical test users set up on both.
We settled upon the following HAProxy configuration:
defaults
clitimeout 1h
srvtimeout 1h
listen VIP1 192.168.0.10:3389
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
persist rdp-cookie
balance rdp-cookie
option tcpka
option tcplog
server Win2k8-1 192.168.0.11:3389 weight 1 check inter 2000 rise 2 fall 3
server Win2k8-2 192.168.0.12:3389 weight 1 check inter 2000 rise 2 fall 3
option redispatch
Note that this is only a fragment of the haproxy.cfg file, showing the relevant options.
The load balancer’s Virtual IP is set to 192.168.0.10, listening on port 3389 for RDP. The two real servers are on 192.168.0.11 and 192.168.0.12, in the same subnet as the Virtual IP.
The two new configuration directives are persist rdp-cookie and balance rdp-cookie. These instruct HAProxy to inspect the incoming RDP connection for a cookie; if one is found, it is used to persistently direct the connection to the correct real server. The two tcp-request lines help to ensure that HAProxy sees the cookie on the initial request.
The only other tweak needed is to increase the clitimeout and srvtimeout values to one hour. In testing, this was found to be necessary to keep idle RDP sessions established.
Testing involved making multiple connections with different usernames, from varying IP addresses, using both Windows XP Professional and Linux clients. Sessions were disconnected and reconnected, and real servers removed from the cluster and re-inserted.
We found that, once a user had established a session with a particular real server, that user consistently reconnected to the correct server if it was available. When we removed and re-inserted servers, existing sessions were unaffected. After a simulated server failure, users could start a session on the remaining server.
When a failed server was brought back on-line, users that had been connected to that server would reconnect to it again - even if they had started a new session on the other server in the meantime. This may not be what you want, and requires further testing.
With client and server time-outs set to one hour, we were able to leave idle sessions running for 16 hours without problems.
For more information on the new configuration options, see the development version of HAProxy’s Configuration Manual.
November 9th, 2009 at 1:11 pm
It is great news that HAProxy now supports RDP Cookies! Now all it really needs for full functionality is some kind of CPU idle feedback method from the real servers. Enabling HAProxy to distribute new clients to the least loaded servers, this has been talked about on the HAProxy mailing list quite a lot so no doubt it will be on the way soon.
We have a Windows feedback service installer that responds to telnet on port 6666 with the CPU idle figure (0-100), I’d be happy to get the programmer to open source it under the GPL if anyone wants to use it?
January 17th, 2010 at 5:42 am
Hi Malcom
It is Terry from New Zealand, (It’s been a few years since we last talked).
I think it might be of interest to evaluate using this type of perpetual trial model (1Mb) and then pay as you grow for your excellent VSA product.
It would gain traction with certain cloud providers.
http://jariangibson.com/2009/09/18/netscaler-vpx-express-is-a-must-for-all-xenserver-environments/
http://jariangibson.com/2009/12/01/choosing-a-netscaler-hardware-appliance-or-virtual-appliance/
Regards
Terry Vercoe
January 17th, 2010 at 8:42 pm
Terry,
Yes long time no talk.. I’ve just got back from a cruise round New Zealand with the family (It was fantastic).
At the moment XEN proprietary or open source has very little traction with paying customers. But yes long term we are planning a whole host of virtualized load balancers like our current VMWare appliance (similar idea to Netscalers) i.e. an exact copy of our hardware OS/Software Stack runing on XEN/Microsoft etc. We have an Amazon EC2 platform close to release which relies heavily on HAProxy (as a lot of the layer 4 technology won’t work in the Amazon cloud). We also have several projects with ISPs integrating our load balancer to their various control panels.
Long term I think it would be great for the market if Google and Amazon came together to offer an open source cloud standard that would provide a platform with enough users to make commercial development of products a worthwhile effort; production cost wise (we’ve only had 3 serious XEN enquires but loads of VMWare sales…).
Our EC2 cloud development has taken over almost a year and that starts getting expensive! Maybe we should look at outsourcing all of our development to India?