

load balance MSRDP traffic

I just need a basic iRule to direct incoming requests from 3 VIPs to 2 pools. I've done this before with HTTP traffic but not RDP; I'm hoping to re-use an existing iRule, modified of course for MSRDP traffic -

when HTTP_REQUEST {
    # Check requested host header (set to lowercase)
    # The literals must be lowercase too, otherwise nothing can match the lowercased host
    switch [string tolower [HTTP::host]] {
        "vip1" {
            pool TS_2008_Test_Pool
        }
        "vip2" {
            pool Pool_Review
        }
        "vip3" {
            pool Pool_Review
        }
    }
}

TIA,

Phillip

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
If you are using RDP then I believe you can replace HTTP_REQUEST with CLIENT_ACCEPTED.

However, are the 3 virtual addresses the same address on different ports?

#CB
Hi Phillip,

I don't believe there is a concept of hostname in RDP. This doc from MS (section 2.2 Message Syntax) seems to support that.

I think the client just resolves the hostname to an IP address and tries to establish a TCP connection with that IP address.

Aaron
@CB - Yes, I am looking for the correct "CLIENT_ACCEPTED" syntax. The 3 VIPs internally have 3 unique IPs but all respond on port 3389.
What is the condition to which pool it will choose?
#CB

The condition would be the vip the client enters to initiate their RDP session.
If you have 3 VIPs then I am assuming you mean each VIP connection will either go to pool 1 or 2, where pool 1 and 2 are the same pools in each separate VIP, correct? If that is the case then you will need something to tell you which pool (pool 1 or 2) to choose from.

#CB
When the client brings up mstsc.exe they will enter "new.vip.com", or "old.vip.com", or "reallyold.vip.com". new.vip.com needs to route to Pool1, old.vip.com and reallyold.vip.com need to route to Pool2.
As Aaron had stated, RDP doesn't insert hostnames in any of its headers, just the IP address. So what you are asking is, from what I can tell, not possible.

#CB
If new.vip.com, old.vip.com and reallyold.vip.com each resolve to unique IP addresses, you could configure whichever pool you want on each virtual server. But like CB said, I don't think it's possible to determine which hostname the client used to resolve to the virtual server IP address.

Aaron
How about something like this -

when CLIENT_ACCEPTED {
    # Hold the connection and gather the first 25 bytes of client payload
    TCP::collect 25
}
when CLIENT_DATA {
    # Select a pool based on the collected bytes, then let the data flow
    if { [TCP::payload 25] contains "legacy" } {
        pool Pool_Review
    } else {
        pool TS_2008_Test_Pool
    }
    TCP::release
}
Hi Phillip,

I don't think that will work, as the TCP payload won't contain the hostname. To test this, try capturing a tcpdump on your client using Wireshark while you connect using RDP to a remote host. You can try testing by IP address, hostname or using a fake hostname set in your hosts file for the remote host. I don't think you'll see the hostname or the hosts file entry in the TCP packets your client sends to the remote host. This is because RDP doesn't have a concept of a host header like HTTP does. The client just resolves the hostname to an IP address and then attempts to establish the RDP connection with that IP address.

This means you'll need to have separate IP:port combinations for each RDP pool. If you don't want to require clients to specify the port when using mstsc, you'll need to have separate VIPs each defined on port 3389 for each pool.

Aaron
Hmm, ok. What, then, is the proper way to balance RDP traffic in the F5 where I *don't* know an IP range the client is coming from and RDP does not give me header info to query against to route traffic?

Phillip
Do each of the hostnames (new.vip.com, old.vip.com and reallyold.vip.com) resolve to separate IP addresses? Or can you change DNS so they do? You could then configure three separate VIPs pointing to which ever pool you want used for each hostname.

Aaron
The 3 VIPs externally resolve to the same IP; internally they resolve to 3 different IPs. Yes, I can configure the VIPs on the F5 to statically point to the appropriate pool, but that seems like such a lame way to use the F5.
That may be, but in this case it is a protocol limitation, not a limitation on the BIG-IP. If you control the clients, you could always force the initial username request to pass your unique vipID and distribute traffic that way. User will punch in correct credentials once the login shows up.
I guess I'm also still wondering in what scenario this iRule would work? What all is in the TCP payload that could be inspected?

when CLIENT_ACCEPTED {
    TCP::collect 25
}
when CLIENT_DATA {
    if { [TCP::payload 25] contains "legacy" } {
        pool Pool_Review
    } else {
        pool TS_2008_Test_Pool
    }
    TCP::release
}
@citizen_elah, could you explain "force the initial username request to pass your unique vipID" please.
Sure. One of the few things available in the clear is the username or routing token for session mapping. If session directory is enabled, this presents as msts=.... where the value can be extracted into an IP:port. Without session directory, the user credentials are available as mstshash=...... If the clients are on controlled builds, you can force them (or request them) to use old, reallyold, or new as the username so you can balance accordingly. Here's an old thread that approaches this from the persistence angle, but could be modified to switch pools as necessary:

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=25271

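The first packet an RDP client sends is an X.224 Connection Request (MS-RDPBCGR section 2.2.1.1), and it is the only place where the items citizen_elah lists above (the mstshash= username identifier or the msts= session-directory routing token, plus the rdpNegReq) travel in the clear. The following Python parser is an added example, not code from this thread or from F5: it builds constructed sample packets, extracts those fields, and applies the username-marker scheme to pick a pool, which also answers Phillip's earlier question about what the TCP payload contains. The pool names are the thread's; POOL_BY_MARKER, DEFAULT_POOL, the sample cookies and the routing-token value are assumptions made up for the example.

```python
"""Parse the RDP X.224 Connection Request and show what a load balancer can see in the clear.
Added example (not from the DevCentral thread). Packet layout per MS-RDPBCGR 2.2.1.1."""
import socket
import struct
from typing import Optional

TPKT_VERSION = 3            # TPKT header version byte (RFC 1006)
X224_CR = 0xE0              # X.224 Connection Request TPDU code
NEG_REQ = 0x01              # rdpNegReq structure type
COOKIE_PREFIX = b"Cookie: "

# Assumed mapping for the thread's scheme: clients type a marker word as the username.
POOL_BY_MARKER = {"new": "TS_2008_Test_Pool", "old": "Pool_Review", "reallyold": "Pool_Review"}
DEFAULT_POOL = "TS_2008_Test_Pool"   # assumption: unknown or absent marker goes here


def build_connection_request(cookie_line: Optional[bytes] = None,
                             requested_protocols: Optional[int] = None) -> bytes:
    """Build a TPKT-framed Connection Request like mstsc's first packet (constructed test data).
    cookie_line is the full ANSI line without CRLF, e.g. b"Cookie: mstshash=reallyold"."""
    body = bytes([X224_CR, 0, 0, 0, 0, 0])          # CR|CDT, DST-REF(2), SRC-REF(2), class option
    if cookie_line:
        body += cookie_line + b"\r\n"                  # routingToken/cookie field, CRLF terminated
    if requested_protocols is not None:
        body += struct.pack("<BBHI", NEG_REQ, 0, 8, requested_protocols)   # rdpNegReq, little-endian
    x224 = bytes([len(body)]) + body                   # LI counts the bytes that follow it
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def decode_routing_token(token: str) -> Optional[str]:
    """Session-directory token 'ip.port.0000' where ip is a little-endian uint32 and port a
    little-endian uint16 (so 3389 shows up as 15629). Returns 'a.b.c.d:port' or None."""
    try:
        ip_le, port_le, _reserved = token.split(".")
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_le)))
        port = struct.unpack(">H", struct.pack("<H", int(port_le)))[0]
        return "%s:%d" % (ip, port)
    except (ValueError, struct.error):
        return None


def parse_connection_request(data: bytes) -> dict:
    """Return the identifying fields present in the client's first packet. Note there is no
    field for the hostname the user typed into mstsc; the client only sends it to DNS."""
    if len(data) < 4 or data[0] != TPKT_VERSION:
        raise ValueError("not a TPKT-framed PDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len < 11 or len(data) < tpkt_len:
        raise ValueError("short read: need %d bytes, have %d" % (tpkt_len, len(data)))
    li = data[4]
    if data[5] != X224_CR:
        raise ValueError("not an X.224 Connection Request")
    rest = data[11:5 + li]      # variable part: optional cookie line, then optional rdpNegReq
    info = {"username": None, "routing_token": None, "route": None, "requested_protocols": None}
    if rest.startswith(COOKIE_PREFIX):
        eol = rest.find(b"\r\n")
        if eol == -1:
            raise ValueError("unterminated cookie line")
        line = rest[len(COOKIE_PREFIX):eol].decode("ascii", "replace")
        rest = rest[eol + 2:]
        if line.startswith("mstshash="):        # no session directory: username identifier
            info["username"] = line[len("mstshash="):]
        elif line.startswith("msts="):          # session directory (broker) routing token
            info["routing_token"] = line[len("msts="):]
            info["route"] = decode_routing_token(info["routing_token"])
    if len(rest) >= 8 and rest[0] == NEG_REQ:
        info["requested_protocols"] = struct.unpack("<I", rest[4:8])[0]   # e.g. 1=TLS, 2=CredSSP
    return info


def choose_pool(data: bytes) -> str:
    """What a CLIENT_DATA iRule would do with the collected bytes: allow-list the marker and
    fall back to a default pool. The cookie is client-controlled, so never trust it further."""
    info = parse_connection_request(data)
    if info["username"] is None:
        return DEFAULT_POOL
    return POOL_BY_MARKER.get(info["username"].lower(), DEFAULT_POOL)


if __name__ == "__main__":
    samples = {   # constructed packets, not captures
        "marker username": build_connection_request(b"Cookie: mstshash=reallyold", 0x3),
        "broker routing token": build_connection_request(b"Cookie: msts=3640205228.15629.0000"),
        "no cookie at all": build_connection_request(requested_protocols=0x3),
    }
    for name, pkt in samples.items():
        print(name, parse_connection_request(pkt), "->", choose_pool(pkt))
        assert b"vip.com" not in pkt   # the typed hostname never reaches the wire
```

Two things carry over to an iRule. First, collect by the TPKT length in bytes 3 and 4 of the payload rather than a fixed 25 bytes, since a cookie line can be longer than that and a short collect would miss it. Second, the marker only works when the client actually sends it: mstsc sends mstshash= based on the username in the dialog and truncates it to nine characters, and a malicious client can put anything there, so allow-list the markers, default everything else, and never forward to the IP:port decoded from an msts= token unless it is an existing pool member.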
I am so lost now. What and where is "session directory"? What does "username" have to do with any of this?
The RDP client username field could be used as a workaround to your problem. If you can't guarantee client compliance, however, it's probably best not to rely on this. Session directory is a Windows Terminal Services feature that assists in getting wayward RDP sessions back to the original server so a user doesn't orphan multiple sessions in a TS farm due to faulty persistence schemes.
We have GPOs that take care of wayward/orphaned sessions. All of our clients TS into us and only use IE for a custom app, so no need to persist sessions etc. I have also now learned that the 3 external VIPs will resolve to the same IP. Is there something in the TCP payload that can be inspected? Can I use something else in the flow of traffic to query on, such as a cookie?

Also, I have a FirePass device; can that be used in some way to tag the traffic?