make sure you DO NOT enable Direct Server Return on your endpoint Load Balanced Set:
In November of 2014 support was added for Source IP Affinity (also known as session affinity or client IP affinity) in the Azure Load Balancer. Before that it was not compatible with Remote Desktop Gateway. You could sort of load balance your RDGWs but it required you to put every RDGW server in its own cloud service and the use Azure Traffic Manager to load balance. With this approach you could not put your RDGW servers in the same availability set, so you had no guarantee that your gateways would be distributed across fault and update domains. Boldly, or foolishly, depending on your point of view, I decided to try anyway to use the Azure Load Balancer for RDGW, even though I knew it was not supported. Of course it did not work, but when eventually support was added I ran into problems.
After client IP affinity support was added to the load balancer I reconfigured my endpoints of my RDGW VMs:
Set-AzureLoadBalancedEndpoint –ServiceName <cloud service name> -LBSetName “RDGW HTTPS” -Protocol tcp –LocalPort 443 -ProbeProtocolTCP -ProbePort 443 -LoadBalancerDistribution “sourceIP”
Set-AzureLoadBalancedEndpoint –ServiceName <cloud service name> -LBSetName “RDGW UDP” -Protocol UDP -LocalPort 3391 –ProbeProtocolTCP -ProbePort 443 -LoadBalancerDistribution “sourceIP”
The sourceIP value in the LoadBalancerDistribution parameter is the critical one and it can only be set through PowerShell.
But still no connections… I tried all sorts of things. Since this had never worked I didn’t know if it was failing because of a misconfiguration or something in the Load Balancer. The only difference in setup I could find was that my load balanced endpoints had Direct Server Return enabled. This was something I had decided to try back when I first set it up. There was not much documentation back then about what Direct Server Return actually did. But now there is a description in the portal:
DIRECT SERVER RETURN
Direct server return configures a virtual machine’s endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL Always On Availability Groups in SQL Server. This setting can’t be changed after you create the endpoint.
So, not for RDGW at all…
Unfortunately you cannot disable DSR without deleting and recreating your endpoints. After removing and adding them again I was able to connect through the load balancer.
Since traffic to a particular instance behind the load balancer now is determined by the source IP, all traffic from the same IP goes to the same instance, you might experience an uneven distribution of load. Clients behind a proxy or NAT router will all end up on the same instance.
More information:
- Azure Load Balancer new distribution mode
- Microsoft Azure Desktop Hosting: RD Gateway Farm Deployment Guidance Updated To Support Azure Load Balancer Client IP Affinity
- Set-AzureLoadBalancedEndpoint cmdlet
- Microsoft Azure Desktop Hosting Reference Architecture Guide
BTW I wish the Remote Desktop PG would stop putting all their guides in Word docs, would be so much better on a web page…