The main purpose of the connection broker, formerly "session broker", is to reconnect a user to his existing session. Since Windows 2008, the connection broker has a load-balancing mechanism. HAProxy also provides this persistence feature with added security by acting as a reverse proxy to break the TCP connection between the client and the server.

Configuring RDS without a connection broker

It is possible to load-balance terminal services without relying on a connection broker component. In this case, HAProxy performs the persistence and session resumption using the mstshash cookie stored in a stick-table.

peers hapee
  peers hapee1 192.168.1.1:3389
  peers hapee2 192.168.1.2:3389


frontend ft_rdp
  mode tcp
  bind 192.168.13.128:3389 name rdp
  timeout client 1h
  log global
  option tcplog
  tcp-request inspect-delay 2s
  tcp-request content accept if RDP_COOKIE
  default_backend bk_rdp

backend bk_rdp
  mode tcp
  balance leastconn
  timeout server 1h
  timeout connect 4s
  log global
  option tcplog
  stick-table type string len 32 size 10k expire 8h peers hapee
  stick on rdp_cookie(mstshash)
  option tcp-check
  tcp-check connect port 3389 ssl
  default-server inter 3s rise 2 fall 3
  server srv01 192.168.13.13:3389 weight 10 check
  server srv02 192.168.13.14:3389 weight 10 check

It is possible to read the content from the stick table to know which user has been assigned to which server:

hapee-lb-cmd <<<"show table bk_rdp"
# table: bk_rdp, type: string, size:10240, used:5
0x21c7eac: key=Administrator use=0 exp=83332288 server_id=1
0x21c7eac: key=test-001 use=0 exp=83332288 server_id=2

Note

RDP clients do not behave the same way when sending mstshash cookie. See below.