Configuring Remote Desktop with HAProxy

The main purpose of the connection broker, formerly "session broker", is to reconnect a user to his existing session. Since Windows 2008, the connection broker has a load-balancing mechanism. HAProxy also provides this persistence feature with added security by acting as a reverse proxy to break the TCP connection between the client and the server.

Configuring RDS without a connection broker

It is possible to load-balance terminal services without relying on a connection broker component. In this case, HAProxy performs the persistence and session resumption using the mstshash cookie stored in a stick-table.

peers hapee
    peer hapee1 192.168.1.1:3389
    peer hapee2 192.168.1.2:3389


frontend ft_rdp
    mode tcp
    bind 192.168.13.128:3389 name rdp
    timeout client 1h
    log global
    option tcplog
    tcp-request inspect-delay 2s
    tcp-request content accept if RDP_COOKIE
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    timeout server 1h
    timeout connect 4s
    log global
    option tcplog
    stick-table type string len 32 size 10k expire 8h peers hapee
    stick on rdp_cookie(mstshash)
    option tcp-check
    tcp-check connect port 3389 ssl
    default-server inter 3s rise 2 fall 3
    server srv01 192.168.13.13:3389 weight 10 check
    server srv02 192.168.13.14:3389 weight 10 check

It is possible to read the content from the stick table to know which user has been assigned to which server:

$ hapee-lb-cmd <<<"show table bk_rdp"

# table: bk_rdp, type: string, size:10240, used:5
0x21c7eac: key=Administrator use=0 exp=83332288 server_id=1
0x21c7eac: key=test-001 use=0 exp=83332288 server_id=2

Note

RDP clients do not behave the same way when sending mstshash cookie. See below.

Interoperability issues with mstshash cookie

The mstshash cookie contains user's login information in various possible forms:

USER
DOMAINUSER
USER@DOMAIN

Moreover, RDP client implementations do not have the same behavior when sending the cookie information:

Certain Windows RDP client (mstsc.exe) truncates the user cookie to 9 characters
Linux rdesktop and xfreerdp limit the cookie to 127 characters
ProperJavaRDP and Elusiva's "Open Source Java RDP" fork both truncate the user cookie to 9 characters

HAProxy can modify the cookie before storing and matching it in the stick-table. For example, you can use the following rule to modify the cookie for a domain "DOM":

# Proxy section
    # ACL which determines whether the domain DOM is included at the beginning of the cookie
    acl domain_included rdp_cookie(mstshash),bytes(0,3) -m str -i DOM
    # applies to DOMUSER
    stick on rdp_cookie(mstshash),word(2,) if domain_included
    # applies to both USER and USER@DOM
    stick on rdp_cookie(mstshash),bytes(0,5) if ! domain_included

Warning

This rule does not work if your DOMAIN name is greater than 8 characters.

HAProxy Enterprise 1.8r2 Documentation

Searching HAProxy Enterprise 1.8r2

Configuring RDS without a connection broker