HAProxy Enterprise 1.8r2
Configuring Remote Desktop with HAProxy
The main purpose of the connection broker (formerly the "session broker") is to reconnect a user to their existing session. Since Windows 2008, the connection broker has also provided a load-balancing mechanism. HAProxy provides the same persistence feature, with added security, by acting as a reverse proxy that terminates the TCP connection between the client and the server.
Configuring RDS without a connection broker
It is possible to load-balance terminal services without relying on a connection broker component. In this case, HAProxy handles persistence and session resumption itself, using the mstshash cookie sent by the RDP client and stored in a stick table.
peers hapee
    # peer names must match each instance's hostname (or its -L value) for sync to apply
    peer hapee1 192.168.1.1:3389
    peer hapee2 192.168.1.2:3389

frontend ft_rdp
    mode tcp
    bind 192.168.13.128:3389 name rdp
    timeout client 1h
    log global
    option tcplog
    # wait up to 2s for the X.224 Connection Request that carries the mstshash cookie
    tcp-request inspect-delay 2s
    tcp-request content accept if RDP_COOKIE
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    timeout server 1h
    timeout connect 4s
    log global
    option tcplog
    # user -> server mapping, replicated to the other instance through the peers section
    stick-table type string len 32 size 10k expire 8h peers hapee
    stick on rdp_cookie(mstshash)
    option tcp-check
    tcp-check connect port 3389 ssl
    default-server inter 3s rise 2 fall 3
    server srv01 192.168.13.13:3389 weight 10 check
    server srv02 192.168.13.14:3389 weight 10 check
You can read the content of the stick table to see which user has been assigned to which server:
hapee-lb-cmd <<<"show table bk_rdp"
# table: bk_rdp, type: string, size:10240, used:5
0x21c7eac: key=Administrator use=0 exp=83332288 server_id=1
0x21c7eac: key=test-001 use=0 exp=83332288 server_id=2
Note
RDP clients do not all behave the same way when sending the mstshash cookie. See below.
Interoperability issues with mstshash cookie
The mstshash cookie carries the user's login information in one of several forms:
USER
DOMAIN\USER
Moreover, RDP client implementations differ in how they send the cookie:
Some Windows RDP clients (mstsc.exe) truncate the user cookie to 9 characters
Linux rdesktop and xfreerdp limit the cookie to 127 characters
ProperJavaRDP and Elusiva's "Open Source Java RDP" fork both truncate the user cookie to 9 characters
HAProxy can modify the cookie before storing it in, and matching it against, the stick table. For example, the following rules rewrite the cookie for a domain named "DOM":
# ACL which determines whether the domain DOM is included at the beginning of the cookie
acl domain_included rdp_cookie(mstshash),bytes(0,3) -m str -i DOM
# applies to DOM\USER: keep only the second backslash-separated word (the user name)
stick on rdp_cookie(mstshash),word(2,\\) if domain_included
# applies to both USER and USER@DOM: keep the first 5 bytes
stick on rdp_cookie(mstshash),bytes(0,5) if ! domain_included
Warning
This rule does not work if your domain name is longer than 8 characters: a client that truncates the cookie to 9 characters then sends neither the backslash nor the user part, so the domain check and the word() extraction both fail.
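The following Python script is an added example, not part of this page or of HAProxy. It builds a constructed X.224 Connection Request carrying an mstshash cookie, extracts the cookie the way rdp_cookie(mstshash) does, and applies the same stick-key derivation as the rules above (bytes(0,3) domain check, word(2,\\), bytes(0,5)), so you can see what key each client form produces and why the 9-character truncation breaks persistence for domains longer than 8 characters. The cookie values and the mstsc_truncate() model are assumptions built from the behaviour this page describes.

```python
import struct

COOKIE_PREFIX = b"Cookie: mstshash="

def build_connection_request(cookie: str) -> bytes:
    """Constructed X.224 Connection Request (TPKT + X.224 CR TPDU + routing
    token line) in the shape an RDP client sends before any TLS handshake."""
    token = COOKIE_PREFIX + cookie.encode("ascii") + b"\r\n"
    # X.224 CR: LI, CR code 0xE0, DST-REF(2), SRC-REF(2), class 0, then the token
    x224 = bytes([6 + len(token), 0xE0, 0, 0, 0, 0, 0]) + token
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224  # TPKT version 3

def extract_mstshash(packet: bytes) -> str:
    """What rdp_cookie(mstshash) does: validate TPKT/X.224 CR and pull the token."""
    if len(packet) < 11 or packet[0] != 3:
        raise ValueError("not a TPKT packet")
    (length,) = struct.unpack("!H", packet[2:4])
    if length != len(packet) or (packet[5] & 0xF0) != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = packet[11:]
    if not body.startswith(COOKIE_PREFIX):
        raise ValueError("no mstshash cookie")
    end = body.find(b"\r\n", len(COOKIE_PREFIX))
    if end < 0:
        raise ValueError("unterminated cookie")
    return body[len(COOKIE_PREFIX):end].decode("ascii")

def stick_key(cookie: str, domain: str = "DOM") -> str:
    """Mirror the page's rules: the ACL compares bytes(0,len(domain)) to the
    domain case-insensitively; then word(2,\\) if it matches, else bytes(0,5)."""
    if cookie[:len(domain)].lower() == domain.lower():
        words = [w for w in cookie.split("\\") if w]  # word() skips empty fields
        return words[1] if len(words) > 1 else ""    # "" = no key, stick rule skipped
    return cookie[:5]

def mstsc_truncate(cookie: str) -> str:
    """Model (assumption) of the mstsc.exe behaviour described on the page."""
    return cookie[:9]

if __name__ == "__main__":
    for raw in ("DOM\\alice", "alice", "alice@DOM", "LONGDOMAIN\\alice"):
        sent = mstsc_truncate(raw)
        got = extract_mstshash(build_connection_request(sent))
        print(f"{raw!r:20} on the wire {got!r:14} key {stick_key(got, 'DOM')!r}")
```

With a 10-character domain, every truncated cookie from that domain yields the same 5-byte key, so all of its users stick to one server and the mapping no longer identifies a user at all.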