Load balancing Remote Desktop Services Web Access & Gateway with KEMP Load Master for Azure

Posted on

Kemp Default Blog Image

Guest post by Freek Berson, Microsoft MVP on RDS

Recently, Kemp Technologies has released their KEMP LoadMaster for Azure which they offer for free! I wrote a quick blog post recently on why this is interesting. In this blog post I want to describe a specific scenario based in a lab I have built in Azure using the KEMP Load Master for Azure and compare that solution to the load balancing options Windows Azure offers in the box.

KEMP Windows Azure

Remote RDS in Azure

The scenario is setting up Remote Desktop Services (or Session-Based VDI) in Azure, which Microsoft has started to support since the change in the PUR in July 2013.

My lab environment contain the following servers

DC01Active Directory Domain Services
SQL01SQL Server 2012
RDS01RD Connection Broker RD Web Access RD Session Host RD Gateway
RDS02RD Connection Broker RD Web Access RD Session Host RD Gateway

All servers are running Windows Server 2012 R2 (preview).

In the environment I have performed a Standard Session-Based Deployment and after finishing this deployment, I added RD Connection Broker High Availability, resulting in a centrally stored database running on the SQL01 which is used by the RD Connection Broker role running on both the RDS01 and the RDS02 in an active-active scenario.

The RD Connection Broker role itself comes with an internal load balancing mechanism to balance the workload on the RD Session Host Servers and allow reconnecting to disconnected sessions. So that creates High Availability for the RD Session Host role. However, as you can see I have also deployed the RD Web Access and RD Gateway on the multiple servers. How are we going to make sure we have load balancing for that too?

These two roles actually need to be published to the outside in order for people to access the RDS environment. They will browse to the RD Web Access page, login, select a Remote App of Full Desktop and they will then connect to an the RD Connection Broker and get redirected to a RD Session Host, all by connecting through the RD Gateway.

Since these two roles need to be contacted from the outside, we need to have a mechanism that allows us to publish these roles to the outside in a load balanced manner.

Load Balancing in Azure today

Today, Azure supports a way to load balance services on multiple machines running in Azure. You can do so by configuring a load balanced set. This works great for most common web sites, however, the load balancing options in Azure are a black box, and you cannot control or setup anything besides a protocol and a port. First of all, you cannot configure Session Affinity (sticky sessions). These services allow users not to be redirected to different servers during a single session. And yes, you can argue that the fact that some services need Session Affinity is their problem, the reality however is that in some scenario’s you simply can’t get away with that. And also, settings like time out and a Weight per destination server cannot be configured.

There is however a new feature that has been added to Azure very recently which is called Windows Azure Traffic Manager. This feature is currently in preview in Windows Azure and allows taking more control over the load balancing. With Windows Azure Traffic Manager you can choose between different load balancing mechanisms like Round Robin, Performance and Failover. No actual service traffic routes through Windows Azure Traffic Manager. In case of Round Robin, the user’s computer calls the cloud service directly and Windows Azure Traffic Manager resolves the DNS entry for the company domain to the IP address of the cloud service. The performance method locates the origin of the traffic and routes it to the closest cloud service. “Closeness” is determined by a network performance. Both scenarios are based on a DNS Time-to-Live (TTL), clients will continue to use a given cloud service until its local DNS cache expires. Therefor there is not real Session Affinity, other than to rely on the DNS TTL (which you could of course set to i.e. 24 hours).

With both methods currently available in Azure (Load Balanced Set & Windows Azure Traffic Manager) we are able to configure basic load balancing, however more advanced features like Weight, true session affinity and load balancing statistics are still missing. This is where KEMP adds extra value.

For the roles we are publishing to the outside in this lab, RD Web Access is perfectly fine without Session Affinity and you could therefore also set this up with the out-of-the-box Azure load balanced set solution. In this case however, we will also load balance RD Web Access with KEMP Load Master for Azure to make use of the additional features we just described.

RD Gateway another story

The story is different for the other role however, RD Gateway. Why is this?

Before Windows Server 2012, RD Gateway only used a single channel. With Windows Server 2012 and going forward, RD Gateway now uses a new method based on two HTTP channels (one for input and one for output). These two channels need to be routed through the same RD Gateway. We therefor need a load balancing mechanism that can either do IP affinity, cookie-based affinity, or SSL ID-based affinity. Because of that the Azure Load Balanced set or Windows Azure Traffic Manager solution is not fully compliant to load balance RD Gateway 2012 R2. Hence, the Use Case for KEMP Load Master for Azure in this scenario.

As said before, KEMP Technologies provides the Load Master for Azure for free by providing an on request download of a .VHD file.

How to get the LoadMaster for Azure

I will quickly run through the process of getting the Load Master in Azure. For more instructions also watch their deployment video.

After downloading the .VHD file, we first of all need to install Windows Azure PowerShell, which you can download from here. Second, browse to this link to get your Publish Profile settings file specific to your Azure subscription.

If that is all in place we need to run the following 3 PowerShell commands to upload the VHD to Azure and create an image.

  1. Run the command below and point to the publish settings file you downloaded earlier:

Import-AzurePublishSettingsFile C:\Download\MySettings.publishsettings

Note that in some cases the following error might occur

VERBOSE: Setting: Windows Azure MSDN – Visual Studio Professional as the default and current subscription. To view other subscriptions use Get-AzureSubscription you may need to explicitly set the current Azure Subscription.

In that case use the Select-AzureSubscription command to set the correct subscription.

  1. Run the following command and point to the .vhd file you downloaded earlier and your environment specific blob storage location.

Add-AzureVhd -LocalFilePath C:\Download\LoadMaster-VLM-7.0-3-Azure\LMAzure.vhd -Destination http://example.blob.core.windows.net/vhds/lmazure.vhd

  1. Run the following command to add a new Image in Azure based on the uploaded .vhd file.

Add-AzureVMImage -ImageName lmazure –MediaLocation


And that’s it! We now have a new image available in Azure which we can use to build a new virtual machine in Azure.

The process of creating the VM from this image is also very straight forward, and fully covered in the KEMP video instruction as well, so I won’t repeat that process here. I’m assuming the VM is running and accessible, so let’s take a closer look at publishing RD Gateway and RD Web Access.

The first step would be to create a Virtual Service, where we specify the Virtual Address, this is the internal address of the KEMP Load Master. Because both RD Web Access and RD Gateway use TCP port 443 that’s the only port we’ll specify for now.

In the Standard Options section we configure the persistence options we need for RD Gateway by selecting Source IP Address.

After saving the configuration of the Virtual Service, it’s time to add the servers we want to load balance (referred to as Real Servers). We specify this as follows:

If the KEMP Load Master is able to access the Real Server successfully you should see the following status for each Real Server.

To make the KEMP Load Master accessible from the outside we create an endpoint on the Load Master VM in Azure, for port 443 with the following properties;

The RDS environment should now be accessible, when we browse to the DNS name of the Load Master VM and add /rdweb. We’re presented with the RD Web Access page, and upon logon with the Full Desktop published.

And when launching the Full Desktop client will access the KEMP Load Master on port 443 which results in a connection to one of the RD Gateway servers based on the load balancing mechanism in KEMP.

We can see connections coming in by looking at the statistics in Load Master.

And we have insight in all kinds of metrics and statistics

Now we’re up and running some final notes

With the environment now up and running we have a RDS environment, with RD Gateway and RD Web Access now load balanced by KEMP Load Master. There is however one last important thing to mention here. As you might now, Remote Desktop Protocol 8.0 also supports UDP where previously only TCP was used. This is part of the improvements Microsoft made on the overall experience of the RDP protocol. In order to use UDP we obviously need to publish the UDP port (port 3391) in Azure and in our Load Balancing configuration. However, the KEMP Load Master does not support load balancing UDP without transparency. According to Kemp Technologies this isn’t possible in Azure yet due to platform limitations. They have however told me they are actively engaging with the Azure teams at Microsoft. So we might see this in the future. In theory it would be possible to publish UDP directly on the end point (RD Gateway servers) however, there is no way to configure the RDP client to send TCP traffic Load Master and UDP traffic directly to RD Gateway. For now, the important take away for this specific scenario is that the protocol improvements that come with using RDP over UDP cannot be used with LoadMaster yet.

And as a last comment, with the setup described in this blog post we obviously have 1 Single Point of Failure left, the LoadMaster itself, since it consist of a single instance. Since this is a free product, some features are obviously not included, that are included in other Virtual Load Balancers that KEMP offers, i.e. High Availability. When designing the load balancer architecture for your production environments, check out the overview of the different Virtual Load Balancers KEMP offers online. I’m engaging with KEMP Technologies to see if we can do some further testing specifically on High Availability and discuss this in an upcoming article.

LoadMaster: easy setup and lots of options

My conclusion, KEMP Load Master brings a lot of flexibility, configuration options and metrics and statistics of your load balanced environment in Azure. On top of that the setup is really easy to perform, especially with the (video) guides KEMP Technologies delivers with it. And since the Load Master for Azure is a free license, (even with free online support!) the only costs you have are the Azure costs for running the Load Master VM. In other words, if you’re looking for a load balancing solution offering more than Windows Azure delivers today, KEMP Load Master for Azure is a great option!

About Freek Berson

Freek works as a Windows Platform Specialist at Wortell and is a Microsoft MVP on RDS.

Go here to Contact Freek or check out his blog at TheMicrosoftPlatform.net. You can also follow him on twitter at @fberson

Posted on

Kemp Technologies

Kemp Technologies