Remote Desktop Services can be a touchy subject for some, but I find this solution works well. When the need to provide external access arises I will typically use HAProxy to, you never would have guessed it, proxy the traffic to the appropriate places. It has proven to be rock solid in its performance, and offers decent logging when issues arise. Please note that additional security measures should be taken to secure this, so don’t just drop it in and think you’re done.
A lot of the configuration options are taken straight from the HAProxy documentation. I do suggest taking some time to read through the common options to help fine-tune your config. Before I drop my “template” config, let’s do a quick overview of what it contains (though I will have comments in the config). First things first, I set up the built-in stats page. This is very useful and I don’t see much reason not to set it up. I then redirect port 80 traffic (HTTP) to port 443 (HTTPS/SSL). Next up is to proxy any HTTPS/SSL traffic into the RDS server. Finally, we proxy the RDP traffic through and we’re good to go!
# Stats page (listens on all addresses; "stats admin if TRUE" grants the admin controls
# to anyone who passes the basic-auth prompt)
listen stats
    bind :9000
    mode http
    timeout client 6h
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth statsadmin:supersecretpassword
    stats admin if TRUE

# RDS HTTP to HTTPS redirect
frontend http_redirect_rds
    bind <PublicIP>:80
    mode http
    redirect location https://sub.domain.com

# RDS HTTPS proxy: mode tcp passes TLS through to the RDS server; it is not terminated here.
# "log global" assumes a global section with a log directive, which this template does not include.
frontend front_https_rds
    bind <PublicIP>:443
    mode tcp
    timeout client 6h
    log global
    option tcplog
    default_backend back_https_rds

backend back_https_rds
    mode tcp
    timeout server 6h
    balance roundrobin
    log global
    option tcplog
    option tcp-check
    server <ServerName> <ServerIP>:443 check

# RDS RDP proxy
frontend front_rdp
    bind <PublicIP>:3389 name rdp
    mode tcp
    timeout client 6h
    timeout client-fin 1m
    log global
    option tcplog
    option logasap
    # wait up to 5s for the X.224 Connection Request; accept as soon as an RDP cookie is seen
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
    default_backend back_rdp
    maxconn 100000

backend back_rdp
    mode tcp
    balance leastconn
    # send reconnecting sessions to the server named in the msts routing token
    persist rdp-cookie
    timeout server 6h
    timeout connect 5s
    timeout server-fin 1m
    log global
    option tcplog
    option tcp-check
    default-server inter 3s rise 2 fall 3
    server <ServerName> <InternalBrokerIPAddress>:3389 weight 10 check
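Both `tcp-request content accept if RDP_COOKIE` and `persist rdp-cookie` act on the Cookie line the client sends in its very first packet, the X.224 Connection Request. The Python below is an added example, not code from the post: it builds constructed requests, extracts that cookie, and decodes the Connection Broker's `msts` routing token (decimal little-endian IPv4, byte-swapped port, per MS-RDPBCGR) the way HAProxy's default rdp-cookie persistence does; the packets, cookie values and server set are all constructed.

```python
import struct

NEG_REQ = b"\x01\x00\x08\x00\x00\x00\x00\x00"  # rdpNegReq: TYPE_RDP_NEG_REQ, length 8, PROTOCOL_RDP

def build_cr(cookie_line=b""):
    """Constructed TPKT + X.224 Connection Request with an optional Cookie line (not real traffic)."""
    x224 = b"\xe0\x00\x00\x00\x00\x00" + cookie_line + NEG_REQ  # CR code, dst-ref, src-ref, class 0
    tpdu = bytes([len(x224)]) + x224                            # LI counts the bytes after itself
    return b"\x03\x00" + struct.pack(">H", 4 + len(tpdu)) + tpdu

def parse_cookie(pkt):
    """Return (name, value) of the cookie/routingToken in an X.224 CR, or None if absent."""
    if len(pkt) < 11 or pkt[0] != 3 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a complete TPKT packet")
    li = pkt[4]
    if pkt[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    var = pkt[11:5 + li]                      # variable part after the fixed 6-byte CR header
    end = var.find(b"\r\n")
    if not var.startswith(b"Cookie: ") or end < 0:
        return None
    name, _, value = var[8:end].partition(b"=")
    return name.decode(), value.decode()

def decode_routing_token(value):
    """msts=<ip>.<port>.<reserved>: IPv4 as a little-endian decimal, port with its bytes swapped."""
    ip_dec, port_dec, _reserved = value.split(".")
    ip = ".".join(str(b) for b in struct.pack("<I", int(ip_dec)))
    port = struct.unpack(">H", struct.pack("<H", int(port_dec)))[0]
    return ip, port

def pick_server(pkt, servers):
    """Mimic 'persist rdp-cookie': the token's server if it is in the backend, else None (load balance)."""
    cookie = parse_cookie(pkt)
    if cookie is None or cookie[0] != "msts":
        return None
    target = decode_routing_token(cookie[1])
    return target if target in servers else None

if __name__ == "__main__":
    broker = build_cr(b"Cookie: msts=3640205228.15629.0000\r\n")  # token from a broker redirect
    print(parse_cookie(broker), decode_routing_token(parse_cookie(broker)[1]))
    print(pick_server(build_cr(b"Cookie: mstshash=eltons\r\n"), {("172.31.249.216", 3389)}))
```

The `accept if RDP_COOKIE` rule only short-circuits the 5s inspect delay once a cookie is seen; a client that never sends one is still accepted when the delay expires, so the rule filters nothing on its own.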