To fill the gap left by the lack of an adequate load balancing solution for terminal services, the software company 2X has now released their LoadBalancer version 4.02 (formerly known as WTSGateway Pro).
Understanding 2X LoadBalancer
The previous name, “WTSGateway”, was not chosen by accident and is the easiest way to understand how the 2X LoadBalancer works. Let’s start with the two Gateway modes the 2X LoadBalancer offers: regular Gateway and SSL Gateway.
Regular Gateway mode
In the regular Gateway mode, every standard Microsoft RDP client or 2X Client connects to the IP address or DNS name of the 2X LoadBalancer, which first of all acts as a gateway. As with any gateway, all clients connect through it to the configured target servers; because the LoadBalancer itself listens on the RDP port, the RDP listener on the 2X server has to be moved to another port or disabled. Only at that point does the load balancing part come into play.
In a simple deployment the 2X LoadBalancer works like DNS round robin, with the advantage that failed servers are skipped. This deployment needs neither any software on the terminal servers nor a DNS reconfiguration.
To enhance the load balancing you have to install the 2X LoadBalancing Agent on every terminal server in the farm. The agent enables resource based (CPU, RAM, sessions) load balancing for each server in the farm: it is responsible for sending the server’s current load, which is the basis on which the 2X LoadBalancer chooses one of the configured servers for the next incoming session. The current load values can be viewed in the LoadBalancer monitor; more on the monitor later.
SSL Gateway mode
The 2X LoadBalancer offers RDP over SSL and therefore easy firewall traversal across the Internet using standard SSL encryption. To use the RDP over SSL feature you have to use the 2X Client, which is available for all 32-bit Windows platforms.
The SSL part is actually a great feature but at the same time a bit controversial. Good things first: it is extremely easy to enable the SSL Gateway, you don’t have to worry about certificates, and the client does not need any certificate installed! Many people struggle with the way certificates work, but 2X made it really “dummy proof”. Those last sentences will probably make some readers suspicious; the reason is explained below.
To activate SSL, just click on “Create a new certificate” and the “Create cert” window comes up. Fill out the “2-Digit country code” and the “Save file to” fields and you are ready to generate the certificate!
2X generates a private key and a CA root certificate that reside in the same file. 2X uses the certificate only to encrypt the RDP stream, which also lets the gateway listen on the standard SSL port 443.
This gives 2X the advantage that no certificate needs to be installed on the client side. Now wait a minute, what about the Common Name (CN)? The 2X Client is built to verify neither the CN nor whether the issuing root CA is in the client’s Trusted Root Certification Authorities store. The tunnel is encrypted, but the client cannot tell the real gateway from an attacker presenting any certificate at all, so it is vulnerable to man-in-the-middle attacks; everything inside the tunnel, including the logon credentials, is then readable by the attacker. On the other hand it is very easy and fast to deploy.
Make sure you have considered the man-in-the-middle risk before using the SSL Gateway mode. You can also use a certificate from a private or public CA, but that is a waste of time and money, since the 2X Client behaves the same way either way. This behavior is by design.
The only thing that needs to be done on the 2X Client is to enable the SSL Gateway option. In addition, the SSL connection also works through a proxy server.
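As an added illustration (my own example, not 2X code and not how the 2X Client is implemented internally), the following Python shows the two checks a TLS client has to make to resist a man-in-the-middle attack: first switched off the way this review describes the 2X Client behaving, then switched on. The peer certificate dictionary is constructed for the example, and `lb.example.com`, the `ts.example.com` wildcard and all function names are assumptions.

```python
"""Added example (not 2X code): certificate verification a TLS client
must do to resist a man-in-the-middle, shown as Python ssl contexts plus
a manual name check against a constructed peer certificate."""
import ssl
from typing import Optional


def gateway_style_context() -> ssl.SSLContext:
    """Behaves like the 2X Client as described in the review: the stream is
    encrypted, but neither the issuing CA nor the CN is verified, so any
    endpoint the traffic is redirected to can present its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no CN / SAN comparison
    ctx.verify_mode = ssl.CERT_NONE     # no chain check against a trusted CA
    return ctx


def verified_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: verify the chain against a trusted CA (the system store,
    or the gateway's own root CA exported to the client) and require the
    certificate name to match the host the client dialed."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def resists_mitm(ctx: ssl.SSLContext) -> bool:
    """Both checks are needed: chain validation alone accepts any valid
    certificate for any other name, name checking alone accepts any CA."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Manual name check, the step the 2X Client skips. `cert` has the shape
# returned by SSLSocket.getpeercert(): SAN entries plus a subject tuple.
def cert_names(cert: dict) -> list:
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for (k, v) in rdn:
            if k == "commonName":
                names.append(v)
    return names


def _match(pattern: str, host: str) -> bool:
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):              # one wildcard, leftmost label only
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def hostname_matches(cert: dict, host: str) -> bool:
    """True if the host the client dialed appears in the certificate."""
    return any(_match(n, host) for n in cert_names(cert))


# Constructed sample of what a verifying client would see from the gateway.
GATEWAY_CERT = {
    "subject": ((("countryName", "CH"),), (("commonName", "lb.example.com"),)),
    "subjectAltName": (("DNS", "lb.example.com"), ("DNS", "*.ts.example.com")),
}

if __name__ == "__main__":
    print("2X-style context resists MITM:", resists_mitm(gateway_style_context()))
    print("verifying context resists MITM:", resists_mitm(verified_context()))
    print("cert valid for lb.example.com:", hostname_matches(GATEWAY_CERT, "lb.example.com"))
    print("cert valid for evil.example.com:", hostname_matches(GATEWAY_CERT, "evil.example.com"))
```

The difference between the two contexts is the whole point of the review’s warning: with the first one the session key is negotiated with whoever answers on port 443. A client you write yourself could be given the root certificate 2X generated via `verified_context("2x-root.pem")` (assumed file name) and would then detect a substituted gateway; the shipped 2X Client does not do this.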
In Gateway mode every connection goes through the 2X LoadBalancer, which is therefore a single point of failure. If high availability is needed, Microsoft Network Load Balancing (NLB) can be used to combine two or more 2X LoadBalancers.
The number of concurrent connections through the LoadBalancer is not unlimited; once the latency gets too high, a second 2X server is needed.
Direct connection mode
The third mode is “direct connection” and is only available with the 2X Client. In this mode the 2X LoadBalancer acts more like a broker: the client first connects to the LoadBalancer only to retrieve the least busy server, and once it has that information it connects directly to the server. This mode can also be used when connecting through a firewall with Network Address Translation (NAT) configured, which is why the corresponding field in the 2X LoadBalancer configuration is called “Alternate Address”: it holds the address the client is told to connect to.
The advantage of the direct connection mode is that the LoadBalancer needs only minimal hardware resources, and if it fails only new connections fail to connect; established sessions are unaffected.
Disconnect / Reconnect
The 2X LoadBalancer supports reconnection to a disconnected session when the client still has the same IP address. In Gateway mode 2X also supports reconnection based on the username alone, regardless of whether the IP address has changed; just make sure you use the right username in the RDP client before you start the reconnection!
When using an Alternate Address, reconnection is not supported.
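To make the selection and reconnect rules concrete, here is an added Python example of a minimal broker. It is my own illustration, not 2X code; 2X’s actual load formula and agent timeout are not documented in this review. It covers the two selection policies from the Gateway mode section (round robin that skips failed servers, and agent-based least-load selection with fallback) and the reconnect rules from this section (same IP always, username alone in Gateway mode, no reconnect at all with an Alternate Address). The server names, load figures, the score weights and the 30-second agent timeout are constructed or assumed.

```python
"""Added example (not 2X code): a minimal broker making the decisions the
review describes. Loads and sessions are constructed; the score weights and
the agent timeout are assumptions, not 2X's documented behaviour."""
from dataclasses import dataclass
from typing import Optional

AGENT_TIMEOUT = 30.0   # assumption: no agent report for this long = server unhealthy


@dataclass
class Server:
    name: str
    reachable: bool = True                # result of a plain RDP port probe
    cpu: float = 0.0                      # percent, from the agent
    mem: float = 0.0                      # percent, from the agent
    sessions: int = 0
    max_sessions: int = 100
    last_report: Optional[float] = None   # timestamp of the last agent report


@dataclass
class Session:
    user: str
    client_ip: str
    server: str
    disconnected: bool = False


class Broker:
    def __init__(self, servers):
        self.servers = servers
        self.sessions = []        # what the connection log would record
        self._rr = 0

    def alive(self, s, now):
        if not s.reachable:
            return False
        return s.last_report is None or now - s.last_report <= AGENT_TIMEOUT

    def round_robin(self, now):
        """Simple deployment: DNS-style rotation that skips failed servers."""
        n = len(self.servers)
        for i in range(n):
            s = self.servers[(self._rr + i) % n]
            if self.alive(s, now):
                self._rr = (self._rr + i + 1) % n
                return s
        return None

    @staticmethod
    def load_score(s):
        # assumed weights; lower is better
        return 0.4 * s.cpu + 0.3 * s.mem + 0.3 * (100.0 * s.sessions / s.max_sessions)

    def least_loaded(self, now):
        """Agent deployment: lowest load among servers with a fresh report;
        a stale report counts as a failed server. No agent data at all
        falls back to round robin."""
        reported = [s for s in self.servers
                    if s.last_report is not None and self.alive(s, now)]
        if not reported:
            return self.round_robin(now)
        return min(reported, key=self.load_score)

    def find_disconnected(self, user, client_ip, gateway_mode, alternate_address):
        """Same IP always qualifies; in Gateway mode the username alone is
        enough; with an Alternate Address there is no reconnect at all."""
        if alternate_address:
            return None
        for sess in self.sessions:
            if not sess.disconnected:
                continue
            if sess.client_ip == client_ip or (gateway_mode and sess.user == user):
                return sess
        return None

    def connect(self, user, client_ip, now, gateway_mode=True, alternate_address=False):
        """Returns the name of the server the client is sent to, or None."""
        sess = self.find_disconnected(user, client_ip, gateway_mode, alternate_address)
        if sess is not None:
            sess.disconnected, sess.client_ip = False, client_ip
            return sess.server
        target = self.least_loaded(now)
        if target is None:
            return None               # every server down: refuse the connection
        self.sessions.append(Session(user, client_ip, target.name))
        target.sessions += 1
        return target.name


def agent_report(server, cpu, mem, sessions, now):
    """What the LoadBalancing Agent conceptually sends to the broker."""
    server.cpu, server.mem, server.sessions, server.last_report = cpu, mem, sessions, now
```

A practical consequence of the username rule is visible in `find_disconnected`: the broker matches on whatever username the client sends, so a mistyped or different username gets a fresh session on the least-loaded server while the old session stays disconnected on another server. Note also that a server whose agent stops reporting disappears from `least_loaded` after the timeout even if its RDP port still answers.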
LoadBalancer Logging & Monitoring
The latest version of the LoadBalancer comes with a monitor that shows the current load of each configured server that has the 2X Agent installed. The resource usage of CPU, memory, total sessions and disconnected sessions is constantly refreshed to show the current load.
Another nice feature is the capability to send alerts (e-mails or SNMP traps) when a defined threshold is reached for each resource: a real resource monitor with an alerting system.
The LoadBalancer logging keeps track of connections made through the LoadBalancer with detailed information about the client IP, connection time and date, target server and so on. The only thing missing is how the client connected: SSL or direct connection, with or without NAT.
Using the ICA Client
The 2X LoadBalancer supports ICA connections, but it is either ICA or RDP, not both at the same time. ICA works only on port 1494, which means no session reliability (port 2598) support is available when connecting through 2X. The question is, does ICA make sense with the 2X LoadBalancer? As a reminder, Citrix Access Essentials (CAE) is licensed per named user and would become quite expensive. The Citrix Presentation Server Standard edition would be an option for using load balancing from 2X.
A Load Balancing comparison
Now how does the 2X LoadBalancer perform against the Microsoft solutions for load balancing RDP sessions? I therefore created a chart and rated the different load balancing options. It is my own opinion, but if you have used WNLB, for instance, you have a frame of reference.
The following table shows a comparison between Windows Network Load Balancing (WNLB), DNS round robin, the Session Directory service in combination with NLB, and the 2X LoadBalancer. There are five criteria: reconnect, resource load balancing, price/value, failover and ease of setup. 10 points, or 20%, is the maximum for each criterion.
The 2X LoadBalancer’s SSL/NAT support and the resource monitor are extra features outside load balancing proper and are therefore just marked with a plus. When evaluating the 2X LoadBalancer, these features and their value should be considered.
Summary
The 2X LoadBalancer is a fast and easy to deploy solution for load balancing RDP/ICA sessions. The RDP over SSL support is simple to configure, with no client configuration and no need to buy a public certificate, but you have to weigh the security risk: the client verifies neither the certificate’s CN nor its issuer. The new resource monitor rounds out the product with an e-mail alerting system where custom thresholds can be set.
Advantages
- Fast and easy deployment
- SSL and NAT support for easy firewall traversal
- No need to buy a public certificate
- Session reconnect support by username
- Resource based load balancing
- Server resource monitor with e-mail alerting
Disadvantages
- SSL support only with the 2X Client
- No Java client for use with the SSL Gateway or direct connection mode
- Security risk when using the SSL Gateway mode (no certificate validation, so man-in-the-middle attacks are possible)
References
2X LoadBalancer product page: http://www.2x.com/loadbalancer/
2X LoadBalancer 30-day trial: http://www.2x.com/loadbalancer/download.htm
Windows Server 2003 R2 pricing: http://www.microsoft.com/windowsserver2003/howtobuy/licensing/pricing.mspx
Overview of the Session Directory Technology in Terminal Services: Microsoft Knowledge Base article Q301926
Using Terminal Server with Windows Load Balancing Service: Microsoft Knowledge Base article Q243523
We are currently using 1024-bit SSL encryption on our intranet and Moodle. This is causing a lot of issues with login speeds over the wireless network. Is there any way we can speed it up? Would LoadBalancer help?