2008 Terminal Server Farm, using MS NLB

Thread starter: Marc (Guest)
I installed NLB on a 2008 Terminal Server, created the NLB farm, and added
this Terminal Server. I opened my firewall the same exact way I have for my
2003 Farm (EXT IP NAT's to INT IP). I can see my RDP connection being ALLOWED
at the firewall, but it does not connect to the TS farm. From within the same
network I can RDP to the farm's internal IP address, but not from the external
IP. Am I missing a setting on the server or somewhere else? Currently there
is only one 2008 Terminal Server in the farm.
 
Re: 2008 Terminal Server Farm, using MS NLB

The load balancing is not a proxy. You will need to open ports for your
terminal servers as well. LB just gets the connection to the server; after
that it's direct to the server. Also, this is a highly, highly insecure
method of granting external access to your terminal servers. You are
exposing your internal network to the internet. Software from Provision
Networks (yes, I'm an employee) or Citrix can alleviate this. It's best to
spend a bit of money up front rather than expose your network for no reason
whatsoever.

Jeff Pitsch
Microsoft MVP - Terminal Services


 
Re: 2008 Terminal Server Farm, using MS NLB

I currently run a 2003 TS Farm set up the exact same way. Ports are open to
the TSs also, but that is not needed for MS NLB. I believe my issue may be
with the drivers for the NIC; it doesn't seem to like using two IP addresses for
the NLB NIC with the default 2008 drivers. As far as "The load balancing is
not a proxy", I understand that, but I still have to allow traffic through
3389. Since when is NAT'ing a server port through a firewall "highly,
highly insecure"?

 
Re: 2008 Terminal Server Farm, using MS NLB

When you give direct access to your internal network, that is highly
insecure. Why do you think VPNs were created? NAT is not a security
measure. Scanning and hacking 3389 is extraordinarily easy to do. That is
why Microsoft has finally come out with their TS Gateway; Citrix has had one
for years, as has Provision Networks. Those are security measures to
protect your network; NAT is not. In other words, these products only give
access to the DMZ, not your internal network at all.

Jeff Pitsch
Microsoft MVP - Terminal Services

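Both of Jeff's replies rest on the same point: NLB is not a proxy, so the NATed port lands directly on the terminal server, and a listener on 3389 is trivial to find and fingerprint from the Internet. The block below is an added example, not code from this thread, from Microsoft or from Provision Networks: a Python probe that sends the RDP X.224 Connection Request (MS-RDPBCGR 2.2.1.1) and reports whether the server negotiates TLS, requires Network Level Authentication, or falls back to Standard RDP Security. The sample reply bytes are constructed for the offline demonstration, and the target host, port and cookie user name are assumptions.

```python
"""Probe a TCP/3389 listener with the RDP X.224 Connection Request
(MS-RDPBCGR 2.2.1.1) and report which security layer it will negotiate.
Phase 1 offers TLS and CredSSP and records the server's choice; phase 2
offers TLS only and checks whether the server rejects it with
HYBRID_REQUIRED_BY_SERVER, i.e. whether Network Level Authentication
is enforced. Standard library only."""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # Standard RDP Security (no TLS, no NLA)
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP over TLS (NLA)

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 5
FAILURE_CODES = {  # failureCode values in RDP_NEG_FAILURE (2.2.1.2.2)
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_connection_request(requested_protocols, cookie_user=None):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    variable = b""
    if cookie_user is not None:  # optional routing cookie, as mstsc sends it
        variable += b"Cookie: mstshash=" + cookie_user.encode("ascii") + b"\r\n"
    variable += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    fixed = b"\xe0\x00\x00\x00\x00\x00"  # CR code, DST-REF, SRC-REF, class 0
    tpdu = bytes([len(fixed) + len(variable)]) + fixed + variable  # LI + body
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_x224_connection_confirm(data):
    """Decode the X.224 Connection Confirm. Returns {'selected': flags},
    {'failure': code, 'failure_name': str} or {'legacy': True} when the
    server sent no negotiation data (Standard RDP Security only)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match the data")
    if data[5] != 0xD0:
        raise ValueError("expected X.224 CC (0xD0), got 0x%02x" % data[5])
    if len(data) < 19:
        return {"legacy": True}
    neg_type, flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad rdpNegData length %d" % length)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"selected": value, "flags": flags}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"failure": value, "failure_name": FAILURE_CODES.get(value, "unknown")}
    raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)


def assess(offer_tls_and_nla, offer_tls_only):
    """Combine the two negotiation results into a one-line verdict."""
    if offer_tls_and_nla.get("legacy"):
        return "Standard RDP Security only: no TLS, no NLA, credentials open to MITM"
    if offer_tls_and_nla.get("selected") == PROTOCOL_RDP:
        return "server chose Standard RDP Security although TLS and NLA were offered"
    if offer_tls_only.get("failure") == HYBRID_REQUIRED_BY_SERVER:
        return "NLA enforced: CredSSP authentication precedes any session setup"
    if "selected" in offer_tls_only:
        return "NLA supported but not enforced: an unauthenticated TLS session is accepted"
    return "inconclusive: %r / %r" % (offer_tls_and_nla, offer_tls_only)


def negotiate(host, port, requested_protocols, timeout=5.0):
    """One TCP connection: send the request, read exactly one TPKT back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_x224_connection_request(requested_protocols, "probe"))
        head = s.recv(4)
        if len(head) < 4:
            raise ValueError("short TPKT header")
        body, need = b"", struct.unpack(">H", head[2:4])[0] - 4
        while len(body) < need:
            chunk = s.recv(need - len(body))
            if not chunk:
                break
            body += chunk
        return parse_x224_connection_confirm(head + body)


def probe(host, port=3389):
    first = negotiate(host, port, PROTOCOL_SSL | PROTOCOL_HYBRID)
    second = negotiate(host, port, PROTOCOL_SSL)  # no CredSSP offered
    return assess(first, second)


# Constructed sample replies for offline use (not captured from a real server).
SAMPLE_NEG_RSP_NLA = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x02\x00\x08\x00\x02\x00\x00\x00"
SAMPLE_NEG_FAILURE = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x03\x00\x08\x00\x05\x00\x00\x00"
SAMPLE_LEGACY = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389))
```

Run it from outside the perimeter against the NATed external address. Any verdict other than "NLA enforced" means the 2008 server accepts session setup from an unauthenticated Internet client, which is the exposure Jeff describes; even with NLA enforced, the authentication surface itself stays reachable, which is what a TS Gateway or VPN removes by keeping 3389 off the Internet altogether.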
 
Re: 2008 Terminal Server Farm, using MS NLB

Thank you for your knowledge. Anyone else who can actually help me with
this issue?

 