Implement high availability for your RDS gateways on Windows Server 2012 / 2012 R2 / 2016

6. Distribute network load with NLB

6.1. Creating the NLB cluster

In order for your users to connect to one of these servers through a single domain name, you will need to place your RDS gateway servers in a NLB cluster.
To do this, open the Network Load Balancing Manager and right-click "New Cluster".

Since creating a cluster is almost identical to creating an IIS web servers cluster, refer to our NLB tutorial for this part.

Enter the name of your 1st RD gateway server and click Connection.

Specify an IP address for this cluster.

Provide a name for your cluster.

Note : if you test this tutorial in virtual (thanks to VMware), choose Multicast because unicast is not supported by default.

If you choose Unicast and your gateway servers are virtualized using VMware Workstation :

you will receive this error : Adapter 'Ethernet0' may not have network connectivity. MAC address ... of adapter 'Ethernet0' is within the reserved address range or is in use by another virtual adapter on your system.
one of your 2 RD gateways will lose access to the network

Create the associated record on your DNS server :

Name : name of your cluster
IP address : the IP address of your cluster

Note : generally, the DNS server is on the same server as the Active Directory.

Change the default port rule to use only TCP port 443 (HTTPS) and choose the "Multiple Host" filtering mode so that the network load is distributed by NLB on your different RDS gateway servers.

At the moment, you have a cluster with a single RDS gateway server.

6.2. Add a server to the cluster

To add your 2nd RD gateway server to your cluster, just right-click "Add Host To Cluster" on your NLB cluster.

Enter the name of your 2nd RDS gateway server and click Login.
Then, click Next.

Port rules are already indicated.
Click Finish.

Once the configuration is complete, your 2 servers will be in "state : converged".

7. Certificate import on your RD Gateways

In the properties of your RD gateways :

go to the "SSL Certificate" tab
select : Import a certificate in the RD Gateway ... Certificates (Local Computer)/Personal Store
click on the button : Browse and Import Certificate

Choose the certificate that is valid for the public (external) domain name of your RDS gateways (in our case : rds.informatiweb-tuto.net) and that has been provided by a trusted Internet-based certification authority (such as : Symantec SSL or GeoTrust).

In our case, we used a small trick to generate a free valid Internet certificate for our RD gateways through Let's Encrypt (free certification authority) and OpenSSL (for certificate conversion from PEM to PFX).

Note : to convert the certificate obtained in PEM format (Linux format) to PFX format (Windows format), use this command with OpenSSL 1.x :

Batch

openssl pkcs12 -export -out Cert.pfx -in cert.pem -inkey privkey.pem -passin pass:my_pass -passout pass:my_pass

Explanations :

Cert.pfx : output file name
cert.pem : certificate name in PEM format provided by Let's Encrypt
privkey.pem : name of the file containing the private key in PEM format provided by Let's Encrypt
-passin pass:my_pass : indicates that the password that protects the private key in PEM format is "my_pass"
-passout pass:my_pass : indicates that the password that will protect the private key in PFX format will always be "my_pass"

Enter the password protecting the private key.

If the password is correct, the certificate will be imported to the gateway server.

As you can see, our certificate :

is issued to : rds.informatiweb-tuto.net
is issued by the free certification authority : Let's Encrypt Authority X3
is valid until 04/01/2019

Note : for the "No SSL certificate are installed" error to disappear, all you have to do is apply the changes and then reopen that window.

As expected, the error disappears and the message "The following certificate is installed on ..." appears.

Import the same certificate on the 2nd RD gateway server.