Otdfbt

Non-deterministic Finite Automata | Sipser Example 1.16

Do Life Drain attacks from wights stack?

Could there be a material that inverts the colours seen through it?

What does the vector to raster option in QGIS do, exactly?

What information do scammers need to withdraw money from an account?

Is there ever any indication in the MCU as to how Spider-Man got his powers?

what does a native speaker say when he wanted to leave his work?

What is the best way for a skeleton to impersonate human without using magic?

What's the difference between "за ... от" and "в ... от"?

Program which behaves differently in/out of a debugger

Quote from Leibniz

Is Germany still exporting arms to countries involved in Yemen?

As programers say: Strive to be lazy

Smallest Guaranteed hash collision cycle length

What are the components of a legend (in the sense of a tale, not a figure legend)?

Why is it harder to turn a motor/generator with shorted terminals?

Find hamming distance between two Strings of equal length in Java

Is 12 minutes connection in Bristol Temple Meads long enough?

How can a layman easily get the consensus view of what academia *thinks* about a subject?

What are the holes in files created with fallocate?

How can dragons propel their breath attacks to a long distance

What are the implications of the new alleged key recovery attack preprint on SIMON?

How do I tell my supervisor that he is choosing poor replacements for me while I am on maternity leave?

Are there any established rules for splitting books into parts, chapters, sections etc?

How to use HAProxy as a load balancer with SSL for Terminal Server Environment?

HaProxy + IIS pages gradually get slowerHaProxy - Http and SSL pass through configHow to horizontally scale SSL termination behind HAProxy load balancing?Logging client ip address from tcp connection from HAproxy to nginxHaproxy logging not workHA-Proxy 301 re-direct: https to https://wwwHaProxy giving - 503 Service UnavailableHAProxy not logging all requestsSASL auth to LDAP behind HAPROXY with name mismatchesopenldap with haproxy - (ldap_result() failed: Can't contact LDAP server)

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

0

I've been working to implement a load balancer using HAProxy and use the load balancer as a bridge to backend(Terminal Server Windows 2008 R2), so that remote session between client to the load balancer will be secured and clear traffic between the load balancer to the backend without RDP Gateway. Any Idea will be much appreciated.
Thanks.

PS : This is a simple configuration for the configuration above

[client(s)] =secure=> [proxy server] =clear=> [pool of windows servers]

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /tmp/haproxy.sock

defaults
log global
mode tcp
option tcplog
option dontlognull
maxconn 2000
timeout connect 3h
timeout client 3h
timeout server 3h

frontend secure
bind *:3389 
bind *:443 ssl crt /etc/haproxy/certs/x.pem
mode tcp
default_backend rdp

backend rdp
mode tcp
option tcpka
balance leastconn
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
persist rdp-cookie
stick-table type string len 32 size 10k expire 8h
stick on rdp_cookie(mstshash)
option tcp-check
tcp-check connect port 3389 ssl
server ts1 x.x.x.x:3389

windows-server-2008 ssl haproxy

share|improve this question

edited Nov 4 '16 at 1:02

Ryan Park

asked Nov 3 '16 at 5:31

Ryan ParkRyan Park

12

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I'm curious why you're trying to avoid the native Gateway services.
  
  – Ryan Bolger
  Nov 3 '16 at 6:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Due to a few reasons. We are using Autoscaling to scale our terminal server capacity up or down automatically according to conditions and they are all exposed to the public via the HAProxy which does load-balancing, not the RDP gateway. To have the RDP gateway seems to be an extra cost if we can figure out how to implement the SSL connection via the HAProxy. Furthermore, I’m suspicious about how well the RDP gateway can optimize/distribute the traffic as well.
  
  – Ryan Park
  Nov 3 '16 at 21:41
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This is within the realm of capabilities of HAProxy, assuming RDP doesn't get in your way, and allows SSL offloading to be done for it. Possibly unrelated, but your bind :443 also needs to be configured with ssl and a certificate, if you want HAProxy to speak SSL on port 443. What happens when you test this? What is logged?
  
  – Michael - sqlbot
  Nov 4 '16 at 0:04
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Michael-sqlbot I've tested the port no.443 with and without the certificate. without the certificate, I can access to the backend through the proxy server but getting self-signed certificate from the backend. With the certificate, I can't even get into the backend. it seems like the traffic is shuttling (encrypted) bits back and forth between the client and server as GregL mentioned in the comment below
  
  – Ryan Park
  Nov 4 '16 at 1:04
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You need ssl verify none on the server configuration line if the server is speaking SSL and offering you a cert.
  
  – Michael - sqlbot
  Nov 4 '16 at 1:13
  

  
  
  
  

 | 
show 3 more comments

0

I've been working to implement a load balancer using HAProxy and use the load balancer as a bridge to backend(Terminal Server Windows 2008 R2), so that remote session between client to the load balancer will be secured and clear traffic between the load balancer to the backend without RDP Gateway. Any Idea will be much appreciated.
Thanks.

PS : This is a simple configuration for the configuration above

[client(s)] =secure=> [proxy server] =clear=> [pool of windows servers]

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /tmp/haproxy.sock

defaults
log global
mode tcp
option tcplog
option dontlognull
maxconn 2000
timeout connect 3h
timeout client 3h
timeout server 3h

frontend secure
bind *:3389 
bind *:443 ssl crt /etc/haproxy/certs/x.pem
mode tcp
default_backend rdp

backend rdp
mode tcp
option tcpka
balance leastconn
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
persist rdp-cookie
stick-table type string len 32 size 10k expire 8h
stick on rdp_cookie(mstshash)
option tcp-check
tcp-check connect port 3389 ssl
server ts1 x.x.x.x:3389

windows-server-2008 ssl haproxy

share|improve this question

edited Nov 4 '16 at 1:02

Ryan Park

asked Nov 3 '16 at 5:31

Ryan ParkRyan Park

12

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I'm curious why you're trying to avoid the native Gateway services.
  
  – Ryan Bolger
  Nov 3 '16 at 6:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Due to a few reasons. We are using Autoscaling to scale our terminal server capacity up or down automatically according to conditions and they are all exposed to the public via the HAProxy which does load-balancing, not the RDP gateway. To have the RDP gateway seems to be an extra cost if we can figure out how to implement the SSL connection via the HAProxy. Furthermore, I’m suspicious about how well the RDP gateway can optimize/distribute the traffic as well.
  
  – Ryan Park
  Nov 3 '16 at 21:41
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This is within the realm of capabilities of HAProxy, assuming RDP doesn't get in your way, and allows SSL offloading to be done for it. Possibly unrelated, but your bind :443 also needs to be configured with ssl and a certificate, if you want HAProxy to speak SSL on port 443. What happens when you test this? What is logged?
  
  – Michael - sqlbot
  Nov 4 '16 at 0:04
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Michael-sqlbot I've tested the port no.443 with and without the certificate. without the certificate, I can access to the backend through the proxy server but getting self-signed certificate from the backend. With the certificate, I can't even get into the backend. it seems like the traffic is shuttling (encrypted) bits back and forth between the client and server as GregL mentioned in the comment below
  
  – Ryan Park
  Nov 4 '16 at 1:04
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You need ssl verify none on the server configuration line if the server is speaking SSL and offering you a cert.
  
  – Michael - sqlbot
  Nov 4 '16 at 1:13
  

  
  
  
  

 | 
show 3 more comments

I've been working to implement a load balancer using HAProxy and use the load balancer as a bridge to backend(Terminal Server Windows 2008 R2), so that remote session between client to the load balancer will be secured and clear traffic between the load balancer to the backend without RDP Gateway. Any Idea will be much appreciated.
Thanks.

PS : This is a simple configuration for the configuration above

[client(s)] =secure=> [proxy server] =clear=> [pool of windows servers]

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /tmp/haproxy.sock

defaults
log global
mode tcp
option tcplog
option dontlognull
maxconn 2000
timeout connect 3h
timeout client 3h
timeout server 3h

frontend secure
bind *:3389 
bind *:443 ssl crt /etc/haproxy/certs/x.pem
mode tcp
default_backend rdp

backend rdp
mode tcp
option tcpka
balance leastconn
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
persist rdp-cookie
stick-table type string len 32 size 10k expire 8h
stick on rdp_cookie(mstshash)
option tcp-check
tcp-check connect port 3389 ssl
server ts1 x.x.x.x:3389

windows-server-2008 ssl haproxy

share|improve this question

edited Nov 4 '16 at 1:02

Ryan Park

asked Nov 3 '16 at 5:31

Ryan ParkRyan Park

12

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /tmp/haproxy.sock

defaults
log global
mode tcp
option tcplog
option dontlognull
maxconn 2000
timeout connect 3h
timeout client 3h
timeout server 3h

frontend secure
bind *:3389 
bind *:443 ssl crt /etc/haproxy/certs/x.pem
mode tcp
default_backend rdp

backend rdp
mode tcp
option tcpka
balance leastconn
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
persist rdp-cookie
stick-table type string len 32 size 10k expire 8h
stick on rdp_cookie(mstshash)
option tcp-check
tcp-check connect port 3389 ssl
server ts1 x.x.x.x:3389

share|improve this question

edited Nov 4 '16 at 1:02

Ryan Park

asked Nov 3 '16 at 5:31

Ryan ParkRyan Park

12

share|improve this question

edited Nov 4 '16 at 1:02

Ryan Park

asked Nov 3 '16 at 5:31

Ryan ParkRyan Park

12

asked Nov 3 '16 at 5:31

Ryan ParkRyan Park

12

asked Nov 3 '16 at 5:31

Ryan ParkRyan Park

12

2 Answers
2

active

oldest

votes

0

Since you've got your mode set as TCP, you're not actually doing any SSL decryption of the traffic, you're just shuttling (encrypted) bits back and forth between the client and server.

I don't even think you could do what you propose with RDP, since HAProxy only understands HTTP as a layer 7 protocol.

share|improve this answer

answered Nov 3 '16 at 11:27

GregLGregL

6,81222129

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That isn't right. bind *:3389 ssl crt ... means HAProxy will insist on negotiating SSL with the client itself, and handling the payload in the clear, internally. If server ... ssl is used on the backend, HAProxy will negotiate a new SSL session with the back-end server and re-encrypt the payload, otherwise it will pass it to the server in the clear. mode tcp directs HAProxy to not try to interpret the connection as HTTP but treat it payload-agnostic, establishing a connection to the server, tying client and server "pipes" together, and forwarding traffic without interpretarion.
  
  – Michael - sqlbot
  Nov 3 '16 at 23:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So are you saying that what OP wants to do is possible then?
  
  – GregL
  Nov 4 '16 at 0:02
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Well, it's possible if RDP allows itself to operate behind an SSL offload device, yes. I've transported NFS4 and SMTP (and probably other things) across the Internet wrapped in SSL/TLS using HAProxy with a very similar configuration, the difference being that I had an HAProxy on both ends, to avoid the need for the client system to understand SSL or be reconfigured. If it's TCP and doesn't need any weird stream rewriting (like FTP the PORT command in FTP, yuck) then HAProxy can switch it and handle the SSL.
  
  – Michael - sqlbot
  Nov 4 '16 at 0:11
  

  
  
  
  

add a comment | 

0

It is a bit unclear what services you are trying to load balance based on the ports used for the frontend in HAProxy I would say RD Gateways and RD Web Access, but you can never be to sure.

At a first glance I would say that you will need 2 frontend aka VIPs :
One listening on 443 to offload ssl connections and another one that will forward unecrypted traffic to the backend i.e.

[client(s)] =secure=> HAProxy VIP 443 =clear=> HAProxy VIP 3389 =clear=> Backends - Pool of windows server

share|improve this answer

answered Nov 4 '16 at 9:20

AndreiGAndreiG

11

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f812884%2fhow-to-use-haproxy-as-a-load-balancer-with-ssl-for-terminal-server-environment%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

Since you've got your mode set as TCP, you're not actually doing any SSL decryption of the traffic, you're just shuttling (encrypted) bits back and forth between the client and server.

I don't even think you could do what you propose with RDP, since HAProxy only understands HTTP as a layer 7 protocol.

share|improve this answer

answered Nov 3 '16 at 11:27

GregLGregL

6,81222129

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That isn't right. bind *:3389 ssl crt ... means HAProxy will insist on negotiating SSL with the client itself, and handling the payload in the clear, internally. If server ... ssl is used on the backend, HAProxy will negotiate a new SSL session with the back-end server and re-encrypt the payload, otherwise it will pass it to the server in the clear. mode tcp directs HAProxy to not try to interpret the connection as HTTP but treat it payload-agnostic, establishing a connection to the server, tying client and server "pipes" together, and forwarding traffic without interpretarion.
  
  – Michael - sqlbot
  Nov 3 '16 at 23:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So are you saying that what OP wants to do is possible then?
  
  – GregL
  Nov 4 '16 at 0:02
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Well, it's possible if RDP allows itself to operate behind an SSL offload device, yes. I've transported NFS4 and SMTP (and probably other things) across the Internet wrapped in SSL/TLS using HAProxy with a very similar configuration, the difference being that I had an HAProxy on both ends, to avoid the need for the client system to understand SSL or be reconfigured. If it's TCP and doesn't need any weird stream rewriting (like FTP the PORT command in FTP, yuck) then HAProxy can switch it and handle the SSL.
  
  – Michael - sqlbot
  Nov 4 '16 at 0:11
  

  
  
  
  

add a comment | 

0

Since you've got your mode set as TCP, you're not actually doing any SSL decryption of the traffic, you're just shuttling (encrypted) bits back and forth between the client and server.

I don't even think you could do what you propose with RDP, since HAProxy only understands HTTP as a layer 7 protocol.

share|improve this answer

answered Nov 3 '16 at 11:27

GregLGregL

6,81222129

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That isn't right. bind *:3389 ssl crt ... means HAProxy will insist on negotiating SSL with the client itself, and handling the payload in the clear, internally. If server ... ssl is used on the backend, HAProxy will negotiate a new SSL session with the back-end server and re-encrypt the payload, otherwise it will pass it to the server in the clear. mode tcp directs HAProxy to not try to interpret the connection as HTTP but treat it payload-agnostic, establishing a connection to the server, tying client and server "pipes" together, and forwarding traffic without interpretarion.
  
  – Michael - sqlbot
  Nov 3 '16 at 23:56
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So are you saying that what OP wants to do is possible then?
  
  – GregL
  Nov 4 '16 at 0:02
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Well, it's possible if RDP allows itself to operate behind an SSL offload device, yes. I've transported NFS4 and SMTP (and probably other things) across the Internet wrapped in SSL/TLS using HAProxy with a very similar configuration, the difference being that I had an HAProxy on both ends, to avoid the need for the client system to understand SSL or be reconfigured. If it's TCP and doesn't need any weird stream rewriting (like FTP the PORT command in FTP, yuck) then HAProxy can switch it and handle the SSL.
  
  – Michael - sqlbot
  Nov 4 '16 at 0:11
  

  
  
  
  

add a comment | 

Since you've got your mode set as TCP, you're not actually doing any SSL decryption of the traffic, you're just shuttling (encrypted) bits back and forth between the client and server.

I don't even think you could do what you propose with RDP, since HAProxy only understands HTTP as a layer 7 protocol.

share|improve this answer

answered Nov 3 '16 at 11:27

GregLGregL

6,81222129

share|improve this answer

answered Nov 3 '16 at 11:27

GregLGregL

6,81222129

answered Nov 3 '16 at 11:27

GregLGregL

6,81222129

answered Nov 3 '16 at 11:27

GregLGregL

6,81222129

0

It is a bit unclear what services you are trying to load balance based on the ports used for the frontend in HAProxy I would say RD Gateways and RD Web Access, but you can never be to sure.

At a first glance I would say that you will need 2 frontend aka VIPs :
One listening on 443 to offload ssl connections and another one that will forward unecrypted traffic to the backend i.e.

[client(s)] =secure=> HAProxy VIP 443 =clear=> HAProxy VIP 3389 =clear=> Backends - Pool of windows server

share|improve this answer

answered Nov 4 '16 at 9:20

AndreiGAndreiG

11

add a comment | 

0

It is a bit unclear what services you are trying to load balance based on the ports used for the frontend in HAProxy I would say RD Gateways and RD Web Access, but you can never be to sure.

At a first glance I would say that you will need 2 frontend aka VIPs :
One listening on 443 to offload ssl connections and another one that will forward unecrypted traffic to the backend i.e.

[client(s)] =secure=> HAProxy VIP 443 =clear=> HAProxy VIP 3389 =clear=> Backends - Pool of windows server

share|improve this answer

answered Nov 4 '16 at 9:20

AndreiGAndreiG

11

add a comment | 

It is a bit unclear what services you are trying to load balance based on the ports used for the frontend in HAProxy I would say RD Gateways and RD Web Access, but you can never be to sure.

At a first glance I would say that you will need 2 frontend aka VIPs :
One listening on 443 to offload ssl connections and another one that will forward unecrypted traffic to the backend i.e.

[client(s)] =secure=> HAProxy VIP 443 =clear=> HAProxy VIP 3389 =clear=> Backends - Pool of windows server

share|improve this answer

answered Nov 4 '16 at 9:20

AndreiGAndreiG

11

share|improve this answer

answered Nov 4 '16 at 9:20

AndreiGAndreiG

11

answered Nov 4 '16 at 9:20

AndreiGAndreiG

11

answered Nov 4 '16 at 9:20

AndreiGAndreiG

11