SSL – How to use HAProxy as a load balancer with SSL for Terminal Server Environment

haproxy ssl windows-server-2008

I've been working to implement a load balancer using HAProxy and use the load balancer as a bridge to the backend (Terminal Server Windows 2008 R2), so that the remote session between the client and the load balancer will be secured, with clear traffic between the load balancer and the backend, without RDP Gateway. Any ideas will be much appreciated.
Thanks.

PS: This is a simple configuration for the configuration above

[client(s)] =secure=> [proxy server] =clear=> [pool of windows servers]

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    stats socket /tmp/haproxy.sock

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    maxconn 2000
    timeout connect 3h
    timeout client 3h
    timeout server 3h

frontend secure
    bind *:3389
    bind *:443 ssl crt /etc/haproxy/certs/x.pem
    mode tcp
    default_backend rdp

backend rdp
    mode tcp
    option tcpka
    balance leastconn
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
    persist rdp-cookie
    stick-table type string len 32 size 10k expire 8h
    stick on rdp_cookie(mstshash)
    option tcp-check
    tcp-check connect port 3389 ssl
    server ts1 x.x.x.x:3389

Best Answer

Since you've got your mode set as TCP, you're not actually doing any SSL decryption of the traffic, you're just shuttling (encrypted) bits back and forth between the client and server.

I don't even think you could do what you propose with RDP, since HAProxy only understands HTTP as a layer 7 protocol.
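
The backend in the question keys persistence on the RDP cookie (`tcp-request content accept if RDP_COOKIE`, `stick on rdp_cookie(mstshash)`). As an added example, not part of the question or the answer, this Python parser shows where that cookie sits in the first cleartext bytes of an RDP connection (an X.224 Connection Request inside a TPKT header). The sample packet and the function names are constructed for illustration.

```python
import struct

COOKIE_PREFIX = b"Cookie: mstshash="

def build_sample_request(user: str) -> bytes:
    """Constructed sample: TPKT header + X.224 Connection Request with a cookie."""
    cookie = COOKIE_PREFIX + user.encode("ascii") + b"\r\n"
    # X.224 CR fixed part: LI, CR code 0xE0, DST-REF, SRC-REF, class option.
    li = 6 + len(cookie)  # length indicator excludes the LI byte itself
    x224 = struct.pack(">BBHHB", li, 0xE0, 0, 0, 0) + cookie
    # TPKT: version 3, reserved 0, total length including this 4-byte header.
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def extract_mstshash(data: bytes):
    """Return the mstshash value from the first client bytes, or None."""
    if len(data) < 11:                      # TPKT (4) + X.224 fixed part (7)
        return None
    version, _reserved, total_len = struct.unpack(">BBH", data[:4])
    if version != 3 or total_len < 11 or total_len > len(data):
        return None                         # not TPKT, or packet incomplete
    li, code = data[4], data[5]
    if code & 0xF0 != 0xE0 or 5 + li > total_len:
        return None                         # not a Connection Request
    payload = data[11:5 + li]               # variable part of the X.224 CR
    if not payload.startswith(COOKIE_PREFIX):
        return None
    end = payload.find(b"\r\n")
    if end == -1:
        return None                         # cookie line not terminated
    value = payload[len(COOKIE_PREFIX):end]
    return value.decode("ascii", errors="replace") or None

if __name__ == "__main__":
    pkt = build_sample_request("alice")
    print("cleartext RDP first packet ->", extract_mstshash(pkt))
    # A TLS connection starts with a handshake record (type 0x16), not TPKT,
    # so no cookie is visible in those bytes. Constructed record below.
    tls_first_bytes = b"\x16\x03\x01\x00\x2e" + bytes(46)
    print("TLS first record           ->", extract_mstshash(tls_first_bytes))
```
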