
I have set up a Remote Desktop Services Gateway behind an AWS ALB.

The AWS ALB does the SSL offloading and talks to the RDS Gateway Server via HTTP (port 80).

The configuration works and I can RDP to instances behind the RDS Gateway, but very often (every 15-20 minutes I would say on average) the RDP session spends a few seconds (5-10) reconnecting.

Does the ALB have issues with very long connections spanning several minutes? Which are possible root causes for such frequent reconnections?

** UPDATE WITH MORE DETAILED INFORMATION **

The Idle timeout of the ALB is set to 4000 seconds.

The setup seems to work fine for Windows RD clients (no reconnections in this case).

However, with a Microsoft RD for Mac client 10.3.9 (1767) running on Catalina 10.15.3, we experience frequent reconnects (every 5 to 20 minutes) and occasional freezes.

The Microsoft RD for Mac client log at /var/log/systemd.log does not report anything special when a reconnect occurs.

The IIS log at the RDS Gateway machine does not report anything special either (it does not seem to log the RDG_IN_DATA and RDG_OUT_DATA). It only logs the ELB status check and occasional rogue visits to the ALB.

The AWS ALB log sent to S3 does report a sequence of RDG_OUT_DATA and RDG_IN_DATA at the time of the reconnection. The first one is an RDG_OUT_DATA with a 200 status code and a sizeable received bytes quantity, followed by two RDG_OUT_DATA with a 401 status code, then two RDG_IN_DATA with a 401 status code and finally an RDG_IN_DATA with a 200 status code until the next reconnection occurs.

If the Mac client is used directly against an RDS Gateway with no AWS in between then it works fine (no reconnections/freezes every 5 to 20 minutes).

Pep

1 Answer

0

For each request that a client makes through a load balancer, the load balancer maintains two connections. A front-end connection is between a client and the load balancer, and a back-end connection is between the load balancer and a target. The load balancer manages an idle timeout that is triggered when no data is sent over a front-end connection for a specified time period. If no data has been sent or received by the time that the idle timeout period elapses, the load balancer closes the connection.

By default, Elastic Load Balancing sets the idle timeout value to 60 seconds. Therefore, if the target doesn't send some data at least every 60 seconds while the request is in flight, the load balancer can close the front-end connection. To ensure that lengthy operations such as file uploads have time to complete, send at least 1 byte of data before each idle timeout period elapses, and increase the length of the idle timeout period as needed.

For back-end connections, we recommend that you enable the HTTP keep-alive option for your EC2 instances. You can enable HTTP keep-alive in the web server settings for your EC2 instances. If you enable HTTP keep-alive, the load balancer can reuse back-end connections until the keep-alive timeout expires. We also recommend that you configure the idle timeout of your application to be larger than the idle timeout configured for the load balancer.

For more information, refer to this article: Application Load Balancers

SynAck
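The ALB access log is the one place in this setup that actually records the RDG_IN_DATA / RDG_OUT_DATA traffic, so it is worth mining it systematically rather than eyeballing the S3 files. The script below is an added example, not code from the question, the answer or AWS: it parses ALB access-log lines (field positions as in the ALB access-log format), keeps only the RDG_IN_DATA / RDG_OUT_DATA requests, and reports per client each burst of 401s (the Gateway re-authenticating, which is what the poster sees at every reconnect), the spacing between bursts, and whether the RDG_OUT_DATA 200 response that completed just before the burst ran up to the ALB idle timeout, which is the cause the answer points at. The idle timeout of 4000 seconds is taken from the question; every log line, hostname, ARN and IP below is constructed sample data.

```python
"""Find RDG reconnect episodes in AWS ALB access logs.

Added example, not code from the question or the answer. Field positions
follow the ALB access-log format; all sample log lines are constructed.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AlbRecord:
    time: datetime          # time the ALB generated the response
    client_ip: str
    method: str             # RDG uses RDG_IN_DATA / RDG_OUT_DATA as methods
    elb_status: int
    target_time: float      # target_processing_time in seconds
    received_bytes: int


def parse_alb_line(line: str) -> AlbRecord:
    """Parse one ALB access-log line; shlex handles the double-quoted fields."""
    f = shlex.split(line)
    return AlbRecord(
        time=datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        client_ip=f[3].rsplit(":", 1)[0],
        method=f[12].split(" ", 1)[0],
        elb_status=int(f[8]),
        target_time=float(f[6]),
        received_bytes=int(f[10]),
    )


def find_reconnects(records, idle_timeout_s=4000.0, margin_s=5.0):
    """Return one dict per 401 burst, in time order, per client IP."""
    by_client = defaultdict(list)
    for r in records:
        if r.method in ("RDG_IN_DATA", "RDG_OUT_DATA"):   # drops health checks, scanners
            by_client[r.client_ip].append(r)
    episodes = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r.time)                    # stable sort keeps log order
        last_ok_out = None      # most recent RDG_OUT_DATA that completed with 200
        prev_burst = None       # time of this client's previous 401 burst
        i = 0
        while i < len(recs):
            r = recs[i]
            if r.elb_status != 401:
                if r.method == "RDG_OUT_DATA" and r.elb_status == 200:
                    last_ok_out = r
                i += 1
                continue
            j = i
            while j < len(recs) and recs[j].elb_status == 401:   # extent of the burst
                j += 1
            out_s = last_ok_out.target_time if last_ok_out else None
            episodes.append({
                "client": ip,
                "time": r.time.isoformat(),
                "n401": j - i,
                "since_previous_s": None if prev_burst is None
                else round((r.time - prev_burst).total_seconds()),
                "preceding_out_data_s": out_s,
                # True when the long poll ran up to the ALB idle timeout, which
                # would support the idle-timeout explanation given in the answer.
                "near_idle_timeout": out_s is not None and out_s >= idle_timeout_s - margin_s,
            })
            prev_burst = r.time
            i = j
    return episodes


def _line(ts, client, method, status, target_time, rx, ua="MSRDC/10.3.9"):
    """Build one constructed ALB access-log line with all 29 fields."""
    tg = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/rdg-tg/73e2d6bc24d8a067"
    return (f'https {ts} app/rdg-alb/50dc6c495c0c9188 {client}:52100 10.0.1.20:80 '
            f'0.001 {target_time} 0.000 {status} {status} {rx} 1024 '
            f'"{method} https://rdg.example.com:443/remoteDesktopGateway/ HTTP/1.1" '
            f'"{ua}" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {tg} '
            f'"Root=1-5e67a1b0-0123456789abcdef01234567" "rdg.example.com" '
            f'"arn:aws:acm:eu-west-1:123456789012:certificate/placeholder" 0 {ts} '
            f'"forward" "-" "-" "10.0.1.20:80" "{status}" "-" "-"')


MAC = "203.0.113.10"   # constructed: the Mac client's public address
SAMPLE_LOG = "\n".join([   # constructed: one health check, then two reconnect episodes
    _line("2020-03-10T10:12:00.000000Z", "10.0.0.5", "GET", 200, 0.002, 0, "ELB-HealthChecker/2.0"),
    _line("2020-03-10T10:15:02.123456Z", MAC, "RDG_OUT_DATA", 200, 1180.502, 524288),
    _line("2020-03-10T10:15:03.000000Z", MAC, "RDG_OUT_DATA", 401, 0.003, 0),
    _line("2020-03-10T10:15:03.020000Z", MAC, "RDG_OUT_DATA", 401, 0.003, 0),
    _line("2020-03-10T10:15:04.010000Z", MAC, "RDG_IN_DATA", 401, 0.002, 0),
    _line("2020-03-10T10:15:04.030000Z", MAC, "RDG_IN_DATA", 401, 0.002, 0),
    _line("2020-03-10T10:15:05.000000Z", MAC, "RDG_IN_DATA", 200, 0.8, 2048),
    _line("2020-03-10T10:27:40.500000Z", MAC, "RDG_OUT_DATA", 200, 754.1, 131072),
    _line("2020-03-10T10:27:41.000000Z", MAC, "RDG_OUT_DATA", 401, 0.003, 0),
    _line("2020-03-10T10:27:41.200000Z", MAC, "RDG_IN_DATA", 401, 0.002, 0),
    _line("2020-03-10T10:27:42.000000Z", MAC, "RDG_IN_DATA", 200, 0.7, 2048),
])


def analyse(log_text: str, idle_timeout_s: float = 4000.0):
    """Parse every non-empty line and return the reconnect episodes found."""
    records = [parse_alb_line(l) for l in log_text.splitlines() if l.strip()]
    return find_reconnects(records, idle_timeout_s)


if __name__ == "__main__":
    for ep in analyse(SAMPLE_LOG):
        print(ep)
```

On the constructed sample, both bursts show `near_idle_timeout` false because the preceding RDG_OUT_DATA responses (1180 s and 754 s) finished well under the 4000 s idle timeout; that is the outcome that argues against the idle-timeout explanation and for looking at the client side instead. Run the same function over a real S3 export with the ALB's actual idle timeout: a long poll whose `target_processing_time` sits right at the timeout just before every 401 burst would confirm the answer's diagnosis.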