1

I have a single physical host that I am using as a virtualization lab and a number of VMs on Hyper-V that are connected to the host via an internal network. I had it working so that the physical host acted as the Remote Desktop Gateway and the router points to the gateway, and all was well: I could log into my VMs over the internet.

I have since moved my Gateway to a VM on the internal network that is in my Active Directory's DNS at remote.example.com with a static IP address. This is so that individual VMs will perform specific roles and that I will eventually be able to use load balancing on my VMs.

At the moment, with just 1 VM acting as an RDG, I am able to access all my VMs on the internal network fine from my host machine, as it can see the IP address for remote.example.com. I figured I would need to add some forwarding/routing/redirection to the host machine to make the Gateway visible from "outside".

(Internet) ==1==> (Router) ==2==> [Host] ==3==> [remote.example.com] ==4==> [VM_1 | VM_2 | VM_3]

What is the correct way of getting my Host to proxy requests to my internal VM/gateway?

My current setup for ARR in my ApplicationHost.config:

<webFarms>
    <webFarm name="Remote" enabled="true">
        <server address="192.168.1.3" enabled="true" />
        <applicationRequestRouting>
            <protocol>
                <cache enabled="false" />
            </protocol>
        </applicationRequestRouting>
    </webFarm>
    <applicationRequestRouting>
        <hostAffinityProviderList>
            <add name="Microsoft.Web.Arr.HostNameRoundRobin" />
            <add name="Microsoft.Web.Arr.HostNameMemory" />
        </hostAffinityProviderList>
    </applicationRequestRouting>
</webFarms>

Under system.webServer/rewrite/globalRules:

<globalRules>
    <rule name="ARR_Remote_loadbalance_SSL" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
            <add input="{HTTPS}" pattern="on" />
            <add input="{HTTP_HOST}" pattern="remote.example.com" />
        </conditions>
        <action type="Rewrite" url="https://Remote/{R:0}" />
    </rule>
    <rule name="ARR_Remote_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <action type="Rewrite" url="http://Remote/{R:0}" />
        <conditions>
            <add input="{HTTP_HOST}" pattern="remote.example.com" />
        </conditions>
    </rule>
</globalRules>

Edit:

On an external device I can connect to https://remote.example.com and see the IIS landing page. When I go to https://remote.example.com/rpc I receive 503 Must use post

When I attempt to use the Gateway server through an RDP client I receive:

The gateway failed to connect with the message: 404 not found

After a reboot of Host and VM I am able to access the site from an external device and I am able to perform a failed request trace on the RDP connection.

Failed Request Trace

It appears that the ARR is trying to handle the request itself and not forward the request to the remote VM.

Meberem
  • Elaborate on the ARR configuration and actual error messages. On step "==2==" the request comes into your host ARR as "==3=="'s host header. What happens at the "==4==" stage exactly? Do the end VMs get any traffic? Or do the ARR Rewrite rules fail entirely? – Brock Hensley Jan 22 '14 at 23:15

2 Answers

1

Turns out this was a simple case of slightly misconfigured settings. The pattern I have posted for ARR routing is {HTTP_HOST} = remote.example.com. According to the failed request logs, this is not being matched:

Failed ARR rule matching

I believe this is because the ARR rules will look at just the host name, i.e. remote.example as opposed to remote.example.com, as various combinations such as remote.example., remote., remote* do match and are forwarded correctly. Perhaps I missed some tricks with pattern matching for ARR.

For reference I have largely followed this guide: http://www.msexchange.org/articles-tutorials/exchange-server-2013/mobility-client-access/iis-application-request-routing-part1.html

Meberem
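An added example, not part of either poster's code: a small Python check that approximates URL Rewrite's Wildcard syntax (`*` matches any run of characters, whole-value match, case-insensitive) and shows which Host header values different `{HTTP_HOST}` condition patterns would forward to the gateway. The page does not show the Host value the RDP client actually sent; the sample values, including the one carrying a `:443` port suffix, are constructed assumptions, as are the function and pattern-set names.

```python
import re


def wildcard_match(pattern: str, value: str) -> bool:
    """Approximate patternSyntax="Wildcard": '*' matches any run of characters,
    everything else is literal, and the whole input must match (ignoring case)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def forwarded_hosts(patterns, hosts):
    """Hosts that at least one pattern accepts (like logicalGrouping="MatchAny")."""
    return [h for h in hosts if any(wildcard_match(p, h) for p in patterns)]


# Constructed Host header values a front-end proxy might receive.
SAMPLE_HOSTS = [
    "remote.example.com",                # bare host name
    "remote.example.com:443",            # same host with an explicit port (assumption)
    "REMOTE.example.com",                # case variation
    "remote.example.com.attacker.test",  # look-alike that must not be forwarded
    "remote-admin.example.net",          # unrelated name sharing the prefix
]

# Hypothetical condition sets to compare.
CANDIDATES = {
    "exact": ["remote.example.com"],
    "broad": ["remote*"],
    "exact_or_port": ["remote.example.com", "remote.example.com:*"],
}


def report():
    """Map each candidate pattern set to the sample hosts it would forward."""
    return {name: forwarded_hosts(pats, SAMPLE_HOSTS)
            for name, pats in CANDIDATES.items()}


if __name__ == "__main__":
    for name, hosts in report().items():
        print(f"{name:14} -> {hosts}")
```

A prefix pattern such as `remote*` gets traffic flowing but also proxies any request whose Host merely starts with "remote"; the exact name plus an explicit port alternative keeps the rule limited to the intended gateway name.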
0

I'm pretty sure using ARR is unsupported, even if it would work. Your easiest way out is to allow the gateway VM to talk to the "external" network so that your router can send traffic to it directly. Or you need "something" that can route traffic to the gateway VM, a NATing firewall or something. I would not put this "something" on my Hyper-V box, those should be kept as clean as possible.

Trondh
  • My initial thoughts were to route all traffic from the external network to the gateway VM and deal with all requests there, but surely this would just move the problem as I was trying to experiment with load balancing Remote Desktop Gateways. What makes you think ARR is unsupported with this problem? – Meberem Jan 23 '14 at 08:37
  • You didn't say anything about load balancing in the OP. Could you add the relevant info to the question? – Trondh Jan 23 '14 at 10:47
  • I certainly can, although this was a goal I will tackle after I manage to get routing to the internal VM working – Meberem Jan 23 '14 at 10:59