tl;dr

Is Amazon Web Services Elastic Load Balancer a viable replacement for Remote Desktop Gateway?

short enough; did read

My client currently uses a remote desktop gateway with roughly 10 remote desktop servers. We're now moving them to AWS, and I'd like to use AWS' Elastic Load Balancer due to reduced cost and improved functionality. I've successfully created a remote desktop environment behind an ELB by balancing port 3389.

Despite this, my knowledge of RDGW is slim, and in order to avoid any gotchas I thought it'd be a good idea to consult the community.

My concerns are:

  1. When losing connection from the session, will the user be able to log back onto the same server?
  2. Will the user be randomly balanced to another server?
  3. I've overlooked an obvious fact that'll get me fired when we release the system to production.
MrJD

3 Answers

1

Running an ELB as RDGW for two years now...

Firstly, it works*

* It works sufficiently

  • + Users are able to login through ELB and use the servers as expected
  • + We have not experienced any sudden or unexpected loss of connection
  • – Disconnected sessions are not restored to the same server
MrJD
  • Any info on how this is set up to work for you? I'm directing port 3389 to specific machines using subdomains, but the RDP client just gives me "protocol error" – Jordan Morris Apr 19 '17 at 23:48
  • A bit late sorry; it's a bit hard to tell with so little information. I do remember having significant trouble routing the machines properly back through a NAT. But I doubt that's related to what you're describing. – MrJD May 22 '17 at 23:05
  • Tail the /var/log/messages when attempting to connect. I found that changes to the user-mapping.xml for the security entry did the trick for me (try rdp, tls, etc.). Also, depending on your Windows config, you may want to test it out with NLA disabled. – Michael Behrens Mar 19 '21 at 01:13
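The question's first two concerns and the accepted answer's "disconnected sessions are not restored to the same server" come down to one thing: an ELB listener on TCP 3389 sees only TCP connections, so a client that reconnects after a dropped link is just another new connection to be balanced, whereas a broker keeps a user-to-host map and sends the returning client back to the host holding its session. The following simulation is an added example, not code from the question, the answers or AWS; the host names and event trace are constructed, and the two classes model the behaviour rather than talk to any real load balancer.

```python
import itertools

# Hypothetical session host names; constructed for this example.
SERVERS = ["rds-01", "rds-02", "rds-03"]


class TcpRoundRobin:
    """Models an ELB TCP listener on 3389: it only sees TCP connections,
    so every new connection, including a reconnect after a dropped link,
    is handed to the next host in rotation."""

    def __init__(self, servers):
        self._cycle = itertools.cycle(servers)

    def route(self, user):
        return next(self._cycle)


class SessionBroker:
    """Models a connection broker: new users are spread round-robin, but a
    user with an existing (possibly disconnected) session is sent back to
    the host that holds it."""

    def __init__(self, servers):
        self._cycle = itertools.cycle(servers)
        self.sessions = {}  # user -> host holding that user's session

    def route(self, user):
        host = self.sessions.get(user)
        if host is None:
            host = next(self._cycle)
            self.sessions[user] = host
        return host

    def logoff(self, user):
        # A full logoff frees the slot; the next login is balanced afresh.
        self.sessions.pop(user, None)


def simulate(balancer, events):
    """Replay (user, action) events through a balancer.

    action is 'connect' for a fresh login or 'reconnect' for the client
    coming back after a dropped connection. Returns a list of
    (user, action, host, resumed) where resumed is True when a reconnect
    landed on the host the user was on before."""
    last_host = {}
    log = []
    for user, action in events:
        host = balancer.route(user)
        resumed = action == "reconnect" and last_host.get(user) == host
        last_host[user] = host
        log.append((user, action, host, resumed))
    return log


def reconnect_hit_rate(log):
    """Fraction of reconnects in a simulate() log that reached the previous host."""
    reconnects = [entry for entry in log if entry[1] == "reconnect"]
    if not reconnects:
        return 0.0
    return sum(1 for entry in reconnects if entry[3]) / len(reconnects)


# Constructed event trace: two users log in, the network drops, both reconnect.
EVENTS = [
    ("alice", "connect"),
    ("bob", "connect"),
    ("alice", "reconnect"),
    ("bob", "reconnect"),
]

if __name__ == "__main__":
    for name, balancer in (("ELB-style TCP round robin", TcpRoundRobin(SERVERS)),
                           ("session broker", SessionBroker(SERVERS))):
        log = simulate(balancer, EVENTS)
        print(f"{name}: reconnect hit rate {reconnect_hit_rate(log):.0%}")
        for user, action, host, resumed in log:
            print(f"  {user:6} {action:9} -> {host} {'(resumed)' if resumed else ''}")
```

With the constructed trace the round-robin model sends both reconnects to a different host (hit rate 0%), while the broker model returns both users to their original host (100%). Any real load balancer would need RDP-aware stickiness, or a broker behind it, to close that gap; a plain TCP listener cannot.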
0

IMHO, using an AWS Elastic Load Balancer is not a viable replacement for RD Gateway - or just generally securing infrastructure in the backend subnet and only allowing credentialized access to that subnet.

I have no clue what your environment looks like - but I can say based on experience, using an ELB will open your attack surface up considerably. While you can lock down via security group, that is only one piece of the puzzle.

I suggest looking at a couple of appliances in the AWS Marketplace - the first being: Xceedium (probably overkill, but check it out nonetheless), Sophos UTM (allows VPN tunnelling and has a special portal like Xceedium where you can create roles, add users to those roles and assign those users access to certain servers/applications).

For a free (and awesome) solution, I suggest Guacamole: http://guac-dev.org/

Scott Moore
  • Thanks for the input. I wasn't originally looking at a security point of view. But it's good to know and exactly why I asked the question... The point you raise about opening my attack surface, does that also apply in a situation where a RDGW is publicly accessible? – MrJD Sep 23 '14 at 01:40
  • Anytime you make something publicly accessible, you are making your attack surface much larger. It does not mean you will be attacked of course, but the probability is much higher. RD Gateway is limiting as it requires AD credentials to even access the systems in the backend. I would say it is a much safer bet than using a straight ELB for pushing RDP/SSH traffic to nodes in the backend, due to the inclusion of having to authenticate and validating permissions, then accessing said resources. IMHO though – Scott Moore Sep 23 '14 at 20:28
  • I see. I was under the impression RDGW didn't authenticate; I thought users went straight to the server and authenticated there. That may just be the system I'm using though... Are you saying that's unsafe because technically you're opening backend infrastructure to the public without an authentication barrier? – MrJD Sep 23 '14 at 23:50
  • Yes, RDGW most definitely can/does authenticate. Without some sort of auth mechanism in place, you are most definitely opening up your backend infrastructure to potentially unwanted intruders. I recommend checking out the following site: http://technet.microsoft.com/en-us/library/cc770519.aspx – Scott Moore Sep 25 '14 at 20:48
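The answer above notes that a security group is "only one piece of the puzzle", and the comments turn on whether port 3389 ends up reachable from the whole internet without an authentication barrier in front of it. The check below is an added example, not code from the answer or from AWS: it walks a list of security groups in the shape returned by `aws ec2 describe-security-groups` (the `SecurityGroups[].IpPermissions[]` structure) and reports every group where the RDP port is open to 0.0.0.0/0 or ::/0, including rules that expose it indirectly through a port range or an all-protocol (`-1`) rule. The group ids, names and CIDRs in the sample are constructed placeholders.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (SecurityGroups[].GroupId / IpPermissions[]); ids and CIDRs are made up.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa1111example",
        "GroupName": "rds-elb-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb2222example",
        "GroupName": "rds-elb-restricted",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0ccc3333example",
        "GroupName": "all-traffic-v6",
        "IpPermissions": [
            # "-1" means every protocol and port; AWS omits FromPort/ToPort here.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`.
    IpProtocol "-1" covers all protocols and ports; otherwise the port
    must fall inside the FromPort..ToPort range of a tcp rule."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_rdp(groups, port=RDP_PORT):
    """Return (GroupId, cidr) pairs where `port` is reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_open(cidr):
                    findings.append((group["GroupId"], cidr))
    return findings


if __name__ == "__main__":
    for group_id, cidr in find_exposed_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: tcp/{RDP_PORT} open to {cidr}")
```

To run this against a real account, load the JSON from `aws ec2 describe-security-groups` and pass its `SecurityGroups` list in place of `SAMPLE_GROUPS`. A clean result only says that the security group is not the weak point; as the answer stresses, an ELB forwarding 3389 still puts the hosts' own logon prompt on the internet, which is the barrier RD Gateway's authentication step removes.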
0

I know this is a fairly old post but I was searching for load balancing remote desktop on AWS and came across it. Personally I prefer NOT using RD Gateway and just sticking to plain old session broker with a load balancer in front of it for high availability. You could always use a VPN for extra security.