Hi!

I've set up haproxy to load balance two (later more) RDP servers (MS
Terminal Services) without any connection broker (later I want to add
a second haproxy to make sure all parts keep working even if one part
fails).

So:

2x backend terminal servers running on port 3389
1x haproxy configured for load balancing, listening on port 3389
some clients to connect to haproxy on port 3389

Config is (based on
https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html):
global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon
   ssl-server-verify none

peers nxmux
   peer nxmux01 *:3388

frontend ft_rdp
   mode tcp
   bind *:3389 name rdp
   timeout client 1h
   log global
   option tcplog
   tcp-request inspect-delay 2s
   tcp-request content accept if RDP_COOKIE
   default_backend bk_rdp

backend bk_rdp
  mode tcp
  balance leastconn
  timeout server 1h
  timeout connect 4s
  log global
  option tcplog
  stick-table type string len 32 size 10k expire 8h peers nxmux
  stick on rdp_cookie(mstshash)
  option tcp-check
  tcp-check connect port 3389 ssl
  default-server inter 3s rise 2 fall 3
  #server nxnode01 10.169.16.105:3389 weight 10 check
  #server nxnode02 10.169.16.106:3389 weight 10 check
  server nxnode03 10.169.16.107:3389 weight 10 check
  server nxnode04 10.169.16.108:3389 weight 10 check

I can connect to both clients directly from all clients.
If I try to connect to haproxy it fails.

Any idea what I missed?

# haproxy -vv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe


-- 
Thomas
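
As an added example (not part of the original post and not HAProxy code): the `RDP_COOKIE` ACL and the `rdp_cookie(mstshash)` stick key in this configuration read the `Cookie: mstshash=` line in the client's first packet, the X.224 Connection Request. This Python parser extracts that cookie and the requested security protocols so you can check what a given client sends; the sample packets and the user name `testuser` are constructed.

```python
import struct

HEADER_LEN = 11  # TPKT (4) + X.224 LI, code, DST-REF, SRC-REF, class (7)

def build_request(cookie=None):
    """Build a constructed RDP Connection Request for testing (not captured traffic)."""
    body = b"" if cookie is None else b"Cookie: mstshash=" + cookie + b"\r\n"
    body += struct.pack("<BBHI", 0x01, 0x00, 8, 0x03)  # RDP_NEG_REQ: TLS | CredSSP
    x224 = bytes([6 + len(body), 0xE0, 0, 0, 0, 0, 0]) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_request(data):
    """Return the mstshash cookie and requested protocols from a client's first packet."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for TPKT + X.224 header")
    version, _, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or data[5] & 0xF0 != 0xE0:
        raise ValueError("not a TPKT v3 / X.224 Connection Request")
    if tpkt_len > len(data):
        raise ValueError("truncated packet")
    body = data[HEADER_LEN:tpkt_len]
    result = {"mstshash": None, "requested_protocols": None}
    prefix = b"Cookie: mstshash="
    if body.startswith(prefix):
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("cookie line not terminated by CRLF")
        result["mstshash"] = body[len(prefix):end].decode("ascii", "replace")
        body = body[end + 2:]
    # Optional 8-byte RDP negotiation request (type 0x01) follows the cookie line.
    if len(body) >= 8 and body[0] == 0x01:
        _type, _flags, length, protocols = struct.unpack("<BBHI", body[:8])
        if length == 8:
            result["requested_protocols"] = protocols
    return result

if __name__ == "__main__":
    for name, pkt in [("with cookie", build_request(b"testuser")),
                      ("without cookie", build_request())]:
        print(name, parse_request(pkt))
```

A packet with no `mstshash` value gives the stick rule no key to store, so that connection is placed by `balance leastconn` alone.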
