HOB RD Computing - Remote Desktop Services (RDS)

Secure access to a Windows Terminal Server farm - even over the Internet

Overview

An important component of the HOB RD VPN solution is its ability to communicate over the Microsoft RDP protocol. With the current version of MS Windows Server 2003, this is an especially powerful communications protocol. HOB RD VPN greatly enhances security, which is absolutely necessary for communications over the Internet, with extended SSL functionality. The HOB WebSecureProxy shields the Windows Terminal Servers from direct access from the Internet.

The illustration above shows a sample, basic connection of a client computer to a Windows Terminal Server farm over the Internet, using HOB WebSecureProxy. The user can make this connection with any computer equipped with a Java-capable browser. In a typical scenario, the user establishes a secure HTTPS connection to HOB WebSecureProxy, where he authenticates himself via user name and password and, optionally, with a token, e.g., RSA SecurID. This is possible because HOB WebSecureProxy fully supports RADIUS authentication. After successful authentication, the HOB terminal server client, HOBLink JWT, is downloaded to the client machine and immediately establishes an SSL-protected connection to HOB WebSecureProxy. Using the powerful Load Balancing feature, HOB WebSecureProxy then connects to the best suited terminal server in the farm. Important note for firewall administrators: all communication from the client across the firewall goes through only one port, preferably port 443.

Making applications easily and reliably available to a large number of users via a Windows Terminal Server farm requires a powerful load balancing mechanism. The versions offered by Microsoft either use a simple Round Robin method or measure only the network load. For optimal performance, however, the CPU load or other parameters on the Terminal Servers themselves must be evaluated. HOB's load balancing solution can evaluate up to 13 different parameters and can be custom tailored by the system administrator to perfectly fit the existing system.

The following parameters are available for load balancing evaluation:

  • CPU load
  • Page file use
  • Swap activity (total, read, write)
  • Memory utilization
  • Active sessions
  • Disconnected sessions
  • Network load
  • Number of processes
  • Number of threads
  • Hard drive load
  • In- and output activity

HOB Load Balancing: How it works

Before establishing the connection, the HOBLink JWT client queries the available Windows Terminal Servers. This can be done either over a broadcast or a defined server list. Each addressed server returns its current load. The corresponding client can then go to the server with the least load. This mechanism also supports disconnected sessions. In this case, the user will be reconnected to the same server on which he was working before the session disconnected.

For access over the Internet, the server load query is sent over HOB WebSecureProxy. This acts as the central control instance for all communication between the users/clients and the Windows Terminal Server farm. HOB WebSecureProxy is best placed in the DMZ, between the two firewalls, where it effectively protects servers in the LAN from any direct access over the Internet.
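The selection rule described above (reconnect to the server holding the user's disconnected session, otherwise take the least-loaded server), as an added Python sketch that is not HOB's code. The weights, the 0..100 scale for each parameter, the `LoadReport` structure and the server names are assumptions made for illustration; reports with missing or out-of-range values are discarded so that a faulty answer cannot make a server look idle.

```python
from dataclasses import dataclass

# Hypothetical weights; the page only says the administrator can tailor them.
WEIGHTS = {"cpu_load": 0.5, "memory_utilization": 0.3, "active_sessions": 0.2}

@dataclass
class LoadReport:
    server: str
    metrics: dict                      # parameter name -> load on an assumed 0..100 scale
    disconnected_users: frozenset = frozenset()

def score(report, weights=WEIGHTS):
    """Weighted load of one server; rejects missing or implausible values."""
    total = 0.0
    for name, weight in weights.items():
        value = report.metrics.get(name)
        if not isinstance(value, (int, float)) or not 0 <= value <= 100:
            raise ValueError(f"{report.server}: bad value for {name}: {value!r}")
        total += weight * value
    return total

def choose_server(user, reports, weights=WEIGHTS):
    """Return the server name for this user, or None if no usable report exists."""
    usable = []
    for report in reports:
        if report is None:             # server did not answer the load query
            continue
        try:
            usable.append((score(report, weights), report.server, report))
        except ValueError:
            continue                   # malformed report: never treat it as idle
    if not usable:
        return None
    # A disconnected session takes priority over load.
    for _, name, report in sorted(usable, key=lambda t: t[1]):
        if user in report.disconnected_users:
            return name
    # Otherwise the least-loaded server wins; ties are broken by name.
    return min(usable, key=lambda t: t[:2])[1]

# Constructed sample reports (not real measurements).
REPORTS = [
    LoadReport("ts1", {"cpu_load": 80, "memory_utilization": 60, "active_sessions": 50}),
    LoadReport("ts2", {"cpu_load": 20, "memory_utilization": 40, "active_sessions": 30}),
    LoadReport("ts3", {"cpu_load": 90, "memory_utilization": 90, "active_sessions": 90},
               frozenset({"alice"})),
    LoadReport("ts4", {"cpu_load": -5, "memory_utilization": 0, "active_sessions": 0}),
    None,
]

if __name__ == "__main__":
    print(choose_server("bob", REPORTS), choose_server("alice", REPORTS))
```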

The scenario described above covers the basic functionality of HOB RD Computing. This basic functionality can also be extended by a powerful user management feature with, e.g., LDAP or MS Active Directory. There are no specific prerequisites on the client side (except that the client has a Java-capable browser). Thus, this solution can be considered a "clientless" one. Of course, this solution by HOB can be further extended with many additional functions, for example, HOB EasyPrint, a comprehensive remote printing solution, or virus scanning of the data exchanged over Local Drive Mapping, etc.

For more information on the functionalities described above, please see the product descriptions for HOBLink JWT and HOBLink JWT Enterprise Access.

JR 11.12.15