NOOB: HA Proxy and RDP

I’ve been using HAproxy for just under two weeks - so please be gentle… I’m using it to load-balance RDP hosts. Doing that with just 3389 works like a dream. But I’m having trouble with the SSL termination method.

I used openssl to create a self-signed certificate on my HAproxy, and then used this as the HAproxy.cfg file

global
    log 127.0.0.1:514 local0
    maxconn 4096
    tune.ssl.default-dh-param 2048
    # TLS hardening applied to every "bind ... ssl" line: no SSLv3/TLS 1.0/1.1, explicit cipher list
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!3DES:!DH:!PSK:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!LOW:!SSLv2

defaults
    log global
    mode http                  # overridden below: both RDP sections set "mode tcp"
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend ft_rdp
    mode tcp
    # Terminate TLS on 443 with the self-signed certificate and pass the decrypted stream to the backend
    bind :443 ssl crt /etc/haproxy/certs/haproxy.pem
    timeout client 1h
    # Wait up to 2s for the first payload bytes so the RDP cookie can be inspected before routing
    tcp-request inspect-delay 2s
    tcp-request content accept if RDP_COOKIE
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    timeout server 1h
    timeout connect 4s
    # Persistence: pin each user to one host, keyed on the mstshash cookie from the RDP connection request
    stick-table type string len 32 size 10k expire 8h
    stick on rdp_cookie(mstshash)
    # Health check definition: TCP connect to 3389 (check-ssl wraps the check in TLS with no certificate
    # verification; note that "check" itself is not set on the servers, so no check is actually run)
    option tcp-check
    tcp-check connect port 3389
    default-server inter 30s rise 2 fall 3
    server rdp-server1 192.168.1.101:3389 check-ssl verify none
    server rdp-server2 192.168.1.102:3389 check-ssl verify none

The config file validates and the service starts but I’m unable to make connections using the Microsoft RDP client…

Any thoughts or suggestions?

Think of HTTP and RDP as languages, like English and Spanish. You’re asking HAProxy to listen for HTTP, but then you’re attempting to establish an RDP connection. These are not the same language, and HAProxy cannot understand it.

In TCP mode, HAProxy doesn’t have to care about the language spoken. It’s acting like a repeater, taking what’s heard and transmitting it to the backend without even knowing what was said.

When your configuration was in TCP mode, everything worked fine, because HAProxy just relayed info over. When you switched to HTTP mode, HAProxy started listening specifically and only for HTTP, and RDP clients don’t speak that language. HAProxy can only listen for HTTP traffic in HTTP mode. This mode is required for SSL offloading to decrypt, understand, and potentially re-encrypt traffic.
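The distinction between listeners in this thread comes down to what the very first bytes on a connection look like: a `bind ... ssl` listener expects a TLS ClientHello record, `mode http` expects an HTTP request line, and an RDP client opens with a plaintext X.224 Connection Request (TPKT framed), which is also where the `mstshash` cookie that `RDP_COOKIE` and `rdp_cookie(mstshash)` key on lives, and where the client only asks for TLS via the requested-protocols field. The following is an added example written for this page, not code from the thread or from HAProxy; the three sample packets are constructed by hand from the MS-RDPBCGR and TLS record layouts (the TLS sample is a truncated header only), not captures.

```python
"""Classify the first bytes of a client connection and parse the RDP cookie.

Added example for this thread (not HAProxy code). Shows what a TLS-terminating
listener, an HTTP listener and an RDP client each put first on the wire, and
pulls the mstshash cookie and requested protocols out of an X.224 Connection
Request the way an RDP-aware balancer must.
"""
import re
import struct
from typing import Optional

TPKT_VERSION = 0x03       # TPKT header version byte (RFC 1006)
X224_CR = 0xE0            # X.224 Connection Request TPDU code, CDT bits zero
TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # TLS handshake message type: ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# requestedProtocols bits in the optional rdpNegReq (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x0        # legacy RDP security, no TLS
PROTOCOL_SSL = 0x1        # TLS, negotiated only after this plaintext exchange
PROTOCOL_HYBRID = 0x2     # CredSSP (NLA) over TLS
PROTOCOL_HYBRID_EX = 0x8


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'rdp', 'http' or 'unknown' for the first bytes a client sent."""
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO:
        return "tls"   # what `bind :443 ssl` needs to see first
    if len(data) >= 7 and data[0] == TPKT_VERSION and data[1] == 0x00 and data[5] == X224_CR:
        return "rdp"   # TPKT header followed by an X.224 Connection Request
    if data.startswith(HTTP_METHODS):
        return "http"  # what `mode http` parses
    return "unknown"


def build_x224_connection_request(username: Optional[str], requested_protocols: int) -> bytes:
    """Construct a TPKT-framed X.224 Connection Request like an RDP client's first packet."""
    variable = b""
    if username is not None:
        variable += b"Cookie: mstshash=" + username.encode("ascii") + b"\r\n"
    # rdpNegReq: type=1, flags=0, length=8, requestedProtocols (all little-endian)
    variable += struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR code, DST-REF, SRC-REF, class option, then the variable part
    x224 = bytes([X224_CR]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + variable
    x224 = bytes([len(x224)]) + x224                       # length indicator counts bytes after itself
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_x224_connection_request(data: bytes) -> dict:
    """Parse a Connection Request; return its mstshash cookie and requested protocols.

    Raises ValueError when the bytes are not a well-formed TPKT/X.224 CR (e.g. a TLS record).
    """
    if len(data) < 11 or data[0] != TPKT_VERSION or data[1] != 0x00:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]
    if data[5] != X224_CR or li != len(data) - 5:
        raise ValueError("not an X.224 Connection Request")
    body = data[11:]                                       # skip DST-REF, SRC-REF, class option
    cookie = None
    m = re.match(rb"Cookie: mstshash=([^\r\n]*)\r\n", body)
    if m:
        cookie = m.group(1).decode("ascii", "replace")
        body = body[m.end():]
    requested = None
    if len(body) >= 8 and body[0] == 0x01:                 # TYPE_RDP_NEG_REQ present
        _type, _flags, length, requested = struct.unpack("<BBHI", body[:8])
        if length != 8:
            raise ValueError("bad rdpNegReq length")
    return {"cookie": cookie, "requested_protocols": requested}


# Constructed samples (not captures): the first bytes each kind of client sends.
RDP_FIRST_BYTES = build_x224_connection_request("alice", PROTOCOL_SSL | PROTOCOL_HYBRID)
TLS_FIRST_BYTES = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32)   # truncated ClientHello
HTTP_FIRST_BYTES = b"GET / HTTP/1.1\r\nHost: rdp.example.internal\r\n\r\n"        # hypothetical host

if __name__ == "__main__":
    for name, sample in (("RDP client", RDP_FIRST_BYTES), ("TLS client", TLS_FIRST_BYTES),
                         ("HTTP client", HTTP_FIRST_BYTES)):
        print(f"{name:12s} first bytes {sample[:6].hex()} -> {classify_first_bytes(sample)}")
    print("RDP cookie and negotiation:", parse_x224_connection_request(RDP_FIRST_BYTES))
```

Running it prints that the RDP client's connection starts with `030000` (TPKT) rather than `160301` (TLS), that the cookie `alice` is readable in plaintext inside that first packet, and that TLS is only requested there for the exchange that follows; that is the payload HAProxy's `rdp_cookie(mstshash)` fetch and the `RDP_COOKIE` ACL (`req.rdp_cookie_cnt gt 0`) operate on.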