With a large number of simultaneously open sessions, it is recommended to add additional access servers to Component arrangement #2.
Let their names be gw2, gw3, gw4, etc.; their configuration is similar to that of gw1.
The IP addresses of HAProxy and of the additional access servers must be listed in the Indeed PAM Core settings, in the file
C:\inetpub\wwwroot\api\Web.config, in the PamProxyIpAddresses setting (PAM Core accepts proxied connections only from the addresses listed here):
<add key="PamProxyIpAddresses" value="192.168.10.140, 192.168.10.145, 192.168.10.146, 192.168.10.147, 192.168.10.148" />
In the User Console settings, in the file C:\inetpub\wwwroot\uc\assets\config\config.prod.json, enter the address of the balancer in the gatewayServer section, for example:
"gatewayServer": { "address": "haproxy.indeed-id.local" },
An example HAProxy configuration for the case of four access servers:
global
    log /dev/haproxy/log local0                 # see https://en.wikipedia.org/wiki/Syslog#Facility
    log /dev/haproxy/log local1 notice          # notice - error level. List: emerg, alert, crit, err, warning, notice, info, debug
    chroot /var/lib/haproxy                     # Change the working directory to limit the impact of a compromised process; the directory is empty and has no write permissions
    maxconn 256                                 # Maximum number of simultaneous connections
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 3s
    user haproxy
    group haproxy
    daemon                                      # Run the process in the background

defaults
    log global                                  # Log parameters are taken from the global section
    mode tcp                                    # HAProxy instance mode
    option dontlognull                          # Disable logs for bogus connections
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    retries 3                                   # Retries before the status of the server is downgraded
    # Statistics
    stats enable                                # Turn on the statistics output
    stats hide-version                          # Hide the HAProxy version on the statistics page
    stats realm HAProxy\ Statistics             # Set the authentication realm
    stats uri /haproxy                          # Set the link to the stats page
    stats auth stat:stat                        # Login and password for the stats page (replace these example credentials before going into production)
    # Server selection algorithm
    balance roundrobin

frontend ft_rdp
    mode tcp
    bind 192.168.10.140:3389                    # Address and port on HAProxy that clients connect to
    timeout client 1h
    log global
    option tcplog                               # Log TCP connections with states and timers
    tcp-request inspect-delay 2s                # Maximum time to analyze the incoming connection
    tcp-request content accept if RDP_COOKIE    # Accept the session only if it opens with the RDP protocol
    default_backend bk_rdp                      # Name of the backend processing the requests

backend bk_rdp
    mode tcp
    balance leastconn                           # Select the server with the fewest active connections
    timeout server 1h
    timeout connect 4s
    log global
    option tcp-check                            # Perform an availability check over TCP,
    tcp-check connect port 3389 ssl             # by opening an encrypted connection to port 3389
    stick-table type ip size 1m expire 12h      # Stickiness table keyed by client IP, 1 million records, record lifetime 12 hours
    stick on src                                # Use the client IP address to stick a client to a server
    default-server inter 3s rise 2 fall 3       # Check backend servers every 3 seconds. A server is considered active after 2 successful checks and unavailable after 3 failed checks
    # PAM Gateway servers. Server weights are equal relative to each other; availability check enabled, certificate not verified
    server gw4 192.168.10.148:3389 weight 10 check verify none
    server gw3 192.168.10.147:3389 weight 10 check verify none
    server gw2 192.168.10.146:3389 weight 10 check verify none
    server gw1 192.168.10.145:3389 weight 10 check verify none
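As an added consistency check (it is not part of the Indeed PAM documentation or product), the following Python script parses the PamProxyIpAddresses value from Web.config and the bind and server lines from the HAProxy configuration, and reports every HAProxy address that PAM Core would not accept because it is missing from the list; the embedded configuration fragments are constructed from the values shown above.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed Web.config fragment carrying the PamProxyIpAddresses setting from this page
# (the trailing space inside value="..." is intentional, to show it is tolerated).
WEB_CONFIG = """<configuration><appSettings>
<add key="PamProxyIpAddresses" value="192.168.10.140, 192.168.10.145, 192.168.10.146, 192.168.10.147, 192.168.10.148 " />
</appSettings></configuration>"""

# Constructed excerpt of the HAProxy configuration above: the frontend bind and the backend servers.
HAPROXY_CFG = """
frontend ft_rdp
    mode tcp
    bind 192.168.10.140:3389
    default_backend bk_rdp
backend bk_rdp
    mode tcp
    server gw4 192.168.10.148:3389 weight 10 check verify none
    server gw3 192.168.10.147:3389 weight 10 check verify none
    server gw2 192.168.10.146:3389 weight 10 check verify none
    server gw1 192.168.10.145:3389 weight 10 check verify none
"""


def pam_proxy_addresses(web_config_xml: str) -> set[str]:
    """Return the set of IPs listed in PamProxyIpAddresses, with surrounding whitespace trimmed."""
    root = ET.fromstring(web_config_xml)
    for add in root.iter("add"):
        if add.get("key") == "PamProxyIpAddresses":
            return {ip.strip() for ip in add.get("value", "").split(",") if ip.strip()}
    return set()


def haproxy_addresses(cfg: str) -> dict[str, str]:
    """Map the frontend bind ('bind') and every backend server name to its IP address."""
    found: dict[str, str] = {}
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "bind":
            found["bind"] = tokens[1].split(":")[0]
        elif len(tokens) >= 3 and tokens[0] == "server":
            found[tokens[1]] = tokens[2].split(":")[0]
    return found


def missing_from_pam_core(web_config_xml: str, cfg: str) -> dict[str, str]:
    """Return HAProxy entries (name -> IP) whose IP is absent from PamProxyIpAddresses."""
    allowed = pam_proxy_addresses(web_config_xml)
    return {name: ip for name, ip in haproxy_addresses(cfg).items() if ip not in allowed}
```

Run the check again after every access server you add (gw5, gw6, ...): an address it reports must be appended to PamProxyIpAddresses before the new server is put into the backend.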