HAProxy Remote Desktop Services Example Configuration

The below configuration load balances between two RDS servers - one used for untrusted clients (defined in untrustedservers.lst) and another for trusted clients (defined in trustedservers.lst) - anything else attempting to connect to the RDS server is rejected.

Important: option tcpka - This ensures that the TCP sessions from client to frontend (and from proxy to backend) are kept alive, since RDP sessions can remain idle for long periods of time.

frontend localnodes
    bind *:3389
    mode tcp
    default_backend restricted
    timeout client 1h
    option tcpka
    # Source address lists, one IP or CIDR per line
    acl trustedclients src -f /etc/haproxy/trustedservers.lst
    acl untrustedclients src -f /etc/haproxy/untrustedservers.lst
    # Defined but not referenced by any rule below
    acl world src 0.0.0.0/0
    # Drop any source that is in neither list
    tcp-request connection reject if !trustedclients !untrustedclients
    # Wait up to 2s for the RDP cookie in the client's first packet
    tcp-request inspect-delay 2s
    tcp-request content accept if RDP_COOKIE
    # Rules are evaluated in order; the first match selects the backend
    use_backend unrestricted if trustedclients
    use_backend restricted if untrustedclients

backend unrestricted
    mode tcp
    balance source
    option tcpka
    server rds-server-01 10.0.0.1:3389 check port 3389 weight 256 inter 2s
    server rds-server-02 10.0.0.2:3389 check port 3389 weight 1 inter 2s
    timeout connect 10s
    timeout server 1h

backend restricted
    mode tcp
    balance source
    option tcpka
    server rds-server-02 10.0.0.2:3389
    timeout connect 10s
    timeout server 1h
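
An added example (not part of the original post): a Python model of the frontend's reject and use_backend rules in this configuration, used to audit the two list files for overlap, since an address matching both lists is sent to the unrestricted backend because that rule is evaluated first. The list contents are constructed samples and the function names are hypothetical.

```python
import ipaddress

# Constructed sample contents for the two ACL files named in the configuration.
TRUSTED_LST = """\
# trustedservers.lst (constructed sample)
192.0.2.0/24
198.51.100.10
"""
UNTRUSTED_LST = """\
# untrustedservers.lst (constructed sample)
203.0.113.0/24
192.0.2.128/25
"""

def parse_acl_file(text):
    """Parse an HAProxy pattern file: one IP or CIDR per line; '#' lines and blanks are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def route(src, trusted, untrusted):
    """Mirror the frontend rules in order: connection reject, then first matching use_backend."""
    ip = ipaddress.ip_address(src)
    is_trusted = any(ip in n for n in trusted)
    is_untrusted = any(ip in n for n in untrusted)
    if not is_trusted and not is_untrusted:
        return "reject"          # tcp-request connection reject
    if is_trusted:
        return "unrestricted"    # use_backend unrestricted is listed first
    return "restricted"          # use_backend restricted

def overlaps(trusted, untrusted):
    """Return (trusted_net, untrusted_net) pairs that share at least one address."""
    return [(t, u) for t in trusted for u in untrusted if t.overlaps(u)]

if __name__ == "__main__":
    trusted, untrusted = parse_acl_file(TRUSTED_LST), parse_acl_file(UNTRUSTED_LST)
    for src in ("192.0.2.200", "203.0.113.7", "10.9.9.9"):
        print(src, "->", route(src, trusted, untrusted))
    for t, u in overlaps(trusted, untrusted):
        print(f"overlap: {t} (trusted) and {u} (untrusted): unrestricted backend wins")
```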