Remote desktop or RemoteApps break when Session broker is behind UAG Server

For quite some time I have seen this question popping up on forums and in cases: why does UAG break RDP traffic when a Session Broker (Connection Broker) sits behind it to load-balance the farm? I started investigating, and it took me a while to establish the footprint of this problem. UAG 2010 SP1 fails to connect to the back-end RD farm over Remote Desktop or RemoteApp when the Session Broker sits behind the UAG server (which acts as the RD Gateway), and the failure is recorded in the UAG server's event log.

The following error is logged on the UAG server:

Description:
The user "Alfa\uagservice", on client computer "127.0.0.1", did not meet resource
authorization policy requirements and was therefore not authorized to resource
"10.1.2.194". The following error occurred: "23002".


I captured ETL traces on Windows 2008 R2 and, based on them, took a memory dump and debugged the server while this configuration was in action, setting a breakpoint where the policy function was called. I worked with a Remote Desktop Escalation Engineer in Microsoft support (a colleague, basically) to walk through the RD part of the code, and we noticed that the RAP function call made to the RD Gateway expected the policy to be applied using the IP address. When I looked at the UAG configuration, I realized that, because this was never documented, we were all just entering the FQDNs of the RD farm servers.

The Resource Authorization Policy (RAP) check fails when the Session Broker sits behind the UAG server (the RD Gateway), because the RAP needs the IP address to authorize the connection to the farm.

To resolve this issue, the following configuration change is required:

When you publish RemoteApp or Remote Desktop, add the RD Connection Broker in the UAG publishing wizard, or under the Server Settings tab of the application (RemoteApp or Remote Desktop). Put the Connection Broker name at the top of the list, then add the session hosts' FQDNs plus their IP addresses as well, in that stage of the wizard or on the application's Server tab.

 <<Screenshot below>>

With this configuration in place, UAG 2010 SP1 should work across the RD farm even when the Session Broker sits behind the UAG server (which is also the RD Gateway).
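To make the RAP mismatch concrete, here is an added example (not code from the original post or from UAG) that parses the event-log message shown above and checks the resource it names against the server list you would publish in the UAG wizard. It assumes, as a simplification, that the RAP built from that list matches the requested resource literally, so an IP-literal resource such as 10.1.2.194 only matches if an IP entry is present; the farm names and the second address are constructed for the example.

```python
"""Check a UAG/RDG resource-authorization event against a published RD farm
server list. Added example; not part of the original post or of UAG itself."""
import ipaddress
import re

# Event text as it appears in the UAG server event log (copied from the post;
# the parser below normalises the line wrapping).
SAMPLE_EVENT = '''The user "Alfa\\uagservice", on client computer "127.0.0.1", did not meet resource
authorization policy requirements and was therefore not authorized to resource
"10.1.2.194". The following error occurred: "23002".'''

EVENT_RE = re.compile(
    r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", '
    r'did not meet resource authorization policy requirements and was therefore '
    r'not authorized to resource "(?P<resource>[^"]+)"\. '
    r'The following error occurred: "(?P<code>\d+)"\.'
)


def parse_rap_event(text):
    """Return the fields of a RAP failure event, or None if text is not one."""
    flat = " ".join(text.split())  # collapse the wrapped event text
    m = EVENT_RE.search(flat)
    return m.groupdict() if m else None


def is_ip(value):
    """True if value is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resource_allowed(resource, published):
    # Assumption for this example: the RAP derived from the UAG server list
    # compares the requested resource name literally (case-insensitive), so an
    # IP-literal resource only matches an IP entry, never the FQDN it maps to.
    return resource.lower() in {p.lower() for p in published}


def diagnose(event_text, published):
    """Classify a RAP failure event against the published server list."""
    ev = parse_rap_event(event_text)
    if ev is None:
        return None
    ev = dict(ev)
    if resource_allowed(ev["resource"], published):
        ev["verdict"] = "allowed"
    elif is_ip(ev["resource"]):
        # The broker redirected the client by IP, but only FQDNs were published.
        ev["verdict"] = "missing-ip"
    else:
        ev["verdict"] = "missing-name"
    return ev


# Constructed farm: hypothetical broker/session-host names and a second address;
# only 10.1.2.194 comes from the post.
FQDN_ONLY = ["rdcb.alfa.example", "rdsh1.alfa.example", "rdsh2.alfa.example"]
WITH_IPS = FQDN_ONLY + ["10.1.2.193", "10.1.2.194"]

if __name__ == "__main__":
    for label, published in (("FQDN only", FQDN_ONLY), ("FQDN + IP", WITH_IPS)):
        print(f"{label}: {diagnose(SAMPLE_EVENT, published)['verdict']}")
```

Running it reports `missing-ip` for the FQDN-only list and `allowed` once the session hosts' IP addresses are published alongside their names, which is exactly the change the wizard step above makes.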

Hope this helps.