[Failover test] Create load balancing rules and access the Windows Server via remote desktop


This recipe is part of the process of deploying FortiGate HA load-balancing for Microsoft Azure using Azure load balancer. See below for the rest of the recipes in this process:

  1. Basic concepts
    • Traffic flow
    • Azure load balancer
      • Inbound NAT rules
      • Load balancing rules
  2. Locate FortiGate HA for Azure in the Azure portal or Azure marketplace
  3. Determine your licensing model
  4. Configure FortiGate initial parameters
  5. Create VNet and subnets in network settings
  6. Select Azure instance type
  7. Assign Azure IP address
  8. Validate deployment resources
  9. Create FortiGate instances
  10. Connect to the FortiGate
  11. [Use case] Set up a Windows Server in the protected network
  12. Configure FortiGate firewall policies and virtual IPs
  13. [Failover test] Create load balancing rules and access the Windows Server via remote desktop

This is the most crucial configuration to ensure the HA setup functions.

  1. Locate the Azure load balancer, then click Load balancing rules.
  2. Click Add to create a new load balancing rule. Configure like the following:
    1. Name: unique load balancing rule name
    2. Frontend IP address: choose from the two available values. In this example, let’s choose the one associated with FortiGate A.
    3. Protocol: TCP
    4. Port: 3389 for an RDP request made by your remote desktop application.
    5. Backend port: 3389 for RDP port listening on the Windows Server.
    6. Backend pool: by default, there is only one value consisting of the two FortiGate instances.
    7. Health probe: keep as-is.
    8. Session persistence: to learn about this option, click the information symbol. For testing purposes, select None.
    9. Do not change any other field. Click OK.
  3. From the PC, start the remote desktop client by specifying FortiGate A’s public IP address. If you can see the Windows desktop, this means FortiGate A’s firewall policy for RDP port forwarding is working as expected. At this stage, you know that at least FortiGate A’s port forwarding works as expected.
  4. Test the failover case by shutting down FortiGate A. It may take a few minutes to completely shut down.
  5. When one FortiGate is shut down, the Azure HA set shows the status as the following:
  6. If only FortiGate B is found to be alive, the Azure load balancer passes incoming traffic only to FortiGate B. Verify your management GUI access to FortiGate A does not work after shutdown.
  7. From your PC, start the remote desktop client by specifying the public IP address previously assigned to FortiGate A. This IP address is what you specified in the load balancing rule as the frontend IP address. You should still be able to access the Windows Server through FortiGate B. Do not forget to make the same port forwarding configuration on FortiGate B as in the previous steps.