On Wed, Oct 29, 2025 at 9:35 AM Subbareddy Alamuru < [email protected]> wrote:
> Hello,
>
> I have set up this design of guacamole for Windows RDP.
>
> Guacamole instances behind AWS Application load balancer with lb_cookie type stickiness for a period of 1 day.
> Windows Autoscaling Group behind AWS Network Load balancer with source_ip persistence for 8 hours.
>
> I have 2 instances in the windows ASG, but all the users' RDP sessions from the guacamole instances are directed to a single windows instance, even though both instances are healthy and able to authenticate the users when RDP sessions are manually launched on the other server.
>
> Has anyone faced similar issues? How did you overcome it? Is there any better setup? Would like to learn and improve my setup.

I can spot at least one issue with this - my guess is that, since you're balancing based on source_ip persistence, and since all of the connections are going to appear to that load balancer to come from one of two IP addresses, every connection from a Guacamole instance will get pinned to the same back-end Windows Server, every time. If the load balancer happens to select the same back-end Windows Server for both Guacamole instances, then all the connections will always end up on the same Windows Server, because you have it configured for persistence based on Source IP address, and the source IP address will always be the same (the Guacamole instance IP address).

As far as how to work around this - you'll likely need to adjust the load balancer configuration to use some other form of session persistence or stickiness. Doing some reading about the AWS Load Balancer, it looks like it supports either load-balancer-generated cookies or application-generated cookies for this purpose. I don't actually know off the top of my head if Guacamole generates those cookies or not, so not sure the application-generated one would work without some modification to the code.

But the load-balancer-generated cookies may work, as long as you're allowing it to do round-robin and not enabling routing based on source IP.

-Nick
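As an added illustration (not code from this thread; the IPs, instance names and the hash are constructed stand-ins), this simulation shows why source-IP persistence on the Windows tier sees only the Guacamole hosts' addresses and so collapses every RDP session onto one or two backends, while plain per-flow round-robin spreads the same sessions evenly:

```python
"""Constructed simulation of the routing problem described in the thread.

Source-IP persistence chooses a target from the *source* address only. Behind
Guacamole the source is always a Guacamole host, so at most one backend per
Guacamole instance is ever used, and one backend in total if both hash alike.
Hash, IPs and names are placeholders; a real balancer's hash differs but has
the same "function of source IP only" property.
"""
import ipaddress
from collections import Counter

WINDOWS_TARGETS = ["win-a", "win-b"]  # constructed: the two ASG instances


def target_for_source_ip(src_ip: str, targets: list[str]) -> str:
    """Source-IP persistence: deterministic in the source address alone."""
    return targets[int(ipaddress.IPv4Address(src_ip)) % len(targets)]


def route_sessions(sessions: list[tuple[str, str]], mode: str) -> Counter:
    """Route (user, source_ip) sessions; return sessions landed per target.

    mode == "source_ip":   every flow from one source goes to one target.
    mode == "round_robin": each new TCP flow (one per RDP session) rotates.
    """
    counts: Counter = Counter()
    for i, (_user, src_ip) in enumerate(sessions):
        if mode == "source_ip":
            target = target_for_source_ip(src_ip, WINDOWS_TARGETS)
        elif mode == "round_robin":
            target = WINDOWS_TARGETS[i % len(WINDOWS_TARGETS)]
        else:
            raise ValueError(f"unknown mode {mode!r}")
        counts[target] += 1
    return counts


def demo_sessions(guac_ips: list[str], per_guac: int = 3) -> list[tuple[str, str]]:
    """Distinct users spread evenly over the Guacamole hosts the NLB sees."""
    return [(f"user{k * per_guac + n}", ip)
            for k, ip in enumerate(guac_ips) for n in range(per_guac)]


if __name__ == "__main__":
    guac = ["10.0.1.10", "10.0.2.10"]  # constructed Guacamole egress addresses
    for mode in ("source_ip", "round_robin"):
        print(mode, dict(route_sessions(demo_sessions(guac), mode)))
```

With these placeholder addresses both Guacamole hosts hash to the same backend, so all six sessions land on `win-a` under source-IP persistence; changing one address so it hashes differently still only splits sessions by Guacamole host, never by user.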
