Forum Discussion

Torijori_Yamamada's avatar
Mar 21, 2020

APM SSO breaks RDP persistence

Hello,

 

Trying to add a virtual server behind an APM policy. The APM and LTM works on different F5 appliances and both are physical. LTM side is very basic and it was built by an iApp. It just serves an RDP service on two different Windows hosts. LTM virtual server uses Msrdp persistence profile. While testing, i can connect to that virtual server with native rdp application and it serves well. LTM virtual server manages sessions perfectly and keeps persistence record for each connection asit sholud be. 

 

The APM side is already been there since couple of years. I just trying to add that LTM virtual Server as an RDP resource into the APM policy. The policy building phase is already done and when i click on RDP link on the webtop, APM prepare rdp file and download it. When i click "Open" button on for that file native rdp client application loads session and opens a window for it. So far good.

 

When session established by APM with SSO option enabled, LTM virtual server can't see the username and this is causing the persistence issue. If i disable SSO on APM, the LTM virtual server sees the username field and maintains the persistence.

 

While struggling this issue a couple of idea came up. 

  • A ) Create a layer 2 connection to LTM virtual server so no need to SNAT. Ltm virtual server sees source IP and use it for session persistence. (Not that easy because this policy is already in use)
  • B ) Construct an iRule which maintains the session, load balancing, monitoring and persistence. (Wrote some of the parts but not finished yet.)
  • C ) Send "Client IP" as a TCP Option. (Since APM using Application Tunnel for RDP sessions this option doesn't work)
  • D ) Force to native client to send username clear text. (Added "username:s:%{session.logon.last.username}" in rdp profile but doesn't work)

 

I feel like i missed some point obviously. Is there any other way to solve this issue ?

  • Abed_AL-R's avatar
    Abed_AL-R
    Mar 14, 2021

    There is a good news 🙂

    We solved it and provided the solution to F5 TAC to maybe enhance it a little bit or publish it to help others after examining it.

    But it works fine in our environment and solved the persistence problem.

    We used some of your irule and enhance it a little to use LTM load balance.

    So, we have an iRule that is doing OTP SMS authentication and it is called from the VPE to send the OTP code to the end user. So we inserted at the top on the iRule a process to pick an available pool member using round robin method:

    proc pickOneAvailable { } {
    set poolNameEnc TWFydmFblablablaBTg==
    pool [b64decode $poolNameEnc]
    if {[active_members [b64decode $poolNameEnc]] < 1}{
    set mypick  "NULL"
    } else {
    LB::mode rr 
    set mypick  [LB::select]
    #log local0. "my pick is $mypick"
    eval $mypick 
    set retVal [getfield [LB::server addr] % 1]
    #log local0. "my retVal is $retVal"
    }
    }

    And added this section ""PopulateDestIP"" at the very end of "when ACCESS_POLICY_AGENT_EVENT { " section

    "PopulateDestIP" {
    set uName [ACCESS::session data get session.logon.last.username]
    set sessionSID [ACCESS::session sid]; log local0. "DEBUG ACCESS SID = $sessionSID"
    set nextNode [call pickOneAvailable ]
    if { $nextNode == "NULL" } {    
    #log local0. "Sorry, No Member could pick from pool."
    } else {
    ACCESS::session data set "session.logon.rdp.dest" $nextNode
    #log local0. "This user $uName has picked this server: $nextNode"                                                            
    }
    unset uName
    unset sessionSID
    }

    The " PopulateDestIP " will run/call the process " pickOneAvailable " and get the available node and put it into a variable named " $nextNode "

    Then it will put this variable into a APM variable named " session.logon.rdp.dest "

    After then I take the "session.logon.rdp.dest" variable and use it in the APM RDP configuration [access > connectivity/VPN > VDI/RDP > in the RDP destination I choose type "hostname" and put this variable there " %{session.logon.rdp.dest} " ].

    Now, in the VPE, before doing the LDAP query for group membership, I put a Custom iRule Event Agent to call the " PopulateDestIP " )

    That’s it. Now when the user login, he will get at the first beginning the IP address of the RDP server using the LTM pool and method round robin.

    Now, even if the user got disconnected from the RDP session for any reason or logged out from the RDP server but did not got disconnected from the APM session (he didn't logout entirely from the APM) he will always get the same RDP server because it is written "coded" in the native RDP file he downloads.

     

    So the strategy is :

    1. To get the available RDP server IP from the LTM pool
    2. To put the IP as a variable in LTM
    3. To put that variable into APM variable
    4. To populate that variable to the end-user

     

     

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP

      that is very nice Torijori, could you share the iRule for others that have this issue?

      • Sure. But i think that i choose the hard way. Because, i needed session persistence feature before starting to write an iRule. While writing the iRule i've realised that i have to write other features like load balancing, monitoring. All those features are built-in abilities of F5 and deciding to use an iRule for them is a risky move. By deciding to use an irule for that i forced myself to refuse to use basic principles of the load balancing. Regret ? Nope, i think it was the funiest way learn something. 

         

        Here is the link:

        https://github.com/GlynisBarberBrandon/F5.git

         

  • Hello,

    I'm struggling with the same

    Can't see neither the usename nor the client IP any more after moving from ActiveX RDP to Native. And msrdp persistence not working also

    I created ticket for that, and I hope if the support will share an irule which is much simple for us

      • Abed_AL-R's avatar
        Abed_AL-R
        Icon for Cirrostratus rankCirrostratus

        No luck actually.

        They say it is an internal known bug "MSRDP based persistence with encryption enabled "and no iRule they can create for us in the mean time

        This is all because of the encrypted entire RDP traffic because of the SSO.

        So it is either to remove sso on the native rdp, or this is what it is ..

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus

      There is a good news 🙂

      We solved it and provided the solution to F5 TAC to maybe enhance it a little bit or publish it to help others after examining it.

      But it works fine in our environment and solved the persistence problem.

      We used some of your irule and enhance it a little to use LTM load balance.

      So, we have an iRule that is doing OTP SMS authentication and it is called from the VPE to send the OTP code to the end user. So we inserted at the top on the iRule a process to pick an available pool member using round robin method:

      proc pickOneAvailable { } {
      set poolNameEnc TWFydmFblablablaBTg==
      pool [b64decode $poolNameEnc]
      if {[active_members [b64decode $poolNameEnc]] < 1}{
      set mypick  "NULL"
      } else {
      LB::mode rr 
      set mypick  [LB::select]
      #log local0. "my pick is $mypick"
      eval $mypick 
      set retVal [getfield [LB::server addr] % 1]
      #log local0. "my retVal is $retVal"
      }
      }

      And added this section ""PopulateDestIP"" at the very end of "when ACCESS_POLICY_AGENT_EVENT { " section

      "PopulateDestIP" {
      set uName [ACCESS::session data get session.logon.last.username]
      set sessionSID [ACCESS::session sid]; log local0. "DEBUG ACCESS SID = $sessionSID"
      set nextNode [call pickOneAvailable ]
      if { $nextNode == "NULL" } {    
      #log local0. "Sorry, No Member could pick from pool."
      } else {
      ACCESS::session data set "session.logon.rdp.dest" $nextNode
      #log local0. "This user $uName has picked this server: $nextNode"                                                            
      }
      unset uName
      unset sessionSID
      }

      The " PopulateDestIP " will run/call the process " pickOneAvailable " and get the available node and put it into a variable named " $nextNode "

      Then it will put this variable into a APM variable named " session.logon.rdp.dest "

      After then I take the "session.logon.rdp.dest" variable and use it in the APM RDP configuration [access > connectivity/VPN > VDI/RDP > in the RDP destination I choose type "hostname" and put this variable there " %{session.logon.rdp.dest} " ].

      Now, in the VPE, before doing the LDAP query for group membership, I put a Custom iRule Event Agent to call the " PopulateDestIP " )

      That’s it. Now when the user login, he will get at the first beginning the IP address of the RDP server using the LTM pool and method round robin.

      Now, even if the user got disconnected from the RDP session for any reason or logged out from the RDP server but did not got disconnected from the APM session (he didn't logout entirely from the APM) he will always get the same RDP server because it is written "coded" in the native RDP file he downloads.

       

      So the strategy is :

      1. To get the available RDP server IP from the LTM pool
      2. To put the IP as a variable in LTM
      3. To put that variable into APM variable
      4. To populate that variable to the end-user