Forum Discussion
F5 APM RDP
Hi Guys,
Recently we deployed F5 APM as an SSL VPN solution for our company laptops (only domain-joined Windows), and all runs well.
However, there is a new requirement: can other OS laptops, like Mac or non-domain Windows clients, also get secure RDP to their company Windows laptops and then control those laptops to access the internal network, etc.? If yes, how do we deploy it in detail?
I tried to add one test laptop into "VDI/RDP" and also added the existing Access_Policy as below. After authentication from the logon page, I can see this RDP icon; when I click it, it automatically downloads one RDP file. When I click that, it tries to connect and then fails as below. The last one is the existing access_policy for non-domain Windows used for testing RDP.
Please help review and guide me on how to configure this, since I am not familiar with the APM product.
Best Regards.
4 Replies
- tira_li
Nimbostratus
Hi,
Thanks for your quick response! Great steps. I would like to use "Client OS" to detect the client type, with a specified domain Windows registry check for client restrictions. I also want to check whether the RDP host you mentioned points to a Windows Terminal Server with the Remote Desktop Session Host service, using the terminal server to reach the end user's own company laptop, or points directly to the end user's own company laptop?
- Lucas_Thompson
Employee
Without the /var/log/apm logs for that user's session, this is a guess, but it might be that the access is denied because there is another higher precedence ACL assigned to the user, or the system isn't noticing that it should be allowing that destination RDP server. Normally if the RDP host is statically assigned (just one IP:port) this "allow access" is automatic, but there may be some corner case issue.
Normally the RDG-RAP policy is used to authorize user access to dynamic RDP endpoints, like where you assign it with a session variable or the user chooses it. It seems weird, but this mechanism is used because of technical limitations: APM doesn't have knowledge of what RDP endpoints should be allowed, so RDG-RAP can be used to query servers to obtain authorized endpoints.
For testing we can just try to create a policy of type "RDG-RAP" that's just Start -> Allow so the connection is always allowed, then assign it during access policy execution.
Then assign it to the user in their access policy:
- tira_li
Nimbostratus
Hi Lucas,
I have tried to test a simple access policy in which non-domain Windows clients are assigned a specified Windows RDP server (172.22.13.20) running the Remote Desktop Session Host service on port 3389; however, it still failed. From the message, it still can't connect, as shown below. I'm not sure whether some configuration is wrong. If so, how should it be set? Can you list the steps?
We can RDP directly to this testing server 172.22.13.20 from an intranet client, so when connecting through the VM F5 APM, should we also allow the internal IP of the F5 APM to connect to this testing server?
error log:
