Forum Discussion

tira_li's avatar
tira_li
Icon for Nimbostratus rankNimbostratus
Sep 30, 2024

F5 APM RDP

Hi Guys,   Recently we have deployed F5 APM as SSL VPN solution for our company laptops (only for Windows within domain), all runs well. However, there is a new requirement that if other OS laptop...
apm.f5
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Sep 30, 2024

Without the /var/log/apm logs for that user's session, this is a guess, but it might be that the access is denied because there is another higher precedence ACL assigned to the user, or the system isn't noticing that it should be allowing that destination RDP server. Normally if the RDP host is statically assigned (just one IP:port) this "allow access" is automatic, but there may be some corner case issue.

Normally the RDG-RAP policy is used to authorize user access to dynamic RDP endpoints, like where you assign it with a session variable or the user chooses it. It seems weird, but this mechanism is used because of technical limitations: APM doesn't have knowledge of what RDP endpoints should be allowed, so RDG-RAP can be used to query servers to obtain authorized endpoints.

 

For testing we can just try to create a policy of type "RDG-RAP" that's just Start -> Allow so the connection is always allowed, then assign it during access policy execution.

 

 

Then assign it to the user in their access policy:

 

 

  • tira_li's avatar
    tira_li
    Icon for Nimbostratus rankNimbostratus
    Oct 08, 2024

    Hi Lucas,

    I have tried to test a simple access policy that non-domain Windows would be assigned specified Windows RDP server (172.22.13.20) with Remote Desktop Session Host service, port 3389, however it still failed. From message, it still can't be inter-connected as below. Not sure if there some configuration is wrong or not? If wrong, how to set? Can list out the steps?

    We can directly RDP this testing server 172.22.13.20 from intranet client, so if using VM F5 APM to connect, should we also allow internal IP of F5 APM to connect this testing server?

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------

     

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------

    error log: