For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Laurence1's avatar
Laurence1
Icon for Nimbostratus rankNimbostratus
Dec 15, 2023

F5 APM Webtop - RDP Session Logging

Hello F5 Experts, I am relatively new to the F5 advanced ecosystem, am trying to generate useful logs from our APM Webtop environment and am hoping that someone can point me in the correct direction...
BIG-IP Access Policy Manager (APM)
devops
irule
logging
rdp
webtop
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Jan 03, 2024

It's great that you have such a detailed list. APM stores user session data in "session variables" that are available for user-display, logging, rule evaluation, etc. The user's truncated session ID is automatically included in all system-generated logs (except for some at the very beginning of a native mode RDP/Citrix connection where we don't know what the session is yet) 

Let's talk about each one of your requirements.

  • Initial login's to the Webtop including ClientIP, Webtop portal address, Browser UserAgent, Client Username.

APM has an Informational-level "New session from..." message that you have probably seen, it includes the BIG-IP Virtual server that services the connection, a user-agent, a client ip. The username is unknown until the session executes and obtains that information, so you'll have to put logging agents or irules in for such. If you use iRules, fire those after the session has been fully started. The iRule event for this is called ACCESS_POLICY_COMPLETED.

 

  • When a client opens a RDP link from within the Webtop including, ClientIP, Webtop portal address, Browser UserAgent, Client Username, RDP Address, SessionCookie(?).
  • When a client connects to a RDP session though the Webtop using one of the downloaded links, ClientIP, Webtop portal address, Client Username, RDP Address, SessionCookie(?), Session start and end time (Maybe two different log events?).

This is a little more tricky. If you enable VDI informational level logging, you'll see a lot of data that IIRC includes most of this information. Check it out and see if it works for you. If you want to do timing, you'll have to record a "start time" associated with that link, then figure out what happens at the end of the RDP session. This could vary greatly depending on if users timeout or force-close, or allow their session to expire, or log out, etc. A local proxy like Fiddler or an equivalent can help you figure out what URLs exactly that your client accesses during different usage. Once you know these URLs, you can use a technique with iRules like this to detect and log (you'd substitute log statements and the RDP URL for the VPN URL)

https://my.f5.com/manage/s/article/K27804015