Stephan_Schwar1
Dec 04, 2015

having trouble proxying websocket traffic

Hi,

I was looking at solutions to provide RDP access from the Big-IP in a different way than the platform itself allows out of the box (so please don't suggest using APM's Remote Desktop objects that can be used within a webtop). The Remote Desktop objects are kind of useless in my use case, since I'd have to create hundreds of them if I were to go that route (and using a variable instead, which can be filled during the logon page, is also not good enough, since this variable is only set during the logon form and then the settings of the RDP object, like hostname/credentials, can't be changed anymore).

At first I was looking at RDS Gateway, however I can't seem to find a way to provide access to the gateway using the APM with RSA/SMS without breaking the RDP client (I can access the RDS Web Access site, however the gateway service doesn't seem to work nicely if placed behind the APM).

The products I was looking at are things like:

1. https://cloudbase.it/freerdp-html5-proxy-windows/
2. http://www.cybelesoft.com/thinfinity/remote-desktop/server/

Both are HTML5 web clients, which means that no actual software is required except a browser. I figured this would be a nice alternative method to provide RDP access to local machines on our network without first having to connect to a citrix/vmware desktop/vdi and start the client from there.

If I create a virtual server using the performance layer 4 (or standard without using an http profile), the web clients work properly and are responsive. However, this does not provide me with the security that I want, since I would really like to use the APM to provide access to this application using two-factor authentication by RSA/SMS. However, this requires that I terminate the SSL traffic on the Big-IP (I would not bridge SSL, but offload SSL, since I would not use SSL on the back-end web server for this). However, once I have provided the credentials to the APM and I see the backend web application, I'm unable to open an RDP connection using FreeRDP Web Proxy; it will endlessly sit on the screen as if it tries to connect. Using the product of CybeleSoft, it falls back to plain HTTP traffic instead of Websocket for the RDP session, which makes it unusably slow (not exaggerated).

The Big-IP version is 11.6.0 Build 5.123.429

From what I was able to find, a virtual server with the http profile should now no longer require an iRule to disable HTTP (I've tried this as well, but that also doesn't work) in order to pass through the websocket traffic.

I was hoping anyone would be able to provide some insight as to what I'm doing wrong.

 

2 Replies

  • Hello,

    Are you using OneConnect? If so, can you try to remove this profile?

    I think that you will need to have the same kind of connection on the client side and the backend side, thus no SSL offload. This can be an issue as the websocket may use ws:// or wss:// (over secure), and having SSL offloading may be the issue.

    And lastly, did you try to remove the APM profile only on your Virtual Server to check if APM causes issues? If this is the case, you may try to write an iRule to disable APM authentication for websocket traffic using the following command: ACCESS::disable

     

  • As a vendor of an HTML5 RDP product, I am also having an issue with this. While the F5 seems to allow websockets, it does not do websocket rewriting. I have opened a more recent DevCentral post regarding this.