Forum Discussion
Marvin
Cirrocumulus
CirrocumulusHTML5 support for RDP
I there any support for HTML5 for RDP connnections behind F5 without using a client? Or even possible with a client? The use case is to have a webtop with a link to establish an RDP connection bu...
MarvinCirrocumulus
CirrocumulusIt is registered (Bug ID 578545) [RFE] Support RDP HTML5 client on APM Webtop no ETA yet however by implementing this you would also solve this bug Bug ID 969097: Native RDP Route Domain and SNAT Selection not applying SNAT settings
https://cdn.f5.com/product/bugtracker/ID969097.html
The use case is very simple an easy to use web based RDP access and based on the role defined in access profile assign the correct SNAT IP address. Please have this implemented.
Lucas_Thompson
Employee
EmployeeThanks for the additional detail. 969097 is difficult from an architecture standpoint. That 578545 issue was a request to evaluate 3rd party HTML5 clients like Guacamole and Hobsoft, but since Microsoft now have a native HTML webclient it's probably best to focus on theirs.
After looking at it for a while, it seems like the only L4-ish solution (because of 969097) is to use a data group to hold a list of SNAT selectors and an irule (or maybe an LTM policy), and probably an extra vip, which is a way overload of extra configuration.
An L7 solution *that does support SSO* might be to use SAML IDP-chaining with Azure or a local SAML SSO chained from whatever you currently logon with in the same way that CyberArk (no affiliation) provides a nice configuration guide on here:
https://docs.cyberark.com/identity/latest/en/Content/Applications/certified-apps/RDWeb_SSO.htm
NOTE: I just stumbled on that from a google search for something like "webclient html5 microsoft saml" and have not tested it at all. They do have an impressive number of nice generic-SAML-ish integration articles!
BIG-IP APM does support these SAML-SSO-intercept and IdP-Chaining use cases that should allow you to both behave as and offer SSO for your users.