Forum Discussion
iRule for APM Resource Assignment
Hello,
We use our F5 as a gateway for RDP sessions. We have a logon page, a RADIUS authentication and then an Advanced Resource Assign to assign the RDP session. Every user has a different RDP connection. I have configured this via the VPE and it works.
Now over 200 users need to be added, and doing this via the VPE is wasteful. That's why I'm writing an iRule to solve the resource assignment.
In the Advanced Resource Assign I only assign a webtop.
My iRule:
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "do_something" {
            # username entered on the logon page
            set username [ACCESS::session data get session.logon.last.username]
            set domain "xxx"
            # resource names that the session variable is filled with
            set terminalrdp "/Common/Terminalserver-RDP-pool"
            set c2123 "/Common/C2123"
            set c2124 "/Common/C2124"
            if {$username contains "Testuser"} {
                ACCESS::session data set session.logon.last.domain $domain
                ACCESS::session data set session.assigned.resources.rd $terminalrdp
            }
            if {$username == "UserX"} {
                ACCESS::session data set session.assigned.resources.rd $c2123
            }
            if {$username == "UserY"} {
                ACCESS::session data set session.assigned.resources.rd $c2124
            }
        }
    }
}
But this doesn't work as expected and I hope someone can help me. Maybe there is a simpler and better solution for the problem.
- Stanislas_Piro2
Cumulonimbus
How many RDP resources do you want to assign to each user?
For a customer we created only one RDP resource with a hostname,
and we created a DNS record for each user: %{session.logon.username}.company.local
- Universal-Inves
Nimbostratus
Are there other ways to solve the problem? What's wrong with my iRule that it doesn't work?
- iaine
Nacreous
Where are the RDP resources stored? If in AD, then you can query the attribute and parse the response into APM variables. You can then create RDP links using the APM variable and tailor your APM policy so that the RDP icon is only presented to the user if the APM variable has been populated.
- youssef1
Cumulonimbus
Hello,
You could manage your needs in 2 different ways:
-> Populate the RDP users in an AD/LDAP attribute (multivalue), and use an iRule to feed dynamic RDPs.
-> Or via an iRule using a datagroup to store your RDPs.
For the second option, I advise you to create 5 (or more, depending on your convenience) dynamic RDPs that you feed according to the number of RDPs allocated to the user.
All you have to do is feed your dynamic RDPs with the IP addresses of the user's machines. By default, if the user has only one machine, it will feed the other RDPs with a non-resolvable FQDN and therefore they will not be displayed on the portal.
For information, when I say dynamic RDP, I mean that you create an RDP with a session variable instead of the FQDN, which you feed according to the user.
I have already done a similar job at a customer; if you want help on the subject, let me know.
Regards
- Universal-Inves
Nimbostratus
Hello, I finally found my mistake and why the iRule never worked. The iRule was only assigned to the access policy in the VPE, but not to the virtual server. After that was solved, the iRule also worked. However, I could only assign one value per user in the data group. That's why I wrote the iRule as follows:
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "ui-rdp" {
            # placeholder hostname: a slot left with this value does not resolve
            set dynrdp "notresolvable.net"
            set username [ACCESS::session data get session.logon.last.username]
            # default both dynamic RDP slots to the placeholder
            ACCESS::session data set session.assigned.resources.dynrd1 $dynrdp
            ACCESS::session data set session.assigned.resources.dynrd2 $dynrdp
            # per-user hosts for the dynamic RDP resources
            switch $username {
                User1 {
                    ACCESS::session data set session.assigned.resources.dynrd1 "Client1"
                    ACCESS::session data set session.assigned.resources.dynrd2 "Server1"
                }
                User2 {
                    ACCESS::session data set session.assigned.resources.dynrd1 "Client2"
                    ACCESS::session data set session.assigned.resources.dynrd2 "Server2"
                }
                UserX {
                    ACCESS::session data set session.assigned.resources.dynrd1 "ClientX"
                }
            }
        }
    }
}
I still have 2 problems:
- Even if the client is not resolvable, it is displayed in the webtop with the unresolvable name. Is this possibly a bug in version 13.1, which we use? The feature is described in a Configuration Guide from 11.4.
- I have an RDP with "user defined"; if I enter there the IP of a client on which the access works, I get the error message "Your user account is not listed in the RD Gateway's permission list". Does anyone know this error?
Best Regards Tina
- Abdessamad_851
Nimbostratus
I think you can still work with a data group. Just define all necessary RDPs as a list in each user entry, then loop over that list and assign all RDP resources.
ltm data-group internal myClassName {
    records {
        User1 {
            data "Client1 Server1"
        }
        User2 {
            data "Client2 Server2"
        }
    }
    type string
}
The iRule DG part should look like this:
# value of the user's entry: a space-separated list of hosts
set RDPs [class match -value $username equals myClassName]
foreach rdp $RDPs {
    # position in the list (0-based), mapped to dynrd1, dynrd2, ...
    set rdpIndex [expr {[lsearch $RDPs $rdp] + 1}]
    set dynrdVar "dynrd$rdpIndex"
    ACCESS::session data set session.assigned.resources.$dynrdVar $rdp
}
I didn't test it, so the code might have to be adjusted a little.
Regards.
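Putting the two approaches in this thread together (Tina's placeholder hostname for unused dynamic RDP slots and Abdessamad's data group list), here is a complete iRule written for this answer; it is not code from the original thread. It assumes the agent ID `ui-rdp`, the data group `myClassName` with a space-separated list of hosts per user, two dynamic RDP resources reading `session.assigned.resources.dynrd1`/`dynrd2`, and the placeholder `notresolvable.net`, all taken from the posts above.

```tcl
# Added example, not from the thread. Combines the placeholder trick from
# Tina's iRule with the data group lookup from Abdessamad's reply.
# Assumptions: agent ID "ui-rdp", string data group "myClassName" whose value
# is a space-separated host list, dynamic RDP resources reading
# session.assigned.resources.dynrd1 .. dynrdN, placeholder "notresolvable.net".
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "ui-rdp" {
            # number of dynamic RDP resources defined on the webtop
            set slots 2
            set placeholder "notresolvable.net"
            set username [ACCESS::session data get session.logon.last.username]

            # Start with every slot pointing at an unresolvable name so that
            # slots without a host for this user are not offered.
            for {set i 1} {$i <= $slots} {incr i} {
                ACCESS::session data set session.assigned.resources.dynrd$i $placeholder
            }

            # class match -value returns an empty string when the user has no
            # entry, so an unknown user keeps only placeholders.
            set hosts [class match -value -- $username equals myClassName]
            if { $hosts eq "" } {
                log local0. "no RDP entry for user $username"
                return
            }

            # Fill the slots in list order; hosts beyond $slots are logged and skipped.
            set i 0
            foreach host $hosts {
                if { [incr i] > $slots } {
                    log local0. "user $username has more hosts than slots ($slots)"
                    break
                }
                ACCESS::session data set session.assigned.resources.dynrd$i $host
            }
        }
    }
}
```

The iRule must be attached to the virtual server, not only referenced from the access policy, as Tina found above.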