Forum Discussion
John_Masgalas_4
Nimbostratus
NimbostratusiRule for persistence table entries
We are load balancing 5 terminal servers and using the F5 persistence table to keep track of sessions. We have run into an issue where users that log in from a Linux based rdp client are getting a persistence table entry of username@domain.local. When those same users log in from a Windows rdp client they are getting an entry of just their username. This results in them not always getting sent to the correct server so that they can resume their disconnected session. How could I write an iRule that either strips the domain.local from sessions that have it or adds it to session that do not have it. I would rather strip it from the ones that do. Is this possible and could someone help me out with it? Thanks.
- JRahm
Admin
You can check for the @domain.local and strip it out before persisting on itif { $username contains "domain.local"} { persist uie [getfield $username "@" 1] } else { persist uie $username } 
John_Masgalas_4Thanks I will try that out!- John_Masgalas_4I got this error when I tried creating the rule:
01070151:3: Rule [sso_username] error:
line 1: [command is not valid in the current scope] [if { $username contains "Summithealth.local"} {
persist uie [getfield $username "@" 1]
} else { persist uie $username }] - John_Masgalas_4I think all I need for this to work is the event statement. I have tried when CLIENT_ACCEPTED and when CLIENT_DATA and neither worked. Which event can I use?
- John_Masgalas_4I still do not have this working. Can someone help me out?
- You would actually have to collect the data first with TCP::collect before the CLIENT_DATA event is triggered, then you'd have to figure out how to extract the username in each case. Something like this:
when CLIENT_ACCEPTED { collect enough data to see the username string in either case TCP::collect 1024 } when CLIENT_DATA { extract the username value from [TCP::payload], using whatever string anchors are available to mark then end & beginning of the username set username ... [TCP::payload]...??? then persist on it persist uie $username 1800 TCP::release }
Not sure what the RDP login sequence looks like, but if the server talks first, you will have to write a more complex proxy iRule. If the data is binary or otherwise encoded, you will have to account for that as well. The SMTP Proxy iRule in the codeshare (Click here) might prove helpful if you have to pursue either of those options.
hth
/deb - JRahmThis should be very helpful in extracting the username. You can probably eliminate much of the rule if not utilizing session directory:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=19311931 - John_Masgalas_4I tried the above but can't seem to get it to work. If I have an entry that is getting the value jmasgalas@summithealth.org but I want the F5 to store that in the persistence table as jmasgalas how would I change the above rule to work for me?
I don't know if I need something complicated. I just want the irule to edit the persistence table entry before it is stored. - JRahmOK, I tested this and it is working for me:
when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { TCP::collect 25 binary scan [TCP::payload] x11a* msrdp log local0. "Contents after binary scan: $msrdp" if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } { set msrdp [string range $msrdp 17 end] set len [string first "\n" $msrdp] if { $len == -1 } { TCP::collect return } if { $msrdp contains "@" } { if { $len > 5 } { incr len -1 log local0. "Data Persisting on: [getfield $msrdp "@" 1]" persist uie [getfield $msrdp "@" 1] } else { persist uie $msrdp } } } TCP::release }
Log entries:
Jun 25 15:56:46 tmm tmm[1695]: Rule rdp_persist : Contents after binary scan: Cookie: mstshash=elah@doma
Jun 25 15:56:46 tmm tmm[1695]: Rule rdp_persist : Data Persisting on: elah
Persistence Data:
PERSISTENT CONNECTIONS
| Mode universal Value elah
| virtual xx.xx.xx.xx:3389 node xx.xx.xx.xx:3389 age 29sec - Thanks for the heads up elah. Mind if I codeshare that one?
Colin
