Forum Discussion
Native RDP sessions used in Full Webtop do not work (BIG-IP 13.1.0.6 Build 0.0.3)
Hi folks,
I have to secure RDP sessions to Windows Server 2008 R2 and 2012. I want to use the APM and an appropriate Webtop, but it does not work. I got the error:
I am running in my testlab a Windows 7 client and a Windows 2008 R2 Server.
The access profile does have a simple VP:
I am using a simple RDG-RAP with Start -> Allow
I am using following RDP connection settings:
Everything seems to be quite simple, but it does not work.
I don't see any attempt on TCP port 3389 in a tcpdump.
My virtual server settings are: Any hints are welcome!
Thank you & regards
Does your MS RDS setup also contain a connection broker and web access services? I also notice that you didn’t configure Auto Map or SNAT, is that correct?
- NetCohort_66543
Nimbostratus
The server role "remote desktop services" is not deployed. It is just remote desktop with following settings:
With those settings I am able to connect to the server directly with RDP.
The server is using the f5 self ip as default gateway. Communication between f5 and backend server is working.
Try removing the RDG Policy assign agent. I think you don’t need this in your deployment.
- Stanislas_Piro2
Cumulonimbus
Hi,
Did you configure SSO in the RDP resource?
I already had some issues with SSO and native mode.
All the configuration I saw in your screenshot may work!
- RDP-RAP access profile is required
- you can leave NTLM auth in the RDP profile, but it is useless with native mode; it is only for direct connection from an RDP file in mstsc
The only other issue can be the mstsc version! The minimum mstsc version is 8.0 (not the default version in Windows 7).
- Kevin_Davies
Nacreous
Native RDP requires that you have a Microsoft client running RDP 8.1. https://support.microsoft.com/en-au/help/2923545/update-for-rdp-8-1-is-available-for-windows-7-sp1 The Windows 7 RDP 8.1 update has some other dependencies as well, which you will discover when you go to install it.
Update: A separate RDP-RAP policy is only required if your destination is dynamic. This means in the RDP profile you specify the destination as "User Defined"
The key piece here is that when APM creates the RDP file for the Remote Access Webtop link, it digitally signs this with the SSL certificate of the virtual server running the APM policy. For the Microsoft RDP client to accept this signed file you MUST be using a valid SSL certificate. Inside the file it will include a token which is valid for about 20 seconds. Microsoft RDP will open the session using the APM as the gateway and present this token for authentication to APM.
Now if you want SSO you need to select it inside the RDP profile you created. This is completely independent and distinctly separate from ANY OTHER SSO configuration inside APM. The variables you specify here can be left as defaults, but you need to include an SSO variable assignment object in the VPE before it hits the Webtop so these variables are populated for the RDP configuration to use.
Note that NTLM is not required or needed for any of this to work. The username and password from the login to the Webtop are sufficient; as long as they match the credentials for the RDP host, your desktop should appear. When you first click the remote desktop link it will download the RDP file; it is here you tell your browser to always open these files with the right application. Next time it will open the link on download and connect immediately.
- NetCohort_66543
Nimbostratus
Hi, first of all thank you for your help, but it won't run. I installed a Win10 client and I got the same message. I tried the Remote Desktop app and the mstsc client: The VP is broken down to:
I disabled the SSO credentials mapping and SSO settings in the remote desktop connectivity profile, but got the same messages.
The certificate is valid. The browser trusts the website.
I got with each attempt the error:
/Common/ACC-PROF-WEBTOP:Common:00000000: VDI profile on /Common/VS-RDP-WEBTOP-443 does not have associated NTLM Auth profile or ECA profile is missing
But I have to use a VDI profile, and I am using the default one.
The tcpdump tells me that the virtual server reset my connection. This is the section where I try to access the server via RDP:
> 16:44:44.414358 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [S], seq 2246235942, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.414422 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [S.], seq 721181350, ack 2246235943, win 4380, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.417240 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.419570 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 1:180, ack 1, win 64240, length 179 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.419870 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 180, win 4559, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.422987 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [P.], seq 1:1993, ack 180, win 4559, length 1992 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.429565 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [.], ack 1993, win 64240, length 0 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.429583 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 180:306, ack 1993, win 64240, length 126 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.429632 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 306, win 4685, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.430614 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [P.], seq 1993:1999, ack 306, win 4685, length 6 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.430629 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [P.], seq 1999:2044, ack 306, win 4685, length 45 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.433217 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [.], ack 2044, win 64189, length 0 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435396 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 306:638, ack 2044, win 64189, length 332 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435420 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 638:671, ack 2044, win 64189, length 33 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435452 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 638, win 5017, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435458 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 671, win 5050, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.436649 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [R.], seq 2044, ack 671, win 0, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=800224 inslot=0 inport=0 haunit=1 priority=3 rst_cause="[0x28a318e:6247] iRule execution (reject command)" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
I don't have any iRule in use. The virtual server settings again:
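The capture above is easier to reason about once each packet is parsed and the flow is summarised: who sent the RST, at what point in the exchange, and what the BIG-IP annotated as the cause. The script below is an added example, not code from the thread or from F5. It parses the line format shown in the post (plain tcpdump fields followed by the BIG-IP extras such as `lis=`, `flowid=` and the optional `rst_cause="..."`, which is only present in a capture when the `tm.rstcause.pkt` db variable is enabled), groups packets into flows, and reports handshake state, byte counts and the first reset. The embedded sample is abridged from the posted capture (trailing peer fields dropped); everything else the code assumes is noted in comments.

```python
import re

# Sample input: five packets abridged from the capture posted in this thread,
# one packet per line, trailing peerremote/peerlocal/... fields dropped.
SAMPLE_CAPTURE = """\
16:44:44.414358 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [S], seq 2246235942, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=0 inport=0 haunit=0 priority=0
16:44:44.414422 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [S.], seq 721181350, ack 2246235943, win 4380, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3
16:44:44.419570 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 1:180, ack 1, win 64240, length 179 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0
16:44:44.422987 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [P.], seq 1:1993, ack 180, win 4559, length 1992 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3
16:44:44.436649 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [R.], seq 2044, ack 671, win 0, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=800224 inslot=0 inport=0 haunit=1 priority=3 rst_cause="[0x28a318e:6247] iRule execution (reject command)"
"""

# Line layout assumed from the posted capture: tcpdump's own fields, then
# "in|out <slot/tmm> lis=<virtual server>" and further key=value pairs.
PACKET_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+) '
    r'(?P<dir>in|out) (?P<tmm>\S+) lis=(?P<lis>\S*)'
)
RST_RE = re.compile(r'rst_cause="(?P<cause>[^"]*)"')


def parse_packet(line):
    """Return the fields of one capture line as a dict, or None if it does not parse."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt['length'] = int(pkt['length'])
    # tcpdump prints ACK as '.', so [S.] is SYN+ACK and [.] is a bare ACK.
    pkt['flags'] = set(pkt['flags'].replace('.', 'A'))
    rst = RST_RE.search(line)
    pkt['rst_cause'] = rst.group('cause') if rst else None
    return pkt


def flow_key(pkt):
    """(client endpoint, listener endpoint), independent of packet direction."""
    a = (pkt['src'], int(pkt['sport']))
    b = (pkt['dst'], int(pkt['dport']))
    return (a, b) if pkt['dir'] == 'in' else (b, a)


def summarize_flows(capture_text):
    """Group packets into flows and record handshake state, bytes and first RST."""
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        f = flows.setdefault(flow_key(pkt), {
            'listener': '', 'packets': 0, 'bytes_in': 0, 'bytes_out': 0,
            'syn_seen': False, 'synack_seen': False, 'reset': None,
        })
        f['packets'] += 1
        if pkt['lis'] and not f['listener']:
            f['listener'] = pkt['lis']          # first non-empty lis= names the VS
        f['bytes_in' if pkt['dir'] == 'in' else 'bytes_out'] += pkt['length']
        if 'S' in pkt['flags']:
            f['synack_seen' if 'A' in pkt['flags'] else 'syn_seen'] = True
        if 'R' in pkt['flags'] and f['reset'] is None:
            f['reset'] = {
                'ts': pkt['ts'],
                # "out" packets leave the BIG-IP, so the VS side sent this RST
                'by': 'virtual server' if pkt['dir'] == 'out' else 'client',
                'cause': pkt['rst_cause'],
            }
    return flows


def describe(flows):
    """One human-readable line per flow."""
    out = []
    for (client, vs_ep), f in flows.items():
        state = 'handshake complete' if f['syn_seen'] and f['synack_seen'] else 'handshake incomplete'
        line = (f"{client[0]}:{client[1]} -> {f['listener'] or '?'} ({vs_ep[0]}:{vs_ep[1]}): "
                f"{f['packets']} packets, {f['bytes_in']} B in, {f['bytes_out']} B out, {state}")
        if f['reset']:
            line += (f"; RESET by {f['reset']['by']} at {f['reset']['ts']}, "
                     f"cause: {f['reset']['cause'] or 'not annotated'}")
        out.append(line)
    return out


if __name__ == '__main__':
    for text in describe(summarize_flows(SAMPLE_CAPTURE)):
        print(text)
```

Run against the full capture in the post, the summary shows a completed handshake and a TLS exchange in both directions before the virtual server itself sends the RST, annotated as an iRule reject although the poster has no iRule attached; that points at a reject raised by a module on the virtual server rather than by an administrator's rule, which is consistent with the APM log line quoted in the same post about the VDI profile lacking an NTLM Auth or ECA profile.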
- Kevin_Davies
Nacreous
Turn on SNAT. You require it. If you turn off SSO it simply means the RDP connection will prompt you for login details.
- Kevin_Davies
Nacreous
So I built this again using 13.0.0. Was prompted for RDP auth and logged in fine. Still tweaking the SSO pieces. Will know more tonight. Server SSL and VDI profiles are required.
- OM
Nimbostratus
Hi Kevin, did you ever get the SSO working?
thanks.
om
- Stanislas_Piro2
Cumulonimbus
Did you configure the BIG-IP hosts file for your resource, or does the BIG-IP use DNS?
- NetCohort_66543
Nimbostratus
Hi folks,
If I try to configure those settings on an F5 LTM+APM deployment with partitions and route domains, I get the error message again.
I configured every step which is working in the default partition within a partition which uses route domains. Any concerns about this configuration? Are route domains in the RDP connectivity profile supported? How does it work if I use the host name?
Thank you & Kind regards
- NetCohort_66543
Nimbostratus
I did an assignment in the Access Policy of "Route Domain" and "SNAT Selection". It is working, but only on every other attempt.
- OM
Nimbostratus
Hi NetCohort, did you ever get this working with the route domain? I am facing the same issue and all objects are in an RD.
thanks.
om