Forum Discussion

Fready_Ball
Nov 22, 2021

RDS Gateway

I have been using the F5 to LB between 2 Microsoft RDS Gateways and works fine for both desktops and published apps.

I now need to use an iRule to block web page access on the RDS gateway for some network addresses and destination uri.

This works fine, and only the expected networks can load the web login page supplied by the gateways, but when I select one of the published apps I see the F5 trying to connect directly to the server in the farm on port 3389. Prior to using iRules, the 3389 connection was initiated by the RDS gateway as expected.

Any help greatly appreciated.
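For reference, this is an illustrative iRule of the kind the post describes (gating the web login page by client network and URI). It is added here as an example and is not the poster's iRule; the address-type data group name `rds_allowed_nets` is an assumption.

```tcl
# Added example, not the poster's iRule. Restricts the RD Web Access login
# page (/RDWeb/...) to client networks listed in an address-type data group
# named "rds_allowed_nets" (hypothetical name). Other paths, including the
# RD Gateway transport (/remoteDesktopGateway/ and /rpc/), are not gated so
# that only the browser-facing login page is affected, as the post describes.
when HTTP_REQUEST {
    # Normalise the path so the match is case-insensitive.
    set path [string tolower [HTTP::path]]

    # Only the web login page is subject to the network restriction.
    if { [string match "/rdweb*" $path] } {
        if { ![class match [IP::client_addr] equals rds_allowed_nets] } {
            # Log the denial for troubleshooting, then answer from the F5
            # itself without opening a connection to the gateway pool.
            log local0. "RDWeb denied: client [IP::client_addr] uri [HTTP::uri]"
            HTTP::respond 403 content "Forbidden" noserver
            return
        }
    }
}
```

Leaving the gateway transport paths unrestricted keeps the rule limited to the web page, which is the behaviour the post wants to check when comparing sessions with and without the iRule.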

  • You are using the F5 with only LTM for this?

    And if you remove the iRule, the behaviour returns to what it was before?

    Can you share the iRule, modified if needed so it does not reveal internal information?

    • Fready_Ball

      Thanks for your reply.

      Yes, LTM.

      It's not the iRule causing the issue, but we need to use an iRule to inspect the URI. To do this we need to decrypt traffic and then re-encrypt it to the RDS gateway. During this process the F5 is seeing the RDP connection within the SSL encapsulation and using that information to connect. Can it be modified to not share internal information?

      • boneyard

        OK, so with SSL decrypt/encrypt enabled it does something different than with SSL decrypt/encrypt disabled?

        What type of virtual server do you use? Which other profiles are you using?

  • I used the iApp for Microsoft RDS Gateways. This built the virtual host and profiles. In the reconfigure you have the option to bridge SSL, decrypt and re-encrypt, or decrypt and forward HTTP. We do not allow HTTP on our network, so we need to decrypt and re-encrypt. I will forward the profile settings if required. Can we add to the iRule to prevent the UDP connection attempt by the F5? Thanks for your help here...

    • Fready_Ball

      I did play with that setting, but that just allowed the UDP protocol through the VS on the F5, and that is not what should happen... HTTPS should be used from client to F5 and from F5 to RDS gateway. The gateway then forwards the encapsulated UDP connection. I am just in the process of decrypting successful and unsuccessful sessions to see what is being changed. Thanks for your help.
      • boneyard

        I'm not an RDP expert, but I don't expect the F5 to actually turn TCP into UDP, if that is what you are seeing. You might see a lost UDP monitor or something like that, or the actual RDP client sending UDP which is then sent further.