Forum Discussion
Remote Desktop Web Access & APM
We have recently built an RDS solution and have put BIG-IP LTM in front of the web access server (which is also the gateway & connection server).
I have two iApp built HTTP virtual servers currently in use - one for internally connected devices and one for externals. The idea being we could leverage APM to put 2FA in place for the external connections. All other authentication is handled by the RDS server - not the F5.
The problem I have is that whilst the internal vs works fine, the external does not. As soon as I place an access policy on the vs (even just a blank one) I can no longer get a desktop. I still get to the web access RDS logon page and desktop selection, etc., but every time I launch a desktop I get...
Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.
Did you assign the RAP policy in the VPE??
Cheers,
Kees
Was there any update to this issue? I am running into the same exact problem. I have one vip with APM and sso; internally the Remote Desktop works fine, externally it does not.
- rivardma_383867
Nimbostratus
Hi,
We also have that same trouble here currently, using Big-IP 13.1.0 and Remote Desktop on a set of 2019 Servers. We can easily create the Virtual Server/Pool/Node setup and then we can successfully use the Remote Desktop Environment, either by using the HTML5 client or an RDP client.
However, when we create an Application Security Policy (brand new simple policy, set up as transparent) and apply it to the virtual server, the connection immediately stops working. As it is non-blocking, this should in theory work perfectly fine.
There seems to be an issue with code injection in the HTTPS traffic as described in these posts:
https://devcentral.f5.com/questions/how-transparent-is-transparent-mode-in-asm
My first guess is that Remote Desktop detects the changes and starts refusing the packets because they are altered. I did go around the system and deactivate all the features mentioned in those posts (most of them were already off, there was one on but I can't remember which one) but none changed the end result.
- rivardma_383867
Nimbostratus
We also found this yesterday that seems to point that if your servers are not running on Server 2012 R2 and lower, they are not supported, although it isn't clear if it is through the Application Security or through the Web Access feature in the Big-IP:
We are currently working on starting a service request with F5 to have this checked out. We'll post updates here when we have some, but in the meantime, if someone here has a solution or can confirm this will never work, it would be appreciated.
Thanks
Hi,
Do you use the BIG-IP as the RD Gateway or only for MFA??
Only MFA
When launching an RDP session, does your RDP client use 443 or 3389 for the connection??
It uses 443 for the connection.
I don't have a Web RD gateway to play with, but could you enable a vdi profile on the virtual server hosting the external connection? I think APM is breaking RDP over HTTPS.
Also, did you add an RDG-RAP policy to your APM policy??
Kees
Yes, I can try that. Forgive my ignorance, how do you create an RDG-RAP profile?
No problem.
You can create it under Access -> Profiles/Policies. After you click on create you get the profile type option. One of the options is RDG-RAP (others are Full, LTM-APM, SSO).
Once you have created it, edit the policy to make sure you have start -> allow. (Don't forget to click on apply policy.)
After this you can assign it in the original policy containing the MFA.
Kees
Thanks, but no luck unfortunately, still getting the same error with the RAP and VDI enabled.