Forum Discussion
Remote Desktop Web Access and Remote Desktop Gateway SSO Through APM
I'm a relatively new BIG-IP admin (we purchased BIG-IP to replace our TMG 2010 solution). I'm attempting to configure Remote Desktop Web Access and Remote Desktop Gateway services (2008 R2) utilizing APM. The pre-sales engineer we spoke to indicated this should be a "simple" configuration, but it's certainly kicked me in the rear.
I've created what I assumed would be a good configuration:
1: Virtual server with a pool for the RD web access and gateway server services, and an iRule to bypass APM for /rpc/rpcproxy.dll (see below, similar to rules I've seen for Exchange clients connecting using RPC over HTTPS).
2: APM configuration with forms-based SSO to the Web Access (which works perfectly), which allows us to integrate authentication to the web access page from our primary web portal.
Now, normally using RD Web Access you login to the RD Web Access page, and it automatically connects your client to the RD Gateway, so launching a RemoteApp published application is seamless. When we apply an APM configuration to the virtual server, however, even with the rpcproxy.dll APM bypass in place, the automatic login to the RD Gateway doesn't happen. If we remove the APM config from the virtual server and publish directly without APM, it works fine, so I'm pretty sure the problem is with APM.
In short, what should happen is:
1: Client lands on BIG-IP APM login page (works)
2: Client logs into BIG-IP APM login page, which passes credentials to RD Web Access form (works)
3: On login to RD Web Access, the client should automatically login to RD Gateway using same credentials used to login to RD Web Access (does NOT work)
I haven't found anything on configuring APM SSO for RPC over HTTPS, so I'm finally at a loss and asking here. Any suggestions? Pointers?
when HTTP_REQUEST {
    # RPC-over-HTTPS traffic from the RD client to the RD Gateway: skip the APM
    # access policy (and compression/caching) for this path only
    if {[string tolower [HTTP::uri]] contains "/rpc/rpcproxy.dll"} {
        COMPRESS::disable
        CACHE::disable
        ACCESS::disable
        # send the request to the RDWA/RDG pool (pool name not given in the post)
        pool
    }
}
- mikeshimkus_111Historic F5 Account
Hi Lyonell, what version of BIG-IP are you running?
- Lyonell_165736Nimbostratus
11.5.1 (11.6 shortly)
- mikeshimkus_111Historic F5 Account
If you are going to 11.6, we are going to be publishing an iApp template that uses the new VDI profile to replace the RDG functionality. I've tested with RDWA publishing resources that go through this new proxy and it seems to work fine.
As far as trying to pre-auth connections to the RDG servers, I wouldn't recommend disabling APM for requests for the RPC proxy, as that leaves a giant security hole that defeats the purpose of using APM. Although I haven't tested it, it should be possible to pre-auth the RDP clients by creating an NTLM machine account (aka, joining the BIG-IP to the domain), creating an NTLM auth config that references that machine account, manually attaching an ECA profile to the APM virtual server, and creating an iRule to enable clientless mode for the RD client connections. You wouldn't be getting SSO with the credentials used in RDWA, however you shouldn't get prompted for credentials either as long as the client machines are joined to the domain.
Basically, if you are going to 11.6 anyway, I recommend going with the new VDI profile iApp, since it will take care of all the configuration for you.
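The pre-auth path Mike outlines (machine account, NTLM auth configuration, ECA profile, clientless mode for the RD client) as an added iRule sketch. This is example code, not from the thread and not F5's iApp: the NTLM auth configuration name /Common/rdg_ntlm_auth and the assumption that the RD client reaches the gateway only via /rpc/rpcproxy.dll are mine; the ECA::enable / ECA::select commands and the clientless-mode header are the mechanism F5 uses in its Exchange deployment iRules for NTLM pre-auth through APM. It replaces the ACCESS::disable bypass from the original post rather than adding to it.

```tcl
# Added example (not from the thread): NTLM pre-auth of RD Gateway RPC-over-HTTPS
# traffic through APM + ECA instead of bypassing APM with ACCESS::disable.
#
# Assumptions:
#  - BIG-IP is joined to the domain and an NTLM Auth Configuration named
#    /Common/rdg_ntlm_auth (hypothetical name) references that machine account.
#  - An ECA profile is attached to the APM virtual server; ECA only engages for
#    requests where the iRule explicitly enables it.
#  - The access policy branches on "NTLM Auth Result" (the item seen in the
#    thread's logs) so a successful handshake reaches Allow rather than the
#    fallback Deny.
when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/rpc/rpcproxy.dll" } {
        # The RD client is not a browser: it has no User-Agent, cannot follow a
        # redirect to /my.policy and cannot fill in the APM logon form.
        # clientless-mode makes APM run the policy inline for this request
        # instead of redirecting, and ECA answers the NTLM challenge/response.
        HTTP::header insert "clientless-mode" 1
        ECA::enable
        ECA::select select_ntlm:/Common/rdg_ntlm_auth
    }
    # Everything else (the RD Web Access page) keeps the normal APM logon page
    # and the forms-based SSO that already works.
}
```

With this in place the RPC proxy path is still protected by an APM session, as Mike's warning requires; a non-domain client, or one whose NTLM handshake fails, ends in the policy's Deny branch instead of reaching the gateway unauthenticated. Check /var/log/apm for the "NTLM Auth Result" item when testing.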
- Manuel_Cristob3Nimbostratus
Hi, where can I find the new VDI profile iApp for version 13.0? Thanks.
- The-messenger_1Nimbostratus
Before we get to 13.1, using the iApp, can we set this in a portal to require Multifactor Authentication? Looks like the iApp will allow the client to connect direct from the RDP client. Can we initiate this from a portal?
- Lyonell_165736Nimbostratus
Mike: Thank you very much. I'll give your recommendations a try. Is there any expected timeline for the VDI profile iApp template for RDG replacement?
- mikeshimkus_111Historic F5 Account
I'll post a link here when it's public, which I expect to be by the end of this week.
- mikeshimkus_111Historic F5 Account
Hi Lyonell, an early release version of the template is available here:
https://devcentral.f5.com/wiki/iApp.Microsoft-Remote-Desktop-Gateway-APM-Gateway-iApp.ashx
The new 11.6 APM deployment won't provide SSO between RDWA and RDG; however, in my testing the experience is similar to what you would get with SSO. You'll just get a new APM session for your gateway connection.
Let me know how it goes.
- Sebastien6_8297Nimbostratus
You're lucky; we tried to SSO from APM to the Web Portal of RDS 2012 and it does not work. Any specific configuration to recommend?
- Sebastien6_8297Nimbostratus
We tried to SSO the form-based web portal with Form Based and Form Based client initiated and both were not working.
- Lyonell_165736Nimbostratus
No successful configuration just yet for SSO through the RDWeb/Gateway services. We're hopeful that a future native proxy solution will include the features we're looking for.
- Lyonell_165736Nimbostratus
So for now, we're just publishing the gateway using the guide and clients are logging in a second time, so no SSO.
- Lyonell_165736Nimbostratus
When I use the application template, I keep getting NTLM authentication errors. Our environment does enforce the "NTLMv2 Only/refuse LM & NTLM" policy.
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490517:5: 6370a13a: User-Agent header is absent or empty
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490544:5: 6370a13a: Received client info - Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490500:5: 6370a13a: New session from client IP x.x.x.x (ST=Washington/CC=US/C=NA) at VIP x.x.x.x Listener /Common/rdp-gateway.app/rdp-gateway_vs (Reputation=Unknown)
Nov 21 18:03:09 vddmz-px13-an notice apd[10743]: 01490005:5: 6370a13a: Following rule 'fallback' from item 'NTLM Auth Result' to ending 'Deny'
Nov 21 18:03:09 vddmz-px13-an notice apd[10743]: 01490102:5: 6370a13a: Access policy result: Logon_Deny
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490520:5: 6370a13a: Session deleted due to admin initiated termination.
Nov 21 18:03:43 vddmz-px13-an notice tmm[15203]: 01490521:5: 6370a13a: Session statistics - bytes in: 0, bytes out: 0
Nov 21 18:03:47 vddmz-px13-an notice adutil[21805]: 01490175:5: Prefer resolving hostname with IPv4 address
- mikeshimkus_111Historic F5 Account
As far as I can tell, NTLMv2 should be supported by the NTLM Auth Result event. Do you have Access Policy logging set to Debug in your logging options (is this the chatty version of the log)?
- Lyonell_165736Nimbostratus
No, I'll set it to debug and get you the results.