Forum Discussion
Remote Desktop Web Access and Remote Desktop Gateway SSO Through APM
- Sep 16, 2014
If you are going to 11.6, we are going to be publishing an iApp template that uses the new VDI profile to replace the RDG functionality. I've tested with RDWA publishing resources that go through this new proxy and it seems to work fine.
As far as trying to pre-auth connections to the RDG servers, I wouldn't recommend disabling APM for requests for the RPC proxy, as that leaves a giant security hole that defeats the purpose of using APM. Although I haven't tested it, it should be possible to pre-auth the RDP clients by creating an NTLM machine account (aka, joining the BIG-IP to the domain), creating an NTLM auth config that references that machine account, manually attaching an ECA profile to the APM virtual server, and creating an iRule to enable clientless mode for the RD client connections. You wouldn't be getting SSO with the credentials used in RDWA, however you shouldn't get prompted for credentials either as long as the client machines are joined to the domain.
Basically, if you are going to 11.6 anyway, I recommend going with the new VDI profile iApp, since it will take care of all the configuration for you.
When I use the application template, I keep getting NTLM authentication errors. Our environment does enforce the "NTLMv2 Only/refuse LM & NTLM" policy.
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490517:5: 6370a13a: User-Agent header is absent or empty
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490544:5: 6370a13a: Received client info - Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490500:5: 6370a13a: New session from client IP x.x.x.x (ST=Washington/CC=US/C=NA) at VIP x.x.x.x Listener /Common/rdp-gateway.app/rdp-gateway_vs (Reputation=Unknown)
Nov 21 18:03:09 vddmz-px13-an notice apd[10743]: 01490005:5: 6370a13a: Following rule 'fallback' from item 'NTLM Auth Result' to ending 'Deny'
Nov 21 18:03:09 vddmz-px13-an notice apd[10743]: 01490102:5: 6370a13a: Access policy result: Logon_Deny
Nov 21 18:03:09 vddmz-px13-an notice tmm[15203]: 01490520:5: 6370a13a: Session deleted due to admin initiated termination.
Nov 21 18:03:43 vddmz-px13-an notice tmm[15203]: 01490521:5: 6370a13a: Session statistics - bytes in: 0, bytes out: 0
Nov 21 18:03:47 vddmz-px13-an notice adutil[21805]: 01490175:5: Prefer resolving hostname with IPv4 address
- mikeshimkus_111Nov 21, 2014Historic F5 AccountAs far as I can tell, NTLMv2 should be supported by the NTLM Auth Result event. Do you have Access Policy logging set to Debug in your logging options (is this the chatty version of the log)?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com