Forum Discussion
Lyonell_165736
Nimbostratus
NimbostratusRemote Desktop Web Access and Remote Desktop Gateway SSO Through APM
I'm a relatively new BIG-IP admin (we purchased BIG-IP to replace our TMG 2010 solution). I'm attempting to configure Remote Desktop Web Access and Remote Desktop Gateway services (2008 R2) utilizin...
If you are going to 11.6, we are going to be publishing an iApp template that uses the new VDI profile to replace the RDG functionality. I've tested with RDWA publishing resources that go through this new proxy and it seems to work fine.
As far as trying to pre-auth connections to the RDG servers, I wouldn't recommend disabling APM for requests for the RPC proxy, as that leaves a giant security hole that defeats the purpose of using APM. Although I haven't tested it, it should be possible to pre-auth the RDP clients by creating an NTLM machine account (aka, joining the BIG-IP to the domain), creating an NTLM auth config that references that machine account, manually attaching an ECA profile to the APM virtual server, and creating an iRule to enable clientless mode for the RD client connections. You wouldn't be getting SSO with the credentials used in RDWA, however you shouldn't get prompted for credentials either as long as the client machines are joined to the domain.
Basically, if you are going to 11.6 anyway, I recommend going with the new VDI profile iApp, since it will take care of all the configuration for you.
Lyonell_165736Nimbostratus
NimbostratusNov 21 19:12:58 vddmz-px13-an debug tmm3[15203]: 01490000:7: Request (RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: */* User-Agent: MS-RDGateway/1.0 RDG-Connection-Id: {F7C56261-5021-4D20-BC3A-25315AD74C1F} RDG-Correlation-Id: {C7E116F0-AC72-4FAF-8B0F-50AEE86C0500} RDG-User-Id: bABrAGUAcABsAGEAcgBAAGQAZQBtAHMAZABtAHoA Host: gate.peakrc.com Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== )
Nov 21 19:12:58 vddmz-px13-an debug tmm3[15203]: 01490000:7: Client-type (rdg-http)
Nov 21 19:12:58 vddmz-px13-an debug tmm3[15203]: 01490000: Got rdg-http OUT on tmm 0 3 ntlm_done 0
Nov 21 19:12:58 vddmz-px13-an notice tmm3[15203]: 01490517:5: 31aa13bc: User-Agent header is absent or empty
Nov 21 19:12:58 vddmz-px13-an notice tmm3[15203]: 01490544:5: 31aa13bc: Received client info - Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
Nov 21 19:12:58 vddmz-px13-an notice tmm3[15203]: 01490500:5: 31aa13bc: New session from client IP 67.137.4.65 (ST=Washington/CC=US/C=NA) at VIP 67.137.4.78 Listener /Common/gate.peakrc.com.app/gate.peakrc.com_vs (Reputation=Unknown)
Nov 21 19:12:58 vddmz-px13-an debug vdi[11866]: 01490000: {.S} Connected to 127.0.0.1:10001
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 298 Msg: Let's evaluate rules, total number of rules for this action=1
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 304 Msg: Rule to evaluate = ""
Nov 21 19:12:58 vddmz-px13-an info apd[10743]: 01490006:6: 31aa13bc: Following rule 'fallback' from item 'Start' to item 'Client Type'
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 298 Msg: Let's evaluate rules, total number of rules for this action=2
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 304 Msg: Rule to evaluate = "expr { [mcget {session.client.type}] == "rdg-rpc" || [mcget {session.client.type}] == "rdg-http" }"
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 317 Msg: variable "session.client.type" was not found in the local cache for session "31aa13bc"
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 324 Msg: try to get it from MEMCACHED
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 356 Msg: variable found, lets add it to the local cache "session.client.type"="rdg-http"(length=8)
Nov 21 19:12:58 vddmz-px13-an info apd[10743]: 01490006:6: 31aa13bc: Following rule 'Successful' from item 'Client Type' to item 'NTLM Auth Result'
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 298 Msg: Let's evaluate rules, total number of rules for this action=2
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 304 Msg: Rule to evaluate = "expr {[mcget {session.ntlm.last.result}] == 1}"
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 317 Msg: variable "session.ntlm.last.result" was not found in the local cache for session "31aa13bc"
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 324 Msg: try to get it from MEMCACHED
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 358 Msg: variable "session.ntlm.last.result" for session "31aa13bc" was not found in MEMCACHED
Nov 21 19:12:58 vddmz-px13-an debug apd[10743]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 304 Msg: Rule to evaluate = ""
Nov 21 19:12:58 vddmz-px13-an notice apd[10743]: 01490005:5: 31aa13bc: Following rule 'fallback' from item 'NTLM Auth Result' to ending 'Deny'
Nov 21 19:12:58 vddmz-px13-an notice apd[10743]: 01490102:5: 31aa13bc: Access policy result: Logon_Deny
Lyonell_165736Nimbostratus
NimbostratusCouldn't send it as a private message either. I cut out parts that didn't look pertinent and finally got a post to go through.