Transparent ASM profile breaks RDS GW connection?
We have Web RDS/RDS gateway setup through the LTM (without APM) and when I apply the transparent ASM profile the gateway no longer works. Interestingly, the Gateway already has an HTTP profile and it works fine with the HTTP profile, it seems to be only when we apply the ASM profile that it causes a problem. Unfortunately I don't have a lot of details as to why it is happening. Any suggestions on where to go with this? We'd like the ASM profile on there for PCI compliance. I was thinking maybe a different attack signature set.
- Simon_Blakely
Employee
Do you get logged violations in the ASM Event log?
Does your ASM profile implement DeviceID/Session Opening Tracking or other features that cause clientside Javascript insertion?
Do you have Dataguard enabled, as this is also active even in a Transparent profile, and can modify content impacting functionality.
Many features of ASM can interfere with complex website operation, and some of these are independent of the blocking/transparent status of the policy.
- patonbike
Cirrus
I do see violations ... right off the bat, there were a lot of character sets that the ASM thought were suspect, which seemed like it was more likely just binary traffic going through... with that being said the HTTP profile has never caused a problem (alone). I am going to try ignoring the wildcard parameter and uncheck "Check characters on this parameter name".
It may also be that ASM just cannot work with RDS GW due to the nature of the traffic. However, it'd be nice to have an ASM policy applied even if it's less restrictive.
We're not using dataguard.
We're using 11.5.4 HF4.
Just found this - may be the issue: https://support.f5.com/csp/article/K17411
- Simon_Blakely
Employee
According to Using Remote Desktop Services Over the Internet
- patonbike
Cirrus
Thanks - I will give this a try!
- suttonsc
Employee
Checking to validate this has been successfully answered with the following article.
For 11.5.4:
K17411: Bypassing the BIG-IP ASM system for connections that use RPC over HTTP (11.4.0 - 12.0.0)
https://support.f5.com/csp/article/K17411
If you are looking to upgrade to a current version:
K40345000: Bypassing the BIG-IP ASM system for connections that use RPC over HTTP (12.1.0 and later)
https://support.f5.com/csp/article/K40345000
- patonbike
Cirrus
It looks like the method was slightly different for RDS GW. It's this:
    or ([HTTP::method] equals "RDG_IN_DATA") \
    or ([HTTP::method] equals "RDG_OUT_DATA") \
I also excluded ([HTTP::path] equals "/KdcProxy") which I suspect may not be necessary but I ran out of time for testing.
So the above 3 have ASM::disable on them and all functions well in the world of RDS gateways.
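For readers following the thread, the bypass described in the post above could be written as a complete iRule like the one below. This is an added example, not the poster's actual rule and not the text of K17411 or K40345000; it assumes the virtual server already has the HTTP profile and the ASM policy attached, and the `bypass` variable and the log message format are illustrative.

```tcl
# Added example: skip ASM only for RD Gateway tunnel traffic and
# record each bypass so the exclusion can be reviewed later.
when HTTP_REQUEST {
    set bypass 0

    # Exact, case-sensitive matches keep the exclusion as narrow as possible.
    switch -exact -- [HTTP::method] {
        "RDG_IN_DATA" -
        "RDG_OUT_DATA" { set bypass 1 }
    }

    # /KdcProxy was also excluded in the post above; the poster
    # suspected this condition may not be necessary.
    if { [HTTP::path] equals "/KdcProxy" } {
        set bypass 1
    }

    if { $bypass } {
        # ASM does not inspect this request; everything else still goes through the policy.
        ASM::disable
        log local0.info "ASM bypass: [IP::client_addr] [HTTP::method] [HTTP::path]"
    }
}
```

Requests that match none of the three conditions are still processed by the ASM policy, and the log lines give a record of what was exempted for a PCI review.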