Failed to set RDP launch token timeout
Hi, Recently I have deployed F5 APM access policy for non-corporate Windows/Mac device(BYOD) connect to their corporate Windows workstation. However, after setting policy, I have tried to logon using BYOD and the RDP connection is keeping connection about , and the Access Reports mentioned that Failed to set RDP launch token as below. Here is the RDP profile for Access Policy (just for test firstly, after okay, we will enable SSO to logon) As for now, no idea how to troubleshoot, your advice/suggestion will be very appreciated, many thanksIn Radius auth, how to allow second attempt of token input when the first input is incorrect?
We currently have a Radius authentication in our access policy on F5 APM. Sometimes the user may mis-input the token received from SMS and we would like the Radius authentication page to ask the user to input again instead of redirecting back to logon page on first mis-input, in other words to have a second attempt for token input with the same token from SMS. Can we achieve this function in F5 APM? Thanks a lot.
STREAM::disable and APM
TMOS 11.3.0 HF6 Does this: when HTTP_REQUEST { Disable the stream filter for all requests STREAM::disable } break APM? If not does anybody know why I get this line in /var/log/ltm: local/tmm err tmm[5477]: 01220001:3: TCL error: /Common/stream_test - Operation not supported (line 1) invoked from within "STREAM::disable" Thanks.
Unsecure web browsing on my SSL VPN
Hi All/DC Experts, I am having issue right now in my web browser. I have SSL CLient configured with certificate signed by DigiCert. Current I cant access my VPN to Google Chrome, but I can access it via Internet Explorer and Mozilla firefox. But the browsers says unsecured connection. Anyone would like to help or suggest or give any thoughts regarding this. Thanks, -Nat
IT is not Ala Carte’. Or is it?
There has been a lot written about “IT Democratization” and how it will change the world. To some extent that is true, and I’ve previously encouraged IT management to support the process. But listening to those who see a “Bright new future” makes me realize that while we agree in principal, as always, the devil is in the details. In high school, we could take the standard lunch for a set fee or eat ala-carte’, which was essentially a short-order grill. Others could bring their own lunch, whatever they (or their parents) could pack into a bag or box. In the case of ala carte’, the school had to plan ahead, make facilities ready, and be prepared to serve up quality food at affordable prices that would meet the whims of hundreds of high-school kids on any given day. A work of art that surely deserved more recognition than we gave it. In the case of bag lunches, well, the school provided nothing but tables. If the food was bad, ill-prepared, not suitable for human consumption, or otherwise not correct, this was not the school’s problem in any way. The thing is that it was far easier for the school to eliminate all responsibility for the food and let children bring their own, no need to maintain the kitchens, stock food, suffer safety inspections, etc. The flip side of that is of course that the school has no ability to insure the quality of the food being consumed either. Ala-Carte’ was the best solution. Children got a choice, but the school got some say in what was prepared. It was not “that piece of salami that sat out all day Sunday for uncle Herb’s party” slapped into a sandwich. And IT needs to come to the same realization… And guide business to that realization. Accepting connections from a variety of devices, even customizing content to meet the needs of some devices is fine, but removing all constraints makes security and quality assurance nearly impossible. There are some great tools out there – like our BIG-IP Access Policy Manager that will help your systems support a growing array of products, but you will still have to do the testing. Or customers/employees will, if your organization is of that mindset. And even then, these devices do not support every possible combination or do anything to insure the user experience is better than those bag lunches some people brought to school. The key here, is that IT Democratization cannot become a call to a chaotic “bring whatever you have” bag-lunch style arrangement, simply because what is being consumed is company property on company servers, and what stands to be wasted is company resources. You need to approach the problem from “we need to expand support, what can we offer” not either of the two extremes that seem prevalent at the moment. Of course users will push for more, that’s part of what they do. But IT is responsible for security and usability of IT systems, so there has to be an acknowledgement of user desires meeting with the requirements of corporate data and systems needs. And you have to drive that conversation. Certainly IT management, but anyone in IT that deals regularly with the rest of the company needs to reiterate the same thing… That IT wants to meet the needs of the organization, and user desires are certainly part of that, but security and usability require that the roll-out be controlled, so users need to prioritize what devices are most important to them to guide IT in its implementations. And IT needs to do the research. There is a growing industry offering all sorts of solutions for right-sizing content, along with the industry to extend enterprise-grade security to portable devices, and even specialized acceleration tools for low bandwidth devices. You just have to find the tools that best suit your needs and use them to enable users. Is it possible that all of this is a fad? Yes possible, but not likely. The first thing everyone does on new gadgets is games, so there are a lot of people out there saying they game on their iPad and work on their laptop, but not everyone is saying that. We have three tablet PCs (Samsung and two RIM), and mostly we game on them at the moment, but we also work from them when our situation makes that more convenient than one of the many laptops strategically placed about the house. No doubt the ratio will tip as time goes on, and some are already talking about ditching their laptops. So enable, but use the fact that you’re enabling to control the flood. Each new gadget that comes out does not need IT support. Some do, some don’t. Make certain your users know you are there to support them, but doing so in the manner that will work best for the organization. And if you don’t have some form of tablet PC yet, play with one. Seriously. They’re a different experience, and you’ll understand why your users want support for them yesterday.Once Again, it Really IS About the Applications.
(Booming voiceover voice); Are you running the same tired old network tools? Does your network staff have to administer security and load balancing for each and every application? Do you find application analysts and owners show a growing frustration with the network team’s response times due to overloading? Well get in there and fix that network! Get the tools that you need to make your network more application friendly, reduce fatigue amongst your network staff, and give application owners more control of their applications! That was, of course, a joke poking fun at both the way we run our networks and the advertisement that tries to sell by listing common problems in a booming voice. But as is almost always the case, there’s a grain of serious in that joke. Many organizations have their infrastructure configured such that the networking staff must intercede with a lot of functionality that is in the application domain. Be it more capacity, granular security, or routing to a new instance of the application, the network staff carries these burdens, while the application staff waits for them to do so and in many cases, the application owner gets frustrated. But the days when ADC functionality – be it security, adding servers, or shipping connections to a remote instance of the application – had to rest completely in the realm of networking staff are behind us. If you still have those problems, you need to look into a state-of-the-art ADC (yes, like F5 sells, but we do have competition if you prefer). Assuming the application people can spin up new instances, they can also get them included in the ADC’s available servers. Since most application folks can spin up a new instance, this extra step means less waiting around for another team. When security issues crop up relative to a particular application, you’ll have the application owner, systems administrators, security… Do you really need to throw the network folks in there too? You used to have to, but technology has relieved that burden. When application owners (or sysadmins) can administer the security policy for a given application, then they just need the advice of the security team (assuming you’re a big enough org to have a security team). This not only makes the organization more nimble, it reduces errors by having those directly responsible for the application implementing policy for the application without a middle-man. Need to do cloud-bursting? The networking team needs to set that all up for you, but once it’s configured and the application can take advantage of it, then when/where/how is up to the application staff, not the networking team. Again, more agile. Just in terms of reducing burden on the networking staff, and thus making them more productive on the other important things they need to do, the move to a newer ADC is worth it. But throw in the concept that the application staff is also empowered to act without waiting to consult with yet another busy team, and the improved IT response time makes the overall organization more adaptable. If you choose an ADC that also resolves other pressing issues your organization has, you can really drive home solutions, while laying the groundwork for future architectural developments. Pick an ADC that enhances VMotion over long distances, for example, and moving apps from DC-to-DC becomes simple and reliable. So if your load balancing solution is just that – load balancing – it is time to look into where the market has gone. If you use a command line for most of your ADC configuration and management, it is again time to check where the market has gone. Enable applications staff to free up time for networking staff. And take advantage of a whole new set of capabilities while you’re at it. Explore what’s out there that might just make your life easier and your company more productive. And if you have an older solution, check out scalability too. Things have come a long way in a few short years, that’s for sure. That’s not to say that you shouldn’t have a command line – F5’s tmsh is a complete command line version of the UI – but not everyone wants to type 50 lines of script when one webpage will do, and to push functionality out beyond the network team, web interfaces are definitely needed, both to increase accessibility and to reduce errors.Why Developers Should Demand Web App Firewalls.
The Web Application Firewall debate has been raging for a very long time, and we keep hearing the same comments going back and forth. Many organizations have implemented them as a fast-track to compliance, primarily compliance with PCI-DSS, but the developer community is still hesitant to embrace them as a solution to their problems. And that’s because like so many things out there, they are seen as an “either-or” proposition. Either they can relieve a developer of the need to write security code, or they can’t. If they can’t, then why have them? I’m a developer by trade, and I get the sentiment. It’s tough to say “spend all this money, and I’ll keep spending my time”, could almost seem to make no sense. But very little out there is really an either/or proposition. Many of the things that a Web Application Firewall can do for you – like DOS/DDOS attack resistance – are outside the realm of the developer. If you’ve taken the time to write DDOS protection code into your web applications, you might just be in the wrong job. Many other things that Web Application Firewalls (WAF) can do are well within the bounds of the developer domain, but could save time if they were implemented in the centralized location of the WAF instead of over and over in each app. Not relieve you of the burden of writing secure code, but save you time by eliminating bits to focus on and reducing redundant development, freeing up CPU cycles in the process. My Friendly Local Game Store (FLGS) – with doors. And that’s the key. Web App Firewalls don’t have to do everything, they have to do something that makes them worth the time to install and utilize. While many orgs have installed them, I would argue they’re not utilizing them effectively because the installation was a check-box on a compliance report, not something the organization wanted to make adequate use of. Other organizations don’t have them. But there IS one driving reason to install a web app firewall. A significant number of attacks are stopped before they get to your machine. Let me say that again… Risk of a ne’er-do-well getting root and messing up your application and your server by taking advantage of some flaw in the OS or a library is zero for every attack that is stopped before the packets reach your server. And that’s important. Because no matter how secure your code, or the code of your purchased package, or whatever, the overall system is only as strong as the weakest point the attackers can reach. Just like a soldier hiding behind a window is harder to shoot because most of his body is protected, an application resting behind a web application firewall is mostly protected, and thus, harder for attackers to take control of. Yes, services and apps have to be open to the world in order for them to present value to your customer, but the fact that a business needs a front door to let customers in does not mean that all businesses should dispense with the front wall of their shop. Another Branch of the FLGS – Without Doors! So get the protection a Web Application Firewall offers, put it to its maximum uses that you trust (did I mention I was a coder? They can do more than I’d hand off to them ;-)), and spend the time you save on security development doing coding/projects that add business value, because security is only important when it’s breached, the next rev of an important customer portal will be talked about all the time. Hopefully with praise, but talked about, either way. Or you could take the extra time and come to Green Bay to visit those FLGS’. They do rock, whether you’re into Monopoly, RPGs, CCGs, CMGs, Minis, or any of the other XXGs. And no, I don’t have any financial interest in them, and no, they don’t have a web presence, so you’ll have to visit Green Bay to see ‘em – but the top store is right by Packer Stadium, so you can get a double benefit for the trip. I will point out that the store with no front door? Yeah, it’s counting on the protection of the mall’s doors, you know, kind of like an application and a Web App Firewall. Still has a drop down chain door though – because layered security is good.It Is Not What The Market Is Doing, But What You Are.
We spend an obsessive amount of time looking at the market and trying to lean toward accepted technologies. Seriously, when I was in IT management, there were an inordinate number of discussions about the state of market X or Y. While these conversations almost always revolved around what we were doing, and thus were put into context, sometimes an enterprise sits around waiting for everyone else to jump on board before joining in the flood. While sometimes this is commendable behavior, it is just as often self-defeating. If you have a project that could use technology X, then find the best implementation of said technology for your needs, and implement it. Using an alternative or inferior technology just because market adoption hasn’t happened will bite you as often as it will save you. Take PDAs, back in the bad old days when cell phones were either non-existent of just plain phones. Those organizations that used them reaped benefits from them, those that did not… Did not. While you could talk forever about the herky-jerky relationship of IT with small personal devices like PDAs, the fact is that they helped management stay better organized and kept salespeople with a device they could manage while on the road going from appointment to appointment. For those who didn’t wait to see what happened or didn’t raise a bunch of barriers and arguments that, retrospectively, appear almost ridiculous. Yeah, data might leak out on them. Of course, that was before USB sticks and in more than one case entire hard disks of information walked away, proving that a PDA wasn’t as unique in that respect as people wanted to claim. There is a whole selection of technologies that seem to have fallen into that same funky bubble – perhaps because, like PDAs, the value proposition was just not quite right. When cell phones became your PDA also, nearly all restrictions on them were lifted in every industry, simply because the cell phone + PDA was a more complete solution. One tool to rule them all and all that. Palm Pilot, image courtesy of wikipedia Like PDAs, there is benefit to be had from going “no, we need this, let’s do it”. Storage tiering was stuck in the valley of wait-and-see for many years, and finally seems to be climbing out of that valley simply because of the ongoing cost of storage combined with the parallel growth of storage. Still, there are many looking to save money on storage that aren’t making the move – almost like there’s some kind of natural resistance. It is rare to hear of an organization that introduced storage tiering and then dumped it to go back to independent NAS boxes/racks/whatever, so the inhibition seems to be strictly one of inexperience. Likewise, cloud suffers from some reluctance that I personally attribute to not only valid security concerns, but to very poor handling of those concerns by industry. If you read me regularly, you know I was appalled when people started making wild claims like “the cloud is more secure than your DC”, because that lack of touch with reality made people more standoffish, not less. But some of it is people not seeing a need in their organization, which is certainly valid if they’ve checked it out and come to that conclusion. Quite a bit of it, I think, is the same resistance that was applied to SaaS early on – if it’s not in your physical network, is it in your control? And that’s a valid fear that often shuts down the discussion before it starts – particularly if you don’t have an application that requires the cloud – lots of spikes in traffic, for example. Application Firewalls are an easier one in my book – having been a developer, I know that they’re going to be suspicious of canned security protecting their custom app. While I would contend that it isn’t “canned security” in the case of an Application Firewall, I can certainly understand their concern, and it is a communications issue on the part of the Application Firewall vendor community that will have to be resolved if uptake is to spike. Regulatory issues are helping, but far better an organization purchase a product because they believe it helps than because someone forced them to purchase. With HP’s exit from the tablet market, this is another field that is in danger of falling into the valley of waiting. While it’s conjecture, I’ll contend that not every organization will be willing to go with iPads as a corporate roll-out for groups that can benefit from tablet PCs – like field sales staff – and RIM is in such a funk organizations are unlikely to rush their money to them. The only major contender that seems to remain is Samsung with the Galaxy Tab (android-based), but I bought one for Lori for her last birthday, and as-delivered it is really a mini gaming platform, not a productivity tool. Since that is configurable within the bounds set in the Android environment, it might not be such a big deal, but someone will have to custom-install them for corporate use. But the point is this. If you’re spending too much on storage and don’t have tiering implemented, contact a vendor that suits your needs and look into it. I of course recommend F5 ARX, but since I’m an F5 employee, expecting anything else would be silly. Along the same lines, find a project and send it to the cloud. Doesn’t matter how big or small it is, the point is to build your expertise so you know when the cloud will be most useful to you. And cloud storage doesn’t count, for whatever reason it is seeing a just peachy uptake (see last Thursday’s blog), and uses a different skill set than cloud for application deployment. Application Firewalls can protect your applications in a variety of ways, and those smart organizations that have deployed them have done so as an additive protection to application development security efforts. If for some odd reason you’re against layered protection, then think about this… They can stop most attacks before they ever get to your servers, meaning even fingerprinting becomes a more difficult chore. Of course I think F5 products rule the roost in this market – see my note above about ARX. As to tablet PCs, well, right now you have a few choices, if you can get a benefit from them now, determine what will work for you for the next couple of years and run with it. You can always do a total refresh after the market has matured those couple of years. Right now I see Apple, RIM, and Samsung as your best choices, with RIM being kind of shaky. Lori and I own Playbooks and love them, but RIM has managed to make a debacle of itself right when they hit the market, and doesn’t seem to be climbing out with any speed. Or you could snatch up a whole bunch of those really inexpensive Web-OS pads and save a lot of money until your next refresh :-). But if you need it, don’t wait for the market. The market is like FaceBook… Eventually consistent, but not guaranteed consistent at any given moment. Think more about what’s best for your organization and less about what everyone else is doing, you’ll be happier that way. And yes, there’s slightly more risk, but risk is not the only element in calculating best for the organization, it is one small input that can be largely mitigated by dealing with companies likely to be around for the next few years.
