rdp (28 topics)

Hitting the Easy Button: Securing the Remote Desktop on F5 BIG-IP APM
Being able to provide the most effective remote access solution is critical, especially in these turbulent times. In this article, printed with permission from authors Lucas Thompson & Michael Waechter, we're going to talk about Remote Desktop Web Access.

Solution Brief

In short, it enables end users to access their Remote Desktop applications through the F5 APM Webtop. The benefits of using Remote Desktop Web Access over a full desktop can be many. With the only requirements being a compatible web browser, the Microsoft RDP client (installed with all modern versions of Windows), and a backend server hosting the applications, the solution speaks for itself.

When the Full Webtop is displayed, APM fetches the list of RemoteApps available on the target Terminal Server via HTTPS (using the Server SSL profile on the APM virtual server), along with the associated icons, and presents them to the end user. The client connection is made over HTTPS to APM, and APM uses RDP (port 3389) to the Terminal Server.

In the classic Terminal Server Desktop use case, the user is assigned a 'native' type RDP resource. This icon is presented to the user on a Full Webtop, and access is made by selecting the icon. A .RDP file is downloaded to the end user's client PC, and the browser activates the OS's native RDP client to proceed with the connection. Again, the client connection is made over HTTPS to APM, and APM uses RDP (port 3389) to the Terminal Server.

Not only is the client setup simple, but the administration side of the equation is equally easy to enable. I'm running version 14.1 (LTS), and here are a few screenshots of the setup. To enable the solution, click Access -> Connectivity/VPN, then choose VDI/RDP -> Remote Desktops and add the relevant information. (Note: it's always best for the host name to be an FQDN, and to add it as an LTM node for health monitoring.)
Technical Workflow

The user clicks a resource icon on the Full Webtop; an RDP file is downloaded and then executed by the TS client on the user's PC. The RemoteApp use case has a few differences versus targeting a desktop or terminal server directly. In this case APM will:
- obtain a list of the RD feeds;
- derive the list of RDP App Resources from the RemoteApp feed;
- deliver the list of icons to the end user's browser;
- the end user's browser then requests the icon pictures via a proxy mechanism in the VDI module.

Because the RemoteApp feed comes through HTTPS and IIS on the Terminal Server, we have to make sure that:
- the BIG-IP data plane can route to the Terminal Server;
- BIG-IP can create an HTTPS connection to the Terminal Server;
- the Terminal Server is rendering the page correctly.

When you browse to it (https://terminalserver/rdweb/) you should see something like this (screenshots of the 2008 and 2012 RD Web Access pages were shown here). Authenticate with the same credentials that the test user uses in APM, and you should see an App Feed or Desktop feed.

Solution FAQ

What kind of licenses are used for RDP access? APM has two license types: CCU and Access Session. An Access Session is consumed for each established session ID. CCUs are used for Network VPNs and other things that require more advanced features. Native mode RDP does NOT use a CCU (connectivity) license; only a single Access Session license is consumed by a connecting user.

What RDP options are supported? All of them. They're basically echoed back to the client in the .RDP file. Put your desired parameter into the Custom Parameters area. It's OK to use session variables in %{session.variable} format as well. (Screenshot: RDP Custom Parameters configuration.) Lists of the RDP options have been compiled by third parties, including the one at https://www.donkz.nl/overview-rdp-file-settings/, which is quite comprehensive. Please note that the following options are reserved for APM RDG use.
If you attempt to apply these custom parameters, they will be ignored and/or overwritten by APM:
- gatewayusagemethod
- gatewayprofileusagemethod
- gatewayhostname
- gatewaycredentialssource
- gatewayaccesstoken
- authentication level
- full address
- server port
- enablecredsspsupport
- signscope
- signature
- prompt for credentials on client
- domain
- username
- alternate full address
- gatewaybrokeringtype

RDP Window Title

The maximized window title for MSTSC inherits the target device name (not the RD Gateway host). The medium-sized window title for MSTSC inherits the RDP filename (which is always "launch" -- see RFE 610244). One interesting thing that is possible is to internally redirect the RDP session so that the client THINKS it's connecting to one site, but then re-assign the remote host variable to a different site during the RAP access policy execution.

RemoteApps

It's possible to create a lot of apps by using a PowerShell script on a RemoteApp-enabled terminal server.

Client Requirements

The Microsoft Remote Desktop client is supported for both Windows and Mac. Because the protocol used relies on the Remote Desktop Gateway functionality, only newer RDP clients work; legacy clients will likely not be able to create connections.

iOS/Android

The latest iOS / Android App Store RDP clients from Microsoft are supported. There might be some version conflicts, but for the most part the latest and greatest will work.

Reconnections / Disruptions

Reconnections work the same as with normal RDP. If the user disconnects and reconnects, the session will be resumed: the client instructs the RD Gateway (APM) to establish the session again, and the Remote Desktop session is resumed as well, the same way as with normal RDP. If the APM session is deleted, timed out or otherwise destroyed, the connection will stop; RDP will try to reconnect, but it will fail, and you will see an error message from the MSTSC client (shown in a screenshot in the original article).

Configuration of the custom parameters of the RDP application in APM
Hi all, I configured an RDP application using the native client type in the APM, and I would like to put some RDP configuration (such as below) in the custom parameters. But after I add it, I found that those configurations are not in the .rdp file generated by F5 APM. So may I know if you have the same experience? If yes, how to solve it? My BIG-IP version is 13.1.3 Build 0.0.6.

Disable wallpaper:i:1
Bitmapcachepersistenable:i:1

Best regards,
Alex Tsang

APM - RDP AppTunnel with Multiple monitors
Hi, I'm trying to get the RDP Application Access to pick up on multiple monitors on the client side (normally done by adding the parameter /multimon to the command). However, when adding this to the RDP Application Access object, no luck. You can get this to work by building your own "custom" AppTunnel: create a standard AppTunnel, include the application path to mstsc.exe, point it to the local proxy IP and then add the /multimon parameter. Unfortunately, the AppTunnel doesn't seem to provide SSO integration (probably because it's too generic and it doesn't know how to intercept the authentication screen). So, does anyone know how to get RDP Application Access to work with multiple monitors, or failing that, how to implement SSO on a normal AppTunnel for RDP? Thanks in advance!

APM - User Defined RDP in version 13 - digital signature issue
I'm testing out v13 and User Defined RDP via webtop in my lab and am getting the following message when launching the .RDP file: "The digital signature of this RDP File cannot be verified. The remote connection cannot be started." Has anyone run into this at all? I'm wondering if it could be related to the use of the default "clientssl" and "serverssl" profiles for the Virtual Server associated with the Access Policy.

Native RDP sessions not connecting (13.0 HF2)
Hi there, we have BIG-IP LTM/APM configured and working. We have load balanced services, VPN and many other services working without issue. We recently upgraded to 13 and added HF2. We are currently testing the native RDP client integration (not gateway or remote access) and we're currently failing miserably. So far I've noticed the following:
- I am making a successful connection to the BIG-IP on 443 from the RDP client, but it disconnects shortly after with a message about not being able to find the computer.
- RDP requests seemingly originate from the self IP of the BIG-IP, not the required SNAT address.
- Requests are dropped by the client, and Windows Filtering Platform shows blocked connection events in the security log.
- The ActiveX/Java clients work and connect; however, the source IP is still the external self IP of the BIG-IP.

So I guess I have 2 issues:
1. The connections appear to originate from the self IP of the BIG-IP, not the designated SNAT pool.
2. The RDP connection makes a connection to the BIG-IP, but then Windows is blocking it for some reason.

Steps I've taken so far, relating to 1:
- Tried different SNAT pools.
- Changed the various settings relating to SNAT (Auto Map, SNAT, None); all give the same results.
- Searches returned results about a bug that existed in BIG-IP 12 that sounded similar; however, this is not mentioned in the 13 notes as either being fixed or a known issue.

Relating to 2:
- Turned off the local firewall.
- Turned off "require Network Level Authentication" in Remote Connection Settings.
- Searches didn't turn up much of any use.

Any advice on either issue would be great. Cheers, Spence

cannot get fullscreen to Windows 2012 R2 on APM webtop
Hi, I have configured a portal with some links to internal apps and RDP. I've got some issues I don't know how to fix. The problem is with Remote Desktop to a Windows 2012 R2 server. I set the full screen option, but when I click a link on a webtop the window always appears with a fixed size, although the real screen resolution is higher. So the IE window has vertical and horizontal sliders. I checked with a Windows 2003 server and the full screen option works. Where should I check to get that thing working? I can share any configuration and screenshots if needed.

chrome 84 blocking rdp native
Chrome 84, released publicly since July 14, has caused our home remote access users using Chrome to be blocked from launching the F5 APM RDP native icon (.rdp file): "launch.rdp may be dangerous, so Chrome has blocked it". The only workaround we know of is to tell Chrome to turn off Safe Browsing; there is no granular setting to only allow the remote access URL site. Anyone else have this issue recently?

Can't maximize RDP sessions with internet explorer - APM
I see a few similar posts on here about this but no definitive answer. I have Microsoft Remote Desktop shortcuts on my APM and they connect fine and maximize, but if you exit full screen, then it locks the screen to a small size. You can't resize or even maximize again, and the maximize button becomes greyed out. Pretty unusable after that point. I thought this might be a bug when I was running 11.4, but I have upgraded to 11.6 and have the same issue. Anybody had the same issues and know how to fix this? Thanks

Microsoft Server 2016 Remote Desktop Session Host
I have a customer who would like his MS Remote Desktop to be delivered through our LTMs. The issue that I'm running into is the servers he's using. The deployment guides include Server 2008/2012, but he's using 2016. Is there somewhere posted what the Send/Receive strings will be on the health monitors if the pool members are 2016 servers? https://www.f5.com/pdf/deployment-guides/microsoft-rds-session-host-dg.pdf

RDP connection via application access fails when client certificate is set to require
I've set up a VIP with a client SSL profile that requires a certificate. The access policy on this VIP has some resource assignments: network access, RDP application access and RDP via app tunnel access. All of these resources work just fine, except the RDP application access. The connection is not established and the handshake gives this failure:

TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 0
    Handshake Protocol: Client Key Exchange

However, another resource works just fine:

TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 2647
    Handshake Protocol: Client Key Exchange

In the first capture, the certificate length is 0. In the second one it is 2647. Now, I've set the client SSL profile to 'request' and all resources work just fine. Can someone shed some light on this issue? Why does it fail when set to 'require'?