remote desktop
13 Topics

Client SSL Profile set to Require Client Certificate breaks RDP in APM
Hello, I have a policy set up in the BIG-IP F5 VE 15.1.10.5 APM to allow access to a handful of Remote Desktop (RDP) links. I'm attempting to set the authentication to require Common Access Card (CAC) certificate login. In my access policy visual editor, I have a Client Cert Inspection branch that leads into OCSP Authentication and then, if successful, assigns the RDP resources through LDAP.

This all works perfectly fine as long as the Client SSL profile connected to the access policy has Client Authentication > Client Certificate set to "Request" or "Require." If set properly, when a user attempts to connect to the webtop URL they are prompted for their certificate, authorized against the OCSP, and given access to the resources that correspond to their LDAP group. However, when attempting to use one of the Remote Desktop links, it downloads the RDP connection as intended and then fails to connect with "There was a problem connecting to the remote resource. Ask your network administrator for help." I know this is because of the Client SSL profile, because if I change it back to "Ignore" and have the user click the Remote Desktop link, it downloads and connects to the specified resource with no issue. The server the RDP connects to is configured with a client certificate that is trusted by the Root and Intermediate CA in the "Trusted Certificate Authorities" under the Client SSL Client Authentication profile.

I was originally able to get around this by, instead of using Client Cert Inspection in my access policy, using On-Demand Cert Auth and leaving the Client SSL profile set to "Ignore" client certificate. This allowed the user to be prompted and authenticated when originally accessing the webtop and to use the RDP resources assigned. Unfortunately, On-Demand Cert Auth recently broke and users are not being prompted for their certificate, and as such cannot connect to the webtop without the Client SSL profile being set to "Request" or "Require" to force the certificate prompt.

https://my.f5.com/manage/s/article/K63123740

I've read the KB above, where it says "the RDP client doesn't like the certificate request," but I'm not sure why. RDP should support certificate requests; users authenticate with token certificates all the time when RDP'ing to resources, unless I'm misunderstanding what is happening? With that article I thought maybe the Server SSL profile would be an issue, but only changing the Client SSL profile certificate settings affects login. Any help would be appreciated, thanks!

APM/Analytics - Log click on webtop resources [serverside]
Problem this snippet solves:

When providing an SSL VPN portal to clients, you publish several applications such as Portal Access, Remote Desktop, webtop links, SAML resources, Citrix/VMware VDI, etc. APM logs access to the webtop, but once the user is connected there is no more visibility on who clicks on which icon. We provide visibility and analytics capabilities through a simple iRule.

How to use this snippet:

Installation

You just need to put this iRule in the Virtual Server configuration that handles your access profile.

Logging information

Clicks are logged in local0 (ltm logs). You can see examples below:

    virtual=/Common/test, apm=1239853, user=testuser, resource_type=portal, resourcename=owa
    virtual=/Common/test, apm=1239853, user=testuser, resource_type=remote_desktop, resourcename=ActiveDirectory

Features

You can currently log the following application types:

- Portal Access
- Remote Desktop access

The iRule provides the additional features:

- Decode the Portal Access URI
- Logging of username, APM session and resource name

Credits

Inspired by an original iRule in a reply from Kevin Stewart: Logging for Portal Access

External links

Github: github.com/e-XpertSolutions/f5

Code:

    when ACCESS_ACL_ALLOWED {
        switch -glob [HTTP::uri] {
            "*resourcetype=remote_desktop*" {
                # A Remote Desktop resource was launched from the webtop.
                # The "apm" field is the last 10 characters of the APM session ID;
                # the resource name is taken from the URI up to the next "%".
                #
                # Basic logging. Remote or local logging settings can be configured.
                #
                log local0. "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"
                #
                # ACCESS logging before v13.x. Uncomment only if $static::ACCESS_LOG_PREFIX
                # and $session are defined; otherwise the iRule raises a runtime error.
                #
                # log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"
                #
                # ACCESS::log is available in v13.x. Log saved in Access report too.
                #
                # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"
            }
            "*f5-w-*" {
                # Portal Access rewrites backend URLs as /f5-w-<hex>$$/path. The hex part
                # (after the 6-character "/f5-w-" prefix, up to "$$") is the original
                # host, so decode it to get a readable resource name.
                catch {
                    set resource [binary format H* [findstr [HTTP::uri] "/f5-w-" 6 "\$\$"]]
                    # Log each session/user/resource combination only once per hour
                    # (3600 s table entry), since every rewritten request hits this branch.
                    if { [table lookup -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource"] eq "" } {
                        table set -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource" [clock format [clock seconds] -format %Y%m%d-%H%M%S] 3600
                        #
                        # Basic logging. Remote or local logging settings can be configured.
                        #
                        log local0. "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"
                        #
                        # ACCESS logging before v13.x (same prerequisites as above).
                        #
                        # log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"
                        #
                        # ACCESS::log is available in v13.x. Log saved in Access report too.
                        #
                        # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"
                    }
                }
            }
        }
    }

Tested this on version: 11.5

APM :: Remote Desktop List :: Monitor Span/Multimon
Has anybody been able to get monitor spanning to work with an RDP access resource? Neither of these parameters appears to work:

I opened a support case with F5, but the engineer was not entirely helpful. When asking about Java RDP spanning:

"The short answer is no, Span support isn't available for the Java RDP client. It is possible to configure the MSTSC.exe client to support span, however, if you absolutely need it. This has been brought up as an RFE on multiple occasions and is a limitation of the underlying Java RDP implementation that PD has said they won't change."

When asking about RDP spanning with the native (Windows) client:

"I am certain I have seen the mstsc monitor span successful with the *span monitors:i:1*. I don't recall off hand if it was using an access portal or the client itself."

When pressing about the response:

"I only saw it work in a lab environment when I was testing against a previous bug with the ActiveX control RDP module. I hadn't configured it, one of my colleagues did, and I may have been mistaking what I saw (he may have been connecting directly to a Windows box, not through the F5)."

Does he just not feel like helping people today? If that was my answer to one of my customers I'd be getting some heat from my boss.

Our SE says that Mac will have an official RDP launch client (non-Java) and the mstsc launcher has some updates in version 13 that's coming out soon. Not sure if that's the root of my problems or not, and I'm not really interested in upgrading to .0 code right now... so I'd really like to get this to work at least on Windows... Mac is what it is at the moment unless I buy the HOB client (which I likely won't get approval for from management, not to mention it will look really bad when I ask for more money to do something we already have working in the environment with the solution we're replacing). Thanks-

Change Webtop Remote Desktop Icon
I have an access policy for VMware VDI and I can't seem to change the icons for my webtop/remote desktop links. The default icon is "terminal_service.png", located in /var/sam/www/webtop/public/images/full_wt. I have changed this to an icon with the same dimensions (32px) in Access Policy > Customization > Basic > Remote Desktop and General > Branding > Remote Desktops, but still the old icon is displayed. Any ideas?

APM :: Remote Desktop List :: Remote Sound Not Working
Has anybody run into the remote audio not being played locally? I have the local sound box checked, and I even tried the audiomode:i:0 custom parameter (even though it defaults to zero), and neither seems to be working. I know it's nothing wrong with the workstation (or so it seems) because the other VPN solution that I'm trying to migrate off of works perfectly fine.

General Properties:

Local Resources:

I haven't been able to get monitor spanning to work either (no matter what combination of anything I use)... but that's a whole other issue. Thanks-

APM "Remote Desktop Web Access" Kerberos SSO option
Currently working with a customer who is very interested in APM's Remote Desktop Web Access feature. MFA is strictly enforced in this environment, so usernames and passwords are a no-go, so NTLM is out. But within the Remote Desktop Web Access object definition there is a "Kerberos SSO Configuration" option where you can select a predefined Kerberos SSO profile. Through contextual clues, I assumed that this would be to set up a Kerberos Constrained Delegation scenario, mostly geared towards environments where passwords are not an option.

In setting this up, I have confirmed that the Windows server hosting the RemoteApp web portal has been set up to accept Windows Integrated Authentication, along with assigning the appropriate SPNs to the computer object in AD. I have validated that Kerberos authentication works going directly to the RemoteApp web portal (bypassed the forms page, saw the security event of the Kerberos logon within the Windows security events, etc.). I have set up the delegation account in AD for the Kerberos SSO profile and have verified that it has the appropriate permissions and delegated SPNs. After all of this I still receive the logon box from the webtop requiring a username, password and domain.

I haven't found any documentation on this particular option in APM, "Remote Desktop Web Access". So my question is: can a KCD setup be done with this APM feature, and is this particular Kerberos SSO drop-down used in this setup? If it cannot be done, what does this Kerberos SSO drop-down menu do? Thanks to any and all who can share their wisdom!

Load balancing Remote Desktop 2012R2 with F5 instead of Connection Broker.
Microsoft Issues:

We have a Remote Desktop deployment of around 60 session hosts, 2 HA connection brokers, 3 gateways, and 3 web access servers. We have had trouble with Microsoft's load balancing and session directory services provided by the connection broker. Specifically, there are circumstances when a specific session host may become unresponsive: some users on it are working, but new users can't connect. The host can't be removed from the collection as it is not responding to WMI requests. The only option we have is to hard reboot it and kick everyone off it. Since the host has a low number of users it also becomes a magnet for new connections and effectively takes down the entire cluster as far as new connections are concerned. Another scenario is that we lose a session host without it being able to power down gracefully (hardware failure). The session directory seems to keep a record of all the users on that host and attempts to reconnect them to it even though it is dead and gone. Those users can no longer connect. The only way to resolve this is restarting the connection broker, causing a cluster-wide outage.

Potential for F5 magic:

Our desire here is to replace the load balancing responsibility with the F5, where we have better health checking capabilities, better load balancing decision making, and better central control over which nodes are active in a pool. We would like to be able to disable a problematic node with the F5 and have new connections directed to other session hosts while existing users on that host are allowed to continue until attrition allows us to restart it. We'd like to incorporate better health monitoring to identify problematic hosts prior to receiving calls from our clients.

Trouble with interaction between F5 and RDP deployments

After setting up the latest version of the RDP Session Host iApp and doing some testing, we are finding some issues with the F5 performing load balancing.

We have the session hosts set to use token redirection in order to get the F5 to forward users to the appropriate session hosts where existing sessions are located (session directory); if it is left in IP redirect mode, these redirects cause the RDP client to attempt to bypass the F5 virtual server and access another host directly. The problem we are running into is that no matter what node the F5 decides to balance the user to, that session host will perform a load balancing election with the connection broker and issue a redirect token to a different node, so the F5 cannot perform any load balancing. Furthermore, if we have a problematic host and we disable it in the F5, the F5 will continue to accept the redirect tokens for the disabled host. Even if we set it to Forced Offline, the F5 will still attempt to connect to the offline host specified in the redirect and a connection failure will be returned to the RDP client. So the F5's ability to manage which hosts receive connections is rendered completely moot. We attempted to find and disable the "Connection broker load balancing" option in the registry which was used in previous versions of RDP, but this does not seem to stop the redirection tokens from being issued by the session host; in fact it seems to break session directory, so that once a user is assigned a host it will never realize they disconnected, and permanently holds that user to that host regardless of session status.

Problem

There seems to be no means to have F5 perform any authoritative load balancing or connection management among Remote Desktop 2012R2 session collections. What then is the point of putting all this behind an F5 virtual server...

Request

Anyone out there with experience running MS Remote Desktop 2012R2 session hosts via the F5 LTM virtual server that is able to perform load balancing/connection management, any tips or reference configurations?

Can't maximize RDP sessions with internet explorer - APM
I see a few similar posts on here about this but no definitive answer. I have Microsoft Remote Desktop shortcuts on my APM and they connect fine and maximize, but if you exit full screen, then it locks the screen to a small size. You can't resize or even maximize again and the maximize button becomes greyed out. Pretty unusable after that point. I thought this might be a bug when I was running 11.4 but I have upgraded to 11.6 and have the same issue. Anybody had the same issues and know how to fix this? Thanks

Citrix APM 11.5.1 HF8 Citrix Client download Bundle not working
I experience something weird while implementing APM with Citrix StoreFront: when I try to access the F5 APM published page and the client does not contain the Citrix Receiver client, APM should redirect the client to the location where to download the client. Everything else is working correctly.

This is Spanish for not having received any data (Empty response).

First we tried to change the Citrix Client Bundle to the internal installation package and it shows the before-mentioned error. When trying to change it to an external link it does not change the download location; in other words, the problem persists. One thing I don't have clear is how exactly this object is linked to the APM Access policy or webtop? Something similar is explained in this article: https://devcentral.f5.com/questions/issue-citrix-client-bundle-configuration-apm

APM Remote Desktop auto-logon without password fails
Hi all,

I am trying to configure auto logon for remote desktop for one of my clients with a blank/empty password. Quite a strange requirement but... So, I am struggling trying to get it to work. I am using custom session variables to pass domain and username information but having trouble passing an empty password. I have tried to set the pw variable string to and leaving it empty, but that just results in a failed login or refusal to attempt to log on. Leaving Password source blank doesn't work either. Does anyone have an idea how to do this the right way, if possible at all? Thanks in advance.

Alex