remote desktop gateway
3 Topics

Remote Desktop Web Access and Remote Desktop Gateway SSO Through APM
I'm a relatively new BIG-IP admin (we purchased BIG-IP to replace our TMG 2010 solution). I'm attempting to configure Remote Desktop Web Access and Remote Desktop Gateway services (2008 R2) utilizing APM. The pre-sales engineer we spoke to indicated this should be a "simple" configuration, but it's certainly kicked me in the rear. I've created what I assumed would be a good configuration:

1: Virtual server with a pool for the RD Web Access and Gateway server services, and an iRule to bypass APM for /rpc/rpcproxy.dll (see below; similar to rules I've seen for Exchange clients connecting using RPC over HTTPS).
2: APM configuration with forms-based SSO to the Web Access (which works perfectly), which allows us to integrate authentication to the web access page from our primary web portal.

Now, normally using RD Web Access you log in to the RD Web Access page, and it automatically connects your client to the RD Gateway, so launching a RemoteApp published application is seamless. When we apply an APM configuration to the virtual server, however, even with the rpcproxy.dll APM bypass in place, the automatic login to the RD Gateway doesn't happen. If we remove the APM config from the virtual server and publish directly without APM, it works fine, so I'm pretty sure the problem is with APM.

In short, what should happen is:

1: Client lands on BIG-IP APM login page (works)
2: Client logs into BIG-IP APM login page, which passes credentials to RD Web Access form (works)
3: On login to RD Web Access, the client should automatically log in to RD Gateway using the same credentials used to log in to RD Web Access (does NOT work)

I haven't found anything on configuring APM SSO for RPC over HTTPS, so I'm finally at a loss and asking here. Any suggestions? Pointers?
    when HTTP_REQUEST {
        # Bypass APM for RPC-over-HTTPS requests to the RPC proxy (the same idea as the
        # Exchange RPC-over-HTTPS iRules): these clients are not browsers and never reach
        # the APM logon page, so compression, caching and access policy are disabled and
        # the request goes straight to the pool.
        if {[string tolower [HTTP::uri]] contains "/rpc/rpcproxy.dll"} {
            COMPRESS::disable
            CACHE::disable
            ACCESS::disable
            # as posted: no pool name is given here
            pool
        }
    }

APM as an RDP Proxy but still get to RD Web Access page?
Hello, I am currently trying to understand if deploying the F5 with Microsoft Remote Desktop Gateway servers will fit our needs. I am not sure if using APM to proxy remote connections will work. I am looking to replace the RDS Gateway roles on my servers with the F5 iApp, but I'm not sure if I can keep the RDS Web Access component. Using the F5 as an RDS Gateway would provide us HA, so this looks great, but I'd like to keep the ability to use the web access page where users can click the RemoteApps that are published to an RDS collection. Does the F5 remove that ability when using APM to proxy remote connections?

Thank you,
Franz

F5 Remote Desktop Gateway and MS Azure Multifactor Authentication
With Microsoft's own Remote Desktop Gateway (2012 R2) it is now possible to require 2-factor authentication for RDP clients. It is done by configuring the RD Gateway to use an NPS/RADIUS server, which in turn uses MS Azure Multifactor Authentication Server (MFA) to add the second factor. The configuration is described here: http://www.rdsgurus.com/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/

2-factor authentication for RDP clients is a long-awaited feature, and I hoped and believed that it was possible to make this work also with the F5 RD Gateway. After hours and hours of trying I have realized that it's not straightforward, if possible at all.

The challenge/problem seems to be that the only place to put in an NPS/RADIUS server in the F5 solution is in the access profile (VPE), but if you do, the NPS/RADIUS responds with access_reject (unknown username or password). I suspect this is because the access profile doesn't really participate in the NTLM authentication (challenge/response); that part is handled before the access profile, in the VDI profile. So the access profile doesn't have any valid "password" to send to the NPS/RADIUS server. I guess this might have worked if RADIUS was an option in the VDI profile, but the only option there is an NTLM Auth Configuration (BIG-IP machine account in a Windows domain).

My questions are:

Has anyone had better luck than me setting up F5 RD Gateway with Azure MFA?
Is it possible, via tmsh maybe, to make a VDI profile use RADIUS instead of an NTLM Auth Configuration?
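Added example, not from this thread and not F5 or Microsoft code: a minimal RADIUS PAP client in Python that sends an Access-Request to the NPS directly, with the BIG-IP out of the path. It isolates the question the post raises: PAP puts the user's actual password in the request (hidden with the shared secret per RFC 2865), which is exactly what an NTLM challenge/response exchange never hands to the gateway. If the NPS answers Access-Accept to this client for the same user, the NPS/MFA policy itself is fine and the access_reject comes from what the access profile is able to send. The NPS host, shared secret, the NAS-Identifier value "radius-check" and the credentials are assumptions passed on the command line; build_response stands in for the server so the packet handling can be checked offline.

```python
"""Minimal RADIUS PAP client (RFC 2865/2869) for checking an NPS policy directly.

Constructed example; not F5 or Microsoft code.  Sends an Access-Request with the
password hidden PAP-style and validates the Response Authenticator on the reply.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869: HMAC-MD5 over the packet, keyed with the secret


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; what the RADIUS server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, identifier: int,
                         authenticator: bytes, nas_id: bytes = b"radius-check") -> bytes:
    """PAP Access-Request.  Message-Authenticator is computed over the whole packet
    with its own 16 value bytes zeroed, then filled in as the last attribute."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))  # "radius-check" is an assumed NAS name
    length = 20 + len(attrs) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    zeroed = header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server sends back; Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    Included only so the client can be exercised offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> tuple:
    """Return (authentic, code).  A failed check means a wrong shared secret,
    a reply to some other request, or a spoofed packet."""
    if len(response) < 20:
        return False, 0
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return False, code
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), code


def radius_pap_check(host: str, secret: bytes, username: str, password: str,
                     port: int = 1812, timeout: float = 5.0) -> str:
    """Send one Access-Request and describe the outcome."""
    request = build_access_request(username, password, secret, os.urandom(1)[0], os.urandom(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: is this host a registered RADIUS client on the NPS with the same secret?"
    ok, code = verify_response(request, reply, secret)
    if not ok:
        return "reply failed the Response Authenticator check (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
            ACCESS_CHALLENGE: "Access-Challenge"}.get(code, f"code {code}")


if __name__ == "__main__":
    import sys
    # usage: python radius_check.py <nps-host> <shared-secret> <user> <password>
    nps_host, shared, user, pw = sys.argv[1:5]
    print(radius_pap_check(nps_host, shared.encode(), user, pw))
```

Run it from a host that the NPS lists as a RADIUS client, with that client's shared secret; NPS silently discards requests from unregistered sources, which shows up here as a timeout. PAP hiding is only an MD5 keystream, so keep the test on a trusted network segment. An Access-Reject from this client points at the NPS/MFA policy (user not matched, MFA enrollment, NPS network policy); an Access-Accept here combined with a reject through APM means the two sides are not being given the same credential material, which is the situation the post describes.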