APM webtop – problem with websockets for Serverside Blazor app
Dear community, We have a web application built with Blazor server side rendering that utilizes SignalR (websockets) and runs on a Windows server with IIS (i.e. not web assembly). Virtual sever: the site runs as intended! Webtop + virtual sever: The site will render and SSO works, but any page using SignalR will loose interactivity as the websocket handshake times out. We have tried to disable websockets on the server which makes SignalR use long polling as a fallback. The web browser displays a different error message but behaves the same otherwise (have not dug deeper as we intend to use websockets in production). I would greatly appreciate any guidance on what to do! This is the log from the blazor web app (behind webtop + virtual server): 2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol. 2025-09-18 16:50:26 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection XQNqGM4oGkm0P1v4NECJ9g created. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Establishing new connection. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started. 2025-09-18 16:50:27 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Handshake was canceled. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Waiting for the client to close the socket. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket closed. 2025-09-18 16:50:42 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager Removing connection xVt0cL2a0gpMOiJROyJxhw from the list of connections. This is the log from the same blazor web app when it works as intended 2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: json, implemented by Microsoft.AspNetCore.SignalR.Protocol.JsonHubProtocol. 2025-09-18 17:29:31 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Registered SignalR Protocol: blazorpack, implemented by Microsoft.AspNetCore.Components.Server.BlazorPack.BlazorPackHubProtocol. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionManager New connection c0CR_c-7xa0QydeddE5HcA created. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.HttpConnectionDispatcher Sending negotiation response. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionHandler OnConnectedAsync started. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.Http.Connections.Internal.Transports.WebSocketsTransport Socket opened using Sub-Protocol: '(null)'. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubProtocolResolver Found protocol implementation for requested protocol: blazorpack. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.HubConnectionContext Completed connection handshake. Using HubProtocol 'blazorpack'. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "0", Target: "StartCircuit", Arguments: [ https://testsite.com/, https://testsite.com/counter, [], CfD...m ], StreamIds: [ ] }. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "EndInvokeJSFromDotNet", Arguments: [ 2, True, [2,true,null] ], StreamIds: [ ] }. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "UpdateRootComponents", Arguments: [ {"batchId":1,"operations":[{"type":"add","ssrComponentId":1,"marker":{"type":"server","prerenderId":"80...9c8","key":{"locationHash":"....","formattedComponentKey":""},"sequence":0,"descriptor":".... ], StreamIds: [ ] }. 2025-09-18 17:29:37 Debug Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcher Received hub invocation: InvocationMessage { InvocationId: "", Target: "OnRenderCompleted", Arguments: [ 2, ], StreamIds: [ ] }. This is the output in the web browser console when accessing the site via (webtop + virtual server): 2025-09-18T14:50:28.565Z Information: Normalizing '_blazor' to 'https://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor'. blazor.web.js?F5CH=J:1 2025-09-18T14:50:28.609Z Information: WebSocket connected to wss://testsite.com/f5-w-68747470733a2f2f6d6139392e6d6963726f2d746573742e696e747261$$/f5-h-$$/_blazor?id=xVt0cL2a0gpMOiJROyJxhw. blazor.web.js?F5CH=J:1 2025-09-18T14:50:43.620Z Error: Connection disconnected with error 'Error: Server returned handshake error: Handshake was canceled.'. blazor.web.js?F5CH=J:1 2025-09-18T14:50:43.620Z Error: Error: Server returned handshake error: Handshake was canceled. blazor.web.js?F5CH=J:1 2025-09-18T14:50:43.620Z Error: Failed to start the circuit. blazor.web.js?F5CH=J:1
Client SSL Profile set to Require Client Certificate breaks RDP in APM
Hello, I have a policy set up in the BIG-IP F5 VE 15.1.10.5 APM to allow access to a handful of Remote Desktop (RDP) links. I'm attempting to set the authentication to require Common Access Card (CAC) Certificate login. In my access policy visual editor, I have a Client Cert Inspection branch that leads into OCSP Authentication and then if successful assigns the RDP resources through LDAP. This all works perfectly fine as long as the Client SSL profile connected to the access policy has Client Authentication > Client Certificate set to "Request" or "Require." If set properly, when a user attempts to connect to the webtop URL they are prompted for their certificate, authorized against the OCSP, and given access to the resources as corresponds to LDAP group. However when attempting to use one of the Remote Desktop Links it'll download the RDPconnection as intended and fail to connect with "There was a problem connecting to the remote resource. Ask your network administrator for help." I know this is because of the Client SSL profile because if i change it back to "Ignore" and have the user click the Remote Desktop link, it downloads and connects to the specified resource with no issue. The server the RDP connects to is configured with a client certificate that is trusted by the Root and Intermediate CA in the "Trusted Certificate Authorities" under the Client SSL Client Authentication profile. I was originally able to get around this by, instead of using Client Cert Inspection in my access policy, using On-Demand Cert Auth and leaving the Client SSL profile to "Ignore" client certificate. This allowed the user to be prompted and authenticated when originally accessing the webtop and utilize the RDP resources assigned. Unfortunately, On-Demand Cert Auth recently broke and users are not being prompted for their certificate and as such cannot connect to the webtop without the Client SSL profile being set to "Request" or "Require" to force the certificate prompt. https://my.f5.com/manage/s/article/K63123740 I've read the above KB where it says "the RDP client doesn't like the certificate request." but I'm not sure why, RDP should support certificate requests, users authenticate with token certificates all the time when RDP'ing to resources unless I'm misunderstanding what is happening? With that article I thought maybe the Server SSL profile would be an issue, but only changing the Client SSL profile certificate settings affects login. Any help would be appreciated, thanks!APM Webtop SSL-VPN pop up customization
Hello all, I want to customize the pop up window used for webtop SSL-VPN and cannot found how. I am able to customize Webtop, Login & Logout page. Edge client too. But I found nothing about this pop up. I am using modern policy but this seems to use somehow the classic one as it has those diagonal stripes image background in header. Any ideas?
F5 APM Webtop - RDP Session Logging
Hello F5 Experts, I am relatively new to the F5 advanced ecosystem, am trying to generate useful logs from our APM Webtop environment and am hoping that someone can point me in the correct direction. I am trying to log the following things from our environment: Initial login's to the Webtop including ClientIP, Webtop portal address, Browser UserAgent, Client Username. (Optional) Client group membership/published resources when they log into Webtop. When a client opens a Web Portal Access from within Webtop including, ClientIP, Webtop portal address, Browser UserAgent, Client Username, Web Portal Access Address. (It would be good to get their session duration for this but that might not be fesable). When a client opens a RDP link from within the Webtop including, ClientIP, Webtop portal address, Browser UserAgent, Client Username, RDP Address, SessionCookie(?). When a client connects to a RDP session though the Webtop using one of the downloaded links, ClientIP, Webtop portal address, Client Username, RDP Address, SessionCookie(?), Session start and end time (Maybe two different log events?). From what I can tell this is likely to be an iRule. I think I have an idea how to do the Webtop portal logging, but what is really eluding me is how to log the RDP session connection and duration. Any help or a direction where to look would be greatly appreciated. Thank you,
Added Internal site on F5 Webtop, now it mixes user accounts
Hi, I have internal booking website "x", which works properly when I access it directly. I have added it in F5 webtop portal for remote users. When remote user accesses the website and logs in with he's user, the portal or website (idk which) mixes user accounts, that is when user Y logs in from webtop, it may actually login a user Z using user T's credentials. I'm not sure if our website X has problem itself or it is webtops fault. Plesae suggest me something if you know this problem. Thanks, Diamond.APM Session deleted when following link Webtop Link to Application URI
Hi all, I have three virtuals: web1.mydomain.com web2.mydomain.com webtop.mydomain.com and each virtual has a separate APM Profile (Type: All, Scope: Global, Domain Cookie: mydomain.com, Login Page + AD Auth). The webtop has two Webtop Links (Type: Application URI) for web1 and web2 When I login to web1, I can switch to web2, no further auth is required. No matter if I open web2 in the same tab or in a different tab. This also works the other way round, authenticating first to web2 and then opening web1. But when I login to web1 and next I open webtop.mydomain.com, my session is deleted and I have to authenticate again to both (web1 and webtop). Also when I login to webtop and I click on the links to web1 or web2 the same happens. My access session for webtop is deleted and I have to login to webtop and web1/web2. I traced it so far, that the browser is sending the correct cookie to https://web1.mydomain.com/. But when it redirects to /my.policy the session is deleted. Is this the expected behaviour when mixing webtop and webtop links scenarios? Or am I hitting a bug? BIG-IP Version is 15.1.2.1 Thanks in advance & KR Daniel
Hide applications from APM Citrix Webtop?
In Citrix Web Interface and Citrix Storefront it is possible to hide applications from appearing during app ennumeration with some modifications to their configuration files, even when a user has access to those apps. I have a APM Citrix webtop (it is replacing webinterface/storefront) I would like to do the same with. Is there some place I can configure or code I can modify to mask specific apps from appearing on the webtop? I know it seems like a strange request- but I need to filter a specific app from appearing only through one gateway while allowing it to appear for the same users in another gateway. Long story...hoping there is a way to do this with the webtop. Thanks!Change Webtop Remote Desktop Icon
I have an access policy for VMware VDI and I can't seem to change the icons for my webtop/remote desktop links. The default icon is "terminal_service.png" located in /var/sam/www/webtop/public/images/full_wt I have changed this to an icon with the same dimensions (32px) in Access Policy>Customization>Basic>Remote Desktop and General>Branding>Remote Desktops but still the old icon is dispayed. Any ideas?
