Client SSL Profile set to Require Client Certificate breaks RDP in APM
Hello, I have a policy set up in the BIG-IP F5 VE 15.1.10.5 APM to allow access to a handful of Remote Desktop (RDP) links. I'm attempting to set the authentication to require Common Access Card (CAC) Certificate login. In my access policy visual editor, I have a Client Cert Inspection branch that leads into OCSP Authentication and then if successful assigns the RDP resources through LDAP.This all works perfectly fine as long as the Client SSL profile connected to the access policy has Client Authentication > Client Certificate set to "Request" or "Require." If set properly, when a user attempts to connect to the webtop URL they are prompted for their certificate, authorized against the OCSP, and given access to the resources as corresponds to LDAP group. However when attempting to use one of the Remote Desktop Links it'll download the RDPconnection as intended and fail to connect with "There was a problem connecting to the remote resource. Ask your network administrator for help." I know this is because of the Client SSL profile because if i change it back to "Ignore" and have the user click the Remote Desktop link, it downloads and connects to the specified resource with no issue. The server the RDP connects to is configured with a client certificate that is trusted by the Root and Intermediate CA in the "Trusted Certificate Authorities" under the Client SSL Client Authentication profile. I was originally able to get around this by, instead of using Client Cert Inspection in my access policy, using On-Demand Cert Auth and leaving the Client SSL profile to "Ignore" client certificate. This allowed the user to be prompted and authenticated when originally accessing the webtop and utilize the RDP resources assigned. Unfortunately, On-Demand Cert Auth recently broke and users are not being prompted for their certificate and as such cannot connect to the webtop without the Client SSL profile being set to "Request" or "Require" to force the certificate prompt. https://my.f5.com/manage/s/article/K63123740 I've read the above KB where it says "the RDP client doesn't like the certificate request." but I'm not sure why, RDP should support certificate requests, users authenticate with token certificates all the time when RDP'ing to resources unless I'm misunderstanding what is happening? With that article I thought maybe the Server SSL profile would be an issue, but only changing the Client SSL profile certificate settings affects login. Any help would be appreciated, thanks!
F5 APM Webtop - RDP Session Logging
Hello F5 Experts, I am relatively new to the F5 advanced ecosystem, am trying to generate useful logs from our APM Webtop environment and am hoping that someone can point me in the correct direction. I am trying to log the following things from our environment: Initial login's to the Webtop including ClientIP, Webtop portal address, Browser UserAgent, Client Username. (Optional) Client group membership/published resources when they log into Webtop. When a client opens a Web Portal Access from within Webtop including,ClientIP, Webtop portal address, Browser UserAgent, Client Username, Web Portal Access Address. (It would be good to get their session duration for this but that might not be fesable). When a client opens a RDP link from within the Webtopincluding,ClientIP, Webtop portal address, Browser UserAgent, Client Username, RDP Address, SessionCookie(?). When a client connects to a RDP session though the Webtop using one of the downloaded links,ClientIP, Webtop portal address, Client Username, RDP Address, SessionCookie(?), Session start and end time (Maybe two different log events?). From what I can tell this is likely to be an iRule. I think I have an idea how to do the Webtop portal logging, but what is really eluding me is how to log the RDP session connection and duration. Any help or a direction where to look would be greatly appreciated. Thank you,
Added Internal site on F5 Webtop, now it mixes user accounts
Hi, I have internal booking website "x", which works properly when I access it directly. I have added it in F5 webtop portal for remote users. When remote user accesses the website and logs in with he's user, the portal or website (idk which) mixes user accounts, that is when user Y logs in from webtop, it may actually login a user Z using user T's credentials. I'm not sure if our website X has problem itself or it is webtops fault. Plesae suggest me something if you know this problem. Thanks, Diamond.APM Session deleted when following link Webtop Link to Application URI
Hi all, I have three virtuals: web1.mydomain.com web2.mydomain.com webtop.mydomain.com and each virtual has a separate APM Profile (Type: All, Scope: Global, Domain Cookie: mydomain.com, Login Page + AD Auth). The webtop has two Webtop Links (Type: Application URI) for web1 and web2 When I login to web1, I can switch to web2, no further auth is required. No matter if I open web2 in the same tab or in a different tab. This also works the other way round, authenticating first to web2 and then opening web1. But when I login to web1 and next I open webtop.mydomain.com, my session is deleted and I have to authenticate again to both (web1 and webtop). Also when I login to webtop and I click on the links to web1 or web2 the same happens. My access session for webtop is deleted and I have to login to webtop and web1/web2. I traced it so far, that the browser is sending the correct cookie to https://web1.mydomain.com/. But when it redirects to /my.policy the session is deleted. Is this the expected behaviour when mixing webtop and webtop links scenarios? Or am I hitting a bug? BIG-IP Version is 15.1.2.1 Thanks in advance & KR Daniel
Hide applications from APM Citrix Webtop?
In Citrix Web Interface and Citrix Storefront it is possible to hide applications from appearing during app ennumeration with some modifications to their configuration files, even when a user has access to those apps. I have a APM Citrix webtop (it is replacing webinterface/storefront) I would like to do the same with. Is there some place I can configure or code I can modify to mask specific apps from appearing on the webtop? I know it seems like a strange request- but I need to filter a specific app from appearing only through one gateway while allowing it to appear for the same users in another gateway. Long story...hoping there is a way to do this with the webtop. Thanks!
Change Webtop Remote Desktop Icon
I have an access policy for VMware VDI and I can't seem to change the icons for my webtop/remote desktop links. The default icon is "terminal_service.png" located in /var/sam/www/webtop/public/images/full_wt I have changed this to an icon with the same dimensions (32px) in Access Policy>Customization>Basic>Remote Desktop and General>Branding>Remote Desktops but still the old icon is dispayed. Any ideas?Load webtop from F5 Access edge client
I have an access profile set up for iOS devices to create a VPN connection via the F5 Access edge client. The network portion is working great. What I am struggling with is trying to present a set of bookmarks via webtop to frequently accessed resources people are accustomed to seeing (migrating from Pulse Secure). I have not found a way to display those bookmarks in the F5 Access client like Pulse Secure does. The closest I have come is a redirect either in the client (portal webtop) or Safari (via network access app launcher) to our portal page. Problem is, that requires them to login again since it is another session. I'm extremely new to all of this, so I'll keep poking around, just wanted to see if there were any suggestions from the community. Thanks!SP Initiated SAML Authentication stops at Webtop page
I'm trying to set up a new SAML connection with an external 3rd Party. I have one similar SAML connection set up and functioning with a different 3rd Party, but I can't see the difference between the two. I visit the URL of the external website, the browser is redirected to the F5's ssoportal, but it stops at the Webtop page, rather than redirecting the browser back to the website. When I view the logs, I can see that the F5 initiates a session for the user on the /Common/SSO-Portal.vs Virtual Server, processes the SSOPortal.profileAccess Profile, assigns all the SAML Resources (including the one I'm trying to use), but seems to stop there. If I compare it to the logs from the workign SAML connection, I can see the next step is "Client initiated SSO config received in metadata." I'm very new to SAML, so not sure where to start troubleshooting.
