iRule for APM Resource Assignment

Hello,

we use our F5 as a gateway for RDP sessions. We have a logon page, a RADIUS authentication and then an Advanced Resource Assign to assign the RDP session. Every user has a different RDP connection. I have configured this via the VPE and it works.


Now over 200 users should be added, and this is wasteful via the VPE. That's why I'm writing an iRule to solve the resource assignment.


In the Advanced Resource Assign I only assign a webtop.

My iRule:

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "do_something" {
            set username [ACCESS::session data get session.logon.last.username]
            set domain "xxx"
            set terminalrdp "/Common/Terminalserver-RDP-pool"
            set c2123 "/Common/C2123"
            set c2124 "/Common/C2124"

            if { $username contains "Testuser" } {
                ACCESS::session data set session.logon.last.domain $domain
                ACCESS::session data set session.assigned.resources.rd $terminalrdp
            }

            if { $username == "UserX" } {
                ACCESS::session data set session.assigned.resources.rd $c2123
            }

            if { $username == "UserY" } {
                ACCESS::session data set session.assigned.resources.rd $c2124
            }
        }
    }
}

But this doesn't work as expected and I hope someone can help me. Maybe there is a simpler and better solution for the problem.

Comments on this Question
Comment made 5 months ago by Universal-Investment 69

Are there other ways to solve the problem? What's wrong with my iRule that it doesn't work?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

How many rdp resources do you want to assign to each user?

For a customer we created only one RDP resource with hostname %{session.logon.username}.company.local and we created a DNS record for each user!

Comments on this Answer
Comment made 5 months ago by Universal-Investment 69

That varies. Some users have only one RDP resource, others have 2 or more.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Where are the RDP resources stored? If in AD, then you can query the attribute and parse the response into APM variables. You can then create RDP links using the APM variable and tailor your APM policy so that the RDP icon is only presented to the user if the APM variable has been populated.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

you could manage your needs in 2 different ways.

-> Populate the users' RDP hosts in a multivalue AD/LDAP attribute and use an iRule to feed the dynamic RDPs.

-> Or via an iRule using a data group in order to store your RDP hosts.

For the second option, I advise you to create 5 (or more, depending on your convenience) dynamic RDPs that you feed according to the number of RDPs allocated to the user.

All you have to do is feed your dynamic RDPs with the IP addresses of the user's machines. By default, if the user has only one machine, you feed the other RDPs with a non-resolvable FQDN, and therefore they will not be displayed on the portal.

For information, when I say dynamic RDP, I mean that you create an RDP resource with a session variable in place of the FQDN, which you feed according to the user.

I have already done a similar job at a customer; if you want help on the subject, let me know.

Regards

Comments on this Answer
Comment made 5 months ago by Universal-Investment 69

Thanks for your response. How would the iRule look if I want to assign the session variable? I always get only an empty RDP, although I have entered the session variable in the RDP.

Comment made 5 months ago by youssef 2938

Just before going into details: you want to make an iRule to assign the RDP to your users? With a data group?

"I always get only an empty RDP, although I have entered the session variable in the RDP": so to answer your question, you get this kind of problem in this use case. Check that your RDP is configured with a hostname and not an IP, and check that the hostname you entered is resolved by the F5. Because if the F5 can't resolve your hostname, it does not display the RDP...

Comment made 5 months ago by Universal-Investment 69

Yes, I want to try RDP with a data group. I built 2 RDP connections: a dynamic one with the session variable %{dynrdp1} as hostname and one with a fixed hostname which is resolvable and working.

As simple as possible:

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "do_something" {
            set dynrdp1 "dmz-svlab1-84.dmz.lab"
            set rdp1 "/Common/DYN-RDP1"
            ACCESS::session data set session.assigned.resources.rd $rdp1
            # the resource name comes from $rdp1 set above
            ACCESS::session data set config.connectivity_resource_remote_desktop.$rdp1.host $dynrdp1
        }
    }
}
Comment made 5 months ago by youssef 2938

First create your DG: DG_RDP (type string), key: username, value: hostname (FQDN)

Then use this iRule (I have not tested it, but it is simple):

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "do_something" {
            # default: a name that does not resolve, so the dynamic RDP stays hidden
            set dynrdp1 "notresolvable.dmz.lab"
            set rdp1 "dmz-svlab1-84.dmz.lab"
            set username [ACCESS::session data get session.logon.last.username]

            # override the default with the host stored for this user in DG_RDP
            if { [class match $username equals DG_RDP] } {
                set dynrdp1 [class match -value $username equals DG_RDP]
            }

            ACCESS::session data set session.assigned.resources.rd1 $rdp1
            ACCESS::session data set session.assigned.resources.dynrd1 $dynrdp1
        }
    }
}

In your RDP (object) don't forget to replace the hostname with %{session.assigned.resources.dynrd1}

Keep me in touch, regards

Comment made 5 months ago by Universal-Investment 69

Thanks for your instructions and your iRule. I've configured everything as described, but I still get an empty RDP session where I can manually enter a destination. It seems like the variable is not passed to the session.


Comment made 5 months ago by youssef 2938

Are you sure that the username matches? Be careful with uppercase. In the iRule below I set the username to lowercase; just be careful to enter the username in lowercase in the DG.

Try this and check the logs:

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "do_something" {
            set dynrdp1 "notresolvable.dmz.lab"
            set rdp1 "dmz-svlab1-84.dmz.lab"
            # lowercase the username so it matches the lowercase keys in DG_RDP
            set username [string tolower [ACCESS::session data get session.logon.last.username]]
            log local0. "DEBUG LOG: Username : $username"
            if { [class match $username equals DG_RDP] } {
                set dynrdp1 [class match -value $username equals DG_RDP]
                log local0. "DEBUG LOG: dynrdp1 : $dynrdp1"
            }

            ACCESS::session data set session.assigned.resources.rd1 $rdp1
            ACCESS::session data set session.assigned.resources.dynrd1 $dynrdp1
        }
    }
}

Do a test while checking the logs:

tail -f /var/log/ltm | grep 'DEBUG'

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello, I finally found my mistake, why the iRule never worked. The iRule was only assigned to the access policy in the VPE, but not to the virtual server. After that was solved, the iRule also worked. However, I could only assign a value to each user in the data group. That's why I wrote the iRule as follows:

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "ui-rdp" {
            set dynrdp "notresolvable.net"
            set username [ACCESS::session data get session.logon.last.username]

            ACCESS::session data set session.assigned.resources.dynrd1 $dynrdp
            ACCESS::session data set session.assigned.resources.dynrd2 $dynrdp

            switch $username {
                User1 {
                    ACCESS::session data set session.assigned.resources.dynrd1 "Client1"
                    ACCESS::session data set session.assigned.resources.dynrd2 "Server1"
                }
                User2 {
                    ACCESS::session data set session.assigned.resources.dynrd1 "Client2"
                    ACCESS::session data set session.assigned.resources.dynrd2 "Server2"
                }
                UserX {
                    ACCESS::session data set session.assigned.resources.dynrd1 "ClientX"
                }
            }
        }
    }
}

I still have 2 problems:

  1. Even if the client is not resolvable, it is displayed in the webtop with the name that is not resolvable. Is this possibly a bug in version 13.1, which we use? The function is described in a Configuration Guide from 11.4.

  2. I have an RDP with "user defined"; if I enter there the IP of a client on which the access works, I get the error message "Your user account is not listed in the RD Gateway's permission list". Does anyone know this error?

Best Regards, Tina

Comments on this Answer
Comment made 5 months ago by Abdessamad 268

I think you can still work with a data group. Just define all necessary RDPs in a list in each user entry, and then loop over that list and assign all RDP resources.

ltm data-group internal myClassName {
    records {
        User1 {
            data "Client1 Server1"
        }
        User2 {
            data "Client2 Server2"
        }
    }
    type string
}

The iRule DG part should look like this:

# the data-group value is a space-separated list of hosts for this user
set RDPs [class match -value $username equals myClassName]
set rdpIndex 1
foreach rdp $RDPs {
    # fills session.assigned.resources.dynrd1, dynrd2, ... in list order
    ACCESS::session data set session.assigned.resources.dynrd$rdpIndex $rdp
    incr rdpIndex
}

I didn't test it, so the code might have to be adjusted a little.

Regards.

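As an added example that is not code from anyone in this thread: one iRule that puts together youssef's dynamic-RDP approach (a fixed set of "slots", an unresolvable placeholder so unused slots are hidden, lowercasing the username before the lookup) and Abdessamad's list-valued data group, and that also caps the number of hosts at the number of slots that exist. Everything named here is an assumption for the example: a data group DG_RDP whose keys are lowercase usernames and whose values are space-separated hostnames, five dynamic RDP resources whose hostname field is %{session.assigned.resources.dynrd1} through dynrd5, the agent_id "ui-rdp" as in Tina's iRule, and the placeholder hostname notresolvable.invalid (the .invalid TLD is reserved and never resolves). As Tina found, the iRule must be attached to the virtual server, not only referenced from the VPE.

```tcl
# Added example, not code from the thread. Assumed names: data group DG_RDP
# (key = lowercase username, value = space-separated hostnames), dynamic RDP
# resources DYN-RDP1..DYN-RDP5 whose hostname is
# %{session.assigned.resources.dynrdN}, and VPE agent_id "ui-rdp".

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "ui-rdp" } { return }

    # How many dynamic RDP resources exist in APM (DYN-RDP1..DYN-RDP5)
    set max_slots 5
    # A name that never resolves, so an unused slot is not shown on the webtop
    set placeholder "notresolvable.invalid"

    # Lowercase the logon name so the data-group lookup is case-insensitive
    set username [string tolower [ACCESS::session data get session.logon.last.username]]

    # Start with every slot pointing at the placeholder
    for { set i 1 } { $i <= $max_slots } { incr i } {
        ACCESS::session data set session.assigned.resources.dynrd$i $placeholder
    }

    # The data group is the only source of hostnames: nothing the user typed
    # is ever copied into the session variables
    if { ![class match -- $username equals DG_RDP] } {
        log local0. "RDP assign: no data-group entry for user '$username'"
        return
    }
    set hosts [class match -value -- $username equals DG_RDP]

    # A malformed value (e.g. an unbalanced brace) must not abort the policy
    if { [catch { llength $hosts } count] } {
        log local0. "RDP assign: value for user '$username' is not a valid list"
        return
    }

    # Fill the slots in list order; extra hosts are logged and ignored
    set i 1
    foreach host $hosts {
        if { $i > $max_slots } {
            log local0. "RDP assign: user '$username' has more than $max_slots hosts, ignoring '$host'"
            break
        }
        ACCESS::session data set session.assigned.resources.dynrd$i $host
        incr i
    }
    log local0. "RDP assign: user '$username' -> [expr {$i - 1}] host(s) assigned"
}
```

The data group stays the single authority for which host a user may reach: a user whose name is missing from DG_RDP gets only placeholders, and a user with more hosts than slots gets the first five with the rest logged rather than silently dropped. The log lines can be followed during a test with tail -f /var/log/ltm.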