Native RDP sessions used in Full Webtop do not work (BIG-IP 13.1.0.6 Build 0.0.3)

Hi folks,

I have to secure RDP sessions to Windows Server 2008 R2 and 2012. I want to use the APM and an appropriate Webtop, but it does not work. I got the error: [screenshot]

I am running in my testlab a Windows 7 client and a Windows 2008 R2 Server.

The access profile has a simple VP: [screenshot]

I am using a simple RDG-RAP with Start -> Allow

I am using the following RDP connection settings: [screenshot]

Everything seems to be quite simple, but it does not work.

I don't see any attempt on tcp port 3389 in a tcpdump.

My virtual server settings are: [screenshot]

Any hints are welcome!

Thank you & regards

0
Comments on this Question
Comment made 12-May-2018 by Niels van Sluis 2775

Does your MS RDS setup also contain a connection broker and web access services? I also notice that you didn’t configure Auto Map or SNAT, is that correct?

0
Comment made 12-May-2018 by NetCohort 106

The server role "Remote Desktop Services" is not deployed. It is just Remote Desktop with the following settings: [screenshot]

With those settings I am able to connect with RDP to the server directly.

The server is using the F5 self IP as default gateway. Communication between the F5 and the backend server is working.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Here is a working configuration in my lab:

ltm virtual vs_myvs {
    destination 1.2.3.4:https
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        myaccessprofile { }
        apm-default-serverssl {
            context serverside
        }
        myclientssl {
            context clientside
        }
        myconnectivityprofile {
            context clientside
        }
        http { }
        ppp { }
        rba { }
        tcp-lan-optimized {
            context serverside
        }
        tcp-wan-optimized {
            context clientside
        }
        vdi { }
        websso { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans-enabled
    vs-index 28
}

apm profile vdi vdi { app-service none }

apm resource remote-desktop rdp AD_Demo.local {
    acl-order 100
    auto-logon enabled
    customization-group AD_Demo.local_resource_remote_desktop_customization
    host ad.demo.local
    log packet
    native-client enabled
    port ms-wbt-server
}

Connectivity profile parameters are all inherited from the default profile.

The access profile is the following:

[screenshot]

When I disable SSO, it works with:

  • MacOS / Microsoft remote desktop version 10.1.8
  • MacOS / Microsoft remote desktop version 8.0.43
  • Windows 10 build 1803 / mstsc version 10.0.17134.1

When I enable SSO in the remote-desktop profile and assign the domain name to the variable session.logon.last.domain, I get the same "does not have associated NTLM Auth profile or ECA profile is missing" error with MacOS / Microsoft Remote Desktop version 10.1.8, but it works with the other clients.

0
Comments on this Answer
Comment made 18-May-2018 by NetCohort 106

At the end it was the mstsc client version. You have to use at least mstsc version 6.3.9600.

Thank you very much for the support

0
Comment made 1 month ago by James Rodgers 153

Thanks for the info.

Where you say, "When I enable SSO in the remote-desktop profile", you mean the RDP resource, right?

0

Native RDP requires that you have a Microsoft client running RDP 8.1: https://support.microsoft.com/en-au/help/2923545/update-for-rdp-8-1-is-available-for-windows-7-sp1 The Windows 7 RDP 8.1 update has some other dependencies as well, which you will discover when you go to install it.

Update: A separate RDG-RAP policy is only required if your destination is dynamic. This means that in the RDP profile you specify the destination as "User Defined".

The key piece here is when APM creates the RDP file for the Remote Access Webtop link, it digitally signs this with the SSL certificate of the virtual server running the APM policy. For Microsoft RDP client to accept this signed file you MUST be using a valid SSL certificate. Inside the file it will include a token which is valid for about 20 seconds. Microsoft RDP will open the session using the APM as the gateway and present this token for authentication to APM.

Now if you want SSO you need to select it inside the RDP profile you created. This is completely independent and distinctly separate from ANY OTHER SSO configuration inside APM. The variables you specify here can be left as defaults, but you need to include an SSO variable assignment object in the VPE before it hits the Webtop so these variables are populated for the RDP configuration to use.

Note that NTLM is not required or needed for any of this to work. The username and password from the login to the Webtop are sufficient; as long as they match the credentials for the RDP host, your desktop should appear. When you first click the remote desktop link it will download the RDP file; it is here that you tell your browser to always open these files with the right application. Next time it will open the link on download and connect immediately.

1
Comments on this Answer
Comment made 13-May-2018 by Niels van Sluis 2775

Are you sure about your comment that a separate RDG-RAP policy is only needed when not launching from a webtop?

Last week I needed to add a RDG-RAP policy when using a RDS deployment that uses connection brokers and multiple session hosts. In order to get this working I needed to add the RDG-RAP policy. Without one it would not work and the error messages in the APM suggested it was missing one. The APM deployment guide (page 51) also notes:

An RDG-RAP access policy is required if the target server is dynamic or redirected to a different target server by a Terminal Services server with the broker role installed.

1
Comment made 13-May-2018 by Kevin Davies 3030

That's the restriction I was looking for, Niels. I was trying to find it when I posted... Thanks, I have updated my post.

1
Comment made 17-Oct-2018 by OM 423

Hello Kevin, I tried to get the SSO working, no luck. Would you please provide more details about the VPE?

thanks.

PS: right now I am using a specific admin partition with a routing domain (non-default).

om

0
Comment made 1 month ago by James Rodgers 153

Thanks for the info.

Again, where you say "This means in the RDP profile you specify the destination...", and "if you want SSO you need select it inside the RDP profile you created" — in each case you mean RDP resource, right?

0

Try removing the RDG Policy assign agent. I think you don’t need this in your deployment.

0
Comments on this Answer
Comment made 12-May-2018 by NetCohort 106

I tried it, but without success.

telnet from the F5 device with success:

config # telnet f5demo-dc.f5demo.com 3389
Trying 10.128.20.10...
Connected to f5demo-dc.f5demo.com.
Escape character is '^]'.

Certificates are valid. MSTSC client in version 6.1.7600.

0
Comment made 12-May-2018 by Niels van Sluis 2775

Did the error shown by the RDP client change when you removed the RDG Policy agent? When you enable Access Policy and VDI debugging, does it show any errors in the /var/log/apm logs? Do you use an ACL?

0
Comment made 12-May-2018 by NetCohort 106

The error is the same. I do not use an ACL. And if I change the RDP client type to ActiveX in the Access ›› Connectivity part, everything is working.

But well, I will try to execute some debugs.

0
Comment made 12-May-2018 by NetCohort 106

OK, big sorry, I was focused on basic settings, but it seems there is a problem with authentication. I get the following message every second:

err nlad[4864]: 01620000:3: <0x2b85b935e700> nlclnt[10a14800a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 10.128.20.10

With an authentication from the RDP client I got:

Could not verify user (f5demo\test) credential (STATUS_NO_LOGON_SERVERS)

I deleted the machine account, and recreated it.

adutil[18161]: 0149019f:5: machine 'lab.f5demo.com' has successfully joined with AD domain 'f5demo.com' (NetBIOS domain 'F5DEMO')

With the configuration of the "NTLM Auth Configuration" the messages appear again.

Any ideas?

0
Comment made 12-May-2018 by Niels van Sluis 2775

Not sure why you need NTLM auth. Can't you just enable SSO in the RDP profile? From the screenshot it seems you are not using this.

0
Comment made 13-May-2018 by Niels van Sluis 2775

Are you using NTLM SSO in the Access Policy? If so, remove it from the Access Policy. As Stanislas mentions, the RDP client version could be an issue. If you are using the RDP client under Windows 10 you should be good to go.

0
Comment made 13-May-2018 by Niels van Sluis 2775

It could also be a Domain GPO setting that is trying to force NTLM. Can you check this?

User Configuration-->Administrative Templates-->Windows Components-->Remote Desktop Services--> RD Gateway-->Set RD Gateway authentication method

If this policy is set to "Enabled" it could be forcing NTLM.

Source: https://devcentral.f5.com/questions/apm-as-an-rdp-proxy-but-still-get-to-rd-web-access-page-50412

The APM Operation Guide also says something interesting about the error you are seeing:

There are two generations of the RDP Gateway protocol:

  • An RPC-based generation (BIG-IP 11.6 and later)
  • A newer, simplified non-RPC-based protocol generation (BIG-IP 13.0 and later)

Both generations of RDP Gateway protocol use the HTTP protocol for message transport. BIG-IP APM supports both generations, but support of the older protocol requires NT LAN Manager (NTLM) passthrough authentication (similar to Exchange). This means you must configure an NTLM machine account in BIG-IP APM.

It’s difficult to determine which generation of these protocols BIG-IP APM chooses. If the client chooses the older protocol and you don’t have an NTLM Auth profile set up, the following error message syntax appears:

<client> does not have associated NTLM Auth profile or ECA profile is missing
0
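The thread's troubleshooting clues (minimum mstsc build, the "does not have associated NTLM Auth profile" VDI error, the nlad logon failure, and the virtual server RST seen in tcpdump) can be checked mechanically. The script below is an added example, not code from the thread or from F5; it parses constructed sample lines modelled on the ones quoted above and maps each symptom to the check the answers recommend.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, modelled on the log and tcpdump lines quoted in this thread.
SAMPLE_APM_LOG = [
    "May 13 07:47:24 lab notice vdi[14308]: 019c0001:5: /Common/ACC-PROF-WEBTOP:Common:4dd4d711: "
    "Starting RDP 'Desktop' from resource '/Common/CONN-RES-RDP'",
    "May 13 07:48:02 lab err tmm[17887]: 019cffff:3: /Common/ACC-PROF-WEBTOP:Common:00000000: VDI profile on "
    "/Common/VS-RDP-WEBTOP-443 does not have associated NTLM Auth profile or ECA profile is missing",
    "May 13 07:48:03 lab err nlad[4864]: 01620000:3: <0x2b85b935e700> nlclnt[10a14800a] init: "
    "Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 10.128.20.10",
]
SAMPLE_TCPDUMP = [
    "16:44:44.436649 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [R.], seq 2044, ack 671, win 0, length 0 "
    'out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 rst_cause="[0x28a318e:6247] iRule execution (reject command)"',
]

# Oldest mstsc build reported as working in this thread (the RDP 8.1 client).
MIN_MSTSC = (6, 3, 9600)

# BIG-IP log line: "<month> <day> <time> <host> <severity> <process>[<pid>]: <code>:<level>: <message>"
APM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<code>[0-9a-f]{8}:\d): (?P<msg>.*)$"
)
# tcpdump on BIG-IP annotates RSTs it generated itself with rst_cause="..."
RST_CAUSE = re.compile(r'Flags \[R\.?\].*?rst_cause="(?P<cause>[^"]*)"')


def parse_apm_line(line: str) -> Optional[Dict[str, str]]:
    """Split one /var/log/apm line into its fields, or None if it is not in that format."""
    m = APM_LINE.match(line)
    return m.groupdict() if m else None


def mstsc_too_old(version: str) -> bool:
    """True when a dotted mstsc version (e.g. 6.1.7600) is older than MIN_MSTSC."""
    return tuple(int(p) for p in version.strip().split(".")) < MIN_MSTSC


def triage(apm_lines: List[str], tcpdump_lines: List[str], mstsc_version: str) -> List[str]:
    """Map the symptoms seen in this thread to the checks its answers recommend."""
    findings: List[str] = []
    if mstsc_too_old(mstsc_version):
        findings.append(f"CLIENT: mstsc {mstsc_version} is older than 6.3.9600; install the RDP 8.1 client update")
    for line in apm_lines:
        rec = parse_apm_line(line)
        if rec is None:
            continue
        if "does not have associated NTLM Auth profile" in rec["msg"]:
            findings.append("APM: client used the RPC-based RD Gateway generation; use an RDP 8.1 client "
                            "or attach an NTLM Auth profile to the VDI profile")
        elif rec["proc"] == "nlad" and "NT_STATUS_LOGON_FAILURE" in rec["msg"]:
            findings.append("NTLM: BIG-IP machine account cannot log on to the DC; re-join the machine account")
    for line in tcpdump_lines:
        m = RST_CAUSE.search(line)
        if m:
            findings.append(f"TCP: virtual server reset the client ({m.group('cause')}); "
                            "check SNAT automap and the serverssl/vdi profiles on the VS")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_APM_LOG, SAMPLE_TCPDUMP, "6.1.7600"):
        print(finding)
```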

Hi,

Did you configure SSO in the RDP resource?

I already had some issues with SSO and native mode.

All the configuration I saw in your screenshots may work!

  • RDP-RAP access profile is required
  • you can leave NTLM auth in the RDP profile, but it is useless with native mode; it is only for direct connection from the RDP file in mstsc

The only other issue can be the mstsc version! The minimum mstsc version is 8.0 (not the default version in Windows 7).

0
Comments on this Answer
Comment made 12-May-2018 by NetCohort 106

I added my RDG-RAP again, and the VP looks like the screenshot I mentioned in my first post. I added the default "vdi" profile without NTLM auth, but with each attempt I got:

May 13 07:47:24 lab notice vdi[14308]: 019c0001:5: /Common/ACC-PROF-WEBTOP:Common:4dd4d711: Starting RDP 'Desktop' from resource '/Common/CONN-RES-RDP'
May 13 07:47:50 lab notice tmm[17887]: 01490521:5: /Common/ACC-PROF-WEBTOP:Common:764f7ab5: Session statistics - bytes in: 48800, bytes out: 15761
May 13 07:48:02 lab err tmm[17887]: 019cffff:3: /Common/ACC-PROF-WEBTOP:Common:00000000: VDI profile on /Common/VS-RDP-WEBTOP-443 does not have associated NTLM Auth profile or ECA profile is missing

SSO is enabled now, but the behaviour does not change. If I execute the RDP file I have to edit it manually to allow the input of credentials....

0
Comment made 13-May-2018 by Stanislas Piron 10677

I asked if you enabled SSO in the RDP resource, to disable it if it was set!

The mstsc version may be the cause!

Can you confirm your client version?

1

Hi, first of all thank you for your help, but it won't run. I installed a Win10 client and I got the same message. I tried the Remote Desktop app and the mstsc client. The VP is broken down to: [screenshot]

I disabled the SSO credentials mapping and the SSO settings in the remote desktop connectivity profile, but I get the same messages.

The certificate is valid. The browser trusts the website.

I got with each attempt the error:

/Common/ACC-PROF-WEBTOP:Common:00000000: VDI profile on /Common/VS-RDP-WEBTOP-443 does not have associated NTLM Auth profile or ECA profile is missing

But I have to use a vdi profile, and I am using the default one.

The tcpdump tells me that the virtual server reset my connection. This is the section where I try to access the server via RDP:

> 16:44:44.414358 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [S], seq 2246235942, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.414422 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [S.], seq 721181350, ack 2246235943, win 4380, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.417240 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.419570 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 1:180, ack 1, win 64240, length 179 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.419870 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 180, win 4559, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.422987 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [P.], seq 1:1993, ack 180, win 4559, length 1992 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.429565 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [.], ack 1993, win 64240, length 0 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.429583 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 180:306, ack 1993, win 64240, length 126 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.429632 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 306, win 4685, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.430614 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [P.], seq 1993:1999, ack 306, win 4685, length 6 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.430629 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [P.], seq 1999:2044, ack 306, win 4685, length 45 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.433217 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [.], ack 2044, win 64189, length 0 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435396 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 306:638, ack 2044, win 64189, length 332 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435420 IP 10.128.10.10.50147 > 10.128.10.100.443: Flags [P.], seq 638:671, ack 2044, win 64189, length 33 in slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435452 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 638, win 5017, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.435458 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [.], ack 671, win 5050, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=224 inslot=0 inport=0 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
> 16:44:44.436649 IP 10.128.10.100.443 > 10.128.10.10.50147: Flags [R.], seq 2044, ack 671, win 0, length 0 out slot1/tmm0 lis=/Common/VS-RDP-WEBTOP-443 flowtype=64 flowid=5600012D6D00 peerid=0 conflags=800224 inslot=0 inport=0 haunit=1 priority=3 rst_cause="[0x28a318e:6247] iRule execution (reject command)" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

I don't have any iRule in use. The virtual server settings again: [screenshot]

0
Comments on this Answer
Comment made 13-May-2018 by Kevin Davies 3030

Turn on SNAT. You require it. If you turn off SSO it simply means the RDP connection will prompt you for login details.

1
Comment made 13-May-2018 by Kevin Davies 3030

So I built this again using 13.0.0. Was prompted for RDP auth and logged in fine. Still tweaking the SSO pieces. Will know more tonight. Server SSL and VDI profiles are required.

1
Comment made 17-Oct-2018 by OM 423

Hi Kevin, did you ever get the SSO working?

thanks.

om

0

Did you configure the BIG-IP hosts file for your resource, or does the BIG-IP use DNS?

0

Hi folks,

If I try to configure those settings on an F5 LTM+APM deployment with partitions and route domains, I get the error message again.

I configured every step that is working in the default partition within a partition which uses route domains. Any concerns with this configuration? Are "Route Domains" in the RDP connectivity profile supported? How does it work if I use the host name?

Thank you & Kind regards

0
Comments on this Answer
Comment made 23-May-2018 by NetCohort 106

I did an assignment in the Access Policy of "Route Domain" and "SNAT Selection". It is working, but only on every other attempt.

0
Comment made 16-Oct-2018 by OM 423

Hi NetCohort, did you ever get this working with the routing domain? I am facing the same issue and all objects are in an RD.

thanks.

om

0