Forum Discussion

Andy_Ellison_26
Jan 15, 2013

iRules, RDP, HTTP Host and File Share

Hi

First time on these blogs, so I apologise if I've put the question I'm about to ask in the wrong place etc. or am missing out on vital information.

We have a long list of servers that belong to VIPs, but we also create individual VIPs to access individual servers, mainly via http:80. I'm creating a VIP that contains multiple servers, but I want to redirect users to a specific node within the pool. I can do the first part of redirecting a user to a specific node based on the http::host entered: it checks this against a datagroup, and if the http::host is a match to a name in the datagroup then it redirects them to that specific node's IP address.

However, I also need to be able to RDP to the servers and also connect via file share. I'm a bit stuck on how to achieve this. Basically I need to capture the FQDN name entered into the RDP client and then use that to compare the name to the datagroup and redirect accordingly

and to do the same when accessing the server by share name, e.g. \\fileserver.msdn.net\e$

Does anybody know if this is possible?

Thanks

Andy


3 Replies

  • It depends is probably the best answer at this stage. In the first instance you should capture some packets of an RDP connection and see where the FQDN appears. Then you can collect data when a client initially connects, search for the relevant detail and route traffic accordingly.

    Here's an example Nitass and I worked on recently in relation to POP3 and IMAP connections and usernames. It just logs but obviously we can do anything required.

    
    when CLIENT_ACCEPTED {
     if { ([TCP::local_port] == 143) or ([TCP::local_port] == 110) } {
      # Collect data if client is using unencrypted IMAP or POP3
      TCP::collect 0 0
     }
    }
    when CLIENT_DATA {
     if { [TCP::local_port] == 143 } {
      # Only do the following if client is using unencrypted IMAP and presumably
      # data has been collected
      if { [TCP::payload] contains "login" } {
       scan [TCP::payload] {%*s login %s} imapusername
       log local0. "Unencrypted IMAP connection established by $imapusername"
       # Release and flush collected data
       TCP::release
       # Stop processing the iRule for this event here
       return
      }
     }
     elseif { [TCP::local_port] == 110 } {
      # Only do the following if client is using unencrypted POP3 and presumably
      # data has been collected
      if { [TCP::payload] contains "USER" } {
       # Look for text 'USER', skip past it and the following space (findstr
       # counts the skip from the start of the match) and match up to the end
       # of the line
       set pop3username [findstr [TCP::payload] "USER" 5 "\r\n"]
       log local0. "Unencrypted POP3 connection established by $pop3username"
       # Release and flush collected data
       TCP::release
       # Stop processing the iRule for this event here
       return
      }
     }
     # Release the data collected (if not matched above)
     TCP::release
     # Collect data for subsequent packets
     TCP::collect
    }
    
  • Thanks Steve

    I'll dig out Wireshark and capture some packets from the client machine sending the RDP request.

    The above is really useful to help see what I can capture.

    Many thanks

    Andy
  • You're welcome. Post back if you need assistance on your specific use case. Hopefully you're not encrypting RDP.
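
The collect, search and route approach from the first reply, applied to the data group lookup in the question, as an added example that is not part of the original thread. It assumes a string data group named `server_nodes_dg` (hypothetical) that maps each FQDN to its node IP, and that a packet capture has confirmed the name appears in cleartext in the client's first bytes.

```tcl
# Added example, not code from the thread.
# Assumption: server_nodes_dg (hypothetical name) is a string data group
# whose keys are FQDNs exactly as they appear on the wire and whose values
# are node IP addresses.
when CLIENT_ACCEPTED {
    # Hold the client's first bytes so they can be inspected before a
    # load-balancing decision is made
    TCP::collect
}
when CLIENT_DATA {
    # class match ... contains returns the value (node IP) of the first
    # data group key found inside the payload, or an empty string.
    # The match is case-sensitive.
    set node_ip [class match -value [TCP::payload] contains server_nodes_dg]

    if { $node_ip ne "" } {
        # The destination comes only from the data group, never from the
        # client's bytes, so a client cannot steer itself to an unlisted IP
        node $node_ip [TCP::local_port]
        TCP::release
        return
    }

    # Default deny: bound the buffer so a client cannot hold memory open
    # by sending data that never contains a known name
    if { [TCP::payload length] >= 1024 } {
        log local0. "No known server name in first 1024 bytes from [IP::client_addr], rejecting"
        reject
        return
    }

    # Name may be split across segments: keep collecting up to the cap.
    # A client that waits for the server before sending the name will
    # stall here until the idle timeout, which is why the packet capture
    # has to come first.
    TCP::collect
}
```

If the session is encrypted from the first byte, the payload will never match and every connection ends at the reject branch.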