Can the Edge client be configured to actually display a webtop post connected state?
I can autostart a local application with https://webtop.name.com/specialurl. This will display a webtop for me but this fails to be secure as anyone can call it and does not carry any SSO credentials through to the webtop's VDI elements which need it.
We have an Edge client configured to automatically connect to the VPN when detecting the right conditions. In certain scenarios where the client does not comply with requirements we would like a webtop to appear instead of having a full VPN connection.
If you are not stuck with using the Edge Client you can use the browser components and either present them with a "Full" or "Portal" webtop without the network access resources or you can give them a "Network Access Webtop" that will auto launch the SSLVPN tunnel. This is all based on using the browser instead of the Standalone Edge Client.
You pretty much confirmed what I thought. It has given me an idea though... if I can use an iRule to redirect them to a webtop, conceivably I can save their credentials in a table referenced with a hash of them, and pick them up with an iRule in the new webtop using a preauth=hashkey on the redirected URI. Really depends if I can set the network access application strings dynamically from an iRule. Note: You can specify "http://string" as the application, I have tested. It loads using the default browser on the client side after the VPN connection has completed.
iRule SaveHashCookie
    Key     Value
    Hash    Username Password
    Redirect URI
        http://webtop.site.com/?preauth=hash
iRule EatHashCookie
    Get preauth hash key
    Lookup table using key
    Load credentials
    Proceed...
Think of it as VPN launching a Webtop as its final action. The SSO is done using tables. I tried to comprehend the APM documentation on layered virtuals providing single sign on but didn't get anywhere. If there is another way to do this I am all ears.
when HTTP_REQUEST {
    log local0. "...in HTTP_REQUEST"
    # HTTP::path excludes the query string, so /preauth?key=... matches here
    if {[HTTP::path] eq "/preauth"} {
        # retrieve credentials from table storage
        set key [URI::query [HTTP::uri] key]
        set username [table lookup $key:user]
        set password [table lookup $key:pass]
        log local0. "Retrieved credentials"
    }
}
when ACCESS_SESSION_STARTED {
    log local0. "...in ACCESS_SESSION_STARTED"
    # inject credentials into session
    if {[info exists username]} {
        ACCESS::session data set session.logon.last.username $username
        ACCESS::session data set session.logon.last.password $password
        log local0. "Assigned credentials"
    }
}
when ACCESS_POLICY_AGENT_EVENT {
    log local0. "...in ACCESS_POLICY_AGENT_EVENT"
    # get current credentials
    set user [ACCESS::session data get session.logon.last.username]
    set pass [ACCESS::session data get session.logon.last.password]
    # store them in a table
    set key [crc32 "$user:$pass"]
    table set $key:user $user
    table set $key:pass $pass
    # debug output: this line writes the password to the local0 log
    log local0. "Saved credentials user=$user pass=$pass key=$key"
    # define custom parameter used in Launch Applications under Network Access
    ACCESS::session data set session.myapp "https://192.168.86.11/preauth?key=$key"
    unset user pass key
}
The problem at the moment is the app won't launch after the VPN connects. Also "pass" appears to come up empty.
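The table handoff discussed in this thread, modelled in Python as an added example (not code from the thread, and not an iRule): it contrasts the `crc32 "$user:$pass"` key with a random, single-use, short-lived token. `HandoffStore`, `issue`, `redeem` and the sample credentials are hypothetical names and constructed values.

```python
import secrets
import time
import zlib


def crc32_key(user, password):
    """Key as computed in the thread's iRule: crc32 of "user:pass"."""
    return zlib.crc32(f"{user}:{password}".encode())


class HandoffStore:
    """In-memory stand-in for the session table (hypothetical name)."""

    def __init__(self, ttl=30, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}  # token -> (expiry, user, password)

    def issue(self, user, password):
        """Store credentials under a fresh random token and return the token."""
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the credentials
        self._entries[token] = (self.clock() + self.ttl, user, password)
        return token

    def redeem(self, token):
        """Return (user, password) once; None if unknown, already used or expired."""
        entry = self._entries.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return None
        expiry, user, password = entry
        if self.clock() >= expiry:
            return None
        return user, password


def demo():
    user, password = "alice", "S3cret!"  # constructed sample credentials
    # The crc32 key is a pure function of the credentials: same login, same 32-bit key.
    repeatable = crc32_key(user, password) == crc32_key(user, password)
    now = [0.0]  # fake clock so the expiry case runs instantly
    store = HandoffStore(ttl=30, clock=lambda: now[0])
    t1, t2 = store.issue(user, password), store.issue(user, password)
    first = store.redeem(t1)    # first use succeeds
    replay = store.redeem(t1)   # second use of the same token fails
    now[0] = 31.0
    expired = store.redeem(t2)  # past the TTL
    return repeatable, t1 != t2, first, replay, expired
```

In an iRule the corresponding controls are the timeout and lifetime arguments of `table set` and a `table delete` immediately after the lookup.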