NimbostratusRemote Desktop Web Access and Remote Desktop Gateway SSO Through APM
I'm a relatively new BIG-IP admin (we purchased BIG-IP to replace our TMG 2010 solution). I'm attempting to configure Remote Desktop Web Access and Remote Desktop Gateway services (2008 R2) utilizing APM. The pre-sales engineer we spoke to indicated this should be a "simple" configuration, but it's certainly kicked me in the rear.
I've created what I assumed would be a good configuration:
1: Virtual server with a pool for the RD web access and gateway server services, and an iRule to bypass APM for /rpc/rpcproxy.dll (see below, similar to rules I've seen for Exchange clients connecting using RPC over HTTPS).
2: APM configuration with forms-based SSO to the Web Access (which works perfectly), which allows us to integrate authentication to the web access page from our primary web portal.
Now, normally using RD Web Access you login to the RD Web Access page, and it automatically connects your client to the RD Gateway, so launching a RemoteApp published application is seamless. When we apply an APM configuration to the virtual server, however, even with the rpcproxy.dll APM bypass in place, the automatic login to the RD Gateway doesn't happen. If we remove the APM config from the virtual server and publish directly without APM, it works fine, so I'm pretty sure the problem is with APM.
In short, what should happen is:
1: Client lands on BIG-IP APM login page (works) 2: Client logs into BIG-IP APM login page, which passes credentials to RD Web Access form (works) 3: On login to RD Web Access, the client should automatically login to RD Gateway using same credentials used to login to RD Web Access (does NOT work)
I haven't found anything on configuring APM SSO for RPC over HTTPS, so I'm finally at a loss and asking here. Any suggestions? Pointers?
when HTTP_REQUEST {
if {[string tolower [HTTP::uri]] contains "/rpc/rpcproxy.dll"} {
COMPRESS::disable
CACHE::disable
ACCESS::disable
pool
}
}
If you are going to 11.6, we are going to be publishing an iApp template that uses the new VDI profile to replace the RDG functionality. I've tested with RDWA publishing resources that go through this new proxy and it seems to work fine.
As far as trying to pre-auth connections to the RDG servers, I wouldn't recommend disabling APM for requests for the RPC proxy, as that leaves a giant security hole that defeats the purpose of using APM. Although I haven't tested it, it should be possible to pre-auth the RDP clients by creating an NTLM machine account (aka, joining the BIG-IP to the domain), creating an NTLM auth config that references that machine account, manually attaching an ECA profile to the APM virtual server, and creating an iRule to enable clientless mode for the RD client connections. You wouldn't be getting SSO with the credentials used in RDWA, however you shouldn't get prompted for credentials either as long as the client machines are joined to the domain.
Basically, if you are going to 11.6 anyway, I recommend going with the new VDI profile iApp, since it will take care of all the configuration for you.
