Forum Discussion

nirsham_178691
May 05, 2015

Strange ASM block

Hi,

 

I have an application that works through UAG and publishes RDP connections through SSL (remote desktops and remote apps like Adobe Reader, CLI SHELL, etc.).

 

For example, when you press the link it publishes the app through RDP (if you know how JETRO works with IE then it's something like that).

 

Anyway, I'm trying to protect that site with ASM. The policy is pretty generic and works on my other sites. Now this specific site, when I put it behind the ASM, the RDP publishing stops working. Each time you press the link the RDP window pops out in order for you to press "connect" and right after that I get an error message that doesn't give me anything (believe me, I searched).

 

Support didn't give me anything. It looks like when I press the "connect" button the traffic is not HTTP but I think it's pure RDP, so for some reason the ASM blocks it with no error messages or logs to be seen.

 

To make the issue more difficult, it happens only on Windows XP; Windows 7 works perfectly (both with IE8, which is what the clients have).

 

1) Has anyone, anywhere, encountered such an issue?

2) What I want to try doing is to bypass the ASM when it sees the RDP connection to the specific RDP publishing server. What iRule will help me with that?

 

Regards,

 

Nir

 

2 Replies

  • First of all: did you follow the F5 RDP Deployment Guide?

     

    https://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf

     

    Also, are you seeing this issue when the ASM policy is in Blocking mode? What happens if the policy is in Transparent mode? Anything at all in the logs (/var/log/ltm, /var/log/asm)? If ASM has blocked a request there must be something in the logs - I expect at least an "INVALID METHOD" or an "HTTP Protocol Compliance Violation" to be present (provided you have a logging profile assigned).

     

    I am not surprised Windows XP clients don't work with RDP - the legacy clients do not support the authentication levels introduced since Windows 7, so if you are only having issues with legacy clients that might give you a clue that the outdated version of the RDP authentication protocol used by these clients is causing this. Finding the differences and tuning the policy is non-trivial in this case.

     

    From the security point of view - do you really want to disable ASM? What was the rationale for enabling it in the first place for this service? Is the virtual server public facing? You need to protect access from certain countries/malicious IP addresses?

     

    RDP/RDWeb is not a traditional web application - it uses RDP protocol encapsulated in HTTP requests, so creating a meaningful ASM policy is not easy. It is bound to trigger lots of false positives and will require careful configuration and tuning.

     

    If you do believe that you want to keep ASM on, but bypass it for specific IP addresses then:

     

    check out this solution for bypassing ASM: https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14709.html

     

    and also this DevCentral thread:

     

    https://devcentral.f5.com/questions/bypass-asm

     

    Hope this helps,

     

    Sam

     

  • Hi,

     

    I'm not trying to publish RDP through F5. The customer already has it published via UAG. We just put an ASM in front of it.

     

    The issue happens even when the ASM is in transparent mode. There are no alerts or logs anywhere. It looks like some kind of HTTP parsing issue with the RDP over HTTP but I don't know why it just works in Win7 and not WinXP.

     

    I thought I could bypass the ASM through HTTP_METHOD or URL but it just doesn't work.

     

    I'm trying to work with our F5 SE representative here to see if he can see what the issue is.

     

    Thanks.

     

    Regards,

     

    Nir