Forum Discussion

Universal-Inves
Mar 28, 2018

iRule for APM Resource Assignment

Hello,

We use our F5 as a gateway for RDP sessions. We have a logon page, a RADIUS authentication and then an Advanced Resource Assign to assign the RDP session. Every user has a different RDP connection. I have configured this via the VPE and it works.

Now over 200 users need to be added, and doing this via the VPE is wasteful. That's why I'm writing an iRule to handle the resource assignment.

In the Advanced Resource Assign I only assign a webtop.

My iRule:

when ACCESS_POLICY_AGENT_EVENT {
    # Fires for the "iRule Event" agent in the VPE; agent_id is the ID configured on that agent
    switch [ACCESS::policy agent_id] {
        "do_something" {
            set username [ACCESS::session data get session.logon.last.username]
            set domain "xxx"
            set terminalrdp "/Common/Terminalserver-RDP-pool"
            set c2123 "/Common/C2123"
            set c2124 "/Common/C2124"

            # "contains" is a substring match: any username containing "Testuser" takes this branch
            if { $username contains "Testuser" } {
                ACCESS::session data set session.logon.last.domain $domain
                ACCESS::session data set session.assigned.resources.rd $terminalrdp
            }

            # "equals" is an exact string comparison
            if { $username equals "UserX" } {
                ACCESS::session data set session.assigned.resources.rd $c2123
            }

            if { $username equals "UserY" } {
                ACCESS::session data set session.assigned.resources.rd $c2124
            }
        }
    }
}

But this doesn't work as expected and I hope someone can help me. Maybe there is a simpler and better solution for the problem.

6 Replies

  • How many RDP resources do you want to assign to each user?

    For a customer we created only one RDP resource with the hostname

    %{session.logon.username}.company.local

    and we created a DNS record for each user!

  • Are there other ways to solve the problem? What's wrong with my iRule that it doesn't work?

  • Where are the RDP resources stored? If in AD, then you can query the attribute and parse the response into APM variables. You can then create RDP links using the APM variable and tailor your APM policy so that the RDP icon is only presented to the user if the APM variable has been populated.

  • Hello,

    You could manage your needs in 2 different ways.

    -> Populate the user's RDP hosts in a (multivalue) AD/LDAP attribute and use an iRule to feed dynamic RDP resources.

    -> Or via an iRule using a data group to store your RDP hosts.

    For the second option, I advise you to create 5 (or more, depending on your convenience) dynamic RDP resources that you feed according to the number of RDP hosts allocated to the user.

    All you have to do is feed your dynamic RDP resources with the IP addresses of the user's machines. By default, if the user has only one machine, it will feed the other RDP resources with a non-resolvable FQDN and therefore they will not be displayed on the portal.

    For information, when I say dynamic RDP, I mean that you create an RDP resource with a session variable in place of the FQDN, which you feed according to the user.

    I have already done a similar job at a customer; if you want help on the subject, let me know.

    Regards

  • Hello, I finally found my mistake and why the iRule never worked. The iRule was only assigned to the access policy in the VPE, but not to the virtual server. After that was solved, the iRule worked. However, I could only assign one value per user in the data group. That's why I wrote the iRule as follows:

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "ui-rdp" {
                # Default for every dynamic RDP resource: a name that cannot resolve
                set dynrdp "notresolvable.net"
                set username [ACCESS::session data get session.logon.last.username]

                # Both dynamic RDP resources read their host from these session variables
                ACCESS::session data set session.assigned.resources.dynrd1 $dynrdp
                ACCESS::session data set session.assigned.resources.dynrd2 $dynrdp

                # -exact -- : literal comparison, and a username starting with "-" is not parsed as a switch option
                switch -exact -- $username {
                    User1 {
                        ACCESS::session data set session.assigned.resources.dynrd1 "Client1"
                        ACCESS::session data set session.assigned.resources.dynrd2 "Server1"
                    }
                    User2 {
                        ACCESS::session data set session.assigned.resources.dynrd1 "Client2"
                        ACCESS::session data set session.assigned.resources.dynrd2 "Server2"
                    }
                    UserX {
                        ACCESS::session data set session.assigned.resources.dynrd1 "ClientX"
                    }
                }
            }
        }
    }

    I still have 2 problems:

    1. Even if the client is not resolvable, it is still displayed in the webtop with the unresolvable name. Is this possibly a bug in version 13.1, which we use? The function is described in a configuration guide from 11.4.

    2. I have an RDP resource with "user defined"; if I enter there the IP of a client on which access works, I get the error message "Your user account is not listed in the RD Gateway's permission list". Does anyone know this error?

    Best Regards Tina

    • Abdessamad_851

      I think you can still work with a data group. Just define all necessary RDPs as a list in each user's entry, then loop over that list and assign all RDP resources.

      ltm data-group internal myClassName {
          records {
              User1 {
                  data "Client1 Server1"
              }
              User2 {
                  data "Client2 Server2"
              }
          }
          type string
      }

      The iRule DG part should look like this:

      # Record value is a plain space-separated list (no braces), so Tcl sees one host per element;
      # class match returns "" when the user has no record, and the loop then assigns nothing
      set RDPs [class match -value $username equals myClassName]
      set i 0
      foreach rdp $RDPs {
          incr i
          # dynrd1, dynrd2, ... match the session variables used by the dynamic RDP resources
          ACCESS::session data set session.assigned.resources.dynrd$i $rdp
      }

      I didn't test it, so the code might have to be adjusted a little.

      regards.
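The following is an added example, not code posted in this thread. It puts together the "data group + dynamic RDP resources" approach described in the earlier reply and the data-group loop sketched in the last reply into one complete iRule, and adds the checks a deployment needs: an exact (not substring) username match, a fixed number of slots with the overflow logged instead of silently dropped, the unused slots reset to a placeholder on every evaluation, and a count variable the VPE can branch on. The data group name, the agent ID "ui-rdp", the number of slots, the placeholder host and the session.custom.rdp_count variable are all assumptions for this example.

```tcl
# Added example (not from the thread): data group + dynamic RDP resources.
#
# Assumed (hypothetical) configuration:
#   - String data group /Common/rdp_hosts_by_user: key = lowercase username,
#     value = space-separated RDP hosts, e.g.
#         user1 := "client1.corp.example server1.corp.example"
#         userx := "clientx.corp.example"
#     (plain list, no braces, so Tcl splits it into one element per host)
#   - Three dynamic RDP resources whose Host field is
#     %{session.assigned.resources.dynrd1} .. dynrd3, all on the webtop
#   - A VPE "iRule Event" agent with ID "ui-rdp" placed after RADIUS auth;
#     the iRule is attached to the access policy AND to the virtual server
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "ui-rdp" } { return }

    set slots       3
    set placeholder "unused.invalid"   ;# .invalid is reserved and never resolves
    set dg          "/Common/rdp_hosts_by_user"

    # Username as authenticated upstream; lowercased so the key lookup is stable
    set username [string tolower [ACCESS::session data get session.logon.last.username]]

    # Exact match only. A "contains" test would let "testuser2" inherit testuser's hosts.
    set hosts [class match -value $username equals $dg]
    if { $hosts eq "" } {
        log local0. "rdp-assign: no host list for '$username', assigning nothing"
    }

    # Fill dynrd1..dynrdN in order and refuse to spill past the defined slots
    set n 0
    foreach host $hosts {
        if { $n >= $slots } {
            log local0. "rdp-assign: '$username' has more than $slots hosts; extras ignored"
            break
        }
        incr n
        ACCESS::session data set session.assigned.resources.dynrd$n $host
    }

    # Remaining slots get the placeholder so no stale value from an earlier
    # policy evaluation survives and the resource has nothing real to open
    for { set i [expr {$n + 1}] } { $i <= $slots } { incr i } {
        ACCESS::session data set session.assigned.resources.dynrd$i $placeholder
    }

    # Number of real hosts, for a VPE branch rule such as
    #   expr { [mcget {session.custom.rdp_count}] > 0 }
    # so the webtop and resources are only assigned when the user has at least one
    ACCESS::session data set session.custom.rdp_count $n
    log local0. "rdp-assign: '$username' -> $n host(s)"
}
```

Two practical notes. First, as the thread itself found, the iRule must be attached to the virtual server as well as referenced by the iRule Event agent, or the event never fires. Second, if the webtop still lists resources whose host is the placeholder (the behaviour reported for 13.1 above), the session.custom.rdp_count variable gives the VPE a way to branch around the resource assignment entirely for users with no hosts, which is the "only present the icon if the variable is populated" approach from the AD reply applied to the data-group case.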