Native RDP sessions used in Full Webtop does not work (BIG-IP 13.1.0.6 Build 0.0.3)
Hi folks,
I have to secure RDP session to Windows Server 2008 R2 and 2012. I want to use the APM and an appropriate Webtop but it does not work. I got the error :
I am running in my testlab a Windows 7 client and a Windows 2008 R2 Server.
The access profile does have a simple VP:
I am using a simple RDG-RAP with Start -> Allow
I am using following RDP connection settings:
Everything seems to be quiet simple but it does not work.
I don't see any attempt on tcp port 3389 in a tcpdump.
My virtual server settings are:
Any hints are welcome!
Does your MS RDS setup also contain a connection broker and web access services? I also notice that you didn’t configure Auto Map or SNAT, is that correct?
Update: A separate RDP-RAP policy is only required if your destination is dynamic. This means in the RDP profile you specify the destination as "User Defined"
The key piece here is when APM creates the RDP file for the Remote Access Webtop link, it digitally signs this with the SSL certificate of the virtual server running the APM policy. For Microsoft RDP client to accept this signed file you MUST be using a valid SSL certificate. Inside the file it will include a token which is valid for about 20 seconds. Microsoft RDP will open the session using the APM as the gateway and present this token for authentication to APM.
Now if you want SSO you need select it inside the RDP profile you created. This is completely independent and distinctly separate to ANY OTHER SSO configuration inside APM. The variables you specify here can be left as defaults but you need to include a SSO variable assignment object in the VPE before it hits the Webtop so these variables are populated for RDP configuration to use.
Note that NTLM is not required or needed for any of this to work. The username and password from the login to the Webtop is sufficient as long as it matches the credentials for the RDP host, your desktop should appear. When you first click the remote desktop link it will download the RDP file, it is here you tell your browser to always open these files with the right application. Next time it will open the link on download and connect immediately.
Hi,
at first thank you for your help, but it won't run. I insalled a win10 client and I got the same messsage. I tried the remote desktop app and the mstsc client:
The VP is broken down to:
I disabled the SSO credentials mapping and SSO settings in the remote desktop connectivity profile, but the same messages.
The certificate is valid. The browser trusts the website.
I got with each attempt the error:
/Common/ACC-PROF-WEBTOP:Common:00000000: VDI profile on /Common/VS-RDP-WEBTOP-443 does not have associated NTLM Auth profile or ECA profile is missing
But I have to use a vdi profile, and I am using the default one.
The tcpdump tells me that the virtual server reseted my connection. This is the section where I try to access the server via rdp
So I built this again using 13.0.0. Was prompted for RDP auth and logged in fine. Still tweaking the SSO pieces. Will know more tonight. Server SSL and VDI profiles are required
if I try to configure those settings on a f5 ltm+apm deployment with Partitions and Route Domains I got the error message again.
I configured every step which is working in the default partition within a partition which uses route domains.
Any concerns to this configuration? Are "Route Domains" in the rdp connectitiy profile supported? How does it work if I use the host name?
Nimbostratus
