How to execute an iRule before VMware View Logon Page is presented to the user?

Hi,

In my APM policy I start with a "Client Type" box with two branches, first one being VMware View, second the default fallback. Following the first branch, the next box is "VMware View Logon Page" where I ask user to enter credentials. Then the policy continues..

Everything worked just fine but only until I decided to add another box with iRule Event right at the start of the whole chain, so in front of the "Client Type" box. It does not matter what the iRule contains, the error is still the same. It looks like the iRule box somehow changes headers sent by the VMware Horizon Client to F5, because in the APM log I get the following error:

Jul 1 19:11:53 scainli err vdi[11022]: 01490000: {87.C} Failed sending headers with error 5 : 'InvalidData'

While the VMware Horizon View Client shows error: The View Connection Server connection failed. An HTTP error occurred: status code = 500.

And the iRule looks like this at the moment:

when ACCESS_POLICY_AGENT_EVENT {
  if {[ACCESS::policy agent_id] == "testRule"} {

  }
}

As you can see I removed all actions from the iRule to make sure it does not alter variables or write into log file. But the result is still the same error.

LTM log file shows no errors at all. Actually when I add some logic to the iRule, the rule is executed successfully, log written in LTM log file, but then the APM kills the session.

Is there a way how to execute an iRule prior the VMware Horizon View Logon screen is shown to the client?

Thanks for any ideas.

12 Replies

Kevin_Stewart
Employee
Jul 01, 2014
That's a very interesting observation. Can you elaborate on what you're trying to do? Perhaps there's a workaround.
Michael_Koyfma1
Cirrus
Jul 01, 2014
Unfortunately, there is an issue today which prevents iRules in the VPE to work successfully in conjunction with using View Logon page. Please open a case with F5 support and request it to be linked to bug id 461919 in order to track the demand for this issue to be addressed.
- amolari
  Cirrus
  Mar 25, 2019
  This issue is, 5 years later, not fixed.
Michael_Koyfman
Cirrocumulus
Jul 01, 2014
Unfortunately, there is an issue today which prevents iRules in the VPE to work successfully in conjunction with using View Logon page. Please open a case with F5 support and request it to be linked to bug id 461919 in order to track the demand for this issue to be addressed.
- amolari
  Cirrus
  Mar 25, 2019
  This issue is, 5 years later, not fixed.
Martin_Vlasko
Altocumulus
Jul 02, 2014
Hi Michael,

Thanks for your feedback.

I am trying to establish remote access by deploying only VMware Horizon View Client (PCoIP proxy solution). And as a first thing when the session starts I want to perform geocheck, which I can only trigger via iRule.

Reading Michael's reply, now I understand why I am getting these errors. It's not pleasant situation while it makes my solution unusable, because I must use the iRules in my policy.

I will open the case with the F5 support, hopefully there will be a fix soon.
Kevin_Stewart
Employee
Jul 02, 2014
You can still use an iRule, you just apparently cannot spawn it from within an access session.

when CLIENT_ACCEPTED { log local0. [whereis [IP::client_addr]] }

The above, and any IP logic inside this event should not block the View client.
Sven_Leupold_85
Cirrus
Jul 02, 2014
Pls. provide a snapshot of your policy - if possible.
Martin_Vlasko
Altocumulus
Jul 02, 2014
Kevin, you are right.

It works fine when I remove the iRule Event object from APM policy and instead trigger the iRule directly in LTM with CLIENT_ACCEPTED event.

This solved my issue.

On the other hand it would be great to have the iRule triggered via APM policy, to have everything in one place. Let's see whether F5 comes back with the bug fix.

Now when I don't access APM variables in my iRule ([ACCESS::session data get session.user.sessionid]), what would be the best solution for pairing the LTM and APM logs of each particular session? Until now I was relying on APM session ID but I am not sure I could get it in the current iRule.
Michael_Koyfma1
Cirrus
Jul 02, 2014
You can so GeoIP checks in the VPE it is the action under Endpoint-Checks(Server-side). So no need for an iRule at all
Martin_Vlasko
Altocumulus
Jul 03, 2014
Thanks for the tip Michael, it works as suggested. My policy finally looks usable :)
Michael_Ebbels
Nimbostratus
Dec 10, 2015
Came across this issue today when setting up Yubikey 2FA for vmware view.

Essentially following this technical article but modify for vmware view.

The article requires you configure a irule event but unfortunately this is not support after a vmware view logon screen as per the bug listed above.

I ended up creating a vmware view disclaimer screen and setting the domain to 'YUBIKEY'

When the view client accesses the disclaimer screen its generated this URI

HttpRequest[GET /renderer/agent_logon_page_view.eui?view-screen=2&view-domains=YUBIKEY&view-auth-label= HTTP/1.0]

Notice how the domain is set to 'YUBIKEY'

I then create an iRule looking for this info....

when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "yubikey" }

This allow the yubikey modex hex irule to run, but obviously creates another screen for the end user to click on.