Microsoft RDWeb and RDG

Question

I have no experience with Microsoft's RDWeb and RDG so I am looking for some help.  I am trying to publish a customers RDWeb instance through APM which I can log into successfully and all remote desktop instances show up after authenticating successfully though when I select an rdp instance RDP launches and attempts to connect though I am never able to connect successfully.  I simply receive the typical error when any RDP destination is unavailable.  I am running 13.1.1 and the Windows server is 2012R2.  RDWeb and RDG are on the same box though there is a seperate session host which is a completely seperate Windows server.  I have enabled VDI debug logging through APM but dont see any errors.  TCPdump shows me talking to the rdweb/rdg server as well as the session host but no resets retransmissions or what seems to be other issues.  I don't have access to obtain logs from the RDWeb or RDG server though I can connect directly to it and successfully launch an RDP session to a host when bypassing the BIG-IP.  I see the iApps F5 has and I have attempted to configure and RAP policy and assign it to the main APM policy though it still fails.  I dont even know if those iApps are really what I am looking for since they don't go into details about a RDG, RDWeb and session hosts.  If anyone has experience with this I would appreciate any feedback.  In the meantime I will be deploying in my lab to try and reproduce this. 
Oh, and one more note. Just trying LTM with no APM fails with the same result.  Thanks!&nbsp;

steve_lyons · Answer

I just labed my use case out and it worked just as expected. An RDP profile with a server type of remote desktop web access which connects directly to my RDG/RDWeb server. The only issue I ran into was that the host name requested must be the same as what is in the certificate. Once I changed that, everything worked like a champ. Will test with the customer and provide feedback.

steve_lyons · Answer

Still not working in the customer environment.  Trying to understand the differences between RDWeb, RDG and RD Session Host.  Below is what I have so far from using Google.  From what I understand at this point is that RDWeb is a portal and nothing more, RDG is performing the same function as the BIG-IP to allow 443 versus 3389 and the RD Session Host simply hosts applications users will access.  
&nbsp;
Remote Desktop Session Host (RDSH) is a role in Remote Desktop Services (RDS), which was known as or Terminal Services prior to Windows Server 2008 R2. RDSH servers host Windows applications or desktops that are accessed by remote users over a network connection.&nbsp;
The RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a Secure Sockets Layer (SSL) tunnel. A Remote Desktop Gateway Provides The following Benefits: Enables Remote Desktop Connections to a corporate network without having to set up a virtual private network (VPN).&nbsp;
Microsoft Remote Desktop Web Access (Microsoft RD Web Access) is a Remote Desktop Services role in Windows Server 2008 R2 and Windows Server 2012 that allows users to access RemoteApp and Desktop Connection through the Start menu or a Web browser.&nbsp;

steve_lyons · Answer

Note: When implementing Connection Authorization Policies the RD gateway server provides an error stating you are not authorized. When implementing Resource Authorization Policies, only the generic RDP unable to connect is presented to the user. Not sure if this is the issue I am running into on the customers network but if we get that far it should make troubleshooting much easier.

steve_lyons · Answer

Well, even with a performance layer 4 in place I get nothing. RDP session just sits there Initiating Remote Connection and then ends with Remote Desktop can't connect to the remote computer for one of these reasons.....

steve_lyons · Answer

When successfully connecting, within the TerminalServices-Gateway log within Windows I see The user "steve.lyons@demo.lab", on client computer "10.1.20.29:52846", has initiated an outbound connection. This connection may not be authenticated yet.  
&nbsp;
Then immediately after I see The user "demo\steve.lyons", on client computer "10.1.20.29", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".&nbsp;
During unsuccessful attempts I only see The user "steve.lyons@demo.lab", on client computer "10.1.20.29:52846", has initiated an outbound connection. This connection may not be authenticated yet.  &nbsp;

Forum Discussion

Microsoft RDWeb and RDG

7 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Microsoft Powershell with iControl

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Microsoft SharePoint and Microsoft Exchange December 2020 Security Update

F5 APM as Service Provider (SP) and Microsoft AzureAD as Identity Provider (IDP)

Microsoft's Strike on Cybercriminals and SFX backdoor- April 1st-April 7th - This Week in Security