We have recently built a RDS solution and have put BIG-IP LTM infront of the web access server (which is also the gateway & connection server). I have two iApp built HTTP virtual servers currently in use - one for internally connected devices and one for externals. The idea being we could leverage APM to put 2FA in place for the external connections. All other authentication is handled by the RDS server - not the F5. The problem I have is that whilst the internal vs works fine the external does not. As soon as I place an access policy on the vs (even just a blank one) I can no longer get a desktop. I still get to the web access RDS logon page and desktop selection, etc but everytime I launch a desktop I get... Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.

Did you assign the RAP policy in the VPE?? Cheers, Kees

Hi, We also have that same trouble here currently, using Big-IP 13.1.0 and Remote Desktop on a set of 2019 Servers. We can easily create the Virtual Server/Pool/Node setup and then, we can successfully use the Remote Desktop Environment, either by using the HTML5 client or a RDP client. However, when we create an Application Security Policy (Brand new simple policy, setup as transparent) and apply it the the virtual server, connection immediatly stops working. As it is non-blocking, this should in theory work perfectly fine. There seems to be an issue with code injection in the HTTPS traffic as described in these posts: https://devcentral.f5.com/questions/do-anyone-know-which-feature-in-asm-module-inject-these-scripts-and-how-to-change-it- https://devcentral.f5.com/questions/how-transparent-is-transparent-mode-in-asm My first guess looks like that Remote Desktop detects the changes and starts refusing the packets because they are altered. I did go around the system and deactivate all the features mentionned in those posts (Most of them where already off, there was one on but I can't remember which one) but none changed the end result.

We also found this yesterady that seems to point that if your servers are not running on Server 2012 R2 and lower, they are not supported, although it isn't clear if it is through the Application Security or through the Web Access feature in the Big-IP: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-clientcompatmatrix-12-1-3.html We are currently working on starting a service request with F5 to have this checked out. We'll post updates here when we have some, but in the meantime, if someone here has a solution or can confirm this will never work, it would be appreciated. Thanks

Was there any update to this issue? I am running into the same exact problem, I have one vip with APM and sso internally the Remote Desktop works fine externally it does not.

Hi, Do you use the BIG-IP as the RDgateway or only for MFA??

Remote Desktop Web Access & APM

12 Replies

KeesvandenBos
MVP
Jan 28, 2019
Did you assign the RAP policy in the VPE??

Cheers,

Kees
- Thomson_Thomas
  Cirrus
  Feb 19, 2020
  Was there any update to this issue? I am running into the same exact problem, I have one vip with APM and sso internally the Remote Desktop works fine externally it does not.
rivardma_383867
Nimbostratus
Feb 15, 2019
Hi,

We also have that same trouble here currently, using Big-IP 13.1.0 and Remote Desktop on a set of 2019 Servers. We can easily create the Virtual Server/Pool/Node setup and then, we can successfully use the Remote Desktop Environment, either by using the HTML5 client or a RDP client.

However, when we create an Application Security Policy (Brand new simple policy, setup as transparent) and apply it the the virtual server, connection immediatly stops working. As it is non-blocking, this should in theory work perfectly fine.

There seems to be an issue with code injection in the HTTPS traffic as described in these posts:

https://devcentral.f5.com/questions/do-anyone-know-which-feature-in-asm-module-inject-these-scripts-and-how-to-change-it-

https://devcentral.f5.com/questions/how-transparent-is-transparent-mode-in-asm

My first guess looks like that Remote Desktop detects the changes and starts refusing the packets because they are altered. I did go around the system and deactivate all the features mentionned in those posts (Most of them where already off, there was one on but I can't remember which one) but none changed the end result.
- rivardma_383867
  Nimbostratus
  Feb 15, 2019
  We also found this yesterady that seems to point that if your servers are not running on Server 2012 R2 and lower, they are not supported, although it isn't clear if it is through the Application Security or through the Web Access feature in the Big-IP:
  
  https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-clientcompatmatrix-12-1-3.html
  
  We are currently working on starting a service request with F5 to have this checked out. We'll post updates here when we have some, but in the meantime, if someone here has a solution or can confirm this will never work, it would be appreciated.
  
  Thanks
KeesvandenBos
MVP
Feb 19, 2020
Hi,

Do you use the BIG-IP as the RDgateway or only for MFA??
- Thomson_Thomas
  Cirrus
  Feb 19, 2020
  Only MFA
KeesvandenBos
MVP
Feb 19, 2020
When launching an RDP session, does your RDP client use 443 or 3389 for the connection??
Thomson_Thomas
Cirrus
Feb 19, 2020
it uses 443 for the connection.
KeesvandenBos
MVP
Feb 19, 2020
I don't have a Web RD gateway to play with, but could you enable a vdi profile on the virtual server hosting the external connection? I think APM is breaking RDP over HTTPS.
Also, did you add a RDG-RAP policy to your APM policy??

Kees
- Thomson_Thomas
  Cirrus
  Feb 19, 2020
  yes I can try that, forgive my ignorance how do you create a RDG-RAP profile?
KeesvandenBos
MVP
Feb 19, 2020
No problem.
You can create it under Access -> Profiles/Policies. After you click on create you get the profile type option. One of the options is RDG-RAP (others are Full, LTM-APM, SSO).
Once you have created it, edit the policy to make sure you have start -> allow. (don't forget to click on apply policy).
After this you can assign in in the original policy containing the MFA.

Kees
Thomson_Thomas
Cirrus
Feb 19, 2020
Thanks but no luck unfortunately, still getting the same error with the RAP and VDI enabled.

Forum Discussion

Remote Desktop Web Access & APM

12 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

Two-Factor Authentication – Remote Desktop Gateway

Remote Desktop Protocol (RDP) using an SSL VPN

Lightboard Lessons: Remote Desktop Solution Using BIG-IP APM and Remote Spark

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Auto-launch Remote Desktop Sessions with APM