Manual Chapter: Configuring clients for Windows Registry GET operation

Applies To:

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

To ensure that only Access Policy Manager (APM) can fetch a value from the Windows Registry on a client, you must create registry entries on the client. The entries must specify the BIG-IP systems that are trusted servers and the specific registry key values that each server is allowed to fetch.
Use Microsoft Group Policy or any other client desktop management system to populate the entries.
  1. For the trusted servers, create this registry location:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers
  2. Add subkeys that specify the trusted server locations.
    A subkey name can be a fixed server location, such as www.siterequest.com, or a regular expression that begins with a wildcard, such as *.siterequest.com. The asterisk (*) is the only supported wildcard.
    When server names are defined with wildcards, the Windows Registry action selects the most specific server name. For example, for a client configured with these trusted servers: computer.subd.domain.com, *.subd.domain.com, and *.domain.com, the Windows Registry action prefers computer.subd.domain.com over *.subd.domain.com and *.domain.com.
    Here is an example subkey for a trusted server location:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\*.site1.com
    Here is another example subkey:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\www.site2.com
  3. For each trusted server location, add this subkey: AllowedKeys
    Here is an example:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\*site1.com\AllowedKeys
    Here is another example:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\www.site2.com\AllowedKeys
  4. Add values to each AllowedKeys subkey; populate each value with a specific registry key value that the server is allowed to fetch.
    The format for the value is: registry path.value
    When specifying values, bear in mind that the Windows Registry action supports fetching only these Windows Registry data types: REG_DWORD, REG_SZ, and REG_MULTI_SZ.
    Here are two example values:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters.Domain
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip.Group
    If the example values exist for the
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\*.site1.com\AllowedKeys
    key, it implies that any server that matches *.site1.com can fetch the value Domain from this registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters.Domain
    and can fetch the value Group from this registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip.Group
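
The following PowerShell is an added example, not taken from F5 documentation. It writes the layout from steps 1 to 4 on a test client using the page's example servers and entries, and warns when an entry points at a value that is missing or is not REG_DWORD, REG_SZ, or REG_MULTI_SZ. The value names (1, 2, ...), the REG_SZ type used to store each entry, the restriction to HKEY_LOCAL_MACHINE targets, and splitting each entry at its last dot are assumptions.

```powershell
# Added example: run from an elevated PowerShell session on a test client.
$root = 'Software\F5 Networks\RemoteAccess\TrustedServers'

# Server names and entries below are the page's own examples.
$policy = [ordered]@{
    '*.site1.com'   = @(
        'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters.Domain',
        'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip.Group'
    )
    'www.site2.com' = @(
        'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters.Domain'
    )
}
$fetchable = 'DWord', 'String', 'MultiString'   # REG_DWORD, REG_SZ, REG_MULTI_SZ
$hklm = [Microsoft.Win32.Registry]::LocalMachine

foreach ($server in $policy.Keys) {
    # The page describes names that begin with a wildcard; this check rejects
    # an asterisk anywhere else, plus characters that cannot be in a key name.
    if ($server.LastIndexOf('*') -gt 0 -or $server -match '[?\\]') {
        throw "Unsupported trusted server name: $server"
    }
    # CreateSubKey takes the name literally, so '*' is not expanded as a
    # wildcard the way it can be in a registry provider -Path argument.
    $allowed = $hklm.CreateSubKey("$root\$server\AllowedKeys")
    $n = 0
    foreach ($entry in $policy[$server]) {
        # Assumption: "registry path.value" splits at the last dot.
        $dot = $entry.LastIndexOf('.')
        if ($dot -lt 1) { throw "Entry is not in 'registry path.value' form: $entry" }
        $path = $entry.Substring(0, $dot) -replace '^HKEY_LOCAL_MACHINE\\', ''
        $name = $entry.Substring($dot + 1)

        # Warn early if the target cannot be fetched by the Windows Registry action.
        $target = $hklm.OpenSubKey($path)
        if ($null -eq $target -or $target.GetValueNames() -notcontains $name) {
            Write-Warning "$entry does not exist on this client"
        } elseif ($fetchable -notcontains $target.GetValueKind($name).ToString()) {
            Write-Warning "$entry has a data type the action cannot fetch"
        }
        if ($target) { $target.Close() }

        # Assumption: value names "1", "2", ... stored as REG_SZ.
        $n++
        $allowed.SetValue("$n", $entry, [Microsoft.Win32.RegistryValueKind]::String)
    }
    $allowed.Close()
}
```

Keeping each AllowedKeys list to the values an access policy actually reads limits what a matching server can fetch from the client.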