Manual Chapter : Windows Registry Reference

Applies To:


BIG-IP APM

  • 16.0.1, 16.0.0

Windows Registry Reference

Overview: Policy branching based on Windows Registry values

You can create access policy branches using the values of Windows Registry keys on the client. You can use the GET operator in the Windows Registry action to fetch values from the client. To ensure client security, you must first configure the Windows registry on each client to allow trusted BIG-IP systems to fetch specific Windows Registry values. Without client configuration, the GET operator fails.

Task summary

  • Configuring clients for Windows Registry GET operation
  • Viewing trusted server registry keys and subkeys on a client
  • Fetching the value of a Windows Registry key from a client

[Registry screenshot: Allowed keys for a trusted server]

Example: Allowed registry key value fetched

[Screenshot: Windows Registry expression in the visual policy editor]

The expression uses the GET (>>) operator to fetch the value named blank from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs into the user-defined session variable test:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs"."blank" >> "test"

Configuring clients for Windows Registry GET operation

To ensure that only Access Policy Manager (APM) can fetch a value from the Windows Registry on a client, you must create registry entries on the client. The entries must specify the BIG-IP systems that are trusted servers and the specific registry key values that each server is allowed to fetch.
Use Microsoft Group Policy or any other client desktop management system to populate the entries.
  1. For the trusted servers, create this registry key:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers
  2. Add subkeys that specify the trusted server locations.
    A subkey name can be a fixed server name, such as www.siterequest.com, or a pattern that begins with a wildcard, such as *.siterequest.com. The asterisk (*) is the only supported wildcard; the name is not a regular expression.
    When server names are defined with wildcards, the Windows Registry action selects the most specific matching server name. For example, for a client configured with the trusted servers computer.subd.domain.com, *.subd.domain.com, and *.domain.com, the Windows Registry action prefers computer.subd.domain.com over *.subd.domain.com and *.domain.com.
    Here are two example subkeys for trusted server locations:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\*.site1.com
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\www.site2.com
  3. Under each trusted server subkey, add a subkey named AllowedKeys.
    Here are the AllowedKeys subkeys for the two example servers:
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\*.site1.com\AllowedKeys
    HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\www.site2.com\AllowedKeys
  4. Add values to each AllowedKeys subkey; populate each value with a specific registry key value that the server is allowed to fetch.
    The format for the value is registry path.value: the full path of the registry key, a period, and the name of the value under that key.
    When specifying values, bear in mind that the Windows Registry action supports fetching only these Windows Registry data types: REG_DWORD, REG_SZ, and REG_MULTI_SZ.
    Here are two example values:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters.Domain
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip.Group
    If these example values exist under the HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\TrustedServers\*.site1.com\AllowedKeys key, any server that matches *.site1.com can fetch the value Domain from the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters and the value Group from the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip. These entries permit nothing else: a server that does not match *.site1.com, or a request for any other registry value, is refused.
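The following PowerShell is an added example and is not F5's code. It builds the client-side allow-list described in the steps above and then validates it, checking that every AllowedKeys entry resolves to an existing value whose data type APM can fetch. It assumes, because the manual does not say, that each AllowedKeys entry is a REG_SZ value whose data is "registry path.value", that the value names (Key1, Key2, ...) are arbitrary, and that the last period in an entry separates the key path from the value name; confirm those details against the allowed-keys screenshot for your version before deploying by Group Policy.

```powershell
# Added example, not F5's code: create the client-side allow-list that lets
# trusted BIG-IP systems fetch specific registry values, then validate it.
# Assumptions (not stated by the manual): each AllowedKeys entry is a REG_SZ
# value whose DATA is "registry path.value"; the value NAMES (Key1, Key2, ...)
# are arbitrary; the last '.' separates the key path from the value name.
# Run from an elevated PowerShell session, since it writes to HKLM.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$TrustedRoot = 'SOFTWARE\F5 Networks\RemoteAccess\TrustedServers'

# Trusted-server subkey names such as '*.site1.com' contain '*', which the
# registry provider cmdlets (New-Item, Get-Item -Path) expand as a wildcard.
# The .NET registry API takes key names literally, so it is used throughout.
function Add-F5TrustedServer {
    param(
        [Parameter(Mandatory)][string]$Server,        # 'www.site2.com' or '*.site1.com'
        [Parameter(Mandatory)][string[]]$AllowedKeys  # 'HKEY_LOCAL_MACHINE\...\Parameters.Domain'
    )
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$TrustedRoot\$Server\AllowedKeys")
    try {
        $i = 1
        foreach ($entry in $AllowedKeys) {
            $key.SetValue("Key$i", $entry, [Microsoft.Win32.RegistryValueKind]::String)
            $i++
        }
    } finally { $key.Close() }
}

# Check one "registry path.value" entry: do the key and value exist on this
# client, and is the data type one APM can fetch (REG_SZ, REG_DWORD, REG_MULTI_SZ)?
function Test-F5AllowedKey {
    param([Parameter(Mandatory)][string]$Entry)
    $result = [pscustomobject]@{ Entry = $Entry; Kind = $null; Status = 'malformed' }
    $dot = $Entry.LastIndexOf('.')
    if ($dot -lt 1) { return $result }
    $path = $Entry.Substring(0, $dot)
    $name = $Entry.Substring($dot + 1)
    $hive, $sub = $path -split '\\', 2
    $root = switch ($hive) {
        'HKEY_LOCAL_MACHINE' { [Microsoft.Win32.Registry]::LocalMachine }
        'HKEY_CURRENT_USER'  { [Microsoft.Win32.Registry]::CurrentUser }
        'HKEY_USERS'         { [Microsoft.Win32.Registry]::Users }
        'HKEY_CLASSES_ROOT'  { [Microsoft.Win32.Registry]::ClassesRoot }
        default              { $null }
    }
    if (-not $root -or -not $sub) { return $result }
    $k = $root.OpenSubKey($sub)
    if (-not $k) { $result.Status = 'key missing'; return $result }
    try {
        if ($k.GetValueNames() -notcontains $name) { $result.Status = 'value missing'; return $result }
        $result.Kind   = $k.GetValueKind($name)
        $result.Status = if ("$($result.Kind)" -in @('String', 'DWord', 'MultiString')) { 'ok' } else { 'unsupported type' }
        return $result
    } finally { $k.Close() }
}

# Walk TrustedServers and validate every AllowedKeys entry of every server.
function Test-F5TrustedServers {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($TrustedRoot)
    if (-not $root) { Write-Warning 'TrustedServers key absent: the APM GET operator fails on this client'; return }
    try {
        foreach ($server in $root.GetSubKeyNames()) {
            $ak = $root.OpenSubKey("$server\AllowedKeys")
            if (-not $ak) { Write-Warning "$server has no AllowedKeys subkey"; continue }
            try {
                foreach ($valueName in $ak.GetValueNames()) {
                    $r = Test-F5AllowedKey -Entry ([string]($ak.GetValue($valueName)))
                    $r | Add-Member -NotePropertyName Server -NotePropertyValue $server -PassThru
                }
            } finally { $ak.Close() }
        }
    } finally { $root.Close() }
}

# Usage: allow any server matching *.site1.com to read the manual's two
# example values, then report what this client will hand out and to whom.
Add-F5TrustedServer -Server '*.site1.com' -AllowedKeys @(
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters.Domain',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip.Group'
)
Test-F5TrustedServers | Format-Table Server, Entry, Kind, Status -AutoSize
```

Test-F5TrustedServers is the check worth keeping after deployment: an entry whose status is anything other than ok is an allow-list line that can never succeed, and a wildcard subkey broader than intended (for example *.com) is visible in the Server column. On 64-bit Windows the script writes the native view of HKLM\SOFTWARE; confirm which registry view the Edge Client on your clients reads before relying on it.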

Viewing trusted server registry keys and subkeys on a client

You can verify the trusted servers and allowed key values on a client by running a diagnostic report using BIG-IP Edge Client. If present on the client, the
HKEY_LOCAL_MACHINE\SOFTWARE\F5 Networks\RemoteAccess\TrustedServers
Windows Registry key and its subkeys are included in the report.
As an alternative, you can use the Client Troubleshooting Utility to verify trusted server and allowed key values.
  1. Open the BIG-IP Edge Client user interface.
    On a client with a Start button, you can type BIG-IP in the search field and, in the results, click BIG-IP Edge Client.
  2. Click the View Details button.
    The Details popup screen displays.
  3. Click the Diagnostics Report button.
    A Save As popup screen opens.
  4. Select a location, specify a file name, and click Save.
    A Collecting data popup screen remains open until the report completes.
  5. Navigate to the location with the downloaded file, extract the files to a folder, and open the HTML file in the folder.
    The F5 Report displays in a browser window.
  6. Scroll down to the MS Remote Access Diagnostic section of the table of contents.
  7. Look for a link that includes the word TrustedServers.
    If you do not find such a link, trusted servers and allowed keys are not configured on the client, and the Windows Registry GET operation fails for every server.
    The link in the table of contents should include this path: HKLM\Software\F5 Networks\RemoteAccess\TrustedServers
  8. If the link exists, click it to view the subkeys and values configured on the client.

Fetching the value of a Windows Registry key from a client

Before this access policy can run successfully, clients must be configured to allow trusted BIG-IP systems to fetch specific Windows Registry key values.
You can use a Windows Registry action to fetch values from the Windows Registry on the client.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On a policy branch, click the (+) icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. Click the Endpoint Security (Client-Side) tab.
  5. Select Windows Registry and click Add Item.
    A popup properties screen opens.
  6. In the Expression field, type an expression that includes these items: the name of a Windows Registry key value, the >> operator, and a name for use as a variable.
    The Windows Registry key value used in the expression must match a registry key value that the client allows a trusted server to fetch; otherwise the GET operation fails on that client.
    Here is an example expression:
    "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters"."Domain" >> "variable_name"
    where HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters is the registry key, Domain is the name of the value to fetch, and >> is the GET operator. If GET is successful, the fetched value is stored in a session variable named session.windows_check_registry.last.data.variable_name, where variable_name is the name you supplied after the >> operator.
  7. Click Finished.
    The popup screen closes.
  8. Click Save.
    The properties screen closes and the policy displays.
You added an action to fetch a registry key value from the Windows Registry on the client. This is not a complete access policy.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
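The following PowerShell is an added example, not F5's code. It parses a Windows Registry action expression of the form "key"."value" >> "variable", derives the matching client-side AllowedKeys entry and the resulting session variable name, and checks the expression against a constructed allow-list that stands in for a client's TrustedServers keys. The expression grammar assumed here (literal double quotes, no escaping) is taken from the example above; the trusted-server selection function is a plain reading of the manual's "most specific server name wins" rule and is illustrative, not APM's own matching code.

```powershell
# Added example, not F5's code. Assumptions: expressions are exactly
# "<key>"."<value>" >> "<variable>" with no escaped quotes; server selection
# models the manual's "most specific name wins" rule (exact name first, then
# the longest matching '*'-prefixed pattern) and is illustrative only.
Set-StrictMode -Version Latest

function ConvertFrom-F5RegistryExpression {
    param([Parameter(Mandatory)][string]$Expression)
    $m = [regex]::Match($Expression, '^\s*"([^"]+)"\."([^"]+)"\s*>>\s*"([^"\s]+)"\s*$')
    if (-not $m.Success) { throw "Not a Windows Registry GET expression: $Expression" }
    $key, $value, $variable = $m.Groups[1].Value, $m.Groups[2].Value, $m.Groups[3].Value
    [pscustomobject]@{
        Key             = $key
        ValueName       = $value
        Variable        = $variable
        AllowedKeyEntry = "$key.$value"                   # client-side "registry path.value" format
        SessionVariable = "session.windows_check_registry.last.data.$variable"
    }
}

# Pick the trusted-server subkey that applies to a BIG-IP host name:
# an exact name wins; otherwise the longest '*'-prefixed pattern whose
# suffix matches. Host names compare case-insensitively, as DNS does.
function Select-F5TrustedServer {
    param([string]$HostName, [string[]]$Configured)
    if ($Configured -contains $HostName) { return $HostName }
    $Configured |
        Where-Object { $_.StartsWith('*') -and
                       $HostName.EndsWith($_.Substring(1), [StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object Length -Descending |
        Select-Object -First 1
}

# Would this client hand the value named in $Expression to $BigIpHost?
function Test-F5GetAllowed {
    param([string]$Expression, [string]$BigIpHost, [hashtable]$TrustedServers)
    $parsed  = ConvertFrom-F5RegistryExpression $Expression
    $server  = Select-F5TrustedServer $BigIpHost ([string[]]($TrustedServers.Keys))
    $allowed = $server -and ($TrustedServers[$server] -contains $parsed.AllowedKeyEntry)
    [pscustomobject]@{
        Expression      = $Expression
        Server          = $server
        Entry           = $parsed.AllowedKeyEntry
        SessionVariable = $parsed.SessionVariable
        Allowed         = [bool]$allowed
    }
}

# Constructed allow-list standing in for the client's TrustedServers keys
# (subkey name -> AllowedKeys entries), using the manual's example values.
$trusted = @{
    '*.site1.com'   = @('HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters.Domain',
                        'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip.Group')
    'www.site2.com' = @('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs.blank')
}

$domainExpr = '"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters"."Domain" >> "variable_name"'
$blankExpr  = '"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs"."blank" >> "test"'

# Same expression, three BIG-IP host names: only the pairing the client lists is allowed.
Test-F5GetAllowed $domainExpr 'apm.site1.com'   $trusted
Test-F5GetAllowed $blankExpr  'apm.site1.com'   $trusted
Test-F5GetAllowed $blankExpr  'www.site2.com'   $trusted | Format-List
```

The Entry column is the exact string the client's AllowedKeys must contain for the GET to succeed, so the function doubles as a pre-flight check before pushing a new expression to a policy: if Allowed is false for the host name the client will see, either the expression or the client's allow-list is wrong, and the diagnostics report on the client will show which.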