Manual Chapter: Using APM as a Remote Desktop Gateway
Applies To: BIG-IP APM 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Overview: Configuring APM as a remote desktop gateway for Microsoft RDP clients
Access Policy Manager (APM®) can act as a gateway
for Microsoft RDP clients, authorizing them on initial access and authorizing access to resources
that they request after that. The APM configuration includes these elements.
- APM as gateway: From a configuration point of view, this is a virtual server that accepts SSL traffic from Microsoft RDP clients and is associated with an access policy that authorizes the client.
- Client authorization access policy: This access policy runs when the RDP client initiates a session with the gateway (APM). Only NTLM authentication is supported. This access policy should verify that NTLM authentication is successful and must assign an additional access policy to use for resource authorization throughout the session.
- Resource authorization access policy: This access policy runs when the authorized RDP client requests access to a resource. The access policy must contain logic to determine whether to allow or deny access to the target server and port.
Notice the RDG Policy Assign item; it is used to specify the resource authorization policy.
Task summary
If you already have configured them, you can use existing configuration objects: a machine
account, an NTLM authentication configuration, a VDI profile, a connectivity profile, and a
client SSL profile.
About supported Microsoft RDP clients
Supported Microsoft RDP clients can use APM as a gateway. The configuration supports Microsoft RDP clients on Windows, Mac, iOS, and Android.
Refer to the BIG-IP APM Client Compatibility Matrix on the AskF5 web site at http://support.f5.com/kb/en-us.html for the supported platforms and operating system versions for Microsoft RDP clients.
About Microsoft RDP client login to APM
On a Microsoft RDP client, a user types in settings for a gateway and a connection. The names for the settings vary depending on the Microsoft RDP client.
- RDP client gateway settings
  - Hostname setting: The hostname or IP address of the virtual server must be specified.
  - Port setting: If requested, 443 must be specified.
  - Credentials: Avoid selecting a specific logon method or entering a user name and password. In this implementation, APM supports only NTLM authentication.
- RDP client connection settings
  - Gateway setting: On some clients, you must configure a name and address for the gateway and, at login, type the gateway name. If requested, the gateway name must be specified as configured on the client.
  - Hostname setting: Hostname of the target server.
  - Port setting: Port on the target server.
Configure an access profile for resource authorization
Configure an RDG-RAP type of access profile for Access Policy Manager (APM) before you create an access policy to authorize resource requests from Microsoft RDP clients.
After APM authorizes a Microsoft RDP client, subsequent resource requests are sent to APM.
- On the Main tab, open the Access Profiles (Per-Session Policies) screen.
- Click Create. The New Profile screen opens.
- In the Name field, type a unique name for the access profile.
- From the Profile Type list, select RDG-RAP.
- Click Finished. The new access profile displays on the list.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
You must configure an access policy that determines whether to deny or allow access to a resource.
Verify log settings for the access profile
Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured elsewhere in the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
- On the Main tab, open the Access Profiles (Per-Session Policies) screen.
- Click the name of the access profile that you want to edit. The properties screen opens.
- On the menu bar, click Logs. The access profile log settings display.
- Move log settings between the Available and Selected lists. You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only. Logging is disabled when the Selected list is empty.
- Click Update.
An access profile is in effect when it is assigned to a virtual server.
Configure an access policy for resource authorization
Configure this access policy to perform resource authorization every time an RDP client requests access to a new resource.
The requested resource is specified in these session variables: session.rdg.target.host and session.rdg.target.port.
- On the Main tab, open the Access Profiles (Per-Session Policies) screen.
- In the Access Policy column, click the Edit link for the RDG-RAP type access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- To restrict the target port to the RDP service only, perform these substeps. F5 strongly recommends this action.
  - In the search field, type emp, select Empty from the result list, and then click Add Item. A popup Properties screen opens.
  - Click the Branch Rules tab.
  - Click Add Branch Rule. A new entry with Name and Expression settings displays.
  - In the Name field, replace the default name by typing a new name. The name appears on the branch in the policy.
  - Click the change link in the new entry. A popup screen opens.
  - Click the Advanced tab.
  - In the field, type this expression:
    expr { [mcget {session.rdg.target.port}] == 3389 }
  - Click Finished. The popup screen closes.
  - Click Save. The properties screen closes and the policy displays.
- To verify group membership for the requested host, add an LDAP Query to the access policy and configure properties for it. Adding an LDAP Query is one option; the visual policy editor provides additional items that you can use to determine whether to allow the client to access the resource.
  - From the Server list, select an AAA LDAP server. An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
  - Type queries in the SearchFilter field.
    This query matches hosts with the fully qualified domain name (FQDN) of the host; when clients request a connection, they must specify the FQDN:
    (DNSHostName=%{session.rdg.target.host})
    This query matches hosts with the host name or with the FQDN of the host; when clients request a connection, they can specify a host name or an FQDN:
    (|(name=%{session.rdg.target.host})(DNSHostName=%{session.rdg.target.host}))
  - Click Save. The properties screen closes and the policy displays.
- To verify that the target host is a member of an Active Directory group, add a branch rule to the LDAP query item:
  - In the visual policy editor, click the LDAP Query item that you want to update. A popup Properties screen displays.
  - Click the Branch Rules tab, click Add Branch Rule, and type a descriptive name for the branch in the Name field.
  - Click the change link in the new entry. A popup screen displays.
  - Click the Advanced tab.
  - Type an expression in the field. This expression matches the last LDAP memberOf attribute with an Active Directory group, RDTestGroup; the hypothetical members of the group in this example are the hosts to which access is allowed:
    expr { [mcget {session.ldap.last.attr.memberOf}] contains "CN=RDTestGroup" }
  - Click Finished. The popup screen closes.
  - Click Save. The properties screen closes and the policy displays.
- Click Save. The properties screen closes and the policy displays.
- Add any other items to the access policy and change any appropriate branch ending to Allow.
- Click Apply Access Policy to save your configuration.
Do not specify this access policy in a virtual server definition. Select it from an RDG Policy Assign item in an access policy that authorizes Microsoft RDP clients.
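The following is an added example, not F5 code and not how APM implements the policy internally. It is an offline model of the resource authorization policy built in the procedure above: it applies the same decision order (Empty item port check, LDAP Query on the target host, memberOf branch rule) to a constructed in-memory stand-in for the Active Directory computer objects an LDAP Query would return. The host names, the example.test domain, the DIRECTORY list and the way session.ldap.last.attr.memberOf is modelled (as the memberOf values of the last matching entry) are all assumptions made for the example.

```python
# Added example (not F5 code): offline model of the RDG-RAP resource
# authorization policy. Decision order follows the page: port check first,
# then the LDAP host lookup, then the memberOf branch rule.
import re

RDP_PORT = 3389                      # the only target port the Empty item lets through
ALLOWED_GROUP = "CN=RDTestGroup"     # substring tested by the memberOf branch rule

# Constructed sample of AD computer objects (hypothetical names and DNs).
DIRECTORY = [
    {"name": "rdhost1", "DNSHostName": "rdhost1.example.test",
     "memberOf": ["CN=RDTestGroup,OU=Groups,DC=example,DC=test"]},
    {"name": "rdhost2", "DNSHostName": "rdhost2.example.test",
     "memberOf": ["CN=Domain Computers,CN=Users,DC=example,DC=test"]},
]


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    client-chosen host name is always compared as a literal string."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_filter(target_host, accept_short_name):
    """Expand the two SearchFilter templates from the page with the escaped host."""
    host = ldap_escape(target_host)
    if accept_short_name:
        return f"(|(name={host})(DNSHostName={host}))"
    return f"(DNSHostName={host})"


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def filter_matches(entry, filt):
    """Minimal evaluator for the two filter shapes above: (attr=value) and (|...)."""
    if filt.startswith("(|"):
        return any(filter_matches(entry, term)
                   for term in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")
    return entry.get(attr, "").lower() == _unescape(value).lower()


def authorize(session, accept_short_name=True):
    """Return ("Allow" | "Deny", reason) for one resource request. The session
    dict carries the page's variables session.rdg.target.host and .port."""
    if session.get("session.rdg.target.port") != RDP_PORT:
        return "Deny", "target port is not 3389"
    filt = build_filter(session.get("session.rdg.target.host", ""), accept_short_name)
    hits = [e for e in DIRECTORY if filter_matches(e, filt)]
    if not hits:
        return "Deny", "LDAP query returned no host"
    # Assumption: session.ldap.last.attr.memberOf is modelled as the memberOf
    # values of the last matching entry, joined into one string.
    member_of = " ".join(hits[-1]["memberOf"])
    if ALLOWED_GROUP in member_of:             # the Tcl "contains" test
        return "Allow", "host is a member of RDTestGroup"
    return "Deny", "host is not a member of RDTestGroup"


if __name__ == "__main__":
    for host, port in [("rdhost1.example.test", 3389), ("rdhost1", 3389),
                       ("rdhost2.example.test", 3389), ("rdhost1.example.test", 22),
                       ("*)(name=*", 3389)]:
        print(host, port, authorize({"session.rdg.target.host": host,
                                     "session.rdg.target.port": port}))
```

Two points the model makes visible. The branch rule's "contains" test is a substring match, so it also accepts any group whose CN begins with RDTestGroup; matching on the full DN is stricter if that matters in your directory. And the host value substituted into the SearchFilter is supplied by the client; whether the product escapes it is not stated on this page, so the model escapes it explicitly before substitution and the last sample request shows the result: a value with filter metacharacters simply fails to match any host and is denied.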
Create an access profile for RDP client authorization
You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
- On the Main tab, open the Access Profiles (Per-Session Policies) screen.
- Click Create. The New Profile screen opens.
- In the Name field, type a unique name for the access profile.
- From the Profile Type list, select one of these options. Additional settings display.
  - LTM-APM: Select for a web access management configuration.
  - SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
  - ALL: Select to support LTM-APM and SSL-VPN access types.
- Select the Custom check box.
- In the Access Policy Timeout field, type the number of seconds that should pass before the access profile times out because of inactivity. The timeout needs to be at least 15 minutes long because an RDP client sends a keepalive to the gateway every 15 minutes. To prevent a timeout, type 0 to set no timeout, or type 900 or greater; 900 indicates a 15-minute timeout, which is enough time for the keepalive to prevent the timeout.
- Click Finished.
Configure an access policy for an RDP client
Configure an access policy to authorize Microsoft RDP clients and to specify the access policy that APM should use to authorize access to resources as the client requests them.
NTLM authentication occurs before an access policy runs. If NTLM authentication fails, an error displays and the access policy does not run.
- On the Main tab, open the Access Profiles (Per-Session Policies) screen.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Endpoint Security (Server-Side) tab, select Client Type, and then click Add Item. The Client Type action identifies clients and enables branching based on the client type. A properties screen opens.
- Click Save. The properties screen closes; the Client Type item displays in the visual policy editor with a Microsoft Client RDP branch and branches for other client types.
- On a policy branch, click the (+) icon to add an item to the policy.
- To verify the result of client authentication:
  - Type NTLM in the search field.
  - Select NTLM Auth Result.
  - Click Add Item. A properties screen opens.
- Click Save. The properties screen closes and the policy displays.
- Select the RDG-RAP access policy you configured earlier:
  - Click the [+] sign on the successful branch after the authentication action.
  - Type RDG in the search field.
  - Select RDG Policy Assign and click Add Item.
  - To display available policies, click the Add/Delete link.
  - Select a policy and click Save.
  Without an RDG policy, APM denies access to each resource request.
- Click the Apply Access Policy link to apply and activate the changes to the policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Configure a machine account
You configure a machine account so that Access Policy Manager (APM) can establish a secure channel to a domain controller.
- On the Main tab, open a new Machine Account screen.
- In the Configuration area, in the Machine Account Name field, type a name.
- In the Domain FQDN field, type the fully qualified domain name (FQDN) for the domain that you want the machine account to join.
- In the Domain Controller FQDN field, type the FQDN for a domain controller.
- In the Admin User field, type the name of a user who has administrator privilege.
- In the Admin Password field, type the password for the admin user. APM uses these credentials to create the machine account on the domain controller. However, APM does not store the credentials, and you do not need them to update an existing machine account configuration later.
- Click Join.
This creates a machine account and joins it to the specified domain. This also creates a non-editable NetBIOS Domain Name field that is automatically populated. If the NetBIOS Domain Name field on the machine account is empty, delete the configuration and recreate it. The field populates.
Create an NTLM Auth configuration
Create an NTLM Auth configuration to specify the domain controllers that a machine account can use to log in.
- On the Main tab, open a new NTLM Auth Configuration screen.
- In the Name field, type a name.
- From the Machine Account Name list, select the machine account configuration to which this NTLM Auth configuration applies. You can assign the same machine account to multiple NTLM authentication configurations.
- For each domain controller, type a fully qualified domain name (FQDN) and click Add. By specifying more than one domain controller, you enable high availability: if the first domain controller on the list is not available, Access Policy Manager tries the next domain controller on the list, successively. You should add only domain controllers that belong to one domain.
- Click Finished.
This specifies the domain controllers that a machine account can use to log in.
Maintain a machine account
In some networks, administrators run scripts to find and delete outdated machine accounts on the domain controllers. To keep the machine account up to date, you can renew the password periodically.
- On the Main tab, open the Machine Account screen.
- Click the name of a machine account. The properties screen opens and displays the date and time of the last update to the machine account password.
- Click the Renew Machine Password button. The screen refreshes and displays the updated date and time.
Configure a VDI profile
Configure a VDI profile to specify NTLM authentication for Microsoft RDP clients that use APM as a gateway.
- On the Main tab, open the VDI Profiles list.
- Click Create. A popup screen opens with General Information selected in the left pane and settings displayed in the right pane.
- In the Profile Name field, type a name.
- From the Parent Profile field, select an existing VDI profile. A VDI profile inherits properties from the parent profile. You can override them in this profile.
- In the left pane, click MSRDP Settings. Settings in the right pane change.
- From the MSRDP NTLM Configuration list, select an NTLM authentication configuration.
- From the left pane, click Citrix Settings.
- For the Enable StoreFront Functionality on APM setting, enable or disable the native StoreFront protocol. The default value is Disabled, which continues to use the PNAgent protocol.
- In the left pane, click VMware View Settings. Settings in the right pane change.
- From the Transport Protocol (UDP-only) list, select a protocol. Select Blast Extreme or PCoIP to proxy the remote desktop protocol supported by VMware Horizon View.
- Click OK. The popup screen closes.
To apply the VDI profile, you must specify it in a virtual server.
Creating a connectivity profile
You create a connectivity profile to configure client connections.
- On the Main tab, open the list of connectivity profiles.
- Click Add. The Create New Connectivity Profile popup screen opens and displays General Settings.
- Type a Profile Name for the connectivity profile.
- Select a Parent Profile from the list. APM provides a default profile, /Common/connectivity.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile displays in the list.
Create a custom Client SSL profile
You create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of authenticating and decrypting ingress client-side SSL traffic, or re-encrypting egress client-side traffic.
- On the Main tab, open the Client SSL profile list screen.
- Click Create. The New Client SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select clientssl in the Parent Profile list.
- From the Configuration list, select Advanced.
- Select the Custom check box. The settings become available for change.
- Next to Client Authentication, select the Custom check box. The settings become available.
- From the Configuration list, select Advanced.
- Modify the settings, as required.
- Click Finished.
Create a virtual server for SSL traffic
Define a virtual server to process SSL traffic from Microsoft RDP clients that use APM as a gateway.
Users must specify the IP address of this virtual server as the gateway or RDG gateway from the RDP client that they use.
- On the Main tab, open the Virtual Server List screen.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- For the Service Port, do one of the following:
  - Type 443 in the field.
  - Select HTTPS from the list.
- In the SSL Profile (Client) list, select an SSL profile.
- In the Access Policy area, from the Access Profile list, select the access profile for RDP client authorization that you configured earlier.
- From the Connectivity Profile list, select a profile.
- From the VDI Profile list, select the VDI profile you configured earlier.
- Click Finished.
Implementation result
Supported Microsoft RDP clients can specify a virtual server on the BIG-IP system to use as a remote desktop gateway. APM can authorize the clients and authorize access to target servers as the clients request them.