Manual Chapter : Configuring Remote Desktop Access

Applies To:

Show Versions Show Versions


  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

What are remote desktops?

Remote desktops in Access Policy Manager allow users to access the following types of internal servers in virtual desktop sessions:

  • Microsoft Remote Desktop servers
  • Citrix servers
  • VMware View Connection servers

You can configure remote desktops by name or by their internal IP addresses, and grant or deny users the ability to set up their own favorites.

What is Microsoft remote desktop?

Using an Access Policy Manager ( APM) RDP type remote desktop, clients can access a server that runs Microsoft Remote Desktop Services. Microsoft Remote Desktop servers run the Microsoft Remote Desktop Protocol (RDP) server. RDP is a protocol that provides a graphical interface to another computer on a network.

To provide Microsoft RDP connections natively, APM provides these alternatives.

Java Client
APM provides a Java Client option in the remote desktop configuration. The option supports native connections for Windows, Mac, and Linux clients. When this option is selected, a user on any compatible platform is presented with a simple Java Client interface to the Microsoft RDP server with reduced visual display features.
APM as a gateway for RDP clients
With proper BIG-IP system configuration, Microsoft RDP clients can use APM as a gateway. The configuration supports Microsoft RDP clients on Windows, Mac, iOS, and Android. When a user types the address or hostname of the gateway into an RDP client and specifies a particularly configured virtual server for it, APM authorizes the client. When the client requests connections to resources on backend servers, APM authorizes the access.

For support information, refer to BIG-IP APM Client Compatibility Matrix on AskF5 at

What is Citrix remote desktop?

Citrix remote desktops are supported by Citrix XenApp and ICA clients. With Access Policy Manager you can configure clients to access servers using Citrix terminal services. You provide a location from which a client can download and install a Citrix client for a Citrix ICA connection.

Task summary for remote desktops

To set up remote desktops, perform the procedures in the task list.

Task list

Configuring a resource for Citrix or Microsoft remote desktops

Depending on whether you choose to configure a Microsoft or Citrix remote desktop, some options may not be available. Refer to the online help for more information about the parameters you can configure for remote desktops.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops > Remote Desktops List. The Remote Desktops list opens.
  2. Click Create. The General Properties screen opens.
  3. Configure the following settings:
    Option Description
    For Citrix Specify an IP address as your Destination, accept or change the Port, and select the ACL Order.
    For RDP Specify your Destination and Port. All other settings are optional. To provide a cross-platform Java client for this RDP tunnel, select the Java Client check box.
    Note: If you specify a hostname for your destination, make sure that it is DNS-resolvable. After the remote desktop is assigned to a full webtop in an access policy, the remote desktop does not appear on the full webtop if the hostname is not DNS-resolvable.
  4. Under the Default Customization Settings section, type a Caption. The caption identifies the remote desktop and enables it to appear on a full webtop.

Configuring an access policy to include a remote desktop

This procedure is applicable if you want to configure Access Policy Manager for Citrix or Microsoft RDP terminal services.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy. The Access Policy screen opens.
  4. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  5. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. On the Assignment tab, select the Resource Assign agent, and click Add Item. The Resource Assignment screen opens.
  7. Next to each type of resource that you want assign (Network Access, Portal Access, App Tunnel, Remote Desktop, or SAML), click the Add/Delete link, and select from available resources.
  8. Click Update.
  9. Click Save.
Your remote desktop is assigned to the session.
To complete the process, you must assign a webtop, apply the access policy, and associate the access policy and connectivity profile with a virtual server so users can launch the remote desktop session.

Attaching an access policy to a virtual server for remote desktops

When creating a virtual server for an access policy, specify an IP address for a single host as the destination address.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  4. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  5. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  6. If you are using a connectivity profile, from the Connectivity Profile list, select the connectivity profile.
  7. If you are creating a virtual server to use with portal access resources in addition to remote desktops, from the Rewrite Profile list, select the default rewrite profile, or another rewrite profile you created.
  8. If you want to provide connections to Java RDP clients for application access, allow Java rewriting for portal access, or support a per-app VPN connection that is configured on a mobile device, select the Application Tunnels (Java & Per-App VPN) check box. You must enable this setting to make socket connections from a patched Java applet. If your applet doesn't require socket connections, or only uses HTTP to request resources, this setting is not required.
  9. If you want to provide native integration with an OAM server for authentication and authorization, select the OAM Support check box. You must have an OAM server configured in order to enable OAM support.
  10. Click Update.
The access policy is now associated with the virtual server.