Manual Chapter : Smart Card Authentication for VMware View Clients

Applies To: BIG-IP APM 12.0.0

Smart Card Authentication for VMware View Clients

Overview: Supporting smart card authentication for VMware View

On a BIG-IP® system configured as a SAML Identity Provider (IdP), APM® supports smart card authentication for VMware View Horizon Server browser-based clients and View Clients. The configuration uses SSL client certificate validation mechanisms. For a successful configuration, use these instructions and the settings specified in them.

Task summary

About virtual servers required for View Client traffic

A View Client makes connections to support different types of traffic between it and a View Connection Server. For APM to support these connections, it requires two virtual servers that share the same destination IP address. One virtual server processes HTTPS traffic and performs authentication for the View Client. An additional virtual server processes PC over IP (PCoIP) traffic.

Creating a client SSL profile for certificate inspection

Before you start this task, import the CA certificate for VMware View Horizon server to the BIG-IP® system certificate store.
You create a custom client SSL profile to request an SSL certificate from the client at the start of the session. This enables a Client Cert Inspection item in an access policy to check whether a valid certificate was presented.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
    The default settings for the profile specify a 10-second SSL handshake timeout. Some users with smart cards cannot authenticate within that time. You can increase the timeout if this is the case at your site.
  5. From the Configuration list, select Advanced.
  6. If you have VMware View clients on Mac OS X, disable TLS 1.2 in the Options List area:
    1. In the Available Options list, select No TLS 1.2.
    2. Click Enable.
  7. If you change the values for the Cache Size or the Cache Timeout setting, do not specify a value of zero (0) for either setting.
    When these values are 0, the client must supply a PIN on each browser page refresh.
  8. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  9. To limit the timeout to a number of seconds, select Specify from the list, and type the desired number in the seconds field.
    In the list, the value Indefinite specifies that the system continue trying to establish a connection for an unlimited time. If you select Indefinite, the seconds field is no longer available.
  10. Scroll down to the Client Authentication area.
  11. Select the Custom check box for Client Authentication.
    The settings become available.
  12. From the Client Certificate list, select request.
    Do not select require.
  13. From the Trusted Certificate Authorities and Advertised Certificate Authorities, select the certificates you imported previously.
  14. Click Finished.

Creating a virtual server for a BIG-IP (as SAML IdP) system

Specify a host virtual server to use as the SAML IdP.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  8. For the SSL Profile (Server) setting, select pcoip-default-serverssl.
  9. From the Source Address Translation list, select Auto Map.
  10. Click Finished.
The virtual server for the BIG-IP® system configured as an IdP now appears on the Virtual Server List. The virtual server destination is available for use in the SAML IdP service configuration.

Configuring IdP service for VMware View smart card SSO

Configure a SAML Identity Provider (IdP) service for Access Policy Manager® (APM®), as a SAML IdP, to provide single sign-on authentication to VMware View clients with a smart card.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Click Create.
    The Create New IdP Service popup screen displays.
  3. In the IdP Service Name field, type a unique name for the SAML IdP service.
  4. In the IdP Entity ID field, type a unique identifier for the IdP (this BIG-IP® system).
    Typically, the ID is a URI that points to the BIG-IP virtual server that is going to act as a SAML IdP. If the entity ID is not a valid URL, the Host field is required.
    For example, type https://siterequest.com/idp, where the path points to the virtual server you use for BIG-IP system as a SAML IdP.
  5. If the IdP Entity ID field does not contain a valid URI, you must provide one in the IdP Name Settings area:
    1. From the Scheme list select https or http.
    2. In the Host field, type a host name.
      For example, type siterequest.com in the Host field.
  6. Select SAML Profiles from the left pane and select the Enhanced Client or Proxy Profile (ECP) check box.
  7. To specify an artifact resolution service, click Endpoint Settings from the left pane and select a service from the Artifact Resolution Service list.
    Note: APM does not use the artifact resolution service, but one must be included in the IdP metadata. If you leave the Artifact Resolution Service list blank, you can edit the IdP metadata later to add an artifact resolution service to it.
  8. Select Assertion Settings from the left pane.
    The applicable settings display.
    1. From the Assertion Subject Type list, select Persistent Identifier.
    2. From the Assertion Subject Value list, type the name of the custom session variable into which you stored the user principal name (UPN).
      You must type a percent sign (%) first and then enclose the session variable name in curly braces ({}).
      For example, type %{session.custom.certupn}.
    3. In the Authentication Context Class Reference field, select a URI reference that ends with PasswordProtectedTransport.
      The URI reference identifies an authentication context class that describes an authentication context declaration.
    4. In the Assertion Validity (in seconds) field type the number of seconds for which the assertion is valid.
  9. From the left pane, select SAML Attributes.
    1. Click Add.
      A Create New SAML Attribute popup screen displays.
    2. In the Name field, type disclaimer.
    3. Click Add.
      Entry fields display in the table.
    4. In the Value(s) field, type false and click Update.
      This value must not be encrypted.
    5. Click OK.
      The Create New SAML Attribute popup screen closes.
    The disclaimer attribute set to false is required. You can add additional attributes if needed.
  10. From the left pane, select Security Settings and select a certificate and a key from the BIG-IP system store to use for signing the assertion.
    1. From the Signing Key list, select the key from the BIG-IP system store.
      None is selected by default.
    2. From the Signing Certificate list, select the certificate from the BIG-IP system store.
      When selected, the IdP (the BIG-IP system) publishes this certificate to the service provider so the service provider can verify the assertion. None is selected by default.
  11. Click OK.
    The popup screen closes. The new IdP service appears on the list.

Exporting unsigned SAML IdP metadata from APM

You need to convey the SAML Identity Provider (IdP) metadata from APM to the external service providers that use the SAML IdP service. Exporting the IdP metadata for a SAML IdP service to a file provides you with the information that you need to do this.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the table and click Export Metadata.
    A popup screen opens, with No selected on the Sign Metadata list.
  3. Select OK.
    APM downloads an XML file.
An XML file that contains IdP metadata is available.

Editing the IdP metadata for VMware Horizon View

You need to edit the SAML Identity Provider (IdP) metadata XML file that you exported from APM® to make it conform to the requirements of the VMware View Connection Server (VCS).
  1. Locate the IdP metadata XML file that you downloaded onto your system.
  2. Use a text editor to open the file.
  3. If you did not create an artifact resolution service, add a line to the file to define the service.
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://165.160.15.20:443/saml/idp/profile/soap/ars" index="0" isDefault="true"></ArtifactResolutionService>
    APM does not use the artifact resolution service, but the VCS requires it.
  4. Find the <KeyDescriptor> element and copy and paste its contents.
    VCS requires two <KeyDescriptor> elements.
  5. Edit each <KeyDescriptor> element; add use="signing" to one (<KeyDescriptor use="signing">) and use="encryption" to the other.
    <KeyDescriptor use="signing">
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate><key_data></ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate><key_data></ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
  6. Save the XML file and exit the text editor.
Example edited IdP metadata file for VMware Horizon View

The metadata contains two KeyDescriptor elements, one for use in signing and one for use in encryption. It also includes an ArtifactResolutionService element.

 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="Ie662e22302a165c" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://siterequest.com/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <KeyDescriptor use="signing">
    <ds:KeyInfo>
     <ds:X509Data>
      <ds:X509Certificate>key_data</ds:X509Certificate>
     </ds:X509Data>
    </ds:KeyInfo>
   </KeyDescriptor>
   <KeyDescriptor use="encryption">
    <ds:KeyInfo>
     <ds:X509Data>
      <ds:X509Certificate>key_data</ds:X509Certificate>
     </ds:X509Data>
    </ds:KeyInfo>
   </KeyDescriptor>
   <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://165.160.13.20:443/saml/idp/profile/soap/ars" index="0" isDefault="true">
   </ArtifactResolutionService>
   <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://siterequest.com/saml/idp/profile/post/sls" ResponseLocation="https://siterequest.com/saml/idp/profile/post/slr" isDefault="true">
   </SingleLogoutService>
   <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://siterequest.com/saml/idp/profile/ecp/sso">
   </SingleSignOnService>
   <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="disclaimer">
   </saml:Attribute>
  </IDPSSODescriptor>
 </EntityDescriptor>
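The two metadata edits described above (a signing and an encryption KeyDescriptor, plus an ArtifactResolutionService) can be applied to the exported file with a script instead of by hand. This is an added Python example, not F5 or VMware code; the ars_location argument, the sample exported metadata and the check helper are assumptions for illustration.

```python
"""Apply the VCS-required edits to SAML IdP metadata exported from APM.

Added example (not F5's or VMware's code). It duplicates the single
KeyDescriptor into use="signing" and use="encryption" copies and adds an
ArtifactResolutionService element, leaving everything else untouched.
"""
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Keep the prefixes the exported file uses so the edited XML stays readable.
ET.register_namespace("", MD)
ET.register_namespace("ds", DS)
ET.register_namespace("saml", SAML)


def edit_idp_metadata(xml_text, ars_location):
    """Return the metadata with two KeyDescriptors and an ArtifactResolutionService.

    ars_location is the SOAP endpoint URL to publish (assumed; APM does not
    use it, but VCS requires the element to be present).
    """
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    descriptors = idp.findall(f"{{{MD}}}KeyDescriptor")
    uses = {kd.get("use") for kd in descriptors}
    if len(descriptors) == 1 and uses == {None}:
        # APM exports one KeyDescriptor without 'use'; VCS needs one of each.
        signing = descriptors[0]
        signing.set("use", "signing")
        encryption = copy.deepcopy(signing)
        encryption.set("use", "encryption")
        idp.insert(list(idp).index(signing) + 1, encryption)
    elif uses != {"signing", "encryption"}:
        raise ValueError(f"unexpected KeyDescriptor layout: {uses}")

    if idp.find(f"{{{MD}}}ArtifactResolutionService") is None:
        ars = ET.Element(f"{{{MD}}}ArtifactResolutionService", {
            "Binding": SOAP_BINDING,
            "Location": ars_location,
            "index": "0",
            "isDefault": "true",
        })
        # Place it right after the KeyDescriptors, as in the example file above.
        last_kd = idp.findall(f"{{{MD}}}KeyDescriptor")[-1]
        idp.insert(list(idp).index(last_kd) + 1, ars)

    return ET.tostring(root, encoding="unicode")


def check_vcs_requirements(xml_text):
    """Summarise whether the metadata has what VCS expects (assumed check helper)."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    kds = idp.findall(f"{{{MD}}}KeyDescriptor") if idp is not None else []
    certs = {kd.findtext(f".//{{{DS}}}X509Certificate") for kd in kds}
    return {
        "key_uses": sorted(kd.get("use") or "" for kd in kds),
        "has_ars": idp is not None
        and idp.find(f"{{{MD}}}ArtifactResolutionService") is not None,
        # Both descriptors must carry the same certificate (a copy, not a new key).
        "certs_match": len(kds) == 2 and len(certs) == 1,
    }


# Constructed sample: the shape APM exports before editing (one KeyDescriptor, no ARS).
EXPORTED_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:saml="{SAML}" xmlns:ds="{DS}" entityID="https://siterequest.com/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>key_data</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{SOAP_BINDING}" Location="https://siterequest.com/saml/idp/profile/ecp/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    fixed = edit_idp_metadata(
        EXPORTED_METADATA, "https://siterequest.com:443/saml/idp/profile/soap/ars")
    print(fixed)
    print(check_vcs_requirements(fixed))
```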

Creating an iRule to respond with IdP metadata to a URI

You can use iRules® to respond with SAML Identity Provider (IdP) XML metadata for a particular URI.
Note: For complete and detailed information about iRules syntax, see the F5® Networks DevCentral™ web site (http://devcentral.f5.com).
  1. On the Main tab, click Local Traffic > iRules .
    The iRule List screen opens, displaying any existing iRules.
  2. Click Create.
    The New iRule screen opens.
  3. In the Name field, type a unique name for the iRule.
    The full path name of the iRule cannot exceed 255 characters.
  4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.
    This example specifies a URI, /SAAS/API/1.0/GET/metadata/, and includes the content of the SAML IdP metadata in the response. (The example elides the metadata for brevity.)
    when HTTP_REQUEST {
        if { [HTTP::path] contains "/SAAS/API/1.0/GET/metadata/" and [HTTP::method] equals "GET" } {
            HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8" ?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="Ie662e22302a165c" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://siterequest.com/idp">
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            .
            .
            .
        </IDPSSODescriptor>
    </EntityDescriptor>}
        }
    }
  5. Click Finished.
    The new iRule appears in the list of iRules on the system.
You must add this iRule to the virtual server that processes the traffic from the SAML service provider (SP).

Establishing APM as a trusted SAML IdP for VMware Horizon View

From VMware View Connection Server (VCS), create a SAML Authenticator that points to APM® so that VCS can recognize APM as a trusted SAML Identity Provider (IdP).
  1. Using the VMware software that you use to administer a VCS, create a new SAML Authenticator with these properties:
    1. For SAML Authenticator, type the FQDN of your virtual server.
    2. For Metadata URL, type the URI where VCS can get the SAML IdP metadata.
      Normally, the VCS should attempt to request the metadata and verify it.
      For example, type https://siterequest.com/SAAS/API/1.0/GET/metadata/, where https://siterequest.com is the virtual server for the SAML IdP service, and /SAAS/API/1.0/GET/metadata/ is the URI for which the iRule on the virtual server responds with SAML IdP metadata.
  2. To apply the changes after choosing a new SAML Authenticator, you must restart VCS.

Configuring a SAML SP connector for VMware VCS

Configure a SAML service provider (SP) connector with settings specified here so that APM® can recognize the VMware View Connection Server (VCS) as a supported consumer of SAML assertions.
Note: Do not import the SAML service provider metadata file from the VCS in place of performing these steps. The metadata file does not meet the requirements for this configuration.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. On the menu bar, click External SP Connectors.
    A list of SAML SP connectors displays.
  3. Click Create.
    The Create New SAML SP Connector screen opens.
  4. In the Service Provider Name field, type a unique name for the SAML SP connector.
  5. In the SP Entity ID field, type a unique identifier for the service provider.
    This is usually a unique URI that represents the service provider. You should obtain this value from the service provider.
  6. Select Endpoint Settings from the left pane.
    The appropriate settings are displayed.
  7. In the Assertion Consumer Services area, specify one assertion consumer service with PAOS binding.
    1. Click Add.
      A new row displays in the table.
    2. In the Index field, type the index number, zero (0) or greater.
    3. Select the Default check box.
    4. In the Assertion Consumer Service URL field, type the URL where the IdP can send an assertion to this service provider.
    5. From the Binding list, select PAOS.
    6. Click Update.
  8. Select Security Settings from the left pane.
    1. Clear the Require Signed Authentication Request check box.
    2. Select the Response must be signed and Assertion must be signed check boxes, and then select an algorithm from the Signing Algorithm list.
  9. Click OK.
    The popup screen closes.
The new SAML SP connector is available to bind to the SAML IdP service.

Binding a SAML IdP service to one SP connector

Bind a SAML Identity Provider (IdP) service and a SAML service provider (SP) connector so that the BIG-IP® system can provide authentication (SAML IdP service) to the external SAML service provider.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the list.
    Select an IdP service that you configured for use with one particular SP connector only.
  3. Click Bind/Unbind SP Connectors.
    The screen displays a list of available SAML SP connectors.
  4. Select the one SAML SP connector that you want to pair with this IdP service.
  5. Select OK.
    The screen closes.
The SAML SP connector that you selected is bound to the SAML IdP service.

Configuring a SAML resource for VMware View clients

To support users that log in using the VMware View client, you must configure a SAML resource.
  1. On the Main tab, click Access Policy > SAML > SAML Resources .
    The SAML Resources list screen opens.
  2. Click the Create button.
    The SAML Resource New Resource screen opens.
  3. In the Name field, type a unique name for the SAML resource.
  4. Clear the Publish on Webtop check box.
    You must clear the check box to support VMware View smart card authentication with this SAML resource.
  5. In the Configuration area from the SSO Configuration list, select the SAML IdP service that is bound to the SAML SP connector with the resources you want.
  6. In the Customization Settings for English area, and in the Caption field, type a caption for this SAML resource.
  7. Click Finished.
    The SAML resource is created and associated with a SAML IdP service.

Configuring a VMware View resource for SAML SSO

Configure a VMware View remote desktop resource for SAML SSO to support smart card authentication.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops > Remote Desktops List .
    The Remote Desktops list opens.
  2. Click Create.
    The New Resource screen opens.
  3. For the Type setting, select VMware View.
  4. For the Destination setting, select Pool and from the Pool Name list, select a pool of View Connection Servers that you configured previously.
  5. For the Server Side SSL setting, select the Enable check box.
    View Connection Servers must use HTTPS (default) to support smart card authentication.
  6. In the Single Sign-On area, select the Enable SSO check box.
    Enable SSO to a View Connection Server after logging in to APM®.
  7. From the SSO Method list, select SAML.
  8. From the SAML Resource list, select the SAML resource that you configured previously.
  9. In the Customization Settings for the language_name area, type a Caption.
    The caption is the display name of the VMware View resource on the APM full webtop.
  10. Click Finished.
    All other parameters are optional.
This creates the VMware View remote desktop resource. To use it, you must assign it along with a full webtop in an access policy.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and per-request policy names.
  4. From the Profile Type list, select All.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Example access policy: smart card authentication for VMware View

[Figure: VMware View Smart Card Logon Screen. Access policy that requires Smart Card authentication with SAML SSO for VMware View. Callouts:]
  1. Agent properties specify Smart Card for the VMware View Logon Screen property.
  2. Extracts the User Principal Name from SSL certificate information and stores it in a custom session variable.
  3. Assigns a full webtop and a VMware View remote desktop resource configured for SAML SSO.

Creating an access policy for VMware View smartcard authentication

Access Policy Manager® (APM®) supports this configuration when the BIG-IP® system, configured as a SAML Identity Provider (IdP), provides SSO authentication service that is consumed by a VMware View Connection Server (VCS), configured as a SAML service provider.
Create an access policy so that a VMware View client can use a smart card for authenticating with Access Policy Manager.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type client in the search field, select Client Type from the results list, and click Add Item.
    The Client Type action identifies clients and enables branching based on the client type.
    A properties screen opens.
  5. Click Save.
    The properties screen closes. The visual policy editor displays the Client Type action. The VMware View branch applies to VMware View client access and the Full/Mobile branch applies to HTML-based access.
  6. To accept Smart Card logon from the VMware View client, add a smart card logon screen:
    1. Add a VMware View Logon Page action to the policy.
      A properties screen opens.
    2. From the VMware View Logon Screen list, select Smart Card.
    3. Click Save.
      The properties screen closes and the visual policy editor displays.
  7. Add Client Cert Inspection agent to the access policy on one or more branches as appropriate.
    The agent verifies the result of the SSL handshake request that occurs at the start of the session and makes SSL certificate information available to the policy.
  8. Add an action to the access policy to obtain the User Principal Name (UPN) on one or more branches as appropriate.
    You might add a Variable Assign action and configure it to extract the UPN from the certificate information or configure an AD Query that retrieves the UPN.
  9. After successful authentication and successful retrieval of the UPN, assign resources to the session.
    1. Click the (+) sign after the previous action.
    2. Type adv in the search field, select Advanced Resource Assignment from the results, and click Add Item.
      A properties screen displays.
    3. Click Add new entry.
      A new line is added to the list of entries.
    4. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    5. On the Remote Desktop tab, select the VMware View remote desktop resource that you configured for SAML SSO previously.
    6. On the Webtop tab, select a full webtop and click Update.
      The properties screen closes and the resources you selected are displayed.
    7. Click Save.
      The properties screen closes and the visual policy editor displays.
  10. To grant access at the end of any branch, change the ending from Deny to Allow:
    1. Click Deny.
      The default branch ending is Deny.
      A popup screen opens.
    2. Select Allow and click Save.
      The popup screen closes. The Allow ending displays on the branch.
  11. Click Apply Access Policy.

Depending on the access policy branches that you configured, you have an access policy that supports Smart Card authentication for a VMware View client, for an HTML-based client accessing VMware View, or for both.

To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Using variable assign to extract the UPN from the SSL certificate

You must supply the User Principal Name (UPN) as the Assertion Subject Value for the SAML Identity Provider (IdP) service.
Note: This example adds a Variable Assign action to the access policy. The action uses a Tcl expression that extracts the UPN from the X509 certificate for the client and stores it in a user-defined session variable.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On an access policy branch, click the (+) icon.
    The Variable Assign action must occur after a Client Cert Inspection action runs successfully. The Variable Assign action relies on X509 information that the Client Cert Inspection action provides.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  5. On the left side of the variable assign properties screen, select Custom Variable from the list and in the field, type the name of a custom session variable.
    For example, type session.custom.certupn.
    Remember the session variable name; you must use it as the assertion subject value for the IdP. You will need to enter it into the IdP service configuration later.
  6. On the right side of the variable assignment properties screen, select Custom Expression from the list and in the field, type a Tcl expression to extract the UPN from the X509 certificate as shown here.
    foreach x [split [mcget {session.ssl.cert.x509extension}] "\n"] {
        if { [string first "othername:UPN" $x] >= 0 } {
            return [string range $x [expr { [string first "<" $x] + 1 }] [expr { [string first ">" $x] - 1 }]];
        }
    };
    return "";
  7. Click Save.
    The properties screen closes and the visual policy editor displays.
The Variable Assign action is added to the access policy. You probably need to configure additional actions in the access policy.
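The following Python model of the Tcl expression above is an added example (not F5 code) for checking offline what the expression yields for a given session.ssl.cert.x509extension value, including the cases where no UPN is present and the assertion subject would be empty. The sample extension text is constructed, and its layout is an assumption based on the othername:UPN<...> line the expression searches for; unlike the Tcl, the model returns an empty string for a malformed line rather than a partial one.

```python
"""Model of the Variable Assign UPN-extraction logic (added example, not F5 code)."""


def extract_upn(x509extension):
    """Return the UPN from the first line containing 'othername:UPN', or ''.

    Same logic as the Tcl expression: split on newlines, take the first
    'othername:UPN' line, return the text between the first '<' and '>'.
    Caveat: Tcl's 'string first' returns -1 for a missing delimiter, so the
    Tcl may return a partial string on a malformed line; this model returns ''.
    """
    for line in x509extension.split("\n"):
        if "othername:UPN" in line:
            start = line.find("<")
            end = line.find(">")
            if start == -1 or end <= start:
                return ""
            return line[start + 1:end]
    return ""


def saml_subject_ready(x509extension):
    """Return (ok, upn): ok only when the UPN looks like user@realm.

    An empty session.custom.certupn would become an empty Persistent NameID,
    so a policy should only reach Advanced Resource Assign when ok is True
    (assumed check, not part of the APM configuration).
    """
    upn = extract_upn(x509extension)
    ok = "@" in upn and not upn.startswith("@") and not upn.endswith("@")
    return ok, upn


# Constructed samples of the multi-line extension text the expression parses.
SAN_WITH_UPN = (
    "X509v3 Key Usage: critical\n"
    "    Digital Signature, Key Encipherment\n"
    "X509v3 Subject Alternative Name:\n"
    "    othername:UPN<jdoe@corp.example>, email:jdoe@corp.example\n"
)
SAN_WITHOUT_UPN = (
    "X509v3 Subject Alternative Name:\n"
    "    email:jdoe@corp.example\n"
)

if __name__ == "__main__":
    for sample in (SAN_WITH_UPN, SAN_WITHOUT_UPN):
        print(saml_subject_ready(sample))
```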

Updating the Access Policy settings and resources on the virtual server

You associate an access profile, connectivity profile, VDI profile, and an iRule with the virtual server so that Access Policy Manager® can apply them to incoming traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that you want to update.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. From the Connectivity Profile list, select a connectivity profile.
  5. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  6. In the Resources area, for the iRules setting, from the Available list, select the name of the iRule that you want to assign, and move the name into the Enabled list.
  7. Click Update.
Your access policy and the iRule are now associated with the virtual server.

Configuring a UDP virtual server for PCoIP traffic

Create this virtual server to support a PC over IP (PCoIP) data channel for View Client traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address.
    Note: Type the same IP address as the one for the View Client authentication virtual server.
  5. In the Service Port field, type 4172.
  6. From the Protocol list, select UDP.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Access Policy area, from the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  9. Click Finished.
This virtual server is configured to support PCoIP transport protocol traffic for VMware View Clients.

Configuring virtual servers that use a private IP address

If you configured the HTTPS and UDP virtual servers with a private IP address that is not reachable from the Internet, but instead a publicly available device (typically a firewall or a router) performs NAT for it, you need to perform these steps.
You update the access policy by assigning the variable view.proxy_addr to the IP address that the client uses to reach the virtual server. Otherwise, a View Client cannot connect when the virtual servers have a private IP address.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  5. Click the change link next to the empty entry.
    A popup screen displays two panes, with Custom Variable selected on the left and Custom Expression selected on the right.
  6. In the Custom Variable field, type view.proxy_addr.
  7. In the Custom Expression field, type expr {"proxy address"} where proxy address is the IP address that the client uses to reach the virtual server.
  8. Click Finished to save the variable and expression and return to the Variable Assign action popup screen.
  9. Click Save.
    The properties screen closes and the visual policy editor displays.
  10. Click the Apply Access Policy link to apply and activate the changes to the access policy.

Overview: Giving APM users time to enter a Smart Card PIN

If you have configured Access Policy Manager® for smart card authentication and your users cannot enter a PIN before the SSL handshake times out, they can experience problems such as browser failure or errors because the BIG-IP® system sends a TCP reset after the SSL handshake times out. You can mitigate this problem by increasing the handshake timeout in the client SSL profile.

Updating the handshake timeout in a Client SSL profile

By default, a client SSL profile provides a 10-second SSL handshake timeout. You might need to modify the timeout to give users more or less time for the SSL handshake to complete.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. In the Name column, click the name of the profile you want to modify.
  3. From the Configuration list, select Advanced.
  4. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  5. To limit the timeout to a number of seconds, select Specify from the list, and type the desired number in the seconds field.
    In the list, the value Indefinite specifies that the system continue trying to establish a connection for an unlimited time. If you select Indefinite, the seconds field is no longer available.
  6. Click Update.