Forum Discussion

tira_li's avatar
tira_li
Icon for Nimbostratus rankNimbostratus
Sep 30, 2024

F5 APM RDP

Hi Guys,

 

Recently we have deployed F5 APM as SSL VPN solution for our company laptops (only for Windows within domain), all runs well.

However, there is a new requirement that if other OS laptops like Mac or non-domain Windows computer clients can also get secure RDP to their company Win laptops and then control the Win laptops to access internal network etc? If yes, how to deploy it in detail?

I tried to add one test laptop into "VDI/RDP" also add the existing Access_Policy as below. After authentication from logon page,  I can this RDP icon and click it, it would automatically download one RDP file, then I clicked it and it will try to connect, and then it failed as below. the last is existing access_policy for non-domail windows for testing RDP.

Please help review and guide me how to configure since I am not familiar with APM product.

Best Regards.

 

 

 

apm.f5
  • tira_li's avatar
    tira_li
    Icon for Nimbostratus rankNimbostratus
    Sep 30, 2024

    Hi, 

    Thx for your quick response! Great steps, I would like to use "Client OS" to detect client type with specified domain Win Registry for client restrictions, and I want to check if the RDP host you mentioned is pointing a Windows Terminal Server with Remote Desktop Session Host service, use the terminal server to call end user own company laptop? Or directly pointing to end user's own company laptop?

  • emma698fox's avatar
    emma698fox
    Icon for Mist rankMist
    Sep 30, 2024

    To enable secure RDP access for Mac and non-domain Windows clients using F5 APM, you'll need to ensure that your configuration supports these clients properly. Here’s a detailed approach you can follow:

    Overview of Steps

    1. Access Policy Configuration
    2. RDP Settings in APM
    3. Testing and Troubleshooting
    4. Security Considerations

    1. Access Policy Configuration

    You need to modify your existing access policy to include checks and configurations for non-domain devices. Here’s how to proceed:

    • Add Device Detection: Use the Client Type or User Agent to detect Mac and non-domain Windows devices.
    • Add RDP Access: Create a branch in the access policy that handles RDP connections. You can use the following sequence:
      • Logon Page: Authenticate users.
      • Access Policy Branch: Check if the user is on a non-domain machine and route to the RDP branch.
      • RDP Access: Use the RDP access profile and configure it to serve the RDP file.

    2. RDP Settings in APM

    1. Create an RDP Access Profile:
      • Go to Access > Profiles > RDP Access.
      • Create a new profile or modify an existing one, ensuring it points to the correct internal resources.
    2. Configure RDP Settings:
      • Specify the RDP host (the Windows machine users will connect to).
      • Configure security settings (like SSL/TLS) to secure the RDP session.
      • Ensure that the RDP file generated contains the correct details for the session.
    3. RDP File Generation:
      • The RDP file needs to be formatted correctly to ensure it points to the right target and uses the correct authentication method (e.g., domain credentials).

    3. Testing and Troubleshooting

    • Test Access: Use a Mac or non-domain Windows machine to test access. Ensure the RDP file downloads and attempts to connect correctly.
    • Log Analysis: Check the APM logs to troubleshoot connection issues:
      • Authentication Failures: Ensure users are authenticated correctly.
      • Connection Errors: Look for errors in the RDP connection attempt.

    4. Security Considerations

    • Encryption: Ensure that RDP sessions are encrypted.
    • User Roles: Define roles and permissions clearly in APM to prevent unauthorized access.
    • Client Restrictions: Consider adding restrictions based on the OS type for better security.

    Example Access Policy

    1. Start with Logon Page
    2. Branch for Non-Domain Check (Use Client Type):
      • If it's a non-domain Windows or Mac, allow access.
    3. RDP Access Action:
      • Use the configured RDP profile.

    Final Thoughts

    Setting up F5 APM for non-domain clients requires careful attention to access policies and proper RDP configurations. Test thoroughly with different devices and ensure your access policies are robust enough to handle varying scenarios.