Forum Discussion

Laurence1
Dec 15, 2023

F5 APM Webtop - RDP Session Logging

Hello F5 Experts,

I am relatively new to the F5 advanced ecosystem, am trying to generate useful logs from our APM Webtop environment and am hoping that someone can point me in the correct direction.

I am trying to log the following things from our environment:

  • Initial logins to the Webtop, including ClientIP, Webtop portal address, Browser UserAgent, Client Username.
  • (Optional) Client group membership/published resources when they log into Webtop.
  • When a client opens a Web Portal Access from within Webtop, including ClientIP, Webtop portal address, Browser UserAgent, Client Username, Web Portal Access Address. (It would be good to get their session duration for this, but that might not be feasible.)
  • When a client opens an RDP link from within the Webtop, including ClientIP, Webtop portal address, Browser UserAgent, Client Username, RDP Address, SessionCookie(?).
  • When a client connects to an RDP session through the Webtop using one of the downloaded links, including ClientIP, Webtop portal address, Client Username, RDP Address, SessionCookie(?), Session start and end time (maybe two different log events?).

From what I can tell this is likely to be an iRule. I think I have an idea how to do the Webtop portal logging, but what is really eluding me is how to log the RDP session connection and duration.

Any help or a direction where to look would be greatly appreciated. 

Thank you,

  • It's great that you have such a detailed list. APM stores user session data in "session variables" that are available for user-display, logging, rule evaluation, etc. The user's truncated session ID is automatically included in all system-generated logs (except for some at the very beginning of a native mode RDP/Citrix connection where we don't know what the session is yet) 

    Let's talk about each one of your requirements.

    • Initial logins to the Webtop, including ClientIP, Webtop portal address, Browser UserAgent, Client Username.

    APM has an Informational-level "New session from..." message that you have probably seen; it includes the BIG-IP virtual server that services the connection, a user-agent, and a client IP. The username is unknown until the session executes and obtains that information, so you'll have to put logging agents or iRules in for that. If you use iRules, fire those after the session has been fully started. The iRule event for this is called ACCESS_POLICY_COMPLETED.

     

    • When a client opens an RDP link from within the Webtop, including ClientIP, Webtop portal address, Browser UserAgent, Client Username, RDP Address, SessionCookie(?).
    • When a client connects to an RDP session through the Webtop using one of the downloaded links, including ClientIP, Webtop portal address, Client Username, RDP Address, SessionCookie(?), Session start and end time (maybe two different log events?).

    This is a little more tricky. If you enable VDI informational-level logging, you'll see a lot of data that IIRC includes most of this information. Check it out and see if it works for you. If you want to do timing, you'll have to record a "start time" associated with that link, then figure out what happens at the end of the RDP session. This could vary greatly depending on whether users time out or force-close, or allow their session to expire, or log out, etc. A local proxy like Fiddler or an equivalent can help you figure out exactly which URLs your client accesses during different usage. Once you know these URLs, you can use a technique with iRules like this to detect and log (you'd substitute log statements and the RDP URL for the VPN URL):

    https://my.f5.com/manage/s/article/K27804015
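Below is an added iRule sketch (written for this page; it is not code from the reply above, from the K27804015 article, or from F5) that wires the three log points the reply describes together: a login record at ACCESS_POLICY_COMPLETED, an RDP-launch record when a Webtop link is clicked, and an end record when the APM session closes. The session variable names used (session.logon.last.username, session.user.clientip, session.user.agent, session.server.landinguri, session.policy.result) are standard APM variables; everything else is an assumption: the `/rdp-launch-placeholder/` path is a stand-in for whatever URL you actually find with Fiddler, `session.custom.rdp.*` are custom variables invented here to carry the start time, and the `local0.` facility is just a convenient default.

```tcl
# Added example iRule for APM Webtop audit logging. Not from the original
# thread or from F5 documentation. Attach to the APM access virtual server.
#
# Assumptions (not confirmed by the thread):
#  - "/rdp-launch-placeholder/" stands in for the real Webtop RDP launch URL,
#    which you must discover with a local proxy as the reply suggests.
#  - session.custom.rdp.* are custom session variables defined here only.
#  - Logging goes to local0.; swap for an HSL pool if you ship logs remotely.

when ACCESS_POLICY_COMPLETED {
    # Fires after the policy finishes, so the username is populated.
    set sid    [ACCESS::session sid]
    set user   [ACCESS::session data get "session.logon.last.username"]
    set cip    [ACCESS::session data get "session.user.clientip"]
    set ua     [ACCESS::session data get "session.user.agent"]
    set land   [ACCESS::session data get "session.server.landinguri"]
    set result [ACCESS::session data get "session.policy.result"]
    # Only sessions that reach the Webtop are interesting for the login audit;
    # denies are still logged so failed logons are visible.
    log local0.info "WEBTOP_LOGIN sid=$sid vs=[virtual name] user=$user client=$cip landing=$land result=$result ua=\"$ua\""
}

when HTTP_REQUEST {
    # Ignore requests that are not bound to an established APM session.
    if { ![ACCESS::session exists] } { return }

    set path [string tolower [HTTP::path]]
    # ASSUMPTION: placeholder path; replace with the real RDP launch URL.
    if { [string match "/rdp-launch-placeholder/*" $path] } {
        set sid  [ACCESS::session sid]
        set user [ACCESS::session data get "session.logon.last.username"]
        set now  [clock seconds]
        # Remember the launch so ACCESS_SESSION_CLOSED can compute a duration.
        ACCESS::session data set "session.custom.rdp.start" $now
        ACCESS::session data set "session.custom.rdp.uri" [HTTP::uri]
        log local0.info "RDP_LAUNCH sid=$sid user=$user client=[IP::client_addr] host=[HTTP::host] uri=[HTTP::uri] ua=\"[HTTP::header User-Agent]\" start=$now"
    }
}

when ACCESS_SESSION_CLOSED {
    # Fires when the APM session ends (logout, inactivity timeout, admin kill).
    # Caveat: this marks the end of the APM session, not the moment the RDP
    # client disconnected; the native RDP transport may end earlier or later.
    set start [ACCESS::session data get "session.custom.rdp.start"]
    if { $start ne "" } {
        set now [clock seconds]
        set user [ACCESS::session data get "session.logon.last.username"]
        set uri  [ACCESS::session data get "session.custom.rdp.uri"]
        log local0.info "RDP_SESSION_END sid=[ACCESS::session sid] user=$user uri=$uri start=$start end=$now duration=[expr {$now - $start}]"
    }
}
```

The launch and end records share the APM session ID, so a SIEM can join them without needing the RDP session cookie itself; the duration is only as accurate as the session-close event, which is the same limitation the reply points out about timeouts versus explicit logouts.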