v11: RDP Access via BIG-IP APM - Part 2

In the first article in this series, I configured a full Webtop in APM with a static RDP host.  In this article, I’ll make some changes to the original configuration to allow users to specify an RDP host destination.

Modify the Access Policy

Immediately after the Active Directory authentication, on the successful branch, click the “+” and add a logon page.



In the logon page configuration, change the name (optional) to RDP Hostname, set the post variable and session variable names for field 1 to hostname, and change the type for field 2 to none. Then add some explanatory text to the Form Header Text field and specify Hostname in the text box for field 1. I also changed the Logon Button text to Continue instead of Logon, since the logon has already occurred.


Click Save. The policy should now look like the image in Figure 3.


Modify the RDP Resource

After closing the policy editor, I open the Remote Desktop (Access Policy->Application Access->Remote Desktops->Remote Desktops) and change the destination from the static resource I assigned in part 1 to the variable I created in the policy: %{session.logon.last.hostname}
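With this change the RDP destination is whatever the user types, so the value is worth checking before the resource uses it. One way to do that, as an added example that is not part of the original article: an iRule bound to an iRule Event agent placed after the RDP Hostname logon page. The agent ID validate_rdp_host, the suffix .rdp.example.com and the variable session.custom.rdp.host_ok are assumptions chosen for illustration.

```tcl
# Added example, not from the original article.
# Assumptions: an "iRule Event" agent with ID "validate_rdp_host" follows the
# RDP Hostname logon page, permitted hosts sit under the hypothetical suffix
# ".rdp.example.com", and session.custom.rdp.host_ok is a hypothetical
# variable that a later branch rule tests.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "validate_rdp_host" } { return }

    # Normalize what the user typed on the logon page.
    set raw  [ACCESS::session data get "session.logon.last.hostname"]
    set host [string tolower [string trim $raw]]
    set ok 0

    # Accept exactly one DNS label in front of the permitted suffix.
    # This rejects IP addresses, other domains, ports and stray characters.
    if { [string length $host] <= 253 &&
         [regexp {^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.rdp\.example\.com$} $host] } {
        set ok 1
    }

    if { $ok } {
        # Store the normalized value so the RDP resource uses what was checked.
        ACCESS::session data set "session.logon.last.hostname" $host
    } else {
        # Log a truncated, sanitized copy so the entry cannot be malformed
        # by whatever was typed into the field.
        set shown [regsub -all {[^a-z0-9.-]} [string range $host 0 63] "?"]
        set user  [ACCESS::session data get "session.logon.last.username"]
        log local0.warning "APM RDP host rejected for user $user: $shown"
    }

    # Expose the result to the access policy.
    ACCESS::session data set "session.custom.rdp.host_ok" $ok
}
```

Follow the agent with a branch rule such as expr { [mcget {session.custom.rdp.host_ok}] == 1 } and send the fallback branch to a Deny ending.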

Optional Customization

To provide a description on the button that includes the user-configured RDP host name, go to Access Policy->Customization, select the configured Remote Desktop, select the Localization tab in the menu, and configure the Caption and Detailed Descriptions. Use the same session variable from above in the description field.

Make sure the caption is configured for each of the languages you support. I only changed the English one in this example.  Next, apply the policy.

Testing the Changes

Now that my changes are complete, I can test them. The initial login screen is the same as in part 1:

Now I’m presented with the second logon page, this time asking for the host I'd like to connect to:

Note the Continue button label I set in the policy in place of Logon. Now, My Webtop shows the Caption (RDP Connection) and the Description (ad01.devcen…) that I defined in the customizations in the policy.

Finally, clicking on the button takes me to my desired resource:


This solution extended the functionality in part 1 to allow for dynamic configuration of the RDP host destination for user access.  In part 3, I’ll explore an iRules option for providing session history as part of the solution.



Published Sep 15, 2011
Version 1.0


  • Excellent series!

    Do you know if there is any way to use a session variable (similar to the hostname) to determine the port on the RDP resource? (Some people insist on setting their RDP servers up on non-standard ports.)

    Trying to use an extra field for the port and modifying the RDP resource results in a database error.

    Could this be done via iRule?



  • Is there a way to have a user click on an RDP on an existing webtop and then get prompted to change the destination host, like a way to redirect to a login page to make the change? I don't want users to enter a hostname before they get to the webtop, but only if they need to use the RDP connection.
  • Also, if using two-factor authentication rather than domain, the RDP session starts but it fails to pass through creds and password.
  • SLGizmo - If you do Two Factor Auth, be sure to capture the original login credentials. When you do two factor auth, the session.logon.last.password typically gets overwritten with the TFA passcode. Set up a step in your policy to set session.custom.last.username = session.logon.last.username after the login, but before the TFA. Do the same for password. When in your RDP profile under SSO, reference the session.custom.last.username and password.