ESP with Remote Desktop (RD) Web Access

Scope

Enable the Edge Security Pack (ESP) with RD Web Access.

Currently the Load Master does not officially support ESP for Microsoft's RD Web Access. This is due to the request methods Microsoft use (RDG_IN_DATA and RDG_OUT_DATA) when launching the downloaded RDP file.   

Solution

To overcome this incompatibility, the Load Master can separate the initial HTTPS authentication request using content rules and forward that to a SubVS where ESP will be enabled. Subsequent requests will then be routed to another SubVS that will handle the RPC Connections

 

Note: When you connect to your RD Web App you will be forced to Re-authenticate when connecting to your Remote Application. This is the same behavior as when connecting with Chrome or FireFox. You won't achieve true Singe Sign On behaviour that you experience with Internet Explorer or Edge. 

 

Configuration

Create Two Content Rules

In the LoadMaster Web User Interface (WUI), go to Rules and Checking > Content Rules > Create New Rule.

  • Rule 1

Match String = RDG_IN_DATA

 

  • Rule 2

Match String = RDG_OUT_DATA

 

Set "Add HTTP Headers" to "None"

Navigate to your VS > Advanced Properties >  Add HTTP Headers = "none"

 

 

Create Two SubVSs

In the WUI, go to Virtual Services > View/Modify Services > Modify > Real Servers > Add SubVS and name them accordingly. 

Configure ESP Sub VS as a regular RD Web Access Virtual Service with ESP Enabled. See ESP Guide Guide

https://support.kemptechnologies.com/hc/en-us/articles/203125029-Edge-Security-Pack-ESP-

 

Enable Content Switching

To enable content switching, follow the steps below:

    1. In the WUI, go to Virtual Services > View/Modify Services > Modify.
    2. Expand the Advanced Properties section.
    3. Enable Content Switching

    4. In the SubVSs section there will be a new column called Rules. Click None and assign the Default rule to the First ESP SubVS. You will then assign your two RDG_IN_DATA & RDG_OUT_DATA Rules to your Second Sub VS

 

Configure SubVS's

  • Sub VS-1 (ESP) will be your RD Web Access VS, Sub VS-2 will handle your RDP traffic. Within Sub VS-2 you will also be required to Set "Add HTTP Headers" to "None" Found under Advanced Properties. 
  • Your ESP SubVS will be configured with whatever authentication methods that your environment supports on the backend. The Load Master can only send the user credentials to the RD servers using Basic Authentication or Kerberos, for this KB we will use Basic Authentication.

 

 

Enable Basic Authentication for RDWeb Access

Forms Based Authentication is enabled by default for RDS. It must be disabled or RDS will prompt the user to authenticate again. To do this, follow the steps below:

  1. On the RD Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the left pane of the IIS Manager, expand the server name, expand Sites, expand Default Web Site, expand RDWeb, and then click Pages.
  3. In the middle pane, under IIS, double-click Authentication.
  4. Click Basic Authentication and click the Enable button in the Actions pane on the right.
  5. Disable Anonymous Authentication
  6. Run a standard IISReset (IISReset /noforce if desired) in the command prompt to apply these changes.

 

For more information on configuring ESP, please refer to our ESP Feature Description: https://support.kemptechnologies.com/hc/en-us/articles/203125029

 

Was this article helpful?

1 out of 2 found this helpful

Comments

Avatar
abelenkiy

Please include the steps in "Create Two SubVSs" the section is not shown as such.

Avatar
ryan.mangan

The Configuration shown in this example looks to be for RDweb and Gateway, as the screenshot shows RPC in IIS ? Is this configuration required for RDWeb without the Gateway Role installed ?