ESP with Remote Desktop (RD) Web Access

Scope

Enable the Edge Security Pack (ESP) with RD Web Access.

Currently, the LoadMaster does not officially support ESP for Microsoft's RD Web Access. This is due to the request methods Microsoft uses (RDG_IN_DATA and RDG_OUT_DATA) when launching the downloaded RDP file.

Solution

To overcome this incompatibility, the LoadMaster can use content rules to separate the initial HTTPS authentication request and forward it to a SubVS where ESP is enabled. Subsequent requests are then routed to another SubVS that handles the specified request methods.

Configuration

Create Two Content Rules

In the LoadMaster Web User Interface (WUI), go to Rules and Checking > Content Rules > Create New Rule.

  • Rule 1

Match String = RDG_IN_DATA

  • Rule 2

Match String = RDG_OUT_DATA

Create Two SubVSs

In the WUI, go to Virtual Services > View/Modify Services > Modify > Real Servers > Add SubVS and name them accordingly. 

Configure the ESP SubVS as a regular RD Web Access Virtual Service with ESP enabled. See the ESP Guide:

https://support.kemptechnologies.com/hc/en-us/articles/203125029-Edge-Security-Pack-ESP-

Configure the RDP-Web-App SubVS as a regular RD Gateway Virtual Service with no ESP enabled.

Enable Content Switching

To enable content switching, follow the steps below:

    1. In the WUI, go to Virtual Services > View/Modify Services > Modify.
    2. Expand the Advanced Properties section.
    3. Enable Content Switching.

    4. In the SubVSs section there will be a new column called Rules. Click None and assign the default rule to the ESP SubVS.

    5. Assign the two previously created rules to the RDP-Web-App SubVS.

Configure the SubVSs

  • Each SubVS will be configured as a normal RD Web Access Virtual Service. No persistence is required in either SubVS.
  • Your ESP SubVS will be configured with whichever authentication methods your environment supports on the backend. The LoadMaster can only send the user credentials to the RD servers using Basic Authentication or Kerberos (after the user is authenticated to the authentication provider).

Enable Basic Authentication for RDWeb Access

Forms Based Authentication is enabled by default for RDS. It must be disabled or RDS will prompt the user to authenticate again. To do this, follow the steps below:

  1. On the RD Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the left pane of the IIS Manager, expand the server name, expand Sites, expand Default Web Site, expand RDWeb, and then click Pages.
  3. In the middle pane, under IIS, double-click Authentication.
  4. Click Basic Authentication and click the Enable button in the Actions pane on the right.
  5. Disable Anonymous Authentication.
  6. Run a standard IISReset (IISReset /noforce if desired) in the command prompt to apply these changes.
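
The IIS Manager steps above can also be applied and verified from PowerShell. This is an added example, not part of the original article or the vendor's tooling; it assumes an elevated session, the WebAdministration module, the Basic Authentication role service installed, and RD Web Access at its default location (Default Web Site/RDWeb/Pages).

```powershell
# Added example, not vendor code. Assumptions: elevated session, the
# WebAdministration module, the Basic Authentication role service
# (Web-Basic-Auth) installed, and RD Web Access at its default location.
Import-Module WebAdministration

$location = 'Default Web Site/RDWeb/Pages'
$authRoot = '/system.webServer/security/authentication'

# Desired state from steps 4 and 5: Basic enabled, Anonymous disabled.
$desired = [ordered]@{
    basicAuthentication     = $true
    anonymousAuthentication = $false
}

function Get-AuthEnabled {
    param([Parameter(Mandatory)][string]$Scheme)
    # Authentication sections are read at server level with a location path.
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authRoot/$Scheme" -Name enabled).Value
}

$changed = $false
foreach ($scheme in $desired.Keys) {
    if ((Get-AuthEnabled -Scheme $scheme) -ne $desired[$scheme]) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter "$authRoot/$scheme" -Name enabled -Value $desired[$scheme]
        $changed = $true
    }
}

# Step 6: restart IIS only when something was actually changed.
if ($changed) { & iisreset.exe /noforce }

# Verify the effective settings and fail loudly on any mismatch.
$report = foreach ($scheme in $desired.Keys) {
    [pscustomobject]@{
        Scheme   = $scheme
        Enabled  = Get-AuthEnabled -Scheme $scheme
        Expected = $desired[$scheme]
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Enabled -ne $_.Expected }) {
    throw "Authentication settings for '$location' do not match the procedure."
}
```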

For more information on configuring ESP, please refer to our ESP Feature Description: https://support.kemptechnologies.com/hc/en-us/articles/203125029

 

Comments

abelenkiy

Please include the steps in "Create Two SubVSs"; the section is not shown as such.

ryan.mangan

The configuration shown in this example looks to be for RDWeb and Gateway, as the screenshot shows RPC in IIS? Is this configuration required for RDWeb without the Gateway Role installed?