Enable the Edge Security Pack (ESP) with RD Web Access.
Currently the LoadMaster does not officially support ESP for Microsoft's RD Web Access. This is due to the request methods Microsoft uses (RDG_IN_DATA and RDG_OUT_DATA) when launching the downloaded RDP file.
To overcome this incompatibility, the LoadMaster can use content rules to separate the initial HTTPS authentication request and forward it to a SubVS where ESP is enabled. Subsequent requests are then routed to another SubVS that handles the specific RDG request methods.
Create Two Content Rules
In the LoadMaster Web User Interface (WUI), go to Rules and Checking > Content Rules > Create New Rule.
- Rule 1
Match String = RDG_IN_DATA
- Rule 2
Match String = RDG_OUT_DATA
Create Two SubVSs
In the WUI, go to Virtual Services > View/Modify Services > Modify > Real Servers > Add SubVS and name them accordingly.
Configure the ESP SubVS as a regular RD Web Access Virtual Service with ESP enabled. See the ESP Guide.
Configure the RDP-Web-App SubVS as a regular RD Gateway Virtual Service with ESP not enabled.
Enable Content Switching
To enable content switching, follow the steps below:
- In the WUI, go to Virtual Services > View/Modify Services > Modify.
- Expand the Advanced Properties section.
- Enable Content Switching.
- In the SubVSs section there will be a new column called Rules. Click None and assign the default rule to the ESP SubVS.
- Assign the two previously created rules to the RDP-Web-App SubVS.
- SubVS-1 (ESP) will be your RD Web Access VS, and SubVS-2 (RDP-Web-App) will be your RD Gateway VS. Please note that this assumes you have forced your RD Gateway traffic over port 443, and not UDP 3391.
- Your ESP SubVS will be configured with whatever authentication methods your environment supports on the backend. The LoadMaster can only send the user credentials to the RD servers using Basic Authentication or Kerberos. For this KB we will use Basic Authentication.
Enable Basic Authentication for RDWeb Access
Forms Based Authentication is enabled by default for RDS. It must be disabled or RDS will prompt the user to authenticate again. To do this, follow the steps below:
- On the RD Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the left pane of the IIS Manager, expand the server name, expand Sites, expand Default Web Site, expand RDWeb, and then click Pages.
- In the middle pane, under IIS, double-click Authentication.
- Click Basic Authentication and click the Enable button in the Actions pane on the right.
- Click Anonymous Authentication and click Disable in the Actions pane.
- Run a standard IISReset (IISReset /noforce if desired) in the command prompt to apply these changes.
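The IIS steps above can also be scripted. The following PowerShell is an added example, not part of the original KB or Kemp's own tooling; it assumes the default RD Web Access path named above (Default Web Site > RDWeb > Pages), an elevated session on the RD Web Access server, and the WebAdministration and ServerManager modules that ship with Windows Server.

```powershell
# Added example: scripted form of the IIS Manager steps above (run elevated).
# Assumption: RD Web Access uses the default path named in the article.
Import-Module WebAdministration

$apphost  = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/RDWeb/Pages'
$authRoot = 'system.webServer/security/authentication'

function Get-AuthState {
    # Return the enabled flag of each authentication scheme at $location.
    foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication') {
        $attr = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
            -Filter "$authRoot/$scheme" -Name enabled
        [pscustomobject]@{ Scheme = $scheme; Enabled = [bool]$attr.Value }
    }
}

# Basic Authentication is an optional IIS role service; fail early if absent.
if (-not (Get-WindowsFeature -Name Web-Basic-Auth).Installed) {
    throw 'Web-Basic-Auth is not installed; add the role service first.'
}

# Record the current state so the change can be reviewed or rolled back.
Write-Host 'Before:'
Get-AuthState | Format-Table -AutoSize

# Basic Authentication carries credentials base64-encoded, not encrypted,
# so this path must only be reachable over HTTPS.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authRoot/basicAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authRoot/anonymousAuthentication" -Name enabled -Value $false

# Confirm the result matches the article: Basic on, Anonymous off.
$state = Get-AuthState
Write-Host 'After:'
$state | Format-Table -AutoSize
$basic = ($state | Where-Object Scheme -eq 'basicAuthentication').Enabled
$anon  = ($state | Where-Object Scheme -eq 'anonymousAuthentication').Enabled
if (-not $basic -or $anon) {
    throw "Unexpected authentication state at $location"
}

# Apply the change, as in the last step above.
iisreset /noforce
```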
For more information on configuring ESP, please refer to our ESP Feature Description: https://support.kemptechnologies.com/hc/en-us/articles/203125029