How to configure ESP for Remote Desktop Web Access
Scope
Enable the Edge Security Pack (ESP) with RD Web Access.
Currently, the LoadMaster does not officially support ESP for Microsoft's RD Web Access. This is due to the request methods Microsoft use (RDG_IN_DATA and RDG_OUT_DATA) when launching the downloaded RDP file.
Solution
To overcome this incompatibility, the LoadMaster can separate the initial HTTPS authentication request using content rules and forward that to a SubVS where ESP will be enabled. Subsequent requests will then be routed to another SubVS that will handle the RPC Connections
Note: When you connect to your RD Web App you will be forced to Re-authenticate when connecting to your Remote Application. This is the same behavior as when connecting with Chrome or Firefox. You won't achieve true Single Sign-On behavior that you experience with Internet Explorer or Edge.
We currently don't support Forms Based Server Side. This is because RD Web Access Form expects specific information such as RD Broker certificate thumbprint and RD Broker Name etc..
This leaves you with Basic and Kerberos. If traffic is re-encrypted then we recommend Server Side Basic.
Configuration
Create Two Content Rules
In the LoadMaster Web User Interface (WUI), go to Rules and Checking > Content Rules > Create New Rule.
- Rule 1
Match String = RDG_IN_DATA
- Rule 2
Match String = RDG_OUT_DATA
Set "Add HTTP Headers" to "None"
Navigate to your VS > Advanced Properties > Add HTTP Headers = "none"
Create Two SubVSs
In the WUI, go to Virtual Services > View/Modify Services > Modify > Real Servers > Add SubVS and name them accordingly.
Configure ESP SubVS as a regular RD Web Access Virtual Service with ESP Enabled. See ESP Guide Guide
https://support.kemptechnologies.com/hc/en-us/articles/203125029-Edge-Security-Pack-ESP-
Enable Content Switching
To enable content switching, follow the steps below:
- In the WUI, go to Virtual Services > View/Modify Services > Modify.
- Expand the Advanced Properties section.
- Enable Content Switching
- In the SubVSs section there will be a new column called Rules. Click None and assign the Default rule to the First ESP SubVS. You will then assign your two RDG_IN_DATA & RDG_OUT_DATA Rules to your Second Sub VS
Configure SubVS's
- Sub VS-1 (ESP) will be your RD Web Access VS, Sub VS-2 will handle your RDP traffic. Within Sub VS-2 you will also be required to Set "Add HTTP Headers" to "None" Found under Advanced Properties.
- Your ESP SubVS will be configured with whatever authentication methods that your environment supports on the backend. The LoadMaster can only send the user credentials to the RD servers using Basic Authentication or Kerberos, for this KB we will use Basic Authentication.
Enable Basic Authentication for RDWeb Access
Forms Based Authentication is enabled by default for RDS. It must be disabled or RDS will prompt the user to authenticate again. To do this, follow the steps below:
- On the RD Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the left pane of the IIS Manager, expand the server name, expand Sites, expand Default Web Site, expand RDWeb, and then click Pages.
- In the middle pane, under IIS, double-click Authentication.
- Click Basic Authentication and click the Enable button in the Actions pane on the right.
- Disable Anonymous Authentication
- Run a standard IISReset (IISReset /noforce if desired) in the command prompt to apply these changes.
For more information on configuring ESP, please refer to our ESP Feature Description.
Related KB Articles:
How to Enable the Edge Security Pack (ESP) With ADFS on the LoadMaster
How to Enable ESP with Remote Desktop Gateway
Comments
The Configuration shown in this example looks to be for RDweb and Gateway, as the screenshot shows RPC in IIS ? Is this configuration required for RDWeb without the Gateway Role installed ?
abelenkiy
Please include the steps in "Create Two SubVSs" the section is not shown as such.