Manual Chapter : Authenticating Standalone View Clients with APM

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 12.0.0
Manual Chapter

Authenticating Standalone View Clients with APM

Overview: Authenticating View Clients with APM

Access Policy Manager® can present VMware View logon pages on a View Client, perform authentication, and load-balance VMware View Connection Servers. APM™ supports the PCoIP (PC over IP) display protocol for the virtual desktop.

A View Client makes connections to support different types of traffic between it and a View Connection Server. APM supports these connections with two virtual servers that share the same destination IP address. You must configure one virtual server to serve each of these purposes:

  • View Client authentication and View Connection Server load-balancing
  • Handle PCoIP traffic

Task summary

About the iApp for VMware Horizon View integration with APM

An iApps® template is available for configuring Access Policy Manager® and Local Traffic Manager™ to integrate with VMware Horizon View. The template can be used on the BIG-IP® system to create an application service that is capable of performing complex configurations. You can download the template from the F5® DevCentral™ iApp Codeshare wiki at https://devcentral.f5.com/wiki/iApp.VMware-Applications.ashx. A deployment guide is also available there.

Creating a pool of View Connection Servers

You create a pool of View Connection Servers to provide load-balancing and high-availability functions.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, using the New Members setting, add each View Connection Server that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. In the Service Port field, type 443 (if your View Connection Servers use HTTPS), or type 80 (if your View Connection Servers use HTTP).
      By default, View Connection Servers use HTTPS. However, if you configure your View Connection Servers for SSL offloading, they use HTTP.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Configuring a VMware View remote desktop resource

Configure a VMware View remote desktop resource so that you can log on to a View Connection Server and gain access to a standalone View Client, or launch a View desktop from an Access Policy Manager® (APM®) webtop, depending on the access policy.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops > Remote Desktops List .
    The Remote Desktops list opens.
  2. Click Create.
    The New Resource screen opens.
  3. For the Type setting, select VMware View.
  4. For the Destination setting, select Pool and from the Pool Name list, select a pool of View Connection Servers that you configured previously.
  5. For the Server Side SSL setting:
    • Select the Enable check box if your View Connection Servers use HTTPS (default).
    • Clear the Enable check box if your View Connection Servers use HTTP; that is, they are configured for SSL offloading.
  6. In the Single Sign-On area, select the Enable SSO check box for single sign-on to a View Connection Server after logging in to APM®.
    Additional fields display. The SSO Method list displays Password-based; you must also configure credential sources.
    1. In the Username Source field, accept the default or type the session variable to use as the source for the SSO user name.
    2. In the Password Source field, accept the default or type the session variable to use as the source for the SSO user password.
    3. In the Domain Source field, accept the default or type the session variable to use as the source for the SSO user domain.
  7. In the Customization Settings for language_name area, type a Caption.
    The caption is the display name of the VMware View resource on the APM full webtop.
  8. Click Finished.
    All other parameters are optional.
This creates the VMware View remote desktop resource. To use it, you must assign it along with a full webtop in an access policy.

Configuring a full webtop

You can use a full webtop to provide web-based access to VMware View and other resources.
  1. On the Main tab, click Access Policy > Webtops .
    The Webtops screen displays.
  2. Click Create.
    The New Webtop screen opens.
  3. In the Name field, type a name for the webtop.
  4. From the Type list, select Full.
    The Configuration area displays with additional settings configured at default values.
  5. Click Finished.
The webtop is now configured and appears in the webtop list.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select one these options:
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • SSO: Select to configure matching virtual servers for Single Sign-On (SSO).
      Note: No access policy is associated with this type of access profile
    • RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication: Select to configure administrator access to the BIG-IP® system (when using APM as a pluggable authentication module).
    • Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      Note: You can edit Identity Service profile properties.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Creating an access policy for View Client authentication

Before you can create this access policy, configure the AAA server (or servers) to use for authentication.
Note: The View Client supports authentication with Active Directory domain credentials (required) and with an RSA SecureID PIN (optional).
Create an access policy so that a View Client can use a View desktop after logging on and authenticating with Access Policy Manager® (APM®).
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type client in the search field, select Client Type from the results list, and click Add Item.
    The Client Type action identifies clients and enables branching based on the client type.
    A properties screen opens.
  5. Click Save.
    The properties screen closes. The visual policy editor displays the Client Type action. A VMware View branch follows it. Add the remaining actions on the VMware View branch.
  6. Configure logon and authentication actions for Active Directory:
    Active Directory authentication is required.
    1. Click the (+) sign on the VMware View branch. An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on
    2. On the Logon tab, select VMware View Logon Page, and click Add Item.
      A properties screen displays.
    3. From the VMware View Logon Screen Type list, retain the default setting Windows Password.
    4. In the VMware View Windows Domains field, type domain names separated by spaces to use for Active Directory authentication.
      Type at least one domain name. These domains names are displayed on the View Client.
    5. Click Save.
      The properties screen closes and the visual policy editor displays.
    6. Click the plus (+) icon after the previous VMware View Logon Page action.
      A popup screen opens.
    7. On the Authentication tab, select AD Auth, and click Add Item.
    8. From the Server list, select an AAA server and click Save.
      The properties screen closes.
  7. Assign a full webtop and the VMware View remote desktop resource that you configured previously.
    1. Click the (+) sign after the previous action.
    2. Type adv in the search field, select Advanced Resource Assignment from the results, and click Add Item.
      A properties screen displays.
    3. Click Add new entry.
      A new line is added to the list of entries.
    4. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    5. On the Remote Desktop tab, select the VMware View remote desktop resource that you configured previously.
    6. On the Webtop tab, select a full webtop and click Update.
      The properties screen closes and the resources you selected are displayed.
    7. Click Save.
      The properties screen closes and the visual policy editor displays.
  8. To use RSA SecurID authentication in addition to Active Directory authentication, insert logon and authentication actions for RSA SecurID:
    1. Click the (+) icon anywhere in your access profile to add a new action item.
      A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. On the Logon tab, select VMware View Logon Page, and click Add Item.
      A properties screen displays.
    3. From the VMware View Logon Screen Type list, select RSA SecurID.
    4. In the VMware View Windows Domains field, type the domain names to use for logon.
    5. Click Save.
      The properties screen closes and the visual policy editor displays.
    6. Click the plus (+) icon after the previous VMware View Logon Page action.
      A popup screen opens.
    7. On the Authentication tab, select RSA SecurID, and click Add Item.
    8. From the Server list, select the AAA server that you created previously and click Save.
      The properties screen closes.
  9. Optional: If you want to display a message to the user inside of the View Client (for example, a disclaimer or acceptable terms of use), this is how you do it:
    1. Click the (+) icon anywhere in your access profile to add a new action item.
      A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. On the Logon tab, select VMware View Logon Page, and click Add Item.
      A properties screen displays.
    3. From VMware View Logon Screen Type, select Disclaimer
    4. In the Customization area from the Language list, select the language for the message.
    5. In the Disclaimer message field, type the message to display on the logon page.
    6. Click Save.
      The properties screen closes and the visual policy editor displays.
    You have configured a logon page that displays a logon page with a message on a View Client.
  10. On the fallback branch between the last action and Deny, select the Deny check box, click Allow, and click Save.
  11. Click Apply Access Policy.

You have an access policy that displays at least one logon page, and authenticates a View Client against Active Directory before assigning resources to the session. At most, the policy displays three logon pages and performs two-factor authentication before assigning resources to the session.

Sample access policy with single-factor authentication for VMware View

Example access policy with single-factor authentication for View Client

Sample access policy with two-factor authentication for VMware View

Example access policy with two-factor authentication for View Client

To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Creating a connectivity profile

You create a connectivity profile to configure client connections.
  1. On the Main tab, click Access Policy > Secure Connectivity .
    A list of connectivity profiles displays.
  2. Click Add.
    The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. Select a Parent Profile from the list.
    APM® provides a default profile, connectivity.
  5. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile displays in the list.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Verifying the certificate on a View Connection Server

Before you start, obtain the CA certificate that was used to sign the SSL certificate on View Connection Servers and obtain a Certificate Revocation List (CRL).
You install the CA certificate and CRL, then update the server SSL profile to use them only if you want the BIG-IP system to check the validity of the certificate on the View Connection Server.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    The SSL Certificate List screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Name setting, do one of the following:
    • Select the Create New option, and type a unique name in the field.
    • Select the Overwrite Existing option, and select a certificate name from the list.
  5. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
  6. Click Import.
    The SSL Certificate List screen displays. The certificate is installed.
  7. Click the Import button.
  8. From Import Type list, select Certificate Revocation List.
  9. For Certificate Revocation List Name, type a name.
  10. For Certificate Revocation List Source, select Upload File and browse to select the CRL you obtained earlier.
  11. Click Import.
    The SSL Certificate List screen displays. The CRL is installed.
  12. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The SSL Server profile list screen opens.
  13. Click the name of the server SSL profile you created previously.
    The Properties screen displays.
  14. Scroll down to the Server Authentication area.
  15. From the Server Certificate list, select require.
  16. From the Trusted Certificate Authorities list, select the name of the certificate you installed previously.
  17. From the Certificate Revocation List (CRL) list, select the name of the CRL you installed previously.
  18. Click Update.
The BIG-IP system is configured to check the validity of the certificate on the View Connection Server.

Configuring an HTTPS virtual server for View Client authentication

Before you start configuring an HTTPS virtual server for View Client authentication, create a connectivity profile in Access Policy Manager®. (Default settings are acceptable.)
Create this virtual server to support View Client authentication. This is the virtual server that users will specify in the View Client.
Note: This is one of two virtual servers that you must configure for View Client connections. Use the same destination IP address for each one.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
    Use this same IP address for the virtual servers you create to handle PCoIP and UDP traffic.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the HTTP Profile list, select http.
  7. For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
  8. For the SSL Profile (Server) setting, select pcoip-default-serverssl.
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  11. From the Connectivity Profile list, select the connectivity profile.
  12. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  13. Locate the Resources area of the screen and from the Default Persistence Profile list, select one of these profiles:
    • cookie - This is the default cookie persistence profile. Cookie persistence is recommended.
    • source_addr - This is the default source address translation persistence profile. Select it only when the cookie persistence type is not available.
  14. Click Finished.
A virtual server handles View Client access and handles XML protocol data.

Configuring a UDP virtual server for PCoIP traffic

Create this virtual server to support a PC over IP (PCoIP) data channel for View Client traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address.
    Note: Type the same IP address as the one for the View Client authentication virtual server.
  5. In the Service Port field, type 4172.
  6. From the Protocol list, select UDP.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Access Policy area, from the VDI Profilelist, select a VDI profile.
    You can select the default profile, vdi.
  9. Click Finished.
This virtual server is configured to support PCoIP transport protocol traffic for VMware View Clients.

Configuring virtual servers that use a private IP address

If you configured the HTTPS and UDP virtual servers with a private IP address that is not reachable from the Internet, but instead a publicly available device (typically a firewall or a router) performs NAT for it, you need to perform these steps.
You update the access policy by assigning the variable view.proxy_addr to the IP address that the client uses to reach the virtual server. Otherwise, a View Client cannot connect when the virtual servers have a private IP address.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  5. Click the change link next to the empty entry.
    A popup screen displays two panes, with Custom Variable selected on the left and Custom Expression selected on the right.
  6. In the Custom Variable field, type view.proxy_addr.
  7. In the Custom Expression field, type expr {"proxy address"} where proxy address is the IP address that the client uses to reach the virtual server.
  8. Click Finished to save the variable and expression and return to the Variable Assign action popup screen.
  9. Click Save.
    The properties screen closes and the visual policy editor displays.
  10. Click the Apply Access Policy link to apply and activate the changes to the access policy.