HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM - · PDF fileHOBLink JWT is an advanced RDP Client for F5 BIG-IP Access Policy Manager (APM) deployments. This solution provides all BIG-IP

How to Install and Configure

HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

Software version: 1.0

Document version: 1.0

Issue: March 2014

HOB GmbH & Co. KGSchwadermühlstraße 390556 CadolzburgGermany

Phone: +49 9103 715 0Fax: +49 9103 715 3271

E-mail: [email protected]: www.hob.de

HOB, Inc.Headquarters NY245 Saw Mill River Road Suite # 106Hawthorne, NY 10532, USA

Phone: +1 866 914 9970

Fax: +49 9103 715 3299

E-mail: [email protected]: www.hobsoft.com

http://www.hob.de

HOBLink JWT 3.3 Plug-in 3.3 Plug-in for F5 BIG-IP APM APM Software and Documentation – Legal Notice

Contact: HOB GmbH & CO. KG. KG

Schwadermuehlstr. 3

90556 Cadolzburg

Represented by: Klaus Brandstätter, Zoran Adamovic

Phone: 0049‐91037150

Fax: 0049‐9103715271

E‐mail: [email protected]

Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA 5180

Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE 132 747 002

Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter, Zoran Adamovic,

Schwadermuehlstr. 3, 90556 Cadolzburg

Disclaimer

All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited.

HOBLink JWT 3.3 Plug‐in 3.3 Plug‐in for F5 BIG‐IP APM APM software and documentation have been tested and reviewed. Nevertheless,

HOB will not be liable for any loss or damage whatsoever arising from the use of any information or particulars in, or any error in, or

omission from this document. All information in this document is subject to change without notice, and does not represent a

commitment on the part of HOB.

Liability for content

The contents of this publication were created with great care and diligence. While we keep it as up‐to‐date as practicable, we cannot

take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we are responsible for

our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG. According to Chapters 8 to 10

of the TMG we are not obliged as a service provider to monitor transmitted or stored information not created by us, or to investigate

circumstances that indicate illegal activity. Obligations to remove or block the use of information under the general laws remain

unaffected. Liability is only possible however from the date of a specific infringement being made known to us. Upon notification of such

violations, the content will be removed immediately.

Liability for links

This publication may contain links to external websites over which we have no control. Therefore we can not accept any responsibility

for their content. The respective provider or operator of the website pages to which there are links is always responsible for the content

of the linked pages. The linked sites were checked at the time of linking for possible violations of the law. At the time the link was created

in this publication, no illegal or harmful contents had been identified. A continuous and on‐going examination of the linked pages is

unreasonable without concrete evidence of a violation. Upon notification of any violations, such links will be removed immediately.

Copyright

The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying, modifying,

adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written consent of the

respective author or creator. The downloading of, and making copies of, these materials is only permitted for private, non‐commercial

use. Where contents of this publication have not been created by the author, the copyright of the third parties responsible for these

contents shall be upheld. In particular any contents created by a third party are marked as such. If you become aware of any copyright

infringement within this publication, we kindly ask to be provided with this information. Upon notification of any such violation, the

concerned content will be removed immediately.

Trademarks

Microsoft Windows is a trademark of Microsoft Corporation. All other product names, company names and service names may be

trademarks, registered trademarks or service marks of their respective corporations or owners, even if they are not specifically marked

as such.

Issued: March 19, 2014

2 Connectivity Solutions by HOB

mailto:[email protected]

Purpose of this GuideThis guide is designed to provide users with detailed information concerning HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM and to help them make the best possible use of the application.

The procedures for configuring the individual software components are documented in detail with step-by-step instructions.

Symbols and ConventionsThis manual uses certain conventions and abbreviations, which are explained here:

Keys or key combinations are displayed in square brackets, e.g. [Space].

References to program commands and dialog boxes are printed in bold type, e.g. Select the command Open….

Cross-references to Section headings and Figures with numbers are marked in color as follows: Section 1 Overview.

Screen displays, file names and text to be entered by the user are displayed in the font Courier New. This input is – unless otherwise mentioned - case sensitive.

In this documentation, product names are abbreviated as follows:

This symbol indicates useful tips that can make your work easier.

This symbol indicates additional informative text.

This symbol indicates an important tip or procedure that may have far-reaching effects. Please consider carefully the consequences of any changes and settings you make here.

Product name Abbreviation

HOBLink Java Windows Terminal HOBLink JWT 3.3 Plug-in

Connectivity Solutions by HOB 3

4 Connectivity Solutions by HOB

Contents

1. Overview 7

1.1. What is HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM?................................. 7

1.2. JWT Exclusive Features................................................................................. 7

1.3. Advantages at a Glance ................................................................................ 8

1.4. Functions and Way of Operation ................................................................... 8

2. How to Install and Configure HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM 9

2.1. Configuring HOBLink JWT Single Sign-on Feature ....................................... 9

2.2. Installing and Configuring HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM.... 13

3. Information and Support 33

Security Solutions by HOB 1

2 Security Solutions by HOB

HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM Overview

1. Overview1.1. What is HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM?

HOBLink JWT is an advanced RDP Client for F5 BIG-IP Access Policy Manager

(APM) deployments. This solution provides all BIG-IP APM users a Remote

Desktop Client which enables communication with Microsoft Windows Remote

Desktop Services. HOB’s RDP is platform-independent and requires no client-side

installation, reducing IT admin efforts and TCO. This is a purely software-based

solution allowing you to leverage your existing physical/virtual IT infrastructure

without sacrificing security. No confidential/sensitive data remains on the remote

device.

Figure 1: HOBLink JWT RDP Client Hosted on an F5 BIG-IP

Figure 2: HOBLink JWT RDP Client Hosted on a Web Server

1.2. JWT Exclusive Features

Easyprint built-in technology is used to handle all your local printers (PCL, IP printer, Port Mapping printers, etc.)

Many installation options: On your local computer, Webserver, and BIG-IP APM deployment

Runs on every Java-capable web browser

Scanner devices, Smartcard authentication and application delivery are also supported when used in combination with HOB RD ES

Multi-monitor support


Overview HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

Resolution customization (full screen)

Local drive mapping

Small applet (fastest access)

1.3. Advantages at a Glance

HOBLink JWT iApp available for F5 BIG-IP APM

No installation and administration rights needed on client side – easily and quick-ly deployable

Tailor-made solution according to your needs, independent of operating systems used

Access to desktops is also possible

Perfect use of existing infrastructure for long-term protection of your investments

Scalable solution – adaptation to new circumstances made easy

Realizing trends like mobile workplaces is made simple

1.4. Functions and Way of Operation

HOBLink JWT is an HOB-owned RDP client for accessing remote desktop servers, VDI and desktop systems. It does not matter if you are using Windows-, UNIX-, Linux- or Mac OS applications. Due to the integrated load balancing mechanism all server inquiries are optimally distributed to the available hardware; allowing for perfectly distributed resources. By using this, users can easily and securely access central company resources from any client. The advantage: HOBLink JWT is completely platform-independent on the client side. You can flexibly decide which device is used. The users become more independent and can create an individual working environment according to their needs; significantly enhancing performance. Furthermore, HOBLink JWT requires no installation or administration rights on the client side. This saves time and reduces administration effort. So, even BYOD (Bring Your Own Device) becomes child´s play.


HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM How to Install and Configure HOBLink JWT

2. How to Install and Configure HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

2.1. Configuring HOBLink JWT Single Sign-on Feature

Figure 3: F5 BIG-IP APM Admin WebGUI

On the F5 BIG-IP APM WebGUI select the Main tab (Figure 3). Click the following sequence of options: Access Policy > Application Access > Remote Desktops > Remote Desktops. Then click the Create symbol (Figure 4).

If you would like to enable the Single Sign-on feature for the HOBLink JWT plugin, carefully read the Section 2.1. Configuring HOBLink JWT Single Sign-on Feature on page 9 before installing and configuring the HOBLink JWT for F5 APM. Otherwise, go to Section 2.2. Installing and Configuring HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM on page 13.


How to Install and Configure HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM HOBLink JWT

Figure 4: Access Policy Detail

Please use the parameters described in the picture below. The ACL Order parameter does not affect the final configuration. Enter the parameters at your convenience depending on your needs. The Auto Logon check box in the Auto Logon section must be activated and available on the F5 BIG-IP APM portal to work properly.

Figure 5: General Properties Parameters to Configure Single Sign-on Detail



Once you have entered the parameters go to Access Policy > Policy Profiles > Access Profiles List. Select the policy you would like to update from the list.

Figure 6: Access Profiles List Detail

In the next screen click Access Policy as shown in the figure below.

Figure 7: Access Policy Button Detail

Click on Edit Access Policy for Profile ... next to the Visual Policy Editor field as displayed in the figure below.

Figure 8: Edit Access Policy for Profile Detail

A new browser window will then appear. Select the Full Resource Assign box from the diagram as shown in the figure below.

Figure 9: Access Policy Diagram



From the new window which is displayed select Add/Delete.

Figure 10: Properties of Full Resources Assign

Select the Remote Desktop tab and check the remote desktop resource you have just created.

Figure 11: Remote Desktop

Click the Update button at the bottom of the window in Figure 11.



Click the Save button at the bottom of the window in Figure 10.

You are now back in the browser window you opened previously. Click Apply Access Policy in the upper-left corner of the page (Figure 12).Then click the green Close button in the upper-right corner of the same browser window.

Figure 12: Apply Access Policy Button

The HOBLink JWT Single Sign-on feature has now been configured on F5. A new resource will be displayed in the portal.

Figure 13: F5 Portal

2.2. Installing and Configuring HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

Download HOBLink JWT plugin for F5 BIG-IP APM.zip file from HOB’s FTP Server. In order to get access to HOB’s FTP Server, please contact your sales representative. This file contains three files.

F5-JWT_Plugin.zip which is the plugin itself.

F5-JWT_Plugin.tmpl, the iApp used to configure the plugin from the F5 BIG-IP APM admin WebGUI.

This guide.



Begin by logging into the F5 BIG-IP Admin WebGUI.

Figure 14: F5 BIG-IP APM Log In

You have now been directed to the F5 BIG-IP Admin WebGUI.

Figure 15: F5 BIG-IP APM Admin WebGUI

On the left side of the screen select Access Policy and click Hosted Content (Fig-ure 4). A new section is displayed.

On the upper-right side of the GUI click Upload.

A new dialog box Create New File is displayed. Click the Browse button and then select F5-JWT_Plugin.zip. Uploading starts automatically (see Figure 16).



Figure 16: Create New File Uploading

Once uploaded, type f5jwtplugin in the File Destination Folder field (see Figure 17). Then choose Upload and extract from the File Action menu.

Figure 17: Create New File

For demo purposes, under Secure Level, select public, otherwise select Session or Profile depending on your security needs. Then click OK

The upload and unzip process starts.

Once done, the uploaded files will be displayed in the F5 BIG-IP APM WebGUI.



Figure 18: F5 BIG-IP APM WebGUI Hosted Contact

Now it is time to upload the HOBLink JWT iApp template (F5-JWT_Plugin.tmpl) to F5 BIG-IP APM. The HOBLink JWT iApp sets up and configures the HOBLink JWT plugin. Multiple HOBLink JWT options and features can be configured (printers, display, drive mapping, etc).

In the Main tab click iApp and select Templates (see Figure 19 below). On the upper-right side click the Import… button.

Figure 19: Import File

Select the F5-JWT_Plugin.tmpl and click the Upload button (see Figure 19 above).

The F5-JWT_Plugin.tmpl is now displayed on the iApp Template List as shown in the figure below.



Figure 20: Template List

The HOBLink JWT 3.3 Plug-in can now be configured. From iApp, select Application Services and click the Create button. Choose a name for the new service (e.g. example) as shown below and select F5-JWT_Plugin from the Template list.

Figure 21: Template Selection

The HOBLink JWT 3.3 Plug-in iApp configuration form is displayed as below. Now set up the different JWT parameters to fit your requirements.



Figure 22: Template Selection Basic

If you have previously configured the HOBLink JWT Single Sing-on feature, go to Logon settings (see Figure 23 below) and set Use HOB Single Sign-On parameter to YES as well as setting the Logon automatically field to YES. Then, type the name of the remote desktop resource you created (e.g my_test) following the steps in Section 2.1. Configuring HOBLink JWT Single Sign-on Feature on page 9. Otherwise, jump to the next step.



Figure 23: Template Selection Basic Logon Settings

Once done, click the Finished button at the end of the page. A new application service has now been deployed (e.g. example).

Figure 24: Application Service

The HOBLink JWT 3.3 Plug-in now needs to be made available on the F5 BIG-IP APM Webtop.

It is assumed that Webtop, Virtual Servers and Policy Profiles were configured previously. For further information, please refer to the Configuration Guide for BIG-IP Access Policy Manager.


http://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/_jcr_content/pdfAttach/download/file.res/Configuration_Guide_for_BIG-IP_Access_Policy_Manager.pdf


On the left side of the screen, click Access Policy. A new section is displayed. Click Portal Access. On the upper right side of the screen click Create….

Figure 25: Create Button

A New Resource… form is now displayed as shown in the figure below.

Figure 26: Portal Access

The HOBLink JWT 3.3 Plug-in iApp produces an html configuration page (e.g. example.html, as displayed in the figure below) which is automatically hosted on the F5 BIG-IP APM Sandbox in the /f5jwtplugin directory. Important: make sure the directory matches!



Figure 27: Static File List

In the Item Type parameter Hosted Content must be selected.The html page previously generated (in our case, example.html) by the iApp should be selected in the Hosted Files parameter as displayed below. Click Create to finish.

Files created by the iApp must be deleted manually.



Figure 28: Plugin Sandbox

A Resource Items section appears automatically as displayed below. Click the Add button to create a new Item.

Figure 29: Resource Items

Point to the HOBLink JWT applet (jwtwebJ2.jar) hosted in the F5 BIG-IP APM sandbox, as described in the picture below.



Figure 30: New Resource Item Detail

The rest of the parameters should be selected as in the picture below. When you are done click Finished.

Figure 31: New Resource Item Complete Detail

Now the Portal Resource configuration looks like this…



Figure 32: Plug-in Sandbox End

Create a rewrite profile to sign the JWT applet as described below.

On the F5 BIG-IP APM menu, select Portal Access then Rewrite.

F5 BIG-IP APM rewrites the HOBLink JWT network API and signs it before it is delivered to the remote client (desktop computer or laptop) so a Portal Access Rewrite Profile must be configured.



Figure 33: Access Policy Rewrite

Now click on Create New Profile to create a new Portal Rewrite Profile (e.g. rewrite-portal). Set General Information section as in the figure below.

Figure 34: Create New Profile Rewrite

Set Portal (Access) section as in the figure below.



Figure 35: Create New Profile Rewrite Portal Access

Continue editing the rewrite profile by clicking on Java Patcher Settings to assign the certificates to this profile which will be used to sign the HOBLink JWT applet. A trusted certificate issued by a trusted certificate authority (Verisign, Thawte, etc) must be selected. Signer and Signing Key fields may be self generated.

Figure 36: Create Profile Rewrite JavaPatcher Settings

Under URI Translation, leave Settings as displayed in the figure below.



Figure 37: Create New Profile Rewrite Settings

Now, we must assign this rewrite profile to the virtual server in charge of serving the Portal. Go to Local Traffic > Virtual Servers > Virtual Server List.

Figure 38: Local Traffic

Select a virtual server and go to the Content Rewrite section. Select the rewriting profile you have just created. Leave HTML Profile as None.



Figure 39: Content Rewrite

Now click Access Policy > Access Profiles > Access Profiles List.

Figure 40: Access Profiles

From the profile list, choose the one you have previously configured.

Click on Access Policy.



Figure 41: Access Policy Button Detail

Under General Properties section click on Edit Access Policy for Profile as shown above.

The Access Policy editor is displayed in a new window.

Figure 42: Access Policy Diagram

Click Full Resource Assign. A new window overlaps the previous one. Click Add/Delete.



Figure 43: Properties of Full Resource Assign

Click Portal Access. The portal objects previously configured are displayed. Check the JWT portal object and then click on Update.

Figure 44: Portal Access Update

The window will then close. Click Save (see Figure 43) to commit changes.

Now, click Apply Access Policy to bring HOBLink JWT 3.3 to life.



Figure 45: Apply Access Policy Button

Figure 46: TMSH

Open a web browser and direct it to the F5 Portal.

Figure 47: F5 BIG-IP APM Log In

Log into the portal. Now the HOBLink JWT link is there. If HOBLink JWT 3.3 Plug-in Single Sign-on feature has been enabled, an additional link (e.g my_test) is also displayed.

Deleting the F5 cache:

F5 caches all previously downloaded HOBLink JWT applets. That means an old version of the HOBLink JWT applet could be downloaded if no Cache deletion is performed. Log into F5 command line as root user. Jump to the tmsh shell and run the command below.This will completely remove all outdated JWT applets hosted on the cache.



Figure 48: F5 Portal HOBLink JWT

Click the JWT_plugin_sandbox link and the application will be automatically launched on your desktop computer or laptop from the F5 BIG-IP APM Sandbox. Now you are ready to reach your corporate remote desktops through an F5 BIG-IP APM appliance.

Figure 49: RDP Window


HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM Information and Support

3. Information and SupportIf you would like further information about HOBLink JWT Plugin for F5 BIG-IP APM or if you need product support, please contact us at:

U.S.A. and Canada

Phone: +1 866 914 9970

Fax: + 49 9103 715 3299

E-mail: [email protected]

Germany

Phone: +49 9103 715 3161

Fax: +49 9103 715 3299


From Other Countries

Phone: +49 9103 715 3103

Fax: +49 9103 715 3299



Information and Support HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM


Documents

HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM - · PDF fileHOBLink JWT is an advanced RDP Client for F5 BIG-IP Access Policy Manager (APM) deployments. This solution provides all BIG-IP