Remote Desktop Gateway 2019 WON'T work with Sophos UTM WAF

Hi Mohamed Hasan 

I'd suggest checking this post once Sophos UTM: Securing Web Application Firewall (WAF) and also check this post for Remote Desktop Gateway 2016 https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/74448/running-remote-desktop-gateway-using-waf/409790

I have had the same problem trying to setup the WAF to publish Remote Desktop Gateway for server2019 and the issue, in the end, was two tick boxes in the site Path Routing

Now everything is working :) 

This is after spending 6 hours on the phone to Sophos level 1 & 2 and not getting anywhere and still waiting on a call from level 3

Hi Jaydeep,

I followed this post before and unfortunately did not work for me. I also gone tho the troubleshooting & other post with no luck.

So this is what I have setup under the firewall profile:

And under firewall exception:

Still get same errors. I also tried adding /remoteDesktopGateway into exception list and didn't make any difference. I'm sure it's something around the firewall and exception list but can't figure it out. I can confirm it's working with DNAT.

Hi Jack,

I Tried ticking them both but no luck :(

Do you mind if you share your firewall profile & exception list you are using?

I tried several combinations but can't get one right.

These are all the settings we have which work with our 2019 setup 

Firmware on our UTM is 9.605-1

Static URL Hardening

/rpc/*
/rpcWithCert/*
/rpc/rpcproxy.dll?localhost:3388
/rpc/rpcproxy.dll
/remoteDesktopGateway/*
/KdcProxy/*
/rpc/rpcproxy.dll?localhost:3389

Skip Filter Rules

960032
960035
960911
981172

/rpc/*
/rpcWithCert/*
/RDWeb/*
/RDweb/*
/rdweb/*
/KdcProxy/*
/KdcProxy
/remoteDesktopGateway/*
/remoteDesktopGateway
/remoteDesktopGateway/

Hope this helps you get it resolved

AWESOME!!

I got my gateway working! Thanks mate...

The portal comes up however breaks when I log in. Do you use RemoteApps?

Also why are you using https & redirect? If I'm using IIS redirect I don't need Sophos redirect correct? 

I'm trying to figure out how I can just type in my portal URL and it redirects to the full RDWeb URL. This is how I have it working with DNAT.

Don't worry about the RemoteApp portal. I guess my problem is I'm using Duo MFA which changes the URL after authenticating. I'll try to work it out.

Do you have RDG working on IOS or Andriod? Mine doesn't seem to work.

FYI, 

I got my mac to work and still working on getting my Andriod working with gateway.

I found out that as soon I added those three:

/remoteDesktopGateway
/remoteDesktopGateway/
/RemoteDesktopGateway/*

To the firewall profile and firewall exception everything started to work for me. All those other things you have enabled I found them not needed for me. Gateway works whether they are enabled or not.

If anyone can help me with the Andriod issue that would be great. This is what I see in the logs:

2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="254830" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84UAAAAK"
2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="255404" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84YAAAAI"
2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="219445" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84gAAAAI"
2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="228215" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84cAAAAK"
2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="155" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="302" reason="-" extra="-" exceptions="-" time="223668" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84oAAAAK"
2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="155" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="302" reason="-" extra="-" exceptions="-" time="231956" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84kAAAAI"
2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="1293" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="253576" url="/RDWeb" server="GATEWAY.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIYvYPlsAAN4A84sAAAAL"
2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="1293" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="252065" url="/RDWeb" server="GATEWAY.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIYvYPlsAAN4A84wAAAAO"

If anyone still reading...still can't get my Andriod RDP working using Remote Desktop Manager app.

Consider your threat profile.   

• The most important requirement is to ensure that only the right people are getting in.   This means that 2-factor authentication is critical.   Adding in country blocking or some other form of IP filtering would be an extra measure of protection.
     
• If the wrong people can log in, the consequences of what they do from the desktop session are much more worrisome than what they might try to push through the http-rdp protocol combination.
  
  
• Even if an authorized person decides to attack your environment, he is going to do it from the RDP session.
  
  
• So the final risk is malware on the remote device that somehow attacks after the authorized user gets his session established.  If such malware is present, what are the chances that your proposed WAF configuration will detect it?   Seems pretty low to me.   I think it requires a nation-state level of sophistication, and if you are up against that type of attack, UTM content filtering is probably not the solution.

Assuming that you have 2-factor authentication in place, I predict that you could run this WAF in monitor mode forever, and you will only see false positives in the logs.