
WAF: Unable to publish Remote Desktop Gateway 2016

I am running UTM 9.506-2 and RD 2016, but cannot get clients to connect to the RD Gateway.
I've tried using the RDG template for Server 2008, but this no longer seems to be compatible.

Followed various walkthroughs online to no avail.

A few of the WAF errors:

  • AH01614: client used wrong authentication scheme: /remoteDesktopGateway/  
  • Failed to sync Outlook Session & The registered Outlook Session is in unexpected state 'BROKEN'
  • Errors on RDG_IN_DATA and RDG_OUT_DATA  (401, 503, 502, 503 codes)

Closest I got was greeted with this WEV error message:

  •  "The user user@domain, on client computer "xxx.xxx.xxx.xxx:xxxx", has initiated an outbound connection. This connection may not be authenticated yet."

I have tried following the advice at the end of this article, but it does not seem to work either now.

Wondering if there has been a change in how the RDG works in 2016, or if UTM just doesn't support it correctly.



This thread was automatically locked due to age.
  • Same here.

    Only RD gateway on Windows 2008 was working through WAF.

    Windows 2012 and newer have something different, and WAF cannot be used to publish RD gateway.

    I tried Sophos XG too and got the same result.

    Predefined policy is for RDgateway 2008 and it is useless.


    The only way to get it to work is to use DNAT, not WAF. So port 443 on one public IP address is gone for this.

  • I did find a workaround that does get it working

    Login to the UTM over SSH and, as root:

    cd /var/storage/chroot-reverseproxy/usr/apache/conf/

    vi reverseproxy.conf

    Find your WAF rule 

    eg:

    <VirtualHost x.x.x.x:443>

    ServerName rdgateway.fqdn.here

    Go down to the </Location> tag and enter the following lines underneath:

    <Location "/remoteDesktopGateway">

         ProxyPass "wss://rdgateway.fqdn.here/remoteDesktopGateway"

    </Location>


    Save the files and run:

    /var/mdw/scripts/reverseproxy restart


    This should then get it working again (works for me, especially with the new HTML Remote Desktop Web Client).


    Downside?
    Any future WAF change or system restart will REMOVE the above code, so it will need to be repeated after every reboot or WAF change.
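Because the edit above is lost on every reboot or WAF change, it is worth scripting. The POSIX shell script below is an added example (not from the original post and not a Sophos tool): it inserts the same Location block after the first </Location> of the matching VirtualHost, skips the insert if the block is already present, and includes a constructed sample config for an offline dry run. The config path from the post and the FQDN are parameters, not hard-coded.

```shell
#!/bin/sh
# Re-apply the /remoteDesktopGateway websocket ProxyPass to a UTM
# reverseproxy.conf. CONF is assumed to be
# /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf on a real UTM.
add_rdg_websocket_location() {
  conf="$1"; fqdn="$2"
  # Idempotent: leave the file alone if the block survived.
  if grep -q '<Location "/remoteDesktopGateway">' "$conf"; then
    echo "already present"
    return 0
  fi
  # Track the VirtualHost whose ServerName matches, then add the block
  # directly after its first </Location>, as the post describes.
  awk -v fqdn="$fqdn" '
    /^[[:space:]]*<VirtualHost/ { inhost = 0 }
    /^[[:space:]]*ServerName[[:space:]]/ { inhost = ($2 == fqdn) }
    { print }
    inhost && !added && /^[[:space:]]*<\/Location>/ {
      print "    <Location \"/remoteDesktopGateway\">"
      print "        ProxyPass \"wss://" fqdn "/remoteDesktopGateway\""
      print "    </Location>"
      added = 1
    }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  echo "inserted"
}

# Constructed sample config (documentation addresses, not a real UTM file);
# prints the path of a temp file for a dry run.
sample_conf_file() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<VirtualHost 203.0.113.10:443>
    ServerName rdgateway.fqdn.here
    <Location "/">
        ProxyPass "https://192.0.2.20/"
    </Location>
</VirtualHost>
EOF
  echo "$f"
}

# Usage on the UTM after a reboot or WAF change:
#   sh rdg_waf_fix.sh /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf rdgateway.fqdn.here
# followed by: /var/mdw/scripts/reverseproxy restart
if [ "$#" -eq 2 ]; then
  add_rdg_websocket_location "$1" "$2"
fi
```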

  • I publish RDG on Server 2016 from behind my Sophos SG UTM. Like you, I found the WAF rule didn't work, so I set up DNAT rules.

    The RDP UDP service is 1:65535->3391

  • I have RDG working via WAF with the full desktop and apps, so it does work.

  • Hi

    What version of Windows server is RDGW?

    What WAF rules are used?

    Martin

  • We're using Windows Server 2016.

    Create your real webserver

    1. Type = https
    2. Port = 443

    Create your Virtual Server

    1. Type = https
    2. Domain = your server FQDN
    3. Real webservers = Your internal server
    4. Advanced = Pass host header

    Create your own WAF filter with:

    1. Static URL hardening:

    /rpc
    /rdweb
    /RDWeb
    /RDweb
    /rpc/rpcproxy.dll?localhost:3388
    /favicon.ico
    /rpcWithCert

    2. Block clients with bad reputation
    3. Pass Outlook anywhere

    Then create an exception for your URL:

    1. Static URL hardening:

    /rpc/*
    /rpcWithCert/*
    /RDWeb/*
    /RDweb/*
    /rdweb/*

    Apply the above filter to the virtual webserver and test. It does work. We have a UTM going to 2 RDGW's (active & failover) which in turn go to 3 connection brokers.

    We also have another UTM at our secondary site doing the same in reverse and we load balance using a failover DNS service as round robin on the outside didn't quite work.
    So we have:
    Internet > SITE A UTM > SITE A RDGW or SITE B RDGW(failover) > 3 CONBKRS > SESSION HOSTS
    Internet > SITE B UTM > SITE B RDGW or SITE A RDGW(failover) > 3 CONBKRS > SESSION HOSTS

    We did have a bit of a job with the "common threats filter", which seemed to be blocking things but didn't report it in the logs. When we disabled it, everything worked. We did try elimination, e.g. disabling each common threat one at a time, but we never got to the bottom of it, so we've just left it off for now.

  • Hey Louis,

    I have got UTM 9 and RDG 2019. I followed your steps and my portal works fine; however, I can't open RemoteApp. Also I can't get my gateway to work if I want to connect to a computer behind it :(

    It works fine if I use DNAT, but when I switch to WAF it won't work.


    This is what I see from the logs:

    2019:10:28-19:26:56 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4102298480] [client 49.196.171.79:48229] [client 49.196.171.79] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/FeedLogin/WebFeedLogin.aspx"] [unique_id "XbbQf4vYPlsAABZoEbAAAAAD"]
    2019:10:28-19:26:57 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4102298480] [client 49.196.171.79:48229] [client 49.196.171.79] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing a User Agent Header"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/FeedLogin/WebFeedLogin.aspx"] [unique_id "XbbQf4vYPlsAABZoEbAAAAAD"]
    2019:10:28-19:26:57 sukafun-utm httpd: id="0299" srcip="49.196.171.79" localip="139.216.62.91" size="380" user="-" host="49.196.171.79" method="GET" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="1580200" url="/RDWeb/FeedLogin/WebFeedLogin.aspx" server="PORTAL.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbbQf4vYPlsAABZoEbAAAAAD"
    2019:10:28-19:26:58 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4093905776] [client 49.196.171.79:48230] [client 49.196.171.79] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/duo/duo.aspx"] [unique_id "XbbQgYvYPlsAABZoEbEAAAAE"]
    2019:10:28-19:26:58 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4093905776] [client 49.196.171.79:48230] [client 49.196.171.79] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:params. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: | found within ARGS:params: params|ZGVzdD0lMkZSRFdlYiUyRkZlZWRMb2dpbiUyRldlYkZlZWRMb2dpbi5hc3B4JnRpbWVPZmZzZXQ9NzYmdXNlcm5hbWU9c3VrYWZ1biU1Q3N1a2FmdW4=|1572265542|SmkSW2HPmqkD8BiAkIftXtIpdedxvXOnhGR/5OpuXJ0="] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/duo/duo.aspx"] [unique_id "XbbQgYvYPlsAABZoEbEAAAAE"]
    2019:10:28-19:26:58 sukafun-utm httpd: id="0299" srcip="49.196.171.79" localip="139.216.62.91" size="1341" user="-" host="49.196.171.79" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="271670" url="/RDWeb/duo/duo.aspx" server="PORTAL.MYDOMAIN.com" port="443" query="?params=params%7CZGVzdD0lMkZSRFdlYiUyRkZlZWRMb2dpbiUyRldlYkZlZWRMb2dpbi5hc3B4JnRpbWVPZmZzZXQ9NzYmdXNlcm5hbWU9c3VrYWZ1biU1Q3N1a2FmdW4%3D%7C1572265542%7CSmkSW2HPmqkD8BiAkIftXtIpdedxvXOnhGR%2F5OpuXJ0%3D" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbbQgYvYPlsAABZoEbEAAAAE"
    2019:10:28-19:27:29 sukafun-utm httpd[5736]: [url_hardening:error] [pid 5736:tid 4085513072] [client 49.196.171.79:48232] URI prefix does not match, URI: PORTAL.MYDOMAIN.com:443/.../
    2019:10:28-19:27:29 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4085513072] [client 49.196.171.79:48232] [client 49.196.171.79] ModSecurity: Warning. String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/remoteDesktopGateway/"] [unique_id "XbbQoIvYPlsAABZoEbIAAAAF"]
    2019:10:28-19:27:29 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4085513072] [client 49.196.171.79:48232] [client 49.196.171.79] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [hostname "PORTAL.MYDOMAIN.com"] [uri "/remoteDesktopGateway/"] [unique_id "XbbQoIvYPlsAABZoEbIAAAAF"]
    2019:10:28-19:27:29 sukafun-utm httpd: id="0299" srcip="49.196.171.79" localip="139.216.62.91" size="0" user="-" host="49.196.171.79" method="RDG_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="495885" url="/remoteDesktopGateway/" server="PORTAL.MYDOMAIN.com:443" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="WJimkodLX0Wh+S+ZuRJFUw==" websocket_version="13" uid="XbbQoIvYPlsAABZoEbIAAAAF"


    I removed my actual domain and replaced it with portal.mydomain.com

    I appreciate your help.


    Cheers
    Mo
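As an added triage example (not from the thread and not a Sophos tool), the awk functions below pull two things out of UTM WAF log lines in the format quoted above: the RD Gateway transport requests (RDG_IN_DATA / RDG_OUT_DATA with their status codes, the 401s being the symptom in this thread) and the URIs rejected by static URL hardening, which are the candidates for the exception list in the earlier reply. The sample lines are constructed with placeholder addresses; field offsets assume the key="value" layout shown in the post.

```shell
#!/bin/sh
# Triage helpers for the two UTM WAF log formats quoted above: the
# id="0299" access lines and the [url_hardening:error] lines.
# Added example; field extraction relies on the key="value" layout.

# One line per RD Gateway transport request (method, status, URL) plus
# whether the client sent a websocket key, which the 2016+ transport uses.
rdg_requests() {
  awk '
    /id="0299"/ {
      m = ""; s = ""; u = ""; w = "-"
      if (match($0, /method="[^"]*"/))        m = substr($0, RSTART + 8,  RLENGTH - 9)
      if (match($0, /statuscode="[^"]*"/))    s = substr($0, RSTART + 12, RLENGTH - 13)
      if (match($0, /url="[^"]*"/))           u = substr($0, RSTART + 5,  RLENGTH - 6)
      if (match($0, /websocket_key="[^"]*"/)) w = substr($0, RSTART + 15, RLENGTH - 16)
      if (m ~ /^RDG_/)
        printf "%s %s %s ws=%s\n", m, s, u, ((w == "-") ? "no" : "yes")
    }'
}

# URIs rejected by static URL hardening; each is a candidate for the
# SkipURLHardening exception list described in the earlier reply.
hardening_rejects() {
  awk '
    /\[url_hardening:error\]/ && match($0, /URI: [^ ]*/) {
      uri = substr($0, RSTART + 5, RLENGTH - 5)
      print substr(uri, index(uri, "/"))   # drop host:port, keep the path
    }'
}

# Constructed sample lines (placeholder addresses and host, not real traffic).
SAMPLE_LOG='2019:10:28-19:26:57 utm httpd: id="0299" srcip="198.51.100.7" localip="203.0.113.10" size="380" user="-" host="198.51.100.7" method="GET" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="1580200" url="/RDWeb/FeedLogin/WebFeedLogin.aspx" server="portal.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="constructed1"
2019:10:28-19:27:29 utm httpd[5736]: [url_hardening:error] [pid 5736:tid 1] [client 198.51.100.7:48232] URI prefix does not match, URI: portal.example.com:443/rpc/rpcproxy.dll
2019:10:28-19:27:29 utm httpd: id="0299" srcip="198.51.100.7" localip="203.0.113.10" size="0" user="-" host="198.51.100.7" method="RDG_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="495885" url="/remoteDesktopGateway/" server="portal.example.com:443" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="c29tZS1rZXk=" websocket_version="13" uid="constructed2"
2019:10:28-19:27:30 utm httpd: id="0299" srcip="198.51.100.7" localip="203.0.113.10" size="0" user="-" host="198.51.100.7" method="RDG_IN_DATA" statuscode="503" reason="-" extra="-" exceptions="-" time="100" url="/remoteDesktopGateway/" server="portal.example.com:443" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="constructed3"'

# Usage: pipe the UTM reverseproxy log in, or run with --demo on the sample.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | rdg_requests
  printf '%s\n' "$SAMPLE_LOG" | hardening_rejects
fi
```

On a UTM the same functions can be fed with the reverse proxy log directly, e.g. from /var/log/reverseproxy.log, to see which RDG transport requests fail and which paths the hardening filter drops.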