
Microsoft Remote Desktop Gateway with 9.509

Hi,

I have UTM 9.5 in my lab at home and I'm using it as a proxy (single net adapter) to forward traffic on ports 80 and 443 to specific internal servers based on the header. Ports 443 and 80 are redirected from my main router to the UTM appliance and everything works except Microsoft RDG. My internal lab servers are running Server 2016.

I have followed all the articles I could find on the Internet about this, but it looks like it is still not working. I have also set the Firewall Profile to Monitor only, but no luck.


I would appreciate any ideas. Thanks



  • The Firewall Profile is currently set to Reject - is that intentional?

    Besides that, what does the log server say?

  • Salut Adrian and welcome to the UTM Community!

    That all looks good - just as the Sophos KB article recommends.  Did you make an Exception for URL Hardening for all of the paths listed in 'Entry URLs'?

    Cheers - Bob
    PS Moving this thread to the Web Server Security forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Did you make an Exception for URL Hardening for all of the paths listed in 'Entry URLs'?

    Where are these exceptions created?

    @

    I have set it up with monitoring only, and it is still not working. I don't need security for now, just for it to work; then I will slowly implement the security I need and also learn the product in the process.

    2018:08:14-17:02:49 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 4113025904] [client -HOME IP-:11659] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:02:49 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="620" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhCcCoCgoAAJQZvg4AAAAC"
    2018:08:14-17:02:55 rocjvkr-sop01 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="218" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="237" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhD8CoCgoAAJQZvg8AAAAV"
    2018:08:14-17:03:03 rocjvkr-sop01 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="218" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="657" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhF8CoCgoAAJQZvhAAAAAo"
    2018:08:14-17:03:04 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3777317744] [client -HOME IP-:60496] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:04 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="603" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhGMCoCgoAAJQZvhEAAAAq"
    2018:08:14-17:03:19 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3718568816] [client -HOME IP-:54653] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:19 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="580" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhJ8CoCgoAAJQZvhIAAAAx"
    2018:08:14-17:03:34 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3760532336] [client -HOME IP-:51079] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:34 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="589" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhNsCoCgoAAJQZvhMAAAAs"
    2018:08:14-17:03:49 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3869637488] [client -HOME IP-:46501] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:49 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="572" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhRcCoCgoAAJQZvhQAAAAf"
    2018:08:14-17:03:54 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:54 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RDG_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3819281264] [client -REMOTE IP-:26258] No signature found, URI: https://hello.DOMAIN.COM/remoteDesktopGateway/
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Method is not allowed by policy"] [data "Last Matched Data: RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=): Method is not allowed by policy"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="230" user="-" host="-REMOTE IP-" method="RDG_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Method is not allowed by policy" exceptions="-" time="969796" url="/remoteDesktopGateway/" server="hello.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhSsCoCgoAAJQZvhUAAAAl"
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_IN_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="225" user="-" host="-REMOTE IP-" method="RPC_IN_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="-" time="71750" url="/rpc/rpcproxy.dll" server="hello.DOMAIN.COM" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W3LhS8CoCgoAAJQZvhYAAAAr"
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="225" user="-" host="-REMOTE IP-" method="RPC_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="-" time="72024" url="/rpc/rpcproxy.dll" server="hello.DOMAIN.COM" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W3LhTMCoCgoAAJQZvhcAAAAY"
    2018:08:14-17:04:05 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3919993712] [client -HOME IP-:13570] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:04:05 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="705" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhVcCoCgoAAJQZvhgAAAAZ"
    

    Attached is the log. I have replaced the public domain with DOMAIN.COM, my home IP with -HOME IP-, and the IP of the system from which I'm connecting with -REMOTE IP-.

    Also, when it is set to Reject, it keeps prompting for the RD Gateway credentials, and when it is set to Monitor it just gives an error that it could not connect to the RD Gateway server.

     

    Thanks,

  • Where are these exceptions created?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Have you also set up a DNAT rule for the RDP session? (usually port 3389 or 3391).

    As MS used to use RDP over HTTP, but changed it back to its original.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • How is it usually port 3391?

  • I believe the recommendation is to use this port as an alternative to 3389, and all the installations I have been involved in have been set to 3391.

    But this port is configurable, so in reality it can be any port.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hi,

    I managed to figure this out and the problem was from my RDS Gateway server. I just re-deployed it and it worked. The Firewall Profile needs to be set to Reject; if it's set to Monitor it will not work. The Exceptions list is not needed; it works without it.

    @

    Why create a DNAT rule? RDS Gateway will automatically forward traffic to the internal server specified in the RD Client.

    So sorry for the confusion guys, but I appreciate the help. Nice product :-).