This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Microsoft Remote Desktop Gateway with 9.509

Hi,

I have UTM 9.5 in my lab at home and I'm using it as a proxy (single net adapter) to forward traffic on ports 80 and 443 to specific internal servers based on header. Ports 443 and 80 are redirected from my main router to the UTM appliance and everything works except Microsoft RDG. My internal lab servers are running server 2016.

I have followed all the articles I could find on the Internet about this, but looks like is still not working. I have also set the Firewall Profile to Monitor only, but no luck.

      

I will appreciate any idea. Thanks



This thread was automatically locked due to age.
Parents
  • Salut Adrian and welcome to the UTM Community!

    That all looks good - just as the Sophos KB article recommends.  Did you make an Exception for URL Hardening for all of the paths listed in 'Entry URLs'?

    Cheers - Bob
    PS Moving this thread to the Web Server Security forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Did you make an Exception for URL Hardening for all of the paths listed in 'Entry URLs'?

    Where are these exceptions created?

    @

    I have set up with just monitoring only, and is still not working. I don't need security for now, just to work, then I will slowly implement the security I need and also learn the product in the process.

    2018:08:14-17:02:49 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 4113025904] [client -HOME IP-:11659] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:02:49 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="620" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhCcCoCgoAAJQZvg4AAAAC"
    2018:08:14-17:02:55 rocjvkr-sop01 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="218" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="237" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhD8CoCgoAAJQZvg8AAAAV"
    2018:08:14-17:03:03 rocjvkr-sop01 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="218" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="657" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhF8CoCgoAAJQZvhAAAAAo"
    2018:08:14-17:03:04 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3777317744] [client -HOME IP-:60496] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:04 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="603" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhGMCoCgoAAJQZvhEAAAAq"
    2018:08:14-17:03:19 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3718568816] [client -HOME IP-:54653] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:19 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="580" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhJ8CoCgoAAJQZvhIAAAAx"
    2018:08:14-17:03:34 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3760532336] [client -HOME IP-:51079] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:34 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="589" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhNsCoCgoAAJQZvhMAAAAs"
    2018:08:14-17:03:49 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3869637488] [client -HOME IP-:46501] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:03:49 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="572" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhRcCoCgoAAJQZvhQAAAAf"
    2018:08:14-17:03:54 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:54 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RDG_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3819281264] [client -REMOTE IP-:26258] No signature found, URI: https://hello.DOMAIN.COM/remoteDesktopGateway/
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Method is not allowed by policy"] [data "Last Matched Data: RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3819281264] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=): Method is not allowed by policy"] [hostname "hello.DOMAIN.COM"] [uri "/remoteDesktopGateway/"] [unique_id "W3LhSsCoCgoAAJQZvhUAAAAl"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="230" user="-" host="-REMOTE IP-" method="RDG_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Method is not allowed by policy" exceptions="-" time="969796" url="/remoteDesktopGateway/" server="hello.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhSsCoCgoAAJQZvhUAAAAl"
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_IN_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3768925040] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhS8CoCgoAAJQZvhYAAAAr"]
    2018:08:14-17:03:55 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="225" user="-" host="-REMOTE IP-" method="RPC_IN_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="-" time="71750" url="/rpc/rpcproxy.dll" server="hello.DOMAIN.COM" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W3LhS8CoCgoAAJQZvhYAAAAr"
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd[37913]: [security2:error] [pid 37913:tid 3928386416] [client -REMOTE IP-] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "hello.DOMAIN.COM"] [uri "/rpc/rpcproxy.dll"] [unique_id "W3LhTMCoCgoAAJQZvhcAAAAY"]
    2018:08:14-17:03:56 rocjvkr-sop01 httpd: id="0299" srcip="-REMOTE IP-" localip="192.168.10.10" size="225" user="-" host="-REMOTE IP-" method="RPC_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="-" time="72024" url="/rpc/rpcproxy.dll" server="hello.DOMAIN.COM" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W3LhTMCoCgoAAJQZvhcAAAAY"
    2018:08:14-17:04:05 rocjvkr-sop01 httpd[37913]: [url_hardening:error] [pid 37913:tid 3919993712] [client -HOME IP-:13570] Hostname in HTTP request (cloud.DOMAIN.COM) does not match the server name (webmail.DOMAIN.COM)
    2018:08:14-17:04:05 rocjvkr-sop01 httpd: id="0299" srcip="-HOME IP-" localip="192.168.10.10" size="770" user="-" host="-HOME IP-" method="SSTP_DUPLEX_POST" statuscode="413" reason="-" extra="-" exceptions="-" time="705" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="webmail.DOMAIN.COM" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W3LhVcCoCgoAAJQZvhgAAAAZ"
    

    Attached is the log. I have replaced the public domain withe DOMAIN.COM, my home IP with -HOME IP-, and the IP of the system from which I'm connecting with -REMOTE IP-.

    Also, when is set to reject, it keeps prompting for the RD Gateway credentials, and when is set to monitoring it just gives an error that it could not connect to the RD Gateway server.

     

    Thanks,

  • Where are these exceptions created?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • have you also setup a DNAT rule for the RDP session? (usually port 3389 or 3391).

    as MS used to use RDP over HTTP, but changed it back to its' original.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • How is usually port 3391?

  • I believe the recommendation is to use this port as an alternative to 3389, and all the installations I have been involved in have been set to 3391.

    But this port is configurable, so in reality can be any port.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Reply
  • I believe the recommendation is to use this port as an alternative to 3389, and all the installations I have been involved in have been set to 3391.

    But this port is configurable, so in reality can be any port.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Children
No Data