Windows Server 2012 R2 Remote Desktop Gateway, Windows 10 Pro 1803 client and UTM 9.510-5 WAF

Good day,

I have been using Sophos UTM for a number of years now and know my way around the solution and its features reasonably well. I have several applications using the WAF feature including MS Exchange (Outlook Anywhere and ActiveSync), and until recently Remote Desktop Gateway (RDG) without any issues. Today I am struggling with RDG installed on Windows Server 2012 R2, and Windows 10 Pro 1803 clients trying to access the service via UTM 9.510-5 WAF.

Examining the WAF logs, I'm finding entries referencing URLs that are non-existent on the RDG server:

2018:09:10-14:26:30 #redacted# httpd[27345]: [url_hardening:error] [pid 27345:tid 3741174640] [client #redacted#:49501] No signature found, URI: https://#redacted#/KdcProxy
2018:09:10-14:26:30 #redacted# httpd[27345]: [url_hardening:error] [pid 27345:tid 3900636016] [client #redacted#:49497] No signature found, URI: https://#redacted#/remoteDesktopGateway/

Thing is, "/KdcProxy" and "/remoteDesktopGateway/" do not exist on the IIS site included in RDG, only "/Rpc" and "/RpcWithCert" are. Adding the URLs to the exceptions list is pointless as this simply results in 404 status codes being returned instead (because they don't exist).

Curiously, using an older Windows version seems to work fine, which leads me to suspect that something changed with the way Remote Desktop clients on Windows 10 communicate with the RDG via WAF; I don't run into any issues when accessing RDG on the internal network, only when accessing via WAF. I'm stumped and would appreciate any guidance from more experienced UTM admins.
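As an added triage aid (not part of the original post), the helper below parses UTM httpd `url_hardening` lines in the format quoted above, groups the blocked URIs by first path segment and flags those that are not among the paths the RDG IIS site is said to serve (`/Rpc`, `/RpcWithCert`). The sample lines, hostnames and client addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Pattern for the UTM httpd "url_hardening" entries quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) httpd\[\d+\]: \[url_hardening:(?P<level>\w+)\] "
    r"\[pid \d+:tid \d+\] \[client (?P<client>[^\]]+)\] "
    r"No signature found, URI: (?P<uri>\S+)$"
)

# Paths the RDG IIS site is stated to serve; anything else points at a
# client-side protocol change rather than a missing WAF exception.
PUBLISHED_PATHS = {"/Rpc", "/RpcWithCert"}

def parse_url_hardening(line):
    """Return (timestamp, client_ip, path) for a url_hardening line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host_and_path = m.group("uri").split("://", 1)[-1]
    path = "/" + host_and_path.split("/", 1)[1] if "/" in host_and_path else "/"
    client_ip = m.group("client").rsplit(":", 1)[0]  # drop the source port
    return m.group("ts"), client_ip, path

def summarize_blocked_paths(lines):
    """Group blocked requests by first path segment and flag unpublished ones."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "published": False})
    for line in lines:
        parsed = parse_url_hardening(line)
        if parsed is None:
            continue  # not a url_hardening entry; ignore
        _, client_ip, path = parsed
        segment = "/" + path.strip("/").split("/")[0]
        entry = summary[segment]
        entry["count"] += 1
        entry["clients"].add(client_ip)
        entry["published"] = segment in PUBLISHED_PATHS
    return dict(summary)

# Constructed sample lines modelled on the thread; host and client addresses are placeholders.
SAMPLE_LOG = [
    "2018:09:10-14:26:30 utm httpd[27345]: [url_hardening:error] [pid 27345:tid 3741174640] "
    "[client 192.0.2.10:49501] No signature found, URI: https://rdg.example.test/KdcProxy",
    "2018:09:10-14:26:30 utm httpd[27345]: [url_hardening:error] [pid 27345:tid 3900636016] "
    "[client 192.0.2.10:49497] No signature found, URI: https://rdg.example.test/remoteDesktopGateway/",
    "2018:09:10-14:26:31 utm httpd[27345]: [url_hardening:error] [pid 27345:tid 3900636017] "
    "[client 192.0.2.11:50012] No signature found, URI: https://rdg.example.test/Rpc",
]

if __name__ == "__main__":
    for segment, info in sorted(summarize_blocked_paths(SAMPLE_LOG).items()):
        status = "published" if info["published"] else "NOT on RDG site"
        print(f"{segment:<24} {info['count']} hit(s) from {len(info['clients'])} client(s): {status}")
```

Run it against a WAF log export to see which blocked paths are genuinely absent from the gateway; for those, adding a URL hardening exception only turns the block into a 404, as the post observes.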

  • Hi, I have just started seeing the same issue. Did you ever find a solution to this?

  • In reply to Andrew Mullins:

    Hi Andrew, unfortunately I did not and had to revert to using our older TS Gateway Server on 2008. We are planning on retiring this form of remote access in favour of SSL VPN and SD-WAN remote access clients, which helps me sleep much better at night :-)

  • In reply to SEFIT:

    Hi,

    this problem is old.

    Sophos UTM does not support the RDG protocol with Windows 2012, Windows 2016 and, I think, Windows 2019 Remote Desktop Gateway passthrough.

    They are not going to support this in 2019 ...

    You can find more information here in the community.

    You can't use RDG with Sophos UTM.

    Jürgen

  • In reply to JuergenB:

    Hello Jürgen,

    Could you show us the words Sophos used to tell you this? It can be in German.

    Member Louis-M posted instructions on doing this with WAF with 2016.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    I'll have to have a look; it was about 2 years ago (13.09.2017).
    I also had a ticket open with the service provider about it.

    My service provider clarified this with Sophos: it does not work with the UTM. Nothing of the sort is planned for the XG either.

    "Unfortunately, at the present time Sophos has no way of implementing this natively via the WAF."

    I also asked Andrea (Sophos) by e-mail at some point, but apparently there was no reply from her.

    There was also a post here at one point: *no plan to implement new features in the upcoming Releases*

    community.sophos.com/.../server-2016-remote-web-workplace-and-remote-desktop-gateway-using-waf

    BUT it is telling enough

    that XG 17.5.3 has no Windows 2012, 2016 or 2019 Remote Desktop in the Business app rules...
    Well, of the others, Windows 2012 and 2016 use RDG; the info from Louis-M is also new to me (5.3.2019).

    But a distinction is also made between Remote Web and Remote Gateway...

  • In reply to JuergenB:

    Oh yes you can and we do. See here:

    community.sophos.com/.../waf-unable-to-publish-remote-desktop-gateway-2016

  • In reply to Louis-M:

    Hi Louis,

    You needed to disable the common threat filtering.

    The last time I tried this, the RDG_Out Data was not known to the firewall and it was blocked.

  • In reply to JuergenB:

    I did need to disable the common threats filter as it wasn't logging what was being blocked. By the process of elimination, we discovered it was something within it but never got around to nailing it down as we ran out of time. For now, we're happy that it's running using WAF rather than DNAT, although I do appreciate it could do with tightening up a little to bring the common threats filter into play.