Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Hey guys.
I know this is kinda old, but it's actually working with 9.404 (or 9.405).
Pretty much follow https://sophserv.sophos.com/repo_kb/120454/file/Configuring%20UTM%20firewall%20for%20Remote%20Desktop.pdf.
I did some modifications to suit my needs and to get it working with RD Client for Android and IOS.
Basically at URL hardening in Firewall Profile, I added:
/rpc
/prcWithCert
/rdweb
/RDWeb
/RDweb
/rpc/rpcproxy.dll?localhost:3388
Those different RDWeb stuff are for allowing users to not worry so much about typing the URL exactly as /RDWeb. That last line, however, was necessary for RD Client on IOS to work. I know it should be covered by /rpc, but for some reason it is not. It only worked after I added the whole thing. For windows clients, however, that was not needed.
Again, in Exceptions, I added a few things to make life easier:
/rpc/*
/rpcWithCert/*
/RDWeb/*
/RDweb/*
/rdweb/*
What happens here is that first the RD Client will try to reach RD Gateway using the /remoteDesktopGateway/ path. If allowed access, using that path will activate RDG_IN_DATA and RDG_OUT_DATA protocol, that won't work with WAF and Outlook Anywhere, because it's a different protocol than RPC over HTTPS. Since in the recommended configuration /remoteDesktopGateway/ is not allowed by URL Hardening, the client will fallback to RPC over HTTPS (hence rpcproxy.dll) and it will just work.
At least, it's working very well for me, and for some time now. The RD Client for IOS was the only piece of the puzzle missing, for two reasons: the previous versions added :443 at the end of the URL, which cause URL Hardening to block access, after all, it did not match the exceptions. This was fixed on the latest client build. Even after that, for some reason, requests coming from RD Client for IOS was still blocked by URL Hardening. I figured out last night that adding that last line at URL Hardening in Firewall Profile made everything work. Go figure.
So give it a try and let me know how it works.
Regards - Giovani
Hey guys.
I know this is kinda old, but it's actually working with 9.404 (or 9.405).
Pretty much follow https://sophserv.sophos.com/repo_kb/120454/file/Configuring%20UTM%20firewall%20for%20Remote%20Desktop.pdf.
I did some modifications to suit my needs and to get it working with RD Client for Android and IOS.
Basically at URL hardening in Firewall Profile, I added:
/rpc
/prcWithCert
/rdweb
/RDWeb
/RDweb
/rpc/rpcproxy.dll?localhost:3388
Those different RDWeb stuff are for allowing users to not worry so much about typing the URL exactly as /RDWeb. That last line, however, was necessary for RD Client on IOS to work. I know it should be covered by /rpc, but for some reason it is not. It only worked after I added the whole thing. For windows clients, however, that was not needed.
Again, in Exceptions, I added a few things to make life easier:
/rpc/*
/rpcWithCert/*
/RDWeb/*
/RDweb/*
/rdweb/*
What happens here is that first the RD Client will try to reach RD Gateway using the /remoteDesktopGateway/ path. If allowed access, using that path will activate RDG_IN_DATA and RDG_OUT_DATA protocol, that won't work with WAF and Outlook Anywhere, because it's a different protocol than RPC over HTTPS. Since in the recommended configuration /remoteDesktopGateway/ is not allowed by URL Hardening, the client will fallback to RPC over HTTPS (hence rpcproxy.dll) and it will just work.
At least, it's working very well for me, and for some time now. The RD Client for IOS was the only piece of the puzzle missing, for two reasons: the previous versions added :443 at the end of the URL, which cause URL Hardening to block access, after all, it did not match the exceptions. This was fixed on the latest client build. Even after that, for some reason, requests coming from RD Client for IOS was still blocked by URL Hardening. I figured out last night that adding that last line at URL Hardening in Firewall Profile made everything work. Go figure.
So give it a try and let me know how it works.
Regards - Giovani
Thank you this has help me as well, I already added /rpc/* /RPCWithcert/* but still I could not access my RD gateway from IOS and mac, untill I did add the /rpc/rpcproxy.dll?localhost:3388 to firewall profile and now my users can access the servers from Iphone and mac.
Thanks you