Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 39 subscribers
  • Views 12230 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Clientless Access VPN Error when using RDP Bookmark

Josh Rogalski

We recently purchased Sophos XG450 firewalls, and with one of them we will be using the VPN product.  I have started to configure the VPN for clientless access, and have run into an error.  When a user clicks a RDP bookmark, they get an error which states "Error: Protocol Security Negotiation Failure".  The remote desktop session does not function at all on those particular machines unless I go to the machine, and uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".  Obviously I want to be able to keep that RDP setting checked for security reasons.  But when it is checked, the RDP session simply does not work at all.  Works great right after I uncheck it. 

 

I should mention I am running version SFOS 16.05.7 MR-7 and also that this particular unit is not in production yet.  I am logging into the unit via the LAN address, and that is the only interface configured.  I assume that isn't interfering at all and that there is a setting some place I need to change.  So to recap, how do I configure RDP bookmarks and keep the "network Level Authentication" setting checked?  Thank you for any assistance you can provide.

 



This thread was automatically locked due to age.
  • 0

    Just to be sure, how do you have the bookmarks 'Security Protocol' configured? did you choose NLA there?

  • 0 in reply to dna

    I tried both RDP and TLS as those are the only two that don't force you to put in a username and password.  Since these bookmarks will be used by individual staff members, I don't have their username and passwords and they should be inputting those credentials when they click the bookmarks and it creates the RDP session.  Is there a workaround that will allow it to just work in the way I think it should or will I end up needing to uncheck that box on all their machines?

  • 0 in reply to Josh Rogalski

    There is a good reason why the NLA setting forces you to enter the credentials during boomark configuration. NLA technically first authenticates before presenting any screen. Since we have not implemented any formular popup to enter the credentials when connecting the bookmark you cannot use NLA without providing the credentials.

    You will need to disable the NLA enforcement on all machines you want to connect to, or you need to create bookmarks with credentials saved. It is currently not planned to extend this feature ( e.g. add the formular popup to ask for the credentials upfront )

Unfiltered HTML