This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Desktop Gateway 2019 WON'T work with Sophos UTM WAF

Hi Guys,

 

So I have been reading/trying many things to get RDG to work with Sophos UTM WAF. I tried all possible combinations that I can think of however no luck. I know Sophos doesn't support RDG beyond 2008 but I saw other people posts that they successfully got it to work. I have followed their steps but still no luck. If I use DNAT it works perfectly fine but I don't want to use DNAT for security reasons.

So far I'm able to get to the portal but when I get to lunch a RemoteApp or using Remote Desktop Gateway service it won't find the gateway server and I can see some errors in the logs which I couldn't figure out how to fix.


What I have setup in the firewall profile:

- Mode: Reject
- Static URL hardening with these entries: /rpc - /rdweb - /RDWeb - /rpcWithCert - /rpc/rpcproxy.dll?localhost:3388 (I tried with "*" as well)
- Pass Outlook Anywhere enabled

In the firewall profile exceptions: 

- Static URL hardening with these entries: /rpc* - /rdweb* - /RDWeb* - /rpcWithCert*


I also tried adding /remoteDesktopGateway in both. Pass host header is enabled in the virtual server. These are the errors I see in WAF logs:

2019:11:01-00:01:52 sukafun-utm httpd[47818]: [url_hardening:error] [pid 47818:tid 4085513072] [client 49.196.174.232:36278] No signature found, URI: https://GATEWAY.MYDOMAIN.com/ remoteDesktopGateway/


2019:11:01-00:01:52 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="230" user="-" host="49.196.174.232" method="RDG_OUT_DATA" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="640" url="/remoteDesktopGateway/" server="GATEWAY.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="SQbVmEwoeogs4R/P96wrOg==" websocket_version="13" uid="XbsFcIvYPlsAALrKAZsAAAAF"
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="13" user="-" host="49.196.174.232" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="26890" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZwAAAAJ"
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="13" user="-" host="49.196.174.232" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="25989" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZ4AAAAH"
2019:11:01-00:01:53 sukafun-utm httpd[47818]: [proxy_msrpc:error] [pid 47818:tid 4068727664] [client 49.196.174.232:36281] RPC_OUT_DATA: server 192.168.1.66:443 (GATEWAY.MYDOMAIN.com) did not accept initial PDU (HTTP status code 302)
2019:11:01-00:01:53 sukafun-utm httpd[47818]: [proxy_msrpc:error] [pid 47818:tid 4051942256] [client 49.196.174.232:36280] RPC_IN_DATA: Failed to sync Outlook Session 5a1ad305-aa9e-dd91-f2be-3de5b769d9fe: 2
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="155" user="-" host="49.196.174.232" method="RPC_OUT_DATA" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="10175" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZ8AAAAH"
2019:11:01-00:01:53 sukafun-utm httpd[47818]: [proxy_msrpc:error] [pid 47818:tid 4051942256] [client 49.196.174.232:36280] RPC_IN_DATA: The registered Outlook Session 5a1ad305-aa9e-dd91-f2be-3de5b769d9fe is in unexpected state 'BROKEN'
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="0" user="-" host="49.196.174.232" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="396921" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZ0AAAAJ"

 

 

I appreciate if anyone can help me with this one.

 

Cheers
Mo



This thread was automatically locked due to age.
Parents
  • I have had the same problem trying to setup the WAF to publish Remote Desktop Gateway for server2019 and the issue, in the end, was two tick boxes in the site Path Routing

    Now everything is working :) 

    This is after spending 6 hours on the phone to Sophos level 1 & 2 and not getting anywhere and still waiting on a call from level 3

  • Hi Jack,


    I Tried ticking them both but no luck :(


    Do you mind if you share your firewall profile & exception list you are using?


    I tried several combinations but can't get one right.

  • These are all the settings we have which work with our 2019 setup 

    Firmware on our UTM is 9.605-1

     

     

    Static URL Hardening

    /rpc/*
    /rpcWithCert/*
    /rpc/rpcproxy.dll?localhost:3388
    /rpc/rpcproxy.dll
    /remoteDesktopGateway/*
    /KdcProxy/*
    /rpc/rpcproxy.dll?localhost:3389

     

    Skip Filter Rules

    960032
    960035
    960911
    981172

     

     

     

    /rpc/*
    /rpcWithCert/*
    /RDWeb/*
    /RDweb/*
    /rdweb/*
    /KdcProxy/*
    /KdcProxy
    /remoteDesktopGateway/*
    /remoteDesktopGateway
    /remoteDesktopGateway/

     

    Hope this helps you get it resolved

Reply
  • These are all the settings we have which work with our 2019 setup 

    Firmware on our UTM is 9.605-1

     

     

    Static URL Hardening

    /rpc/*
    /rpcWithCert/*
    /rpc/rpcproxy.dll?localhost:3388
    /rpc/rpcproxy.dll
    /remoteDesktopGateway/*
    /KdcProxy/*
    /rpc/rpcproxy.dll?localhost:3389

     

    Skip Filter Rules

    960032
    960035
    960911
    981172

     

     

     

    /rpc/*
    /rpcWithCert/*
    /RDWeb/*
    /RDweb/*
    /rdweb/*
    /KdcProxy/*
    /KdcProxy
    /remoteDesktopGateway/*
    /remoteDesktopGateway
    /remoteDesktopGateway/

     

    Hope this helps you get it resolved

Children
  • AWESOME!!


    I got my gateway working! Thanks mate...

    The portal comes up however breaks when I log in. Do you use RemoteApps?

    Also why are you using https & redirect? If I'm using IIS redirect I don't need Sophos redirect correct? 

    I'm trying to figure out how I can just type in my portal URL and it redirects to the full RDWeb URL. This is how I have it working with DNAT.

  • Don't worry about the RemoteApp portal. I guess my problem is I'm using Duo MFA which changes the URL after authenticating. I'll try to work it out.


    Do you have RDG working on IOS or Andriod? Mine doesn't seem to work.

  • FYI, 

    I got my mac to work and still working on getting my Andriod working with gateway.

    I found out that as soon I added those three:

    /remoteDesktopGateway
    /remoteDesktopGateway/
    /RemoteDesktopGateway/*

    To the firewall profile and firewall exception everything started to work for me. All those other things you have enabled I found them not needed for me. Gateway works whether they are enabled or not.


    If anyone can help me with the Andriod issue that would be great. This is what I see in the logs:

    2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="254830" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84UAAAAK"
    2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="255404" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84YAAAAI"
    2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="219445" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84gAAAAI"
    2019:11:02-00:32:32 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="13" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="228215" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84cAAAAK"
    2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="155" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="302" reason="-" extra="-" exceptions="-" time="223668" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84oAAAAK"
    2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="155" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="302" reason="-" extra="-" exceptions="-" time="231956" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIIvYPlsAAN4A84kAAAAI"
    2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="1293" user="-" host="49.196.9.220" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="253576" url="/RDWeb" server="GATEWAY.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIYvYPlsAAN4A84sAAAAL"
    2019:11:02-00:32:33 sukafun-utm httpd: id="0299" srcip="49.196.9.220" localip="139.xxx.62.91" size="1293" user="-" host="49.196.9.220" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="252065" url="/RDWeb" server="GATEWAY.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbxeIYvYPlsAAN4A84wAAAAO"

  • If anyone still reading...still can't get my Andriod RDP working using Remote Desktop Manager app.

  • Consider your threat profile.   

    • The most important requirement is to ensure that only the right people are getting in.   This means that 2-factor authentication is critical.   Adding in country blocking or some other form of IP filtering would be an extra measure of protection.
         
    • If the wrong people can log in, the consequences of what they do from the desktop session are much more worrisome than what they might try to push through the http-rdp protocol combination.

    • Even if an authorized person decides to attack your environment, he is going to do it from the RDP session.

    • So the final risk is malware on the remote device that somehow attacks after the authorized user gets his session established.  If such malware is present, what are the chances that your proposed WAF configuration will detect it?   Seems pretty low to me.   I think it requires a nation-state level of sophistication, and if you are up against that type of attack, UTM content filtering is probably not the solution.

    Assuming that you have 2-factor authentication in place, I predict that you could run this WAF in monitor mode forever, and you will only see false positives in the logs.

  • Hi Douglas,

     

    Thanks a lot for the golden tips.


    I totally agree with you that WAF won't give you 100% protection against malware coming from users' computers. At my work environment I'm using Citrix NetScaler to publish RDS farm which is used by thousands of users and we know that our biggest threat is infected computers that get connected to our RDS. 


    Of course there are some security measurements that can be followed to minimize the threat just as disabling remote computer devices redirection, keeping servers up to date, installing smart antivirus on all servers, etc.


    In my situation I have Home Sophos and my home RDS so my best is to use 2FA and apply country filtering as you mentioned. I've been using DNAT and I don't like but it was easier than Sophos WAF which I always wanted to configure for my RDS and I'm almost have it configured just trying to get my Andriod RDP working. It's very strange to me how Sophos doesn't have a solution for RDG 2012 and beyond! This's the main reason I've been lacking configuring WAF.

     

    Cheers
    Mo

  • Hello!

     

    Could you Confirm, that you can Connect with the Windows 10 mstsc Application?

    I'm not able to get this Method working.

    When i add the following url Hardening entries:

    /remoteDesktopGateway
    /remoteDesktopGateway/
    /RemoteDesktopGateway/*

    The ios App starts working. All otherc Settings are like posted here.

    But when the ios App works, the Windows Application is not able to connect anymore. When i remove the three entries, it seems like the Windows App does a fallback and works, but no ios.

    Here are the Logs from a Connect from a Windows PC with the three Lines for ios Enabled:

    2019:12:05-15:42:06 firewall-1 httpd[10319]: [security2:error] [pid 10319:tid 3793615728] [client xxx] [client xxx] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxx"] [uri "/KdcProxy"] [unique_id "XekXPsqN6R7tt0QAERousgAAASI"]
    2019:12:05-15:42:06 firewall-1 httpd: id="0299" srcip="xxx" localip="xxx" size="326" user="-" host="xxx" method="POST" statuscode="503" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="18002" url="/KdcProxy" server="xxx" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XekXPsqN6R7tt0QAERousgAAASI"
    2019:12:05-15:42:06 firewall-1 httpd[9269]: [security2:error] [pid 9269:tid 3944684400] [client xxx] [client xxx] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxx"] [uri "/remoteDesktopGateway/"] [unique_id "XekXPuhiMOIVS1sKWorgdQAAAN4"]
    2019:12:05-15:42:06 firewall-1 httpd: id="0299" srcip="xxx" localip="xxx" size="0" user="-" host="xxx" method="RDG_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="41515" url="/remoteDesktopGateway/" server="xxx" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="wss" websocket_protocol="-" websocket_key="Xa85jx815fXAL8nwDBuuDQ==" websocket_version="13" uid="XekXPuhiMOIVS1sKWorgdQAAAN4"
     
    On the RDG Server i get a Error 312 Microsoft-Windows-TerminalServices-Gateway/Operational
     
    When i disable the three Lines in the url hardening Section, the Connect works from Windows but not from ios.
    Another Thread here says - that's what i can confirm:
     
    What happens here is that first the RD Client will try to reach RD Gateway using the /remoteDesktopGateway/ path. If allowed access, using that path will activate RDG_IN_DATA and RDG_OUT_DATA protocol, that won't work with WAF and Outlook Anywhere, because it's a different protocol than RPC over HTTPS. Since in the recommended configuration /remoteDesktopGateway/ is not allowed by URL Hardening, the client will fallback to RPC over HTTPS (hence rpcproxy.dll) and it will just work.
     
    Could please anyone confirm the RDG_OUT_DATA Protocol works with the UTM?
  • Hi Andreas,

     

    I had the same issue I think and ended up putting the firewall profile on monitor mode which isn't good anyway but I gave up trying to get my IOS working. Everything was working except IOS with these URLs: 

    /remoteDesktopGateway
    /remoteDesktopGateway/
    /RemoteDesktopGateway/*

  • I tried your soloution, but it doesn't work. When /remoteDesktopGateway is accessible, i can't connect with Windows.

    Now i have 2 WAF Profiles with different subdomains - one for ios (with the three exceptions available) and one without them.

    The first is useable with IOS, the Second with Windows.

    Can you use both Methods with one Profile? If yes, could you give me more Information about your Config?

    Does anyone know, if the MacOS Client works the same way as the Windows Client or the IOS Client?

  • Do you have these entries in skip filter rules:

    Also how about