
Remote Desktop Gateway 2019 WON'T work with Sophos UTM WAF

Hi Guys,
So I have been reading/trying many things to get RDG to work with Sophos UTM WAF. I tried all possible combinations that I can think of; however, no luck. I know Sophos doesn't support RDG beyond 2008, but I saw other people's posts that they successfully got it to work. I have followed their steps but still no luck. If I use DNAT it works perfectly fine, but I don't want to use DNAT for security reasons.

So far I'm able to get to the portal, but when I try to launch a RemoteApp or use the Remote Desktop Gateway service it won't find the gateway server, and I can see some errors in the logs which I couldn't figure out how to fix.


What I have setup in the firewall profile:

- Mode: Reject
- Static URL hardening with these entries: /rpc - /rdweb - /RDWeb - /rpcWithCert - /rpc/rpcproxy.dll?localhost:3388 (I tried with "*" as well)
- Pass Outlook Anywhere enabled

In the firewall profile exceptions: 

- Static URL hardening with these entries: /rpc* - /rdweb* - /RDWeb* - /rpcWithCert*


I also tried adding /remoteDesktopGateway in both. Pass host header is enabled in the virtual server. These are the errors I see in WAF logs:

2019:11:01-00:01:52 sukafun-utm httpd[47818]: [url_hardening:error] [pid 47818:tid 4085513072] [client 49.196.174.232:36278] No signature found, URI: https://GATEWAY.MYDOMAIN.com/ remoteDesktopGateway/


2019:11:01-00:01:52 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="230" user="-" host="49.196.174.232" method="RDG_OUT_DATA" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="640" url="/remoteDesktopGateway/" server="GATEWAY.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="SQbVmEwoeogs4R/P96wrOg==" websocket_version="13" uid="XbsFcIvYPlsAALrKAZsAAAAF"
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="13" user="-" host="49.196.174.232" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="26890" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZwAAAAJ"
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="13" user="-" host="49.196.174.232" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="25989" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZ4AAAAH"
2019:11:01-00:01:53 sukafun-utm httpd[47818]: [proxy_msrpc:error] [pid 47818:tid 4068727664] [client 49.196.174.232:36281] RPC_OUT_DATA: server 192.168.1.66:443 (GATEWAY.MYDOMAIN.com) did not accept initial PDU (HTTP status code 302)
2019:11:01-00:01:53 sukafun-utm httpd[47818]: [proxy_msrpc:error] [pid 47818:tid 4051942256] [client 49.196.174.232:36280] RPC_IN_DATA: Failed to sync Outlook Session 5a1ad305-aa9e-dd91-f2be-3de5b769d9fe: 2
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="155" user="-" host="49.196.174.232" method="RPC_OUT_DATA" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="10175" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZ8AAAAH"
2019:11:01-00:01:53 sukafun-utm httpd[47818]: [proxy_msrpc:error] [pid 47818:tid 4051942256] [client 49.196.174.232:36280] RPC_IN_DATA: The registered Outlook Session 5a1ad305-aa9e-dd91-f2be-3de5b769d9fe is in unexpected state 'BROKEN'
2019:11:01-00:01:53 sukafun-utm httpd: id="0299" srcip="49.196.174.232" localip="139.xxx.62.91" size="0" user="-" host="49.196.174.232" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="396921" url="/rpc/rpcproxy.dll" server="GATEWAY.MYDOMAIN.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbsFcYvYPlsAALrKAZ0AAAAJ"

I'd appreciate it if anyone can help me with this one.

Cheers
Mo

  • Hi Douglas,
    Thanks a lot for the golden tips.


    I totally agree with you that WAF won't give you 100% protection against malware coming from users' computers. In my work environment I'm using Citrix NetScaler to publish an RDS farm which is used by thousands of users, and we know that our biggest threat is infected computers that get connected to our RDS.


    Of course there are some security measures that can be followed to minimize the threat, such as disabling remote computer device redirection, keeping servers up to date, installing smart antivirus on all servers, etc.


    In my situation I have Home Sophos and my home RDS, so my best option is to use 2FA and apply country filtering as you mentioned. I've been using DNAT and I don't like it, but it was easier than Sophos WAF, which I always wanted to configure for my RDS, and I almost have it configured; I'm just trying to get my Android RDP working. It's very strange to me how Sophos doesn't have a solution for RDG 2012 and beyond! This is the main reason I've been slacking on configuring WAF.

    Cheers
    Mo

  • Hello!

    Could you confirm that you can connect with the Windows 10 mstsc application?

    I'm not able to get this method working.

    When I add the following URL hardening entries:

    /remoteDesktopGateway
    /remoteDesktopGateway/
    /RemoteDesktopGateway/*

    The iOS app starts working. All other settings are as posted here.

    But when the iOS app works, the Windows application is not able to connect anymore. When I remove the three entries, it seems like the Windows app does a fallback and works, but iOS doesn't.

    Here are the logs from a connect from a Windows PC with the three lines for iOS enabled:

    2019:12:05-15:42:06 firewall-1 httpd[10319]: [security2:error] [pid 10319:tid 3793615728] [client xxx] [client xxx] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxx"] [uri "/KdcProxy"] [unique_id "XekXPsqN6R7tt0QAERousgAAASI"]
    2019:12:05-15:42:06 firewall-1 httpd: id="0299" srcip="xxx" localip="xxx" size="326" user="-" host="xxx" method="POST" statuscode="503" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="18002" url="/KdcProxy" server="xxx" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XekXPsqN6R7tt0QAERousgAAASI"
    2019:12:05-15:42:06 firewall-1 httpd[9269]: [security2:error] [pid 9269:tid 3944684400] [client xxx] [client xxx] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxx"] [uri "/remoteDesktopGateway/"] [unique_id "XekXPuhiMOIVS1sKWorgdQAAAN4"]
    2019:12:05-15:42:06 firewall-1 httpd: id="0299" srcip="xxx" localip="xxx" size="0" user="-" host="xxx" method="RDG_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="41515" url="/remoteDesktopGateway/" server="xxx" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="wss" websocket_protocol="-" websocket_key="Xa85jx815fXAL8nwDBuuDQ==" websocket_version="13" uid="XekXPuhiMOIVS1sKWorgdQAAAN4"

    On the RDG server I get an Error 312 in Microsoft-Windows-TerminalServices-Gateway/Operational.

    When I disable the three lines in the URL hardening section, the connect works from Windows but not from iOS.
    Another thread here says the following, which is what I can confirm:

    What happens here is that first the RD Client will try to reach RD Gateway using the /remoteDesktopGateway/ path. If allowed access, using that path will activate RDG_IN_DATA and RDG_OUT_DATA protocol, that won't work with WAF and Outlook Anywhere, because it's a different protocol than RPC over HTTPS. Since in the recommended configuration /remoteDesktopGateway/ is not allowed by URL Hardening, the client will fallback to RPC over HTTPS (hence rpcproxy.dll) and it will just work.

    Could anyone please confirm that the RDG_OUT_DATA protocol works with the UTM?
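As an added illustration (not from this thread and not Sophos' own code), the following script parses UTM WAF `id="0299"` access-log lines of the kind quoted in this thread and labels each request by the RD Gateway transport the client tried (RDG_* over the `/remoteDesktopGateway/` websocket path versus RPC over HTTPS via `rpcproxy.dll`) and whether URL hardening blocked it, so the fallback described in the quoted text can be seen directly in the logs. The sample lines, hostnames and addresses are constructed placeholders modelled on the format above.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the UTM WAF id="0299" access-log format
# quoted in this thread (addresses, hostnames and uids are placeholders).
SAMPLE_LOG = """\
2019:11:01-00:01:52 utm httpd: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="230" user="-" host="198.51.100.10" method="RDG_OUT_DATA" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="640" url="/remoteDesktopGateway/" server="gw.example.test" port="443" query="" websocket_scheme="-" websocket_version="13" uid="A1"
2019:11:01-00:01:53 utm httpd: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="13" user="-" host="198.51.100.10" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="26890" url="/rpc/rpcproxy.dll" server="gw.example.test" port="443" query="?localhost:3388" uid="A2"
2019:11:01-00:01:53 utm httpd: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="155" user="-" host="198.51.100.10" method="RPC_OUT_DATA" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="10175" url="/rpc/rpcproxy.dll" server="gw.example.test" port="443" query="?localhost:3388" uid="A3"
2019:12:05-15:42:06 utm httpd: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="0" user="-" host="198.51.100.10" method="RDG_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening, SkipThreatsFilter" time="41515" url="/remoteDesktopGateway/" server="gw.example.test" port="443" query="" websocket_scheme="wss" websocket_version="13" uid="A4"
"""

KV_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')  # matches key="value" pairs, incl. set-cookie

def parse_waf_line(line):
    """Return the key="value" fields of one UTM WAF access-log line as a dict."""
    return dict(KV_RE.findall(line))

def classify(fields):
    """Label the RD Gateway transport a request used and what the WAF did with it."""
    method = fields.get("method", "")
    if method.startswith("RDG_"):
        transport = "rdg-http"        # newer RD Gateway HTTP transport (/remoteDesktopGateway/, websocket)
    elif method.startswith("RPC_"):
        transport = "rpc-over-https"  # legacy RPC over HTTPS via /rpc/rpcproxy.dll
    else:
        transport = "other"
    blocked = fields.get("reason") == "url hardening"
    exceptions = [e.strip() for e in fields.get("exceptions", "-").split(",") if e.strip() != "-"]
    return {"transport": transport, "status": fields.get("statuscode"), "url": fields.get("url"),
            "blocked_by_url_hardening": blocked, "exceptions": exceptions}

def summarize(log_text):
    """Parse every id=0299 line; count transport tried and whether URL hardening blocked it."""
    rows = [classify(parse_waf_line(l)) for l in log_text.splitlines() if 'id="0299"' in l]
    counts = Counter((r["transport"], r["blocked_by_url_hardening"]) for r in rows)
    return rows, counts

if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_LOG)
    for r in rows:
        print(r)
    print(dict(counts))
```

Run it against a real export of the WAF log to see whether a given client ever gets past the `/remoteDesktopGateway/` 403 and which exception set was in effect when it did.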
  • Hi Andreas,

    I had the same issue, I think, and ended up putting the firewall profile on monitor mode, which isn't good anyway, but I gave up trying to get my iOS working. Everything was working except iOS with these URLs:

    /remoteDesktopGateway
    /remoteDesktopGateway/
    /RemoteDesktopGateway/*

  • I tried your solution, but it doesn't work. When /remoteDesktopGateway is accessible, I can't connect with Windows.

    Now I have 2 WAF profiles with different subdomains: one for iOS (with the three exceptions available) and one without them.

    The first is usable with iOS, the second with Windows.

    Can you use both methods with one profile? If yes, could you give me more information about your config?

    Does anyone know if the macOS client works the same way as the Windows client or the iOS client?

  • Do you have these entries in skip filter rules:

    Also how about

  • Hi JAC1976, thanks for this info. I can confirm that this works for me as well for RD Gateway 2016.

    One query I do have, however: in your firewall exception you are skipping everything for valid URLs. Was that required, or did you just decide to tick them all to see if it would work? I'm intending to do some further testing with these options anyway, but thought I'd ask.

  • Hi JAC1976,

    You saved my day, these 2 settings did it :)

    Thank you.