

Remote Desktop Gateway 2019 not working with WAF

Hi,

For a few days now I'm struggling with getting my 2019 RDG to work behind my Sophos UTM WAF. I've tried multiple configurations found on the internet, but I'm still unable to connect to my RD Gateway 2019. After entering my credentials I receive the message that the RD Gateway is not reachable.

The WAF logfile lines generated during the login process are:

2022:12:27-10:40:55 firewall httpd[11576]: [security2:error] [pid 11576:tid 3992910656] [client 185.76.168.73:49205] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/KdcProxy"] [unique_id "Y6q9p9o8iLu3YiutOnVFggAAABA"]
2022:12:27-10:40:55 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="196" user="-" host="185.76.168.73" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="435" url="/KdcProxy" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9p9o8iLu3YiutOnVFggAAABA"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3992910656] [client 185.76.168.73:49205] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/KdcProxy"] [unique_id "Y6q9qNo8iLu3YiutOnVFgwAAABA"]
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="196" user="-" host="185.76.168.73" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="270" url="/KdcProxy" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFgwAAABA"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3992910656] [client 185.76.168.73:49205] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/KdcProxy"] [unique_id "Y6q9qNo8iLu3YiutOnVFhAAAABA"]
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="196" user="-" host="185.76.168.73" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="206" url="/KdcProxy" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFhAAAABA"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 4001303360] [client 185.76.168.73:49204] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/remoteDesktopGateway/"] [unique_id "Y6q9qNo8iLu3YiutOnVFhQAAAA8"]
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 4001303360] [client 185.76.168.73:49204] AH00135: Invalid method in request RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="211" user="-" host="185.76.168.73" method="RDG_OUT_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="443" url="/remoteDesktopGateway/" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="E0sgl0UU8EPWaL847Oi2UA==" websocket_version="13" uid="Y6q9qNo8iLu3YiutOnVFhQAAAA8"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3984517952] [client 185.76.168.73:49206] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/rpc/rpcproxy.dll"] [unique_id "Y6q9qNo8iLu3YiutOnVFhgAAABE"]
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 3984517952] [client 185.76.168.73:49206] AH00135: Invalid method in request RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="210" user="-" host="185.76.168.73" method="RPC_IN_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="413" url="/rpc/rpcproxy.dll" server="gateway.domain.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFhgAAABE"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3959339840] [client 185.76.168.73:49209] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/rpc/rpcproxy.dll"] [unique_id "Y6q9qNo8iLu3YiutOnVFhwAAABQ"]
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 3959339840] [client 185.76.168.73:49209] AH00135: Invalid method in request RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="211" user="-" host="185.76.168.73" method="RPC_OUT_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="358" url="/rpc/rpcproxy.dll" server="gateway.domain.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFhwAAABQ"

rdg.domain.com is the hostname of my RDG server.

gateway.domain.com is the external gateway DNS name pointing to the external IP of my Sophos UTM.

The message I get after entering my credentials is

The WAF configuration I set up is identical to JACK1976's post in this thread:

https://community.sophos.com/utm-firewall/f/general-discussion/116289/remote-desktop-gateway-2019-won-t-work-with-sophos-utm-waf/419337

The UTM firmware I'm running is 9.713-19.

I hope somebody can help me fix this issue.
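The log excerpt above is what a practitioner would want to triage first: the Apache core behind the UTM WAF answers AH00135 "Invalid method in request" and status 501 to the RD Gateway transport methods (RDG_OUT_DATA, RPC_IN_DATA, RPC_OUT_DATA), while the POST to /KdcProxy gets a 404. The following helper, an added example that is not part of the original post and not Sophos or Microsoft code, parses both line types of this log format and pulls out exactly those rejected requests so they can be counted and correlated by client. The sample log is constructed (RFC 5737 addresses, example.com names) and modelled on the lines quoted in the post; the function and constant names are this example's own.

```python
"""Triage helper for Sophos UTM WAF (Apache httpd) logs.

Finds RD Gateway transport requests that the reverse proxy itself
rejected with 501 Not Implemented, i.e. that never reached the gateway.
Added example; the log lines below are constructed, not taken from a
live system, and all names here are this example's own assumptions.
"""
import re
from collections import Counter

# HTTP methods the RD Gateway client uses for its two transports: the
# RDG_* pair for the HTTP transport and the RPC_* pair for RPC over HTTP
# via /rpc/rpcproxy.dll. None of them is a registered HTTP method, so a
# proxy that only accepts the standard methods answers 501.
RDG_TRANSPORT_METHODS = {"RDG_IN_DATA", "RDG_OUT_DATA", "RPC_IN_DATA", "RPC_OUT_DATA"}

# Constructed sample in the two formats seen in the post: id="0299" access
# records and Apache core AH00135 error lines.
SAMPLE_LOG = """\
2022:12:27-10:40:55 firewall httpd: id="0299" srcip="203.0.113.10" localip="198.51.100.5" size="196" user="-" host="203.0.113.10" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening" time="435" url="/KdcProxy" server="gateway.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_key="-" uid="u0001"
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 4001303360] [client 203.0.113.10:49204] AH00135: Invalid method in request RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="203.0.113.10" localip="198.51.100.5" size="211" user="-" host="203.0.113.10" method="RDG_OUT_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening" time="443" url="/remoteDesktopGateway/" server="gateway.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_key="E0sgl0UU8EPWaL847Oi2UA==" uid="u0002"
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 3984517952] [client 203.0.113.10:49206] AH00135: Invalid method in request RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="203.0.113.10" localip="198.51.100.5" size="210" user="-" host="203.0.113.10" method="RPC_IN_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening" time="413" url="/rpc/rpcproxy.dll" server="gateway.example.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_key="-" uid="u0003"
"""

# key="value" pairs as written by the UTM WAF access log (keys may contain '-').
_KV_RE = re.compile(r'([A-Za-z_-]+)="([^"]*)"')
# Apache core error for a request line whose method it does not recognise.
_AH00135_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH00135: Invalid method in request "
    r"(?P<method>\S+) (?P<target>\S+) HTTP/"
)


def parse_access_line(line):
    """Return the fields of an id="0299" access record as a dict, else None."""
    fields = dict(_KV_RE.findall(line))
    return fields if fields.get("id") == "0299" else None


def parse_error_line(line):
    """Return (client, method, target) for an AH00135 error line, else None."""
    m = _AH00135_RE.search(line)
    return (m["client"], m["method"], m["target"]) if m else None


def rejected_rdg_requests(log_text):
    """Access records with an RD Gateway transport method and status 501.

    These are requests the WAF answered itself (Not Implemented); the
    gateway behind it never saw them.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec.get("method") in RDG_TRANSPORT_METHODS and rec.get("statuscode") == "501":
            hits.append({k: rec.get(k, "") for k in
                         ("srcip", "method", "url", "query", "statuscode", "uid")})
    return hits


def invalid_method_errors(log_text):
    """All AH00135 events as (client, method, target) tuples, in log order."""
    return [e for e in map(parse_error_line, log_text.splitlines()) if e]


def method_status_summary(log_text):
    """Counter of (method, statuscode) over every access record."""
    summary = Counter()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec:
            summary[(rec.get("method", "-"), rec.get("statuscode", "-"))] += 1
    return summary


if __name__ == "__main__":
    for hit in rejected_rdg_requests(SAMPLE_LOG):
        print(f'{hit["srcip"]} {hit["method"]} {hit["url"]}{hit["query"]} -> {hit["statuscode"]} (uid {hit["uid"]})')
    for client, method, target in invalid_method_errors(SAMPLE_LOG):
        print(f"AH00135 from {client}: {method} {target}")
    print(dict(method_status_summary(SAMPLE_LOG)))
```

Run it against a real `/var/log/reverseproxy.log` excerpt instead of SAMPLE_LOG to get the same three views: which RDG methods the proxy is refusing, the matching Apache core errors, and a method/status histogram that separates the 501s (proxy refused the method) from the 404 on /KdcProxy (request was forwarded and answered). If the 501 rows disappear after a configuration change while the RDG_* and RPC_* methods still show up with 2xx, the proxy is passing the transport through.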



This thread was automatically locked due to age.