This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Desktop Gateway 2019 not working with WAF

Hi,

For a few days now i'm struggling with getting my 2019 RDG to work behind my Sophos UTM WAF. I've tried multiple configurations found on the internet, but i'm still unable to connect to my RD Gateway 2019. After entering my credentials i recieve the message that the RD Gateway is not reachable.

The WAF logfile lines generated during the login process are:

2022:12:27-10:40:55 firewall httpd[11576]: [security2:error] [pid 11576:tid 3992910656] [client 185.76.168.73:49205] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/KdcProxy"] [unique_id "Y6q9p9o8iLu3YiutOnVFggAAABA"]
2022:12:27-10:40:55 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="196" user="-" host="185.76.168.73" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="435" url="/KdcProxy" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9p9o8iLu3YiutOnVFggAAABA"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3992910656] [client 185.76.168.73:49205] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/KdcProxy"] [unique_id "Y6q9qNo8iLu3YiutOnVFgwAAABA"]
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="196" user="-" host="185.76.168.73" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="270" url="/KdcProxy" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFgwAAABA"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3992910656] [client 185.76.168.73:49205] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/KdcProxy"] [unique_id "Y6q9qNo8iLu3YiutOnVFhAAAABA"]
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="196" user="-" host="185.76.168.73" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="206" url="/KdcProxy" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFhAAAABA"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 4001303360] [client 185.76.168.73:49204] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/remoteDesktopGateway/"] [unique_id "Y6q9qNo8iLu3YiutOnVFhQAAAA8"]
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 4001303360] [client 185.76.168.73:49204] AH00135: Invalid method in request RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="211" user="-" host="185.76.168.73" method="RDG_OUT_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="443" url="/remoteDesktopGateway/" server="gateway.domain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="E0sgl0UU8EPWaL847Oi2UA==" websocket_version="13" uid="Y6q9qNo8iLu3YiutOnVFhQAAAA8"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3984517952] [client 185.76.168.73:49206] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/rpc/rpcproxy.dll"] [unique_id "Y6q9qNo8iLu3YiutOnVFhgAAABE"]
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 3984517952] [client 185.76.168.73:49206] AH00135: Invalid method in request RPC_IN_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="210" user="-" host="185.76.168.73" method="RPC_IN_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="413" url="/rpc/rpcproxy.dll" server="gateway.domain.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFhgAAABE"
2022:12:27-10:40:56 firewall httpd[11576]: [security2:error] [pid 11576:tid 3959339840] [client 185.76.168.73:49209] [client 185.76.168.73] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rdg.domain.com"] [uri "/rpc/rpcproxy.dll"] [unique_id "Y6q9qNo8iLu3YiutOnVFhwAAABQ"]
2022:12:27-10:40:56 firewall httpd[11576]: [core:error] [pid 11576:tid 3959339840] [client 185.76.168.73:49209] AH00135: Invalid method in request RPC_OUT_DATA /rpc/rpcproxy.dll?localhost:3388 HTTP/1.1
2022:12:27-10:40:56 firewall httpd: id="0299" srcip="185.76.168.73" localip="83.80.157.199" size="211" user="-" host="185.76.168.73" method="RPC_OUT_DATA" statuscode="501" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="358" url="/rpc/rpcproxy.dll" server="gateway.domain.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Y6q9qNo8iLu3YiutOnVFhwAAABQ"

rdg.domain.com is the hostname of my rdg server

gateway.domain.com is the external gateway dns name pointing to my external IP of the Sophos UTM.

The message i get after entering my credentials is

The WAF configuration i configured is identical to JACK1976's post in this thread.

https://community.sophos.com/utm-firewall/f/general-discussion/116289/remote-desktop-gateway-2019-won-t-work-with-sophos-utm-waf/419337

The UTM firmware i'm running is: 9.713-19.

I hope somebody can help me fix this issue.



This thread was automatically locked due to age.
Parents Reply
  • It could be something in your setup that they do not have in their UTM, not just what's been posted there.  Or something was missed, or just mis-typed.  Could be a number of things.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Children
No Data