This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF: Unable to publish Remote Desktop Gateway 2016

I am running UTM 9.506-2 and RD 2016, but cannot get clients to connect to the RD Gateway
I've tried using the RDG template for Server 2008 but this no longer seems to be compatible.

Followed various walkthru's online to no avail..

A few of the WAF errors:

  • AH01614: client used wrong authentication scheme: /remoteDesktopGateway/  
  • Failed to sync Outlook Session & The registered Outlook Session is in unexpected state 'BROKEN'
  • Errors on RDG_IN_DATA and RDG_OUT_DATA  (401, 503, 502, 503 codes)

Closest I got was greeted with this WEV error message:

  •  "The user user@domain, on client computer "xxx.xxx.xxx.xxx:xxxx", has initiated an outbound connection. This connection may not be authenticated yet."

I have tried following the advice at the end of this article, but it does not seem to work either now

Wondering if there has been a change in how the RDG works in 2016 or if UTM just doesn't support it correctly



This thread was automatically locked due to age.
Parents Reply Children
  • Hi

    What version of Windows server is RDGW?

    What WAF rules are used?

    Martin

  • We're using Windows Server 2016.

    Create your real webserver

    1. Type = https
    2. Port = 443

    Create your Virtual Server

    1. Type = https
    2. Domain = your server FQDN
    3. Real webservers = Your internal server
    4. Advanced = Pass host header

    Create your own WAF filter with:

    1. Static URL hardening:

    /rpc
    /rdweb
    /RDWeb
    /RDweb
    /rpc/rpcproxy.dll?localhost:3388
    /favicon.ico
    /rpcWithCert

    2. Block clients with bad reputation
    3. Pass Outlook anywhere

    Then create an exception for your URL:

    1. Static URL hardening:

    /rpc/*
    /rpcWithCert/*
    /RDWeb/*
    /RDweb/*
    /rdweb/*

    Apply the above filter to the virtual webserver and test. It does work. We have a UTM going to 2 RDGW's (active & failover) which in turn go to 3 connection brokers.

    We also have another UTM at our secondary site doing the same in reverse and we load balance using a failover DNS service as round robin on the outside didn't quite work.
    So we have:
    Internet > SITE A UTM > SITE A RDGW or SITE B RDGW(failover) > 3 CONBKRS > SESSION HOSTS
    Internet > SITE B UTM > SITE B RDGW or SITE A RDGW(failover) > 3 CONBKRS > SESSION HOSTS

    We did have a bit of a job with the "common threats filter"  which seemed to be blocking things but didn't report it in the logs. When we disabled it, everything worked. We did try elimination eg disabling each common threat one at at time but we never got to the bottom of it so we've just left it off for now.

  • Hey Louis,

    I have got UTM 9 and RDG 2019. I followed your steps and my portal works fine however I can't get open RemoteApp. Also I can't get my gateway to work if I wanted to connected to a computer behind it :(

    It works fine if I use DNAT but when i switch to WAF it won't work. 


    This is what I see from the logs:

    2019:10:28-19:26:56 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4102298480] [client 49.196.171.79:48229] [client 49.196.171.79] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/FeedLogin/WebFeedLogin.aspx"] [unique_id "XbbQf4vYPlsAABZoEbAAAAAD"]
    2019:10:28-19:26:57 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4102298480] [client 49.196.171.79:48229] [client 49.196.171.79] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Request Missing a User Agent Header"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/FeedLogin/WebFeedLogin.aspx"] [unique_id "XbbQf4vYPlsAABZoEbAAAAAD"]
    2019:10:28-19:26:57 sukafun-utm httpd: id="0299" srcip="49.196.171.79" localip="139.216.62.91" size="380" user="-" host="49.196.171.79" method="GET" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="1580200" url="/RDWeb/FeedLogin/WebFeedLogin.aspx" server="PORTAL.MYDOMAIN.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbbQf4vYPlsAABZoEbAAAAAD"
    2019:10:28-19:26:58 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4093905776] [client 49.196.171.79:48230] [client 49.196.171.79] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/duo/duo.aspx"] [unique_id "XbbQgYvYPlsAABZoEbEAAAAE"]
    2019:10:28-19:26:58 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4093905776] [client 49.196.171.79:48230] [client 49.196.171.79] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:params. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: | found within ARGS:params: params|ZGVzdD0lMkZSRFdlYiUyRkZlZWRMb2dpbiUyRldlYkZlZWRMb2dpbi5hc3B4JnRpbWVPZmZzZXQ9NzYmdXNlcm5hbWU9c3VrYWZ1biU1Q3N1a2FmdW4=|1572265542|SmkSW2HPmqkD8BiAkIftXtIpdedxvXOnhGR/5OpuXJ0="] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/RDWeb/duo/duo.aspx"] [unique_id "XbbQgYvYPlsAABZoEbEAAAAE"]
    2019:10:28-19:26:58 sukafun-utm httpd: id="0299" srcip="49.196.171.79" localip="139.216.62.91" size="1341" user="-" host="49.196.171.79" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="271670" url="/RDWeb/duo/duo.aspx" server="PORTAL.MYDOMAIN.com" port="443" query="?params=params%7CZGVzdD0lMkZSRFdlYiUyRkZlZWRMb2dpbiUyRldlYkZlZWRMb2dpbi5hc3B4JnRpbWVPZmZzZXQ9NzYmdXNlcm5hbWU9c3VrYWZ1biU1Q3N1a2FmdW4%3D%7C1572265542%7CSmkSW2HPmqkD8BiAkIftXtIpdedxvXOnhGR%2F5OpuXJ0%3D" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XbbQgYvYPlsAABZoEbEAAAAE"
    2019:10:28-19:27:29 sukafun-utm httpd[5736]: [url_hardening:error] [pid 5736:tid 4085513072] [client 49.196.171.79:48232] URI prefix does not match, URI: PORTAL.MYDOMAIN.com:443/.../
    2019:10:28-19:27:29 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4085513072] [client 49.196.171.79:48232] [client 49.196.171.79] ModSecurity: Warning. String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "PORTAL.MYDOMAIN.com"] [uri "/remoteDesktopGateway/"] [unique_id "XbbQoIvYPlsAABZoEbIAAAAF"]
    2019:10:28-19:27:29 sukafun-utm httpd[5736]: [security2:error] [pid 5736:tid 4085513072] [client 49.196.171.79:48232] [client 49.196.171.79] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [hostname "PORTAL.MYDOMAIN.com"] [uri "/remoteDesktopGateway/"] [unique_id "XbbQoIvYPlsAABZoEbIAAAAF"]
    2019:10:28-19:27:29 sukafun-utm httpd: id="0299" srcip="49.196.171.79" localip="139.216.62.91" size="0" user="-" host="49.196.171.79" method="RDG_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="495885" url="/remoteDesktopGateway/" server="PORTAL.MYDOMAIN.com:443" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="WJimkodLX0Wh+S+ZuRJFUw==" websocket_version="13" uid="XbbQoIvYPlsAABZoEbIAAAAF"

     

    I removed my actual domain and replaced it with portal.mydomain.com

    I appreciate your help.

     

    Cheers
    Mo