
Remote Desktop Gateway 2022 with UTM9 does not work

Hello everyone,

I am new here, but I hope someone can give me a few tips.

It is about RD Gateway and UTM9.

The environment

SRV-01 Windows Server 2022 Std. Roles: Broker, Gateway, Licensing, Web Access incl. Web Client (installed additionally via PowerShell)

TS-01 Windows Server 2022 Std. Roles: the terminal server itself, where the apps are published as a collection.

Firewall: UTM9 cluster with firmware 9.712-13

The environment itself works flawlessly. When I publish it via DNAT, it works without any problems.

Now I would like to present this environment via the WAF, which I consider the correct approach.

As the basis for the configuration I used this topic:

Remote Desktop Gateway 2019 WON'T work with Sophos UTM WAF

That worked flawlessly. I can log in and see the apps.

Then, when I try to start an app, I get this:

I am 99% sure that the problem lies in the reference to TS-01. I have to configure that somewhere, but unfortunately I don't know what and where.

Here are the WAF logs from the "click" on the app:

2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at REQUEST_COOKIES:TSWAAuthClientSideCookie. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: e=e found within REQUEST_COOKIES:TSWAAuthClientSideCookie: Name=entra%5Ctest01&MachineType=public&WorkSpaceID="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [tag] [tag] [tag] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at REQUEST_COOKIES:TSWAAuthClientSideCookie. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: e=e found within REQUEST_COOKIES:TSWAAuthClientSideCookie: Name=entra\\x5ctest01&MachineType=public&WorkSpaceID="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [tag] [tag] [tag] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:CorId. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:CorId: {398c3c8b-a10a-4149-bff5-d3d97fc70000}"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:ConId. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:ConId: {67f5685d-1678-426a-81c6-cf06bb2121df}"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Rule 93efe38 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960015-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=12, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Last Matched Data: 0"] [hostname "xxxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 18, SQLi=12, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd: id="0299" srcip="82.207.253.143" localip="xx.xx.163.149" size="199" user="-" host="82.207.253.143" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=12, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" exceptions="-" time="126549" url="/remoteDesktopGateway" server="xxxxx-rd.xxxx.de" port="443" query="?CorId=%7B398c3c8b-a10a-4149-bff5-d3d97fc70000%7D&ConId=%7B67f5685d-1678-426a-81c6-cf06bb2121df%7D&ClGen=HTML%3D1&ClBld=Type%3DRdClient%3B%20Build%3Dprivate&AuthS=SSPI_NTLM" referer="-" cookie="MicrosoftApplicationsTelemetryDeviceId=8b47311e-b41d-40c2-a475-e9c090e20e30; HASH_TSWAAuthClientSideCookie=8BE176F6F7585B754BD261A997A8C275F6D5C391; HASH_TSWAAuthHttpOnlyCookie=89C8E6B776D89EFC88A1BD9FFF31234BE0F6D74B; MSFPC=GUID=a92e2fe7c14947bc84c9343e350d2720&HASH=a92e&LV=202211&V=4&LU=1667986051946; TSWAAuthClientSideCookie=Name=entra%5Ctest01&MachineType=public&WorkSpaceID=; TSWAAuthHttpOnlyC
2022:11:09-19:13:23 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3866159984] [client 82.207.253.143:5038] [client 82.207.253.143] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxxx-rd.xxxx.de"] [uri "/RDWeb/Pages/en-US/LogOff.aspx"] [unique_id "Y2vtw0L3hJQySpqUPlu2ygAAAFE"], referer: xxxx-rd.xxxx.de/.../default.aspx
2022:11:09-19:13:23 sophos-1 httpd: id="0299" srcip="82.207.253.143" localip="xx.xx.163.149" size="136" user="-" host="82.207.253.143" method="GET" statuscode="302" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="48386" url="/RDWeb/Pages/en-US/LogOff.aspx" server="xxxx-rd.xxxx.de" port="443" query="" referer="">xxxx-rd.xxxx.de/.../default.aspx" cookie="TSWAFeatureCheckCookie=true; HASH_TSWAFeatureCheckCookie=2EADBE26C6D98AE0E44F2FA6993C6F1D48E076A0; MicrosoftApplicationsTelemetryDeviceId=8b47311e-b41d-40c2-a475-e9c090e20e30; HASH_TSWAAuthClientSideCookie=8BE176F6F7585B754BD261A997A8C275F6D5C391; HASH_TSWAAuthHttpOnlyCookie=89C8E6B776D89EFC88A1BD9FFF31234BE0F6D74B; MSFPC=GUID=a92e2fe7c14947bc84c9343e350d2720&HASH=a92e&LV=202211&V=4&LU=1667986051946; TSWAAuthClientSideCookie=Name=entra%5Ctest01&MachineType=public&WorkSpaceID=; TSWAAuthHttpOnlyCookie=C472BABF76FC7B5CA38731826AAE191AF4D2F9A845499551CE09B2B43127E76C167E
2022:11:09-19:13:23 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3866159984] [client 82.207.253.143:5038] [client 82.207.253.143] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxxx-rd.xxxx.de"] [uri "/RDWeb/Pages/en-US/login.aspx"] [unique_id "Y2vtw0L3hJQySpqUPlu2ywAAAFE"], referer: xxxx-rd.xxxx.de/.../default.aspx
2022:11:09-19:13:23 sophos-1 httpd: id="0299" srcip="82.207.253.143" localip="xx.xx.163.149" size="2719" user="-" host="82.207.253.143" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="167149" url="/RDWeb/Pages/en-US/login.aspx" server="xxxx-rd.xxxx.de" port="443" query="" referer="">xxxx-rd.xxxx.de/.../default.aspx" cookie="TSWAFeatureCheckCookie=true; HASH_TSWAFeatureCheckCookie=2EADBE26C6D98AE0E44F2FA6993C6F1D48E076A0; MicrosoftApplicationsTelemetryDeviceId=8b47311e-b41d-40c2-a475-e9c090e20e30; HASH_TSWAAuthClientSideCookie=8BE176F6F7585B754BD261A997A8C275F6D5C391; HASH_TSWAAuthHttpOnlyCookie=89C8E6B776D89EFC88A1BD9FFF31234BE0F6D74B; MSFPC=GUID=a92e2fe7c14947bc84c9343e350d2720&HASH=a92e&LV=202211&V=4&LU=1667986051946; TSWAAuthClientSideCookie=Name=entra%5Ctest01&MachineType=public&WorkSpaceID=; TSWAAuthHttpOnlyCookie=C472BABF76FC7B5CA38731826AAE191AF4D2F9A845499551CE09B2B43127E76C167ED3EDC2919E3015E43D4B0199080EC3E760

Could someone give me a few tips on what is still missing in my setup?
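Added example (not code from the post or from Sophos): a small Python parser that reads the ModSecurity lines above, groups them by unique_id and lists which rule ids fired on which request variables before the inbound anomaly score (threshold 5, reached 18) produced the 403. It works on constructed, abridged copies of the log lines from the post; the per-path exception candidates it derives are an analyst's reading of the log, not UTM configuration syntax.

```python
import re
from collections import defaultdict

# Constructed, abridged copies of the lines from the post (match patterns shortened,
# [file]/[line] tags dropped); the ids, targets, data and unique_id are as logged.
SAMPLE_LOG = """\
ModSecurity: Warning. Pattern match "(?i:...)" at REQUEST_COOKIES:TSWAAuthClientSideCookie. [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: e=e found within REQUEST_COOKIES:TSWAAuthClientSideCookie: Name=entra%5Ctest01&MachineType=public&WorkSpaceID="] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
ModSecurity: Warning. Pattern match "([...]*?){4,}" at ARGS:CorId. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:CorId: {398c3c8b-a10a-4149-bff5-d3d97fc70000}"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
ModSecurity: Warning. Pattern match "([...]*?){4,}" at ARGS:ConId. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:ConId: {67f5685d-1678-426a-81c6-cf06bb2121df}"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960015-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-REQUEST_HEADERS. [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=12, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Last Matched Data: 0"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
"""

TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')       # [id "950901"], [msg "..."], ...
TARGET_RE = re.compile(r' at (\S+)\. \[')          # "... at ARGS:CorId. [id ..."
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')

def parse_event(line):
    """One ModSecurity log line -> rule id, matched variable, uri, request id, verdict."""
    tags = dict(TAG_RE.findall(line))
    m = TARGET_RE.search(line)
    return {"id": tags.get("id"), "msg": tags.get("msg", ""), "uri": tags.get("uri"),
            "target": m.group(1) if m else None, "unique_id": tags.get("unique_id"),
            "denied": "Access denied" in line}

def summarize(log_text):
    """Group by request (unique_id): the detections that built the score and the verdict.
    TX:* targets are the scoring/correlation rules themselves, not detections: skip them."""
    reqs = defaultdict(lambda: {"uri": None, "hits": [], "denied": False, "score": None})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        ev = parse_event(line)
        req = reqs[ev["unique_id"]]
        req["uri"] = ev["uri"]
        if ev["denied"]:
            req["denied"] = True
            m = SCORE_RE.search(ev["msg"])
            req["score"] = int(m.group(1)) if m else None
        elif ev["target"] and not ev["target"].startswith("TX:"):
            req["hits"].append((ev["id"], ev["target"]))
    return dict(reqs)

def exception_candidates(summary):
    """(uri, rule id, target) triples behind every 403: what a path-scoped exception
    would have to cover. Here a GUID in ARGS:CorId/ConId and a cookie carrying the
    domain and user name are normal RD Gateway traffic, i.e. false positives."""
    return sorted({(r["uri"], rid, tgt) for r in summary.values() if r["denied"]
                   for rid, tgt in r["hits"]})
```

The result is the input for a WAF exception that skips only those rule ids for /remoteDesktopGateway, which is narrower than switching the whole firewall profile off.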



  • Hello Konstantin,

    you could first select "none" as the firewall profile.

    That would establish whether it works through the WAF at all.

    If it does, the firewall profile can be loaded again and adjusted.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Dirk,

    The state is the same. I can log in, I see the apps, but when starting one I get the same error message.

  • Then at least it is not the WAF rule set.

    Can you determine what exactly is supposed to be called?

    (perhaps capture traffic on the local PC or look through the local DNS cache)

    If it takes a few seconds before the error appears, run netstat -n and see whether "SYN_SENT" appears anywhere


    Dirk
