Hello everyone,
I'm new here, but I hope someone can give me a few tips.
It's about RD Gateway and UTM9.
The environment
SRV-01 Windows Server 2022 Std. Services: Broker, Gateway, Licensing, Web Access including Web Client (added via PowerShell)
TS-01 Windows Server 2022 Std. Services: the terminal server itself, where apps are published as a collection.
Firewall: UTM9 cluster with firmware 9.712-13
The environment itself works flawlessly. When I publish it via DNAT, it works without a hitch.
Now I want to present this environment via WAF, which I consider the correct approach.
As the basis for the configuration I used this topic:
Remote Desktop Gateway 2019 WON'T work with Sophos UTM WAF
It worked perfectly. I can log in and see the apps.
Then, when I try to start an app, I get this:
I'm 99% sure the problem is with the reference to TS-01. I need to configure that somewhere, but unfortunately I don't know what or where.
Here are the WAF logs from the "click" on the app:
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at REQUEST_COOKIES:TSWAAuthClientSideCookie. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: e=e found within REQUEST_COOKIES:TSWAAuthClientSideCookie: Name=entra%5Ctest01&MachineType=public&WorkSpaceID="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [tag] [tag] [tag] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at REQUEST_COOKIES:TSWAAuthClientSideCookie. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: e=e found within REQUEST_COOKIES:TSWAAuthClientSideCookie: Name=entra\\x5ctest01&MachineType=public&WorkSpaceID="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [tag] [tag] [tag] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:CorId. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:CorId: {398c3c8b-a10a-4149-bff5-d3d97fc70000}"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:ConId. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:ConId: {67f5685d-1678-426a-81c6-cf06bb2121df}"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Rule 93efe38 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960015-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=12, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Last Matched Data: 0"] [hostname "xxxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3815803760] [client 82.207.253.143:5017] [client 82.207.253.143] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 18, SQLi=12, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "xxxx-rd.xxxx.de"] [uri "/remoteDesktopGateway"] [unique_id "Y2vtvUL3hJQySpqUPlu2xQAAAFc"]
2022:11:09-19:13:17 sophos-1 httpd: id="0299" srcip="82.207.253.143" localip="xx.xx.163.149" size="199" user="-" host="82.207.253.143" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=12, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" exceptions="-" time="126549" url="/remoteDesktopGateway" server="xxxxx-rd.xxxx.de" port="443" query="?CorId=%7B398c3c8b-a10a-4149-bff5-d3d97fc70000%7D&ConId=%7B67f5685d-1678-426a-81c6-cf06bb2121df%7D&ClGen=HTML%3D1&ClBld=Type%3DRdClient%3B%20Build%3Dprivate&AuthS=SSPI_NTLM" referer="-" cookie="MicrosoftApplicationsTelemetryDeviceId=8b47311e-b41d-40c2-a475-e9c090e20e30; HASH_TSWAAuthClientSideCookie=8BE176F6F7585B754BD261A997A8C275F6D5C391; HASH_TSWAAuthHttpOnlyCookie=89C8E6B776D89EFC88A1BD9FFF31234BE0F6D74B; MSFPC=GUID=a92e2fe7c14947bc84c9343e350d2720&HASH=a92e&LV=202211&V=4&LU=1667986051946; TSWAAuthClientSideCookie=Name=entra%5Ctest01&MachineType=public&WorkSpaceID=; TSWAAuthHttpOnlyC
2022:11:09-19:13:23 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3866159984] [client 82.207.253.143:5038] [client 82.207.253.143] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxxx-rd.xxxx.de"] [uri "/RDWeb/Pages/en-US/LogOff.aspx"] [unique_id "Y2vtw0L3hJQySpqUPlu2ygAAAFE"], referer: xxxx-rd.xxxx.de/.../default.aspx
2022:11:09-19:13:23 sophos-1 httpd: id="0299" srcip="82.207.253.143" localip="xx.xx.163.149" size="136" user="-" host="82.207.253.143" method="GET" statuscode="302" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="48386" url="/RDWeb/Pages/en-US/LogOff.aspx" server="xxxx-rd.xxxx.de" port="443" query="" referer="">xxxx-rd.xxxx.de/.../default.aspx" cookie="TSWAFeatureCheckCookie=true; HASH_TSWAFeatureCheckCookie=2EADBE26C6D98AE0E44F2FA6993C6F1D48E076A0; MicrosoftApplicationsTelemetryDeviceId=8b47311e-b41d-40c2-a475-e9c090e20e30; HASH_TSWAAuthClientSideCookie=8BE176F6F7585B754BD261A997A8C275F6D5C391; HASH_TSWAAuthHttpOnlyCookie=89C8E6B776D89EFC88A1BD9FFF31234BE0F6D74B; MSFPC=GUID=a92e2fe7c14947bc84c9343e350d2720&HASH=a92e&LV=202211&V=4&LU=1667986051946; TSWAAuthClientSideCookie=Name=entra%5Ctest01&MachineType=public&WorkSpaceID=; TSWAAuthHttpOnlyCookie=C472BABF76FC7B5CA38731826AAE191AF4D2F9A845499551CE09B2B43127E76C167E
2022:11:09-19:13:23 sophos-1 httpd[1084]: [security2:error] [pid 1084:tid 3866159984] [client 82.207.253.143:5038] [client 82.207.253.143] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "xxxx-rd.xxxx.de"] [uri "/RDWeb/Pages/en-US/login.aspx"] [unique_id "Y2vtw0L3hJQySpqUPlu2ywAAAFE"], referer: xxxx-rd.xxxx.de/.../default.aspx
2022:11:09-19:13:23 sophos-1 httpd: id="0299" srcip="82.207.253.143" localip="xx.xx.163.149" size="2719" user="-" host="82.207.253.143" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipAntiVirus, SkipURLHardening, SkipFormHardeningMissingToken, SkipThreatsFilter" time="167149" url="/RDWeb/Pages/en-US/login.aspx" server="xxxx-rd.xxxx.de" port="443" query="" referer="">xxxx-rd.xxxx.de/.../default.aspx" cookie="TSWAFeatureCheckCookie=true; HASH_TSWAFeatureCheckCookie=2EADBE26C6D98AE0E44F2FA6993C6F1D48E076A0; MicrosoftApplicationsTelemetryDeviceId=8b47311e-b41d-40c2-a475-e9c090e20e30; HASH_TSWAAuthClientSideCookie=8BE176F6F7585B754BD261A997A8C275F6D5C391; HASH_TSWAAuthHttpOnlyCookie=89C8E6B776D89EFC88A1BD9FFF31234BE0F6D74B; MSFPC=GUID=a92e2fe7c14947bc84c9343e350d2720&HASH=a92e&LV=202211&V=4&LU=1667986051946; TSWAAuthClientSideCookie=Name=entra%5Ctest01&MachineType=public&WorkSpaceID=; TSWAAuthHttpOnlyCookie=C472BABF76FC7B5CA38731826AAE191AF4D2F9A845499551CE09B2B43127E76C167ED3EDC2919E3015E43D4B0199080EC3E760
Could someone give me a few tips on what is still missing in my setup?
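As an added example (not from the post, and not Sophos code), a small Python triage script that parses ModSecurity lines in the UTM 9 WAF format shown above, groups them per request (unique_id), and lists which CRS rule ids and variables drove the 403 for a URI; that list is the shortlist to review for a path-scoped skip-rule exception on the WAF rather than disabling SQLi protection globally. The sample lines, client IP, hostname and unique_id values are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the UTM 9 WAF / ModSecurity CRS 2.2.7 format seen in the post;
# client IP, hostname and unique_id values are placeholders, not the real ones.
SAMPLE_LOG = """\
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [client 203.0.113.10:5017] ModSecurity: Warning. Pattern match "(?i:...)" at REQUEST_COOKIES:TSWAAuthClientSideCookie. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: e=e found within REQUEST_COOKIES:TSWAAuthClientSideCookie: Name=entra%5Ctest01"] [severity "CRITICAL"] [hostname "rd.example.test"] [uri "/remoteDesktopGateway"] [unique_id "UID-1"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [client 203.0.113.10:5017] ModSecurity: Warning. Pattern match "([...]){4,}" at ARGS:CorId. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:CorId: {398c3c8b-a10a-4149-bff5-d3d97fc70000}"] [hostname "rd.example.test"] [uri "/remoteDesktopGateway"] [unique_id "UID-1"]
2022:11:09-19:13:17 sophos-1 httpd[1084]: [security2:error] [client 203.0.113.10:5017] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960015-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=12, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert"] [hostname "rd.example.test"] [uri "/remoteDesktopGateway"] [unique_id "UID-1"]
2022:11:09-19:13:23 sophos-1 httpd[1084]: [security2:error] [client 203.0.113.10:5038] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "rd.example.test"] [uri "/RDWeb/Pages/en-US/LogOff.aspx"] [unique_id "UID-2"]
"""

VERDICT_RULES = {"981176", "981204", "900000"}  # blocking / correlation / CRS plumbing: never the rule to whitelist
FIELD = re.compile(r'\[(id|msg|uri|unique_id) "([^"]*)"\]')
TARGET = re.compile(r'\bat ((?:REQUEST_COOKIES|ARGS|REQUEST_HEADERS|TX):[^\s.]+)')
SCORE = re.compile(r'Total (?:Inbound )?Score: (\d+)')

def parse_line(line):
    """Pull the bracketed ModSecurity fields, the matched variable and the verdict out of one line."""
    if "ModSecurity:" not in line:
        return None  # id="0299" access-log lines use a different (key="value") format
    rec = dict(FIELD.findall(line))
    m = TARGET.search(line)
    rec["target"] = m.group(1) if m else None
    rec["denied"] = "Access denied" in line
    m = SCORE.search(rec.get("msg", ""))
    rec["score"] = int(m.group(1)) if m else None
    return rec

def summarize(log_text):
    """Group events per request (unique_id): URI, final verdict, anomaly score and contributing rules."""
    reqs = defaultdict(lambda: {"uri": None, "denied": False, "score": None, "hits": set()})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        r = reqs[rec.get("unique_id", "?")]
        r["uri"] = rec.get("uri")
        if rec.get("id") in VERDICT_RULES:
            r["denied"] = r["denied"] or rec["denied"]
            r["score"] = rec["score"] if rec["score"] is not None else r["score"]
        else:
            r["hits"].add((rec.get("id"), rec["target"]))
    return dict(reqs)

def exception_candidates(log_text):
    """Per blocked URI, the (rule id, variable) pairs that drove the 403: the shortlist to review
    for a path-scoped skip-rule exception on the WAF (here /remoteDesktopGateway)."""
    out = {}
    for r in summarize(log_text).values():
        if r["denied"]:
            out.setdefault(r["uri"], set()).update(r["hits"])
    return out
```

Run it against the real UTM log export instead of SAMPLE_LOG to see, per URI, which rules (the cookie tautology hit and the GUID special-character hits in the post) need a scoped exception.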