RDG through UTM not Using HTTP and UDP, only RPC-HTTP

Hello everyone!

We have a newly deployed Remote Desktop Gateway Server (on Windows Server 2019) installed in our environment, and I was successfully able to publish it through our UTM 9 WAF.

Unfortunately, by doing this I am only able to get RPC-HTTP connections through it to our destination computers behind this RDG. As far as I know, the (Simple) HTTP transport is the much newer and faster protocol for RDG, but it's always doing a fallback to RPC-HTTP.

Even the RDG itself mentions this in the event viewer:

If I circumvent the UTM, HTTP is working and even UDP (more on that later). There is no problem on the RDG itself.

Now the funny part: If I scrap the WAF and just use a NAT rule, HTTP works, but UDP doesn't. And I would really like to use UDP because of its performance benefits!

That is very strange to me, as I don't get why the UTM isn't letting UDP 3391 through via NAT. I can even see it in the logs.

(I use a DNAT from 4443 to 443 just for testing).

Here are my settings:
WAF:

(no exceptions)

NAT:

Any suggestions what might be wrong?

Ideally, I would like to use the WAF for HTTP and an additional NAT rule for UDP. If that won't work, I think I could live with 2 NAT rules. But as UDP is the best way for performance, the NAT rules would only be worth it with UDP.

Thanks a lot in advance!

Best regards,

Markus

  • Hello Markus,

    Port 4443 is reserved in UTM for SUM.  What happens if you switch to 8443?

    Also, see #5 in Rulz (last updated 2021-02-16).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    thanks for the fast reply!

    I tried your suggestions, but unfortunately that did not change anything. I changed the TCP port to 8443. WAF still only lets me use RPC-HTTP.

    And with NAT I see no change. Now 8443 is HTTP, but UDP isn't coming through. It still shows up in the firewall logs but not in the RDG.

    I changed the UDP NAT rule according to Rule 5. No difference.

    Any other suggestions?

    By the way - although UDP isn't going through, I still see quite a performance boost when I use HTTP with NAT instead of RPC-HTTP. So I am starting to think about sticking with NAT anyway - or is it a major security risk to not use the WAF?

    Thanks

    Markus