Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 4763 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF & 2012r2 RDG issue

Louis-M

Real strange issue with WAF.

Using a DNAT to our RDG server works without issue. Change it to WAF (no profile) and we can't get it to go and we end up with this in the logs:

2018:09:11-19:18:03 gw01-2 httpd: id="0299" srcip="XXX.XXX.XXX.XXX" localip="YYY.YYY.YYY.YYY" size="13" user="-" host="XXX.XXX.XXX.XXX" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="14330" url="/rpc/rpcproxy.dll" server="remote.mydomain.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W5gG2la8xLYAAFfUEsgAAAAG"
2018:09:11-19:18:03 gw01-2 httpd: id="0299" srcip="XXX.XXX.XXX.XXX" localip="YYY.YYY.YYY.YYY" size="13" user="-" host="XXX.XXX.XXX.XXX" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="14463" url="/rpc/rpcproxy.dll" server="remote.mydomain.com" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="W5gG21a8xLYAAFfUEsoAAAAH"
2018:09:11-19:18:23 gw01-2 httpd[22484]: [proxy_http:error] [pid 22484:tid 4079676272] (70007)The timeout specified has expired: [client XXX.XXX.XXX.XXX:32850] AH01095: prefetch request body failed to 10.1.28.175:443 (10.1.28.175) from XXX.XXX.XXX.XXX ()

 

Any idea? It works if we go to /RDWeb so the certificates etc are all fine. It's just the full RDP that doesn't work with WAF but is fine with DNAT.



This thread was automatically locked due to age.
  • 0

    Louis, does Giovani's solution work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Came back to this with a fresh head as it was doing my nut in.

    To cut a long story short, this was what was showing up in the logs:

    2018:11:12-20:16:15 gw03-1 httpd[20854]: [proxy_msrpc:error] [pid 20854:tid 4103662448] (70007)The timeout specified has expired: [client xxxxxxx:55654] RPC_OUT_DATA: failed to read request body - ap_get_brigade
     
    And the issue was...... The Common Threats Filter!
     
    Now, you would think the logs would show that ie warning - pattern match xxxxxx filter. But no, nothing was registering as it did when I enabled the common threats filter and made an exception for each error as you normally do to tighten things down.
     
    Long story short and moral of the story - strip the config right back to basics and start again and don't believe what it's showing/not showing you.
Unfiltered HTML