This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Wse 2012 rwa 443 waf

Hi there,
I've seen a few posts regarding RWA access, however, nothing regarding the Remote Desktop option that it provides.

Here is the issue:

Create a NAT of 443 to Windows Server Essisentials 2012, and the RWA and Remote Desktop works fine as expected.

Disable NAT

Create a WAF link, to the RWA, and that works fine, however the Remote Desktop doesn't.

Am I missing something? I figured Sopho's would be used in these types of small business enviorements, no real documentation regarding how to configure this...

This thread was automatically locked due to age.

0 martin_sh over 12 years ago

Hi 3PNTSTech,
I was looking to configure RWA with my Win Server 2012 essentials and I came across your post. Remote Web Access worked fine when I had a simple router. I replaced the router with astaro and I have not found a guide on how to configure astaro for direct access with ws2012e. You mentioned you've seen a few posts regarding RWA access. I haven't been lucky so far. Could you show them to me?
Thank you!
0 gilipeled over 12 years ago

Hi ,

If it worked for you with a simple router so the easiest way for you is to make a DNAT from external IP Address with the services required with an automatic packet filter rule or with a standard rule.
If you are talking about using WAF for it then you will have to configure the WAF for it.
What is the way you plan to do it , it's your decision.
The first way will work for sure and it is easy to implement.

All my best
Gilipeled

Gil Peled.

CEO- Expert2IT LTD.

SOPHOS Platinum Partner.

Gil@expert2it.co.Il.
0 gilipeled over 12 years ago

On WAF by the way you will have to install the right certificate to communicate with the server.

If you have any issue with configuring the WAF , just post here exactly what you need and probably here in the BB we will find the configuration with you.
If I will find a good article I will post it here.

A my best.
Gilipeled.

Gil Peled.

CEO- Expert2IT LTD.

SOPHOS Platinum Partner.

Gil@expert2it.co.Il.
0 gilipeled over 12 years ago

Hi ,

Here is a good article how to do it with Microsoft TMG.
This will give a good understanding of the way how to publish it.
From here to do it with WAF its not a long way.
I can try it in my Lab environment and see if I can make it work .
It does not look too complicate.
With all the experts here probably you will got the exact config before I will finish to install it in my Lab.

Here is the link to the article:

http://www.isaserver.org/articles-tutorials/configuration-general/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part2.html

All my best.
Gilipeled.

Gil Peled.

CEO- Expert2IT LTD.

SOPHOS Platinum Partner.

Gil@expert2it.co.Il.
- 0 martin_sh over 12 years ago in reply to gilipeled
  
  Hi Gilipeled,
  First of all, thank you for the promptly response. Being my first post I wasn't hoping to get any replies. Anyway, this is my short story: I installed WS2013E, and following the easy wizards I got everything working. According to WS2012E, the direct access can be automatically set up by using upnp. Then, I got an old computer (dual core, though) and I installed Astaro (and, I am still learning how to use it). I have followed, the guides from "Sophos user bulletin board" and I have set up so far:
  Firewall
  Intrusion Prevention
  Web filtering
  Antivirus
  Antispyware
  I took advantage of the "DNS Best Practice" discussion from BAlfson that solved a delicate problem.
  I have created two internal interfaces: one for the active directory (which includes WS2012E and my family computers), another one for my lab (learning) independent from the other interface.
  As a next step I was going to learn to create a vpn connection using astaro. I don't have plans to create web server (at least for now). What I need is to securely access my home computers from work or outside. It appears that Astaro already offers such solution (though I haven't explored it yet). I simply thought since the Microsoft "Direct Access" which is now integrated with VPN in one place (and much advertised by Microsoft) would give me a quick solution. According to Microsoft, if the wizard doesn't configure the router using upnp, then the "router" can be configured manually by forwarding the port 80 and 443 to the server ip.
  Should I use the Astaro's VPN and remote solutions, instead?
  By the way, thank you for the link in your previous post. "Step by step" guides are very appreciated.
  Thank you,
  Martin
0 gilipeled over 12 years ago

Hi

The UTM ( astaro ) has s great VPN solutions so if you plan to use VPN then the answers Is sure use it'd VPN solutions.
I recommend on the SSL VPN , just configure it and work with it.
Its a great VPN solution.

All my best.
Gilipeled.

Gil Peled.

CEO- Expert2IT LTD.

SOPHOS Platinum Partner.

Gil@expert2it.co.Il.
0 apijnappels over 12 years ago

Hi Martin,
To create DNAT rules for your traffic (much like your old simple router probably did), go to Network Protection -> NAT -> Tab NAT
click Net NAT rule
Rule Type DNAT
For traffic from: Any
Using service: HTTP (and HTTPS) *
Going to: External (WAN address)

Change destination to: Your internal server
And the service to: leave empty if you use same ports internally and externally (80 / 443)

Enable Automatic Firewall rule to automatically add a rule to allow this traffic.

Under advanced also enable Log initial packets so you can check in your live firewall if you need to find any errors.

* for HTTP and HTTPS you could create 2 separate DNAT rules or you can use a Service-Group where you can put both HTTP and HTTPS in, this would work fine for all traffic needing to go to same internal server and where internal and external ports are the same.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
- 0 martin_sh over 12 years ago in reply to apijnappels
  
  Hello Apijnappels,
  I followed your instructions; I created two dNat-s: one for HTTP and one for HTTPS. I re-run the "Direct Access" wizard from Server 2012 Essentials. I unchecked configure router (since the "router" now allows the required "port forwarding"), and in a couple minutes the WS2012E reports that Direct Access wizard completed successfully. I have one question, though: You said, "And the service to: leave empty if you use same ports internally and externally (80 / 443)". Is this equivalent to meaning "don't change the service". Could I have entered the same service, example http for http? Is it better to leave it empty?
  Thank you for your time!
  
  Martin
0 gilipeled over 12 years ago

Hi ,

If you leave the destination service empty , if will use the same service you entered in the source.

All my best.
Gilipeled.

Gil Peled.

CEO- Expert2IT LTD.

SOPHOS Platinum Partner.

Gil@expert2it.co.Il.
0 apijnappels over 12 years ago

As gilipeled says, leaving empty is the same as don't change service. In that case you could have also used 1 DNAT rule with a service group in it. In this service group you should then add HTTP and HTTPS (or any other service that needs to be accessible from outside to the same internal server).

But if you only need HTTP and HTTPS maybe you can even use WAF, so your UTM will handle all webrequests from the outside world en pass them to the real internal webserver while scanning uploads for viruses and also protect against x-site scripting and other possible vulnerabilities.....

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
0 BAlfson over 12 years ago

Martin, in the case of a single service, it makes no difference. In the case of a Services Group, putting the Group into 'and the service to' will "break" the NAT rule, so it's a good habit to avoid doing so in general.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
- 0 martin_sh over 12 years ago in reply to BAlfson
  
  Thank you for the support!
  I took the time to do my homework before I ask any other question. What I need it is to make sure I can connect securely from a coffee house to my home network.
  Windows server 2012 essential offers direct access feature using a https and displays the shared resources in a web page. By creating a NAT to WS2012 I solved my first problem. Now I can connect from a computer (it can be no domain member). connect I use a free domain from Microsoft and I enter https://"a chosen name".remotewebaccess.com. It allows the remote desktop initiated from the web page (not sure how it works, but I am able to remote to my computers at home that are members of domain). I liked the suggestion to use WAF so all traffic will checked by Sophos. However, I am not sure if it applies in my case. So, the idea is to have a virtual server and a real server. The web application firewall (WAF) will filter the traffic. I have no plans to build webservers, but I was wondering if what Microsoft calls "Web Remote Access" from WS2012E it can be that "real webserver". Basically, keep what I have and then use UTM Web Application Firewall for extra security. Not sure if this can be done.
  Anyway, since my android tablet couldn't connect remote desktop (I use pocketcloud for rdp), I decided to create a vpn with Sophos. I found step by step guides. Though, I didn't find guides for android I created a connection using L2tp. I learned to use user portal to download the certifications. It appears that all the traffic goes through this vpn (including the internet browsing). Please correct me if I am wrong. I didn't use ssl since I have NAT (443) port forwarding and I wasn't sure if both services use the same port.
  
  So far it looks good. Please let me know if the WAF solution applies in my scenario, and if should I be aware of any risk (example, I go to a coffee house I think that I am safe).
  
  Thank you,
  Martin
  - 0 martin_sh over 12 years ago in reply to martin_sh
    
    Before my query gets out of category, I need to make some clarifications. Initially, I was looking for documentations (hopefully step by step guides) on Sophos regarding remote access. I came across the question posted by "3PNTSTech", who mentioned he had seen a few posts regarding RWA. However, I have now spend a considerable time and efforts. I found very good step by step guides on Browse by topic - Sophos Knowledgebase | Security Articles, Advisories for Sophos - Sophos Support, Knowledgebase and Resources | Sophos Technical Support - Sophos though not up to date. Also, I understand that my posts are under "Web Server Security" topic. So, if I had to ask the question, "Which VPN solution do you suggest - SSL, IPsec, L2tp?" then I should post it under "VPN: Site to Site and Remote Access". Thank you for all your help!
    Martin
0 BAlfson over 12 years ago

Yes, the accepted rule here is "one topic per thread," and the VPN forum would be the best choice.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
View More