
URI prefix does not match

Version: 9.109-1

This past week followed the latest article on setting up access to a Remote Desktop Gateway using WAF. Had been using a dnat rule prior to that. Has worked well; however, tested access using an Android tablet with the Microsoft RDP client and have encountered the issue stated in the subject. Below are the log entries showing the URI prefix not matching. Based on the URI value in the log, what changes would be needed to the entry URLs? I have tried several different entries with no success.

Thanks


2014:03:17-04:18:01 FIREWALL reverseproxy: [Mon Mar 17 04:18:01.576147 2014] [url_hardening:error] [pid 13885:tid 4013575024] [client X.X.X.X:56659] URI prefix does not match, URI: rdgateway.domain.com:443/.../rpcproxy.dll
2014:03:17-04:18:01 FIREWALL reverseproxy: [Mon Mar 17 04:18:01.576156 2014] [url_hardening:error] [pid 13885:tid 4047145840] [client X.X.X.X:56660] URI prefix does not match, URI: rdgateway.domain.com:443/.../rpcproxy.dll


  • Ahah!  So, what happens if you add the whole beginning?
    https://rdgateway.domain.com:443/rpc

    Cheers - Bob


    I am having the same issue: I can log in from an MS RDP file on all MS clients, but the MS app installed on iOS or Android does not work.

    If I remove the URL hardening then the app can log in but the client cannot.

    I used this to set it up:
    https://www.winsec.nl/2014/01/15/publishing-rd-gateway-sophos-utms-web-application-firewall/
  • Were you able to resolve this?
    If so could you detail how please.
    I have the same issue, where I can connect from a Windows PC, but I get a 403 error from apple devices (including iMac) and from Android devices I get a generic failure to connect message.  On both devices I'm using the RD Client app.
  • Want to bump this for exposure, I experience this as well. My other publishing rules work well, but RD Gateway failure is causing me to fall back to NAT rules :(

    Here is an excerpt of the failure attempt from the live log:
    2014:06:24-11:28:08 proxy reverseproxy: srcip="94.186.198.191" localip="192.168.x.y" size="265" user="-" host="94.186.198.191" method="RDG_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter_ProtocolViolations, SkipThreatsFilter_ProtocolAnomalies, SkipThreatsFilter_RequestLimits, SkipThreatsFilter_HttpPolicy, SkipThreatsFilter_BadRobots, SkipThreatsFilter_GenericAttacks, SkipThreatsFilter_SqlInjectionAttacks, SkipThreatsFilter_XssAttacks, SkipThreatsFilter_Trojans, SkipThreatsFilter_Outbound" time="30077" url="/remoteDesktopGateway/" server="remote.domain.com" referer="-" cookie="-" set-cookie="-" 

    2014:06:24-11:28:08 proxy reverseproxy: srcip="94.186.198.191" localip="192.168.x.y" size="265" user="-" host="94.186.198.191" method="RDG_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter_ProtocolViolations, SkipThreatsFilter_ProtocolAnomalies, SkipThreatsFilter_RequestLimits, SkipThreatsFilter_HttpPolicy, SkipThreatsFilter_BadRobots, SkipThreatsFilter_GenericAttacks, SkipThreatsFilter_SqlInjectionAttacks, SkipThreatsFilter_XssAttacks, SkipThreatsFilter_Trojans, SkipThreatsFilter_Outbound" time="29674" url="/remoteDesktopGateway/" server="remote.domain.com" referer="-" cookie="-" set-cookie="-" 

    2014:06:24-11:28:08 proxy reverseproxy: srcip="94.186.198.191" localip="192.168.x.y" size="0" user="-" host="94.186.198.191" method="RDG_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter_ProtocolViolations, SkipThreatsFilter_ProtocolAnomalies, SkipThreatsFilter_RequestLimits, SkipThreatsFilter_HttpPolicy, SkipThreatsFilter_BadRobots, SkipThreatsFilter_GenericAttacks, SkipThreatsFilter_SqlInjectionAttacks, SkipThreatsFilter_XssAttacks, SkipThreatsFilter_Trojans, SkipThreatsFilter_Outbound" time="4509" url="/remoteDesktopGateway/" server="remote.domain.com" referer="-" cookie="-" set-cookie="-" 

    2014:06:24-11:29:37 proxy reverseproxy: [Tue Jun 24 11:29:37.828229 2014] [proxy_http:error] [pid 13427:tid 4046588784] (-102)Unknown error 4294967194: [client 94.186.198.191:59143] AH01095: prefetch request body failed to 192.168.a.b:443 (192.168.a.b) from 94.186.198.191 () 

    2014:06:24-11:29:37 proxy reverseproxy: srcip="94.186.198.191" localip="192.168.x.y" size="357" user="-" host="94.186.198.191" method="RDG_IN_DATA" statuscode="400" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter_ProtocolViolations, SkipThreatsFilter_ProtocolAnomalies, SkipThreatsFilter_RequestLimits, SkipThreatsFilter_HttpPolicy, SkipThreatsFilter_BadRobots, SkipThreatsFilter_GenericAttacks, SkipThreatsFilter_SqlInjectionAttacks, SkipThreatsFilter_XssAttacks, SkipThreatsFilter_Trojans, SkipThreatsFilter_Outbound" time="89625115" url="/remoteDesktopGateway/" server="remote.domain.com" referer="-" cookie="-" set-cookie="-" 

    2014:06:24-11:29:37 proxy reverseproxy: [Tue Jun 24 11:29:37.829774 2014] [proxy_http:error] [pid 13427:tid 4054981488] (104)Connection reset by peer: [client 94.186.198.191:59142] AH01110: error reading response 

    2014:06:24-11:29:37 proxy reverseproxy: srcip="94.186.198.191" localip="192.168.x.y" size="10" user="-" host="94.186.198.191" method="RDG_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter_ProtocolViolations, SkipThreatsFilter_ProtocolAnomalies, SkipThreatsFilter_RequestLimits, SkipThreatsFilter_HttpPolicy, SkipThreatsFilter_BadRobots, SkipThreatsFilter_GenericAttacks, SkipThreatsFilter_SqlInjectionAttacks, SkipThreatsFilter_XssAttacks, SkipThreatsFilter_Trojans, SkipThreatsFilter_Outbound" time="89751922" url="/remoteDesktopGateway/" server="remote.domain.com" referer="-" cookie="-" set-cookie="-"

    I've sanitized a few IPs/hostnames, but this includes the full conversation until failure on the client side.

    Version:
    Sophos: 9.202-3
    Windows Server: 2012 R2 Fully Patched
    Windows Client: Windows 8.1
    RDP Client Version: 6.3.9600

    Happy to troubleshoot/debug anything that helps to facilitate this scenario.

    Thanks,
    Tim
  • Seeing similar issues when using SSTP. Here are my live logs for that:
    2014:06:25-08:53:47 proxy reverseproxy: [Wed Jun 25 08:53:47.736812 2014] [proxy_http:error] [pid 25331:tid 4130515824] (-102)Unknown error 4294967194: [client 217.7.11.243:49477] AH01095: prefetch request body failed to 192.168.a.b:443 (192.168.a.b) from 217.7.11.243 () 

    2014:06:25-08:53:47 proxy reverseproxy: srcip="217.7.11.243" localip="192.168.x.y" size="610" user="-" host="217.7.11.243" method="SSTP_DUPLEX_POST" statuscode="400" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter_ProtocolViolations, SkipThreatsFilter_ProtocolAnomalies, SkipThreatsFilter_RequestLimits, SkipThreatsFilter_HttpPolicy, SkipThreatsFilter_BadRobots, SkipThreatsFilter_GenericAttacks, SkipThreatsFilter_SqlInjectionAttacks, SkipThreatsFilter_XssAttacks, SkipThreatsFilter_Trojans, SkipThreatsFilter_Outbound" time="5823" url="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/" server="remote.domain.com" referer="-" cookie="-" set-cookie="-" 

    Can the change be to offer a GUI to specify allowed methods for any given rule?

    Thanks,
    Tim
  • Ahah!  So, what happens if you add the whole beginning?
    https://rdgateway.domain.com:443/rpc

    Cheers - Bob


    Bob, I think I closed the issue at that :443 at the end of the URL. WAF is not expecting that for an HTTPS connection, so it complains about the URI prefix. I managed to get it working by doing some highly unsupported editing in my lab's reverseproxy.conf file. I found out that adding an exception using the whole URL to reverseproxy.conf makes it work:

    WAFExceptions PATH https://rdgateway.domain.com:443/rpc* SkipURLHardening


    Unfortunately, Webadmin won't allow us to add such an exception to URL Hardening. It complains that the path must start with a slash. To circumvent that, I added this exception manually to reverseproxy.conf through the shell. It's not a fix nor a workaround, since any modifications to the file get overwritten in time. Also, it's highly unsupported and may void your warranty. I only did it 'cause it was a lab setup, but at least it helped me zero in on the cause.

    Maybe someone from Sophos could take a look at that?

    Regards - Giovani
  • I have the same error when I use the MS client from Android

    I get this message:

    URI prefix does not match, URI: https://tsmg.xyz.com:443/rpc/rpcproxy.dll?localhost:3388 

    with these Entry URLs:
    /rpc
    /RpcwithCert
    https://tsmg.xyz.com:443/rpc
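
A triage sketch for the log lines quoted in this thread, added here as an example and not part of any post or of Sophos's code: it extracts the `url_hardening` "URI prefix does not match" entries from reverseproxy log lines and separates requests whose path is on the Entry URL list but arrived with a host:port prefix (the case Giovani describes) from requests whose path is simply not listed. The sample lines are constructed in the format shown above, and the form labels and path comparison are assumptions for illustration, not the WAF's actual matching logic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the reverseproxy log format quoted in this thread.
SAMPLE_LOG = [
    "2014:03:17-04:18:01 FIREWALL reverseproxy: [Mon Mar 17 04:18:01.576147 2014] "
    "[url_hardening:error] [pid 13885:tid 4013575024] [client 192.0.2.10:56659] "
    "URI prefix does not match, URI: rdgateway.domain.com:443/rpc/rpcproxy.dll",
    "2014:03:17-04:18:02 FIREWALL reverseproxy: [Mon Mar 17 04:18:02.100000 2014] "
    "[url_hardening:error] [pid 13885:tid 4013575024] [client 192.0.2.11:40112] "
    "URI prefix does not match, URI: https://tsmg.xyz.com:443/rpc/rpcproxy.dll?localhost:3388",
    "2014:03:17-04:18:03 FIREWALL reverseproxy: [Mon Mar 17 04:18:03.200000 2014] "
    "[url_hardening:error] [pid 13885:tid 4013575024] [client 192.0.2.12:40200] "
    "URI prefix does not match, URI: /admin/login",
    '2014:06:24-11:28:08 proxy reverseproxy: srcip="192.0.2.13" '
    'method="RDG_OUT_DATA" statuscode="401" url="/remoteDesktopGateway/"',
]

# Path-style Entry URLs as listed in the last post of the thread.
ENTRY_URLS = ["/rpc", "/RpcwithCert"]

MISMATCH = re.compile(
    r"\[url_hardening:error\].*?\[client (?P<client>[^\]]+)\] "
    r"URI prefix does not match, URI: (?P<uri>\S+)"
)

def split_uri(uri):
    """Return (form, authority, path) for a URI as it appears in the log."""
    if uri.startswith("/"):
        return "origin-form", "", urlsplit(uri).path
    parts = urlsplit(uri if "://" in uri else "//" + uri)
    form = "absolute-form" if parts.scheme else "host-prefixed"
    return form, parts.netloc, parts.path

def path_listed(path, entry_urls):
    """True if the path equals an entry or sits below it (segment-aware)."""
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in entry_urls)

def triage(lines, entry_urls=ENTRY_URLS):
    findings = []
    for line in lines:
        m = MISMATCH.search(line)
        if not m:
            continue  # access-log lines and other modules are ignored
        form, authority, path = split_uri(m.group("uri"))
        listed = path_listed(path, entry_urls)
        if not listed:
            cause = "path-not-listed"   # path is not covered by the Entry URLs
        elif form != "origin-form":
            cause = "uri-form"          # path is listed; host:port prefix differs
        else:
            cause = "unexplained"
        findings.append({"client": m.group("client"), "form": form,
                         "authority": authority, "path": path, "cause": cause})
    return findings
```

Entries tagged `uri-form` are the ones worth raising with the vendor; `path-not-listed` entries are ordinary URL hardening rejections.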