This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Desktop Gateway WAF Error 0x3000008 Failed to Sync Outlook Session

Hi everyone!

I am sorry for opening another thread on this, but None of the existing threads was exclusively written RDG :)

 

The Problem is straight forward, WAF used to publish RDP over RDG on Server2008R2 RDG and Sophos UTM 9.411-3.

I configured the firewall profile and exceptions for rpc but I did not add /remoteDesktopGateway as it seems to change communication to a new protocol not supported by utm (not rpc via HTTP anymore?)

 

Windows 7 - 10 RDP (mstsc): works great (fast!)

Android Microsoft RDP Client: totally random error 0x3000008 (iOS adds a Zero in hex - 0x03000008) or multiple (up to 10x) credentials wrong popups (although correctly entered)

iOS Microsoft RDP Client: same behavior as andorid!

 

thats really frustrating as I wasn't able to find a bahvior behind the errors... as I said totally random, from time to time the first login works but sometimes you have to enter 3x the credentials to getover the 0x300008 error.

 

As I found out, the iis logs and RemoteGateway - Operational logs ond RDG server are clear and don't record anything, when the client recieves the 0x3000008 error.

So I checked the Sophos logs and found this to be the cause:

2017:04:19-17:25:19 * reverseproxy: id="0299" srcip="xxxx" localip="yyyy" size="13" user="-" host="xxxx" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="9802" url="/rpc/rpcproxy.dll" server="remote.*.*" referer="-" cookie="-" set-cookie="-"

2017:04:19-17:25:19 * reverseproxy: id="0299" srcip="xxxx" localip="yyyy" size="13" user="-" host="xxxx" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="1183" url="/rpc/rpcproxy.dll" server="remote.*.*" referer="-" cookie="-" set-cookie="-"

2017:04:19-17:25:19 * reverseproxy: id="0299" srcip="xxxx" localip="yyyy" size="20" user="-" host="xxxx" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="5517" url="/rpc/rpcproxy.dll" server="remote.*.*" referer="-" cookie="-" set-cookie="-"

 

Up to here is expected behavior and looks equally when using mstsc.

(110)Connection timed out: [client xxx:63301] RPC_IN_DATA: Failed to sync Outlook Session af5b438e-a5d3-e542-75ca-90be05a20271: -1

(70015)Could not find specified socket in poll list.: [client xxx:63301] RPC_IN_DATA: There is no registered Outlook Session af5b438e-a5d3-e542-75ca-90be05a20271 in Cache

Now this is strange... it looks like utm is not able to identify the current mobile session to a previously established one. why does this never happen with mstsc??

 

I hope some Sophos guy can comment this because in the current state I cannot let users use rdg via Sophos as it is too unstable...



This thread was automatically locked due to age.
  • Please get a ticket opened with Sophos Support and let us know the resolution.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Yankee.

    Have you added 

    /rpc/rpcproxy.dll?localhost:3388

    in Static URL hardening? I know it doesn't make much sense, but my IOS devices would only connect to RDG after adding this line to the configuration. But I always got an URL hardening error, nothing like your logs show, so your issue might be different.

    Regards - Giovani

  • Does anyone find some solution for this problem ?

     

    Remote Desktop Gateway over Waf with Android does not connect.... RDP on windows machines works fine.

     

    My logs:

     

    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RDG_OUT_DATA https://mywebrdp.xxx.net:443/remoteDesktopGateway/ HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RDG_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [url_hardening:error] [pid 17666:tid 4003548016] [client 171.151.211.201:49073] URI prefix does not match, URI: mywebrdp.xxx.net:443/.../
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [data "Last Matched Data: RDG_OUT_DATA https://mywebrdp.xxx.net:443/remoteDesktopGateway/ HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 7, SQLi=, XSS=): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"]
    2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="230" user="-" host="171.151.211.201" method="RDG_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests." exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1009" url="/remoteDesktopGateway/" server="mywebrdp.xxx.net" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEUCS-kAAABz"
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_OUT_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_IN_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_IN_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_OUT_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"]
    2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="225" user="-" host="171.151.211.201" method="RPC_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1317" url="/rpc/rpcproxy.dll" server="mywebrdp.xxx.net" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEUCS-oAAABs"
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_IN_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"]
    2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="225" user="-" host="171.151.211.201" method="RPC_IN_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1524" url="/rpc/rpcproxy.dll" server="mywebrdp.xxx.net" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEg04ToAAAAM"

  • Hi Giovani.

     

    Already did that... with that exact config Windows RDP client works like a charm... But the Android one (official from microsoft) does not work, seems like it doesn´t fall back to rpc.

    Didn´t tried iOS RDP client, cause I don´t have an apple device to try.

     

    Regards,

    Carlos.

  • Hi everyone...

     

    I gave up on that and changed the publishing to DNAT. Now everything is working as expected!

    Sophos support said that this feature will still take some time until fully functional and distributed... so I will wait and until then use DNAT.