Sophos XG WAF & RDS 2019

Hi,

I configured a WAF profile for RDS 2019.

To configure that, I followed this KB https://support.sophos.com/support/s/article/KB-000036644?language=en_US

There is no problem opening the web portal, but when users open the RDP file, they are unable to authenticate. When the user enters his password, it loops and asks for the password again.

I created a NAT rule for testing and there is no problem, but for security reasons I would like to go through the WAF.

Could you help me, please?

Regards



  • Hi,

    Thank you very much for your response.

    Please find below the log file from the command tail -F /log/reverseproxy.log

    [Mon Mar 29 09:33:51.802606 2021] timestamp="1617003231" srcip="92.184.112.247" localip="WAN IP" user="-" method="-" statuscode="408" reason="-" extra="-" exceptions="-" duration="9" url="-" server="-" referer="-" cookie="-" set-cookie="-" recvbytes="339" sentbytes="4931" protocol="HTTP/1.0" ctype="-" uagent="-" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="-"
    [Mon Mar 29 09:33:52.270508 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="16620" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="805" sentbytes="5346" protocol="HTTP/1.1" ctype="194" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:52.395578 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="19298" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="560" sentbytes="4983" protocol="HTTP/1.1" ctype="4732" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:52.556032 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="58350" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="5009" sentbytes="334" protocol="HTTP/1.1" ctype="114" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:52.733368 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" duration="9434" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="1013" sentbytes="5712" protocol="HTTP/1.1" ctype="text/html" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="Ne+Zz8aiIxmU1Ze+G2uHCw==" websocket_version="13" ruleid="63"
    [Mon Mar 29 09:33:53.276655 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="18060" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="477" sentbytes="414" protocol="HTTP/1.1" ctype="194" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.407892 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="19004" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="560" sentbytes="4983" protocol="HTTP/1.1" ctype="4732" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.654417 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" duration="7984" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="810" sentbytes="5769" protocol="HTTP/1.1" ctype="text/html" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.786373 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="-" duration="21208" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="1172" sentbytes="176" protocol="HTTP/1.1" ctype="-" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.903697 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_IN_DATA" statuscode="408" reason="-" extra="-" exceptions="-" duration="20115550" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="493" sentbytes="420" protocol="HTTP/1.1" ctype="text/html" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:34:16.020616 2021] [proxy_http:error] [pid 25647:tid 140701215864576] (104)Connection reset by peer: [client 92.184.112.247:59818] AH01110: error reading response
    [Mon Mar 29 09:33:52.857323 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="-" duration="23163464" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="1375" sentbytes="167" protocol="HTTP/1.1" ctype="-" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="Ne+Zz8aiIxmU1Ze+G2uHCw==" websocket_version="13" ruleid="63"

    Regards

  • FormerMember in reply to Guillaume POMENTE

    Hi,

    Thanks for providing the logs. Other than status code 408 and 401, there's nothing in the logs pointing us to the issue.

    Status code 401 indicates the request lacks valid authentication credentials for the target resource, and the 408 means the server is closing the unused connection.

    I would suggest you run a packet capture on the XG firewall and the server to investigate this further. Capture packets on source public IP and internal server IP address.

    Check out the following KBA on how to run a packet capture on Sophos Firewall: 

    Thanks,
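The 401/408 reading in the reply above can be checked against a whole log excerpt mechanically rather than by eye. The Python script below is an added example for this thread, not Sophos code and not part of the KB: it parses the key="value" access lines of /log/reverseproxy.log, separates the Apache-style [proxy_http:error] lines, and labels each (client, method, URL) stream from its status-code sequence. The sample log is constructed in the format of the lines quoted above (TEST-NET client address, placeholder server name, only the fields the script reads), and the labelling rules (a 401 followed by a 200 on the same stream is an answered HTTP authentication challenge, a 401 with no later 200 is a rejected credential, a 408 is a closed channel) and the assumption that duration is in microseconds are the example's own heuristics, not vendor guidance.

```python
"""Summarize a Sophos XG /log/reverseproxy.log excerpt by request stream.

Added example for this thread, not Sophos code. It relies only on the
key="value" layout visible in the lines quoted in the thread; the sample
below is constructed (TEST-NET client address, placeholder server name, and
only the fields this script reads).
"""
import re
from collections import defaultdict

TS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed sample in the format of the thread's log lines (not a real capture).
SAMPLE_LOG = """\
[Mon Mar 29 09:33:52.270508 2021] timestamp="1617003232" srcip="203.0.113.5" localip="WAN IP" method="POST" statuscode="200" duration="16620" url="/KdcProxy" server="gw.example.test" uagent="kerberos/1.0" ruleid="63"
[Mon Mar 29 09:33:52.733368 2021] timestamp="1617003232" srcip="203.0.113.5" localip="WAN IP" method="RDG_OUT_DATA" statuscode="401" duration="9434" url="/remoteDesktopGateway/" server="gw.example.test" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:33:52.857323 2021] timestamp="1617003232" srcip="203.0.113.5" localip="WAN IP" method="RDG_OUT_DATA" statuscode="200" duration="23163464" url="/remoteDesktopGateway/" server="gw.example.test" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:33:53.654417 2021] timestamp="1617003233" srcip="203.0.113.5" localip="WAN IP" method="RDG_IN_DATA" statuscode="401" duration="7984" url="/remoteDesktopGateway/" server="gw.example.test" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:33:53.786373 2021] timestamp="1617003233" srcip="203.0.113.5" localip="WAN IP" method="RDG_IN_DATA" statuscode="200" duration="21208" url="/remoteDesktopGateway/" server="gw.example.test" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:33:53.903697 2021] timestamp="1617003233" srcip="203.0.113.5" localip="WAN IP" method="RDG_IN_DATA" statuscode="408" duration="20115550" url="/remoteDesktopGateway/" server="gw.example.test" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:34:16.020616 2021] [proxy_http:error] [pid 25647:tid 140701215864576] (104)Connection reset by peer: [client 203.0.113.5:59818] AH01110: error reading response
"""


def parse_line(line):
    """Return ('access', fields) for a key="value" line, ('error', text) for an
    Apache-style error line such as [proxy_http:error], or None otherwise."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('rest')))
    if 'statuscode' not in fields:
        return ('error', m.group('rest'))
    fields['time'] = m.group('ts')
    fields['statuscode'] = int(fields['statuscode'])
    # duration is assumed to be microseconds, like Apache's %D (an assumption).
    fields['duration'] = int(fields['duration']) if fields.get('duration', '-').isdigit() else None
    return ('access', fields)


def parse_log(text):
    """Split a log excerpt into access records and error messages, in file order."""
    out = {'access': [], 'errors': []}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, value = parsed
        out['access' if kind == 'access' else 'errors'].append(value)
    return out


def classify(access):
    """Label each (srcip, method, url) stream from its status-code sequence.

    Heuristics, not vendor guidance:
      challenge-ok  : a 401 followed later by a 200 -> the HTTP authentication
                      challenge was answered and accepted
      auth-rejected : a 401 with no later 200 -> the credential never passed
      timeout       : a 408 on the stream -> the channel was closed
      ok            : every response was 2xx
      other         : anything else (4xx/5xx without a 401/408)
    """
    streams = defaultdict(list)
    for r in access:
        streams[(r['srcip'], r['method'], r['url'])].append(r['statuscode'])
    labels = {}
    for key, codes in streams.items():
        found = []
        if 401 in codes:
            first = codes.index(401)
            found.append('challenge-ok' if 200 in codes[first + 1:] else 'auth-rejected')
        if 408 in codes:
            found.append('timeout')
        if not found:
            found.append('ok' if all(200 <= c < 300 for c in codes) else 'other')
        labels[key] = sorted(found)
    return labels


def backend_resets(errors):
    """Count proxy error lines reporting that the backend reset the connection (AH01110)."""
    return sum(1 for e in errors if 'Connection reset by peer' in e)


if __name__ == '__main__':
    parsed = parse_log(SAMPLE_LOG)
    for (ip, method, url), found in sorted(classify(parsed['access']).items()):
        print(f'{ip} {method:<13} {url:<24} {", ".join(found)}')
    print(f'backend resets: {backend_resets(parsed["errors"])}')
```

On a real excerpt, call parse_log(open('/path/to/reverseproxy.log').read()) instead of SAMPLE_LOG. For the sample, the KdcProxy stream is labelled ok, both RD Gateway streams show an answered challenge, and the RDG_IN_DATA stream additionally carries the 408, which together with the single backend reset narrows the problem to the long-lived gateway channel rather than the Kerberos proxy, which is where the packet capture suggested above should focus.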