
Running Remote Desktop Gateway using WAF?

Hi!

I'm trying to migrate from UTM to XG and I can't get my Remote Desktop Gateway working.

In my network, I've got a Win2012R2 server which hosts the RDG-, Broker- and Webgateway-role.

In order to access it from outside of my private LAN, I've created the following business application rule (basically as I did in UTM):

  • HTTP-Template
  • hosted address: (my WAN port)
  • HTTPS: enabled
  • Redirect HTTP: enabled
  • Listening Port: 443
  • Certificate: (selfsigned using the correct FQDN)
  • Domains: (same as in the certificate)
  • protected server: the private IP of the server in my LAN
  • authentication: none
  • allow from: Any IPv4
  • exceptions: none
  • Application Protection: none (also tried a self made rule containing only "Outlook Web Access")
  • Intrusion Prevention: none
  • Traffic shaping: none
  • disable compression: off
  • rewrite HTML: off
  • pass Host Header: on

Now, if I access the server's Remote Desktop webfeed (https://myserver.mydomain.com/RDWeb/Feed/webfeed.aspx) or its main URL (/RDWeb), I can access its resources without problems or certificate warnings. Windows even creates shortcuts for the published RemoteApps.

But whenever I try to actually *use* the gateway (for accessing workstations in my LAN) or one of the RemoteApps, my client tries to connect a couple of seconds without success. It simply says "Cannot connect. Please check your connection".

I'm not yet very familiar with XG's log structure, but so far I haven't seen any blocked packets or something similar. I've even set up a rule that allows the Terminal Server to access the WAN zone without any authentication.

When I'm inside my LAN, everything works perfectly, as well as when using UTM 9.

Is there anything I could try?

  • Okay, after digging around a little bit more, I've finally got it working using this older thread:

    community.sophos.com/.../302538

    In summary:

    - use WAF instead of NAT
    - create a custom protection policy (enable only "Pass Outlook Anywhere" and "Static URL Hardening" -> Entry URLs as written in the above thread)
    - add exceptions for a few paths (again, read the thread)
    - enable "Pass Host Header"

    That way it even works when using the Windows 10 (Mobile) Remote Desktop app.

    I'm quite sure I've tested this before but maybe I've missed something or Sophos fixed this in the current release ;-)

  • Oxident,

    the thread is really old but it works (I did not try it but I am sure it works). XG uses the same WAF as UTM9.

    I hope that  or  can take a note and make sure that a proper template for RDG is already integrated inside the next version of XG. I know that we can create custom templates, but it would be nice if those who use the built-in templates could publish RDG easily without having to look at the community. ;)

    Thanks

  • Hi there

    I am also unable to publish Windows Remote Desktop Services. I have followed the guidance in the documentation and reviewed many of the postings. I got RDS working fine, up until I added Static URL Hardening via a Protection Policy and the required exceptions; then it breaks. The browser reports "Request Blocked" and "no signature found", and the logs indicate the same.

    Bearing in mind I am using built-in templates, I expected this to work. Am I missing something?

    I have a single XG Firewall (SFOS 16.01.2).

  • Hi there

    I have answered my own question. :0(

    I reworked the scenario from the beginning and have it working. It appears that the Protection Policy's Entry URLs must match the Exceptions, which is not surprising; however, it appears that you need to add ALL the Entry URLs, e.g. /rpc/rpcproxy.dll?localhost:3388, /rpc/*, /RPCWithcert/* and /RDWeb/*, even though I only wanted Remote Desktop Web Gateway.

    I suspect this is a case of "not seeing the wood for the trees".

    Kind regards

    Sandy

  • I know this is an older thread, but I can't get this to work against a 2016 RDS Gateway with an RDP 8.1 client. It never attempts to fall back to /rpc and thus fails (I'm guessing due to the RDG_DATA_IN, etc. issue). When you look in the logs, it only attempts to connect to /remoteDesktopGateway.

    Does anyone else have this working on a 2016 Gateway?

    Thanks,

    John

  • Hi John,

    I had the same problem and had opened a case with Sophos.

    Sophos is not interested in supporting Windows 2016 and RDG through WAF.
    They will not and can't support RDG in UTM or XG Firewall.

    I think it's time to seek another firewall vendor ...

  • Thanks Juergenb52. Pretty disappointing.

  • This is the combined policy and one-rule solution of https://community.sophos.com/kb/en-us/126103 for use with one FQDN for both RD Web and RD Gateway services. It has been tested with Windows 2012R2. Per Nico's post, each KB126103 policy worked with Windows 2016 separately for each service, so this combined policy and one-rule solution should work. Please post if this works for Windows 2016.

    Configure Protection Policy

    First we need to set up the combined RDS Web Access Protection and RDS Web Gateway Protection policy.

    RDS Web Gateway Protection Policy Configuration

      1. Navigate to Web Server > Protection Policies and click Add.
      2. Fill in the fields as shown below.

      • Name: Microsoft RD Web Gateway 2012R2
      • Pass Outlook Anywhere: Enabled
      • Mode: Reject
      • Static URL Hardening: Enabled
        • /rpc/*
        • /rpcWithCert/*
        • /rpc/rpcproxy.dll?localhost:3388
        • /rpc/rpcproxy.dll
      • Form Hardening: Disabled
      • Antivirus: Disabled
      • Block clients with bad reputation: Enabled
      • Skip remote lookups for clients with bad reputation: Disabled
      • Common Threat Filter: Enabled (All Selected)
      • Rigid Filtering: Disabled
      • Skip Filter Rules:
        • 960032
        • 960035
        • 960911
        • 981172 (added from RD Web Specific policy)
        • 981176
        • 981204
      3. Click on Save.

    Configure Firewall rule

    RDS Web Access Rule

    1. Navigate to Firewall.
    2. Click Add Firewall Rule and select Business Application Rule from the drop down menu.
    3. Select the Microsoft Remote Desktop Gateway 2008 and R2 template
    4. Fill in the required details:
      • Rule Name
      • Hosted Address
      • Listening Port
      • Certificate
      • Domains
      • Protected Server
    5. Go to Exceptions
      • Add Path /RDWeb/*
      • Set Sources
      • Check Static URL Hardening
      • Click Save
      • (You can also add additional exceptions for lowercase variations such as /rdweb/)
    6. Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath to Protection.
    7. Now select Microsoft RD Web Gateway 2012R2
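To make the interaction between the policy's Entry URLs and the rule's Exceptions concrete, here is a small constructed model of that check. It is an added illustration, not Sophos code, and the names `classify`, `audit`, `ENTRY_URLS` and `EXCEPTIONS` are assumptions; it assumes that a request is admitted when its path falls under an exception that skips static URL hardening, or when its path (with or without the query string) matches one of the entry URL globs, and is otherwise rejected the way the "Request Blocked / no signature found" message in this thread describes. The sample requests are built from the paths named in the thread, including the /remoteDesktopGateway path that the 2016 client was seen trying.

```python
# Constructed model of the WAF "entry URL" allow-list discussed in this thread.
# This is an added illustration, not Sophos code. Assumption: a request passes
# when (a) its path is covered by an exception that skips static URL hardening,
# or (b) its path, with or without the query string, matches an entry URL glob;
# anything else is treated as blocked ("no signature found").
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Entry URLs from the "Microsoft RD Web Gateway 2012R2" policy above.
ENTRY_URLS = [
    "/rpc/*",
    "/rpcWithCert/*",
    "/rpc/rpcproxy.dll?localhost:3388",
    "/rpc/rpcproxy.dll",
]

# Exception path from the firewall rule above (static URL hardening skipped).
EXCEPTIONS = ["/RDWeb/*"]


def _matches(target, patterns):
    """Case-sensitive glob match, mirroring the /rdweb vs /RDWeb caveat above."""
    return any(fnmatchcase(target, p) for p in patterns)


def classify(url, entry_urls=ENTRY_URLS, exceptions=EXCEPTIONS):
    """Return 'exception', 'entry' or 'blocked' for a full URL or a bare path."""
    parts = urlsplit(url)
    path = parts.path
    path_with_query = path + ("?" + parts.query if parts.query else "")
    if _matches(path, exceptions):
        return "exception"
    if _matches(path, entry_urls) or _matches(path_with_query, entry_urls):
        return "entry"
    return "blocked"


def audit(urls, entry_urls=ENTRY_URLS, exceptions=EXCEPTIONS):
    """Map each request to its verdict; handy for comparing two policy drafts."""
    return {u: classify(u, entry_urls, exceptions) for u in urls}


if __name__ == "__main__":
    # Constructed request samples taken from the paths named in this thread.
    samples = [
        "https://myserver.mydomain.com/RDWeb/Feed/webfeed.aspx",
        "https://myserver.mydomain.com/rpc/rpcproxy.dll?localhost:3388",
        "https://myserver.mydomain.com/rpcWithCert/rpcproxy.dll",
        "https://myserver.mydomain.com/rdweb/",                 # lowercase variant
        "https://myserver.mydomain.com/remoteDesktopGateway/",  # RDP 8.1 / 2016 client
    ]
    for url, verdict in audit(samples).items():
        print(f"{verdict:10s} {url}")
```

Running it shows the two failure modes reported in the thread: the lowercase /rdweb/ request is blocked until a second exception for it is added, and the /remoteDesktopGateway/ path used by the newer client is covered by neither the entry URLs nor the exception, so it is blocked regardless of how the /rpc entries are written.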
  • Now I have implemented WAF on RD Gateway with Windows Server 2019 at SG UTM, analogous to the given instructions. The connection works fine, but the speed of file transfer through the RDP session is very bad. Does anyone have a solution to that or a way to troubleshoot this issue? In the logs I could not find any indication.

  • Thank you for posting that this rule works on 2019 as well.

    When you say file transfer, do you mean from host to RDP client, like via the clipboard, or local-to-remote drive resource mapping? Also, are you suggesting that this was faster before implementing the WAF rule?