
Server 2016 Remote Web Workplace and Remote Desktop Gateway using WAF

 Hi

I have a Server 2016 Standard server with the Essentials options enabled. I am now trying to enable both Remote Web Workplace and Remote Desktop Gateway.

I've used the following KB:

https://community.sophos.com/kb/en-us/126103

Both policies work individually, but not together. The KB suggests setting up 2 policies, but then I cannot use the same DNS name in the Domains section. It will error.

I tried several combinations of policy settings. Either RWW or RDG works, but never together.

I could set up a policy with only NAT. It works, but then I have no protection.

Any suggestions?

Nico.



  • This is nice news. It is almost there!

    Incredible!

  • Sorry to say, but I will never buy such crap again! I am setting up Windows RDG 2012R2 on an XG115w.
    And I'm having trouble getting it to work, and now I read this.

    Very disappointed in your brand. With such a way of thinking it is crap for me!


    Regards

    //Håkan 

  • This post got hijacked. Let's get it back on track. Nico says the KB information works as separate rules, but since the WAF module does not allow you to have multiple Business Rules for the same FQDN he is unable to use both the Remote Desktop Gateway and the Remote Desktop Web services. This wouldn't be an issue if the WAF allowed for Inbound Explicit Paths. The KB explicitly says:

    https://community.sophos.com/kb/en-us/126103
    *****

    Configure Firewall rules

    Two business application rules may be needed depending on your implementation of RDS. One rule for RDS Web Access and the other rule for the RDS Gateway. In some situations, both rules can be combined into one.

    *****


    So the question is how do we combine these two rules when they have conflicting settings?

    Note: I am in the same boat here with Windows Server 2012 R2 which the KB was written for.

  • This is the combined policy and one-rule solution of https://community.sophos.com/kb/en-us/126103 for use with one FQDN for both RD Web and RD Gateway services. It has been tested with Windows 2012R2. Per Nico's post, each KB126103 policy worked separately with Windows 2016 for each service, so this combined policy and one-rule solution should work. Please post if this works for Windows 2016.


    Configure Protection Policy

    First we need to set up the combined RDS Web Access Protection and RDS Web Gateway Protection policy.

    RDS Web Gateway Protection Policy Configuration

      1. Navigate to Web Server > Protection Policies and click Add.
      2. Fill in the fields as shown below.

      • Name: Microsoft RD Web Gateway 2012R2
      • Pass Outlook Anywhere: Enabled
      • Mode: Reject
      • Static URL Hardening: Enabled
        • /rpc/*
        • /rpcWithCert/*
        • /rpc/rpcproxy.dll?localhost:3388
        • /rpc/rpcproxy.dll
      • Form Hardening: Disabled
      • Antivirus: Disabled
      • Block clients with bad reputation: Enabled
      • Skip remote lookups for clients with bad reputation: Disabled
      • Common Threat Filter: Enabled (All Selected)
      • Rigid Filtering: Disabled
      • Skip Filter Rules:
        • 960032
        • 960035
        • 960911
        • 981172 (added from RD Web Specific policy)
        • 981176
        • 981204
      3. Click on Save.

    Configure Firewall rule

    RDS Web Access Rule

    1. Navigate to Firewall.
    2. Click Add Firewall Rule and select Business Application Rule from the drop down menu.
    3. Select the Microsoft Remote Desktop Gateway 2008 and R2 template
    4. Fill in the required details:
      • Rule Name
      • Hosted Address
      • Listening Port
      • Certificate
      • Domains
      • Protected Server
    5. Go to Exceptions
      • Add Path /RDWeb/*
      • Set Sources
      • Check Static URL Hardening
      • Click Save
      • (You can also add additional exceptions for lowercase variations such as /rdweb/)
    6. Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath Protection.
    7. Now select Microsoft RD Web Gateway 2012R2
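The combined rule above is only proven once both services answer through the same FQDN, so here is an added external probe (my own example, not code from the KB or from anyone in this thread). It sends an anonymous GET to the RD Web path, its lowercase variant from the exception note, and the RPC-over-HTTP proxy path, and sorts each answer into "reached IIS" versus "rejected by the WAF". The expected status codes and the assumption that a Reject-mode WAF answers with 403 are mine; the host name `remote.example.com` is a placeholder.

```python
"""Probe one FQDN for both RD Web Access and RD Gateway paths through the WAF.

Added example for this thread; nothing here is taken from the Sophos KB.
"""
import http.client
import ssl
from typing import Dict, List, Set, Tuple

# Expected HTTP status per path when the request reaches IIS on the RDS host.
# Assumed values: RD Web answers an anonymous GET with a page (200) or a
# redirect to its login form (302); the RPC-over-HTTP proxy behind the
# RD Gateway answers an anonymous GET with 401 because it wants auth first.
EXPECTED: Dict[str, Set[int]] = {
    "/RDWeb/": {200, 302},
    "/rdweb/": {200, 302},          # lowercase variant covered by the extra exception
    "/rpc/rpcproxy.dll": {401},     # path listed under Static URL Hardening above
}

# Assumed: a WAF policy in Mode: Reject answers a rejected request with 403.
WAF_BLOCK_STATUSES: Set[int] = {403}


def classify(path: str, status: int) -> str:
    """Turn an observed status for a probed path into a verdict string."""
    if status in EXPECTED.get(path, set()):
        return "pass-through"               # the RDS host answered as expected
    if status in WAF_BLOCK_STATUSES:
        return "blocked-by-waf"             # rule or policy rejected the request
    if status == 404:
        return "reached-iis-but-no-such-path"  # WAF let it in, IIS has no handler
    return "unexpected"


def probe(host: str, path: str, timeout: float = 5.0,
          verify: bool = True) -> Tuple[int, str]:
    """Issue one anonymous GET over HTTPS and return (status, verdict)."""
    ctx = ssl.create_default_context()
    if not verify:                          # only for lab hosts with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path,
                     headers={"Host": host, "User-Agent": "rds-waf-probe"})
        resp = conn.getresponse()
        resp.read()                         # drain the body so the socket closes cleanly
        return resp.status, classify(path, resp.status)
    finally:
        conn.close()


def probe_all(host: str, **kw) -> List[Tuple[str, int, str]]:
    """Probe every path in EXPECTED and return (path, status, verdict) rows."""
    return [(path, *probe(host, path, **kw)) for path in EXPECTED]


def all_pass(results: List[Tuple[str, int, str]]) -> bool:
    """True only when every probed path was answered by IIS, not by the WAF."""
    return all(verdict == "pass-through" for _, _, verdict in results)


if __name__ == "__main__":
    import sys
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "remote.example.com"  # placeholder
    rows = probe_all(fqdn)
    for path, status, verdict in rows:
        print(f"{path:20} {status:3d} {verdict}")
    print("combined rule OK" if all_pass(rows) else "at least one path is not served")
```

A 403 on `/rdweb/` while `/RDWeb/` passes is the symptom the lowercase exception is meant to remove, and a 403 on `/rpc/rpcproxy.dll` means the gateway half of the combined rule is still being rejected; a 401 there is the good answer, not an error.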
  • Hi AADD,

    I just wanted to thank you for going through this and posting potential fixes.

    I will be trying these against 2016 as that has been the issue.  I'm crossing my fingers these all work on 2016 and I can go back to using WAF for these scenarios.

    Thanks,

    John

  • AADD,

    Thank you for your findings, and I can confirm that it worked with Windows Server 2016 RD Gateway, just some small tweaks if I remember correctly.

    Thanks

    Rickard