
RDP via (Android+iOS) application blocked by UTM

Hey All, thank you for the help thus far. I really appreciate it!

I am able to connect to the RDP server via RD Gateway using a Microsoft Client. The successful logs look as follows:
---------------------------------------------------------------------------------------------------------------

2014:06:10-06:51:12 utm reverseproxy: [Tue Jun 10 06:51:12.350196 2014] [url_hardening:error] [pid 10353:tid 3979213680] [client 14.14.14.14:49519] No signature found, URI: tech.wan.com.au/.../
2014:06:10-06:51:12 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="284" user="-" host="14.14.14.14" method="RDG_OUT_DATA" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="342736" url="/remoteDesktopGateway/" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
2014:06:10-06:51:13 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="13" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="744980" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
2014:06:10-06:51:13 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="13" user="-" host="14.14.14.14" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="197524" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"

However I am unable to connect via the Microsoft RDP app on any other platform. The error log is as follows:
---------------------------------------------------------------------------------------------------------

2014:06:10-06:50:09 utm reverseproxy: [Tue Jun 10 06:50:09.655723 2014] [url_hardening:error] [pid 10353:tid 3995999088] [client 14.14.14.14:52726] URI prefix does not match, URI: tech.wan.com.au:443/.../rpcproxy.dll
2014:06:10-06:50:09 utm reverseproxy: [Tue Jun 10 06:50:09.655746 2014] [url_hardening:error] [pid 10353:tid 3987606384] [client 14.14.14.14:52727] URI prefix does not match, URI: tech.wan.com.au:443/.../rpcproxy.dll
2014:06:10-06:50:09 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="286" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="403" reason="url hardening" extra="URI prefix does not match" exceptions="-" time="3054527" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
2014:06:10-06:50:09 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="286" user="-" host="14.14.14.14" method="RPC_OUT_DATA" statuscode="403" reason="url hardening" extra="URI prefix does not match" exceptions="-" time="3049346" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"

The things I have tried are as follows:
-----------------------------------------------------------------

1. Connecting directly to the server via the app, bypassing the UTM = working! (So the issue is definitely the firewall and not the server or IIS publishing, etc.)

2. Adding the full URI to the URL hardening list:
"tech.wan.com.au:443/.../rpcproxy.dll"

3. Adding the partial URI to the URL hardening list:
"/rpc/rpcproxy.dll?localhost:3388" - I still get the same error.


  • Update (not the solution), if I disable URL hardening it works, here is the log:
    --------------------------------------------------------------------------

    2014:06:10-07:33:37 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="0" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="32705571" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
    2014:06:10-07:33:37 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="158678" user="-" host="14.14.14.14" method="RPC_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="32701519" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
    2014:06:10-07:33:41 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="13" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="354628" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
    2014:06:10-07:33:41 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="13" user="-" host="14.14.14.14" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="260166" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
    2014:06:10-07:33:42 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="13" user="-" host="14.14.14.14" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="343290" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
    2014:06:10-07:33:42 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="13" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" time="339080" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
    2014:06:10-07:33:42 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="20" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="335409" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"
    2014:06:10-07:33:42 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="20" user="-" host="14.14.14.14" method="RPC_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="347985" url="/rpc/rpcproxy.dll" server="tech.wan.com.au" referer="-" cookie="-" set-cookie="-"

    So URL hardening is more than likely the issue, but I have /rpc and /rpcwithcert already listed and it looks like it is going to /rpc/rpcproxy.dll.

    A strange thing is when I disable URL hardening it does not add the full domain like below:

    URI: https://tech.wan.com.au:443/rpc/rpcproxy.dll?localhost:3388

    Instead it mentions "url" instead of "URI".

    Of course I will need URL hardening on to secure the server, so removing it is not the solution.

    Any ideas what URL I need to add to URL hardening?
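The key="value" reverseproxy lines quoted in this thread (both the blocked attempts in the opening post and the working run above) are easy to triage mechanically. The parser below is an added example, not Sophos code or the poster's: it separates requests the WAF rejected with reason="url hardening" (the extra field names the failed check) from requests that only passed because an exception such as SkipURLHardening applied. The sample log is constructed from the thread's own lines, with the trailing referer/cookie fields dropped for width.

```python
import re
from collections import Counter

# Constructed sample, modelled on the UTM reverseproxy lines quoted in this thread
# (trailing referer/cookie fields dropped for width; values are the thread's own placeholders).
SAMPLE_LOG = """\
2014:06:10-06:51:12 utm reverseproxy: [Tue Jun 10 06:51:12.350196 2014] [url_hardening:error] [pid 10353:tid 3979213680] [client 14.14.14.14:49519] No signature found, URI: tech.wan.com.au/.../
2014:06:10-06:51:12 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="284" user="-" host="14.14.14.14" method="RDG_OUT_DATA" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="342736" url="/remoteDesktopGateway/" server="tech.wan.com.au"
2014:06:10-06:51:13 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="13" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="744980" url="/rpc/rpcproxy.dll" server="tech.wan.com.au"
2014:06:10-06:50:09 utm reverseproxy: srcip="14.14.14.14" localip="11.11.11.11" size="286" user="-" host="14.14.14.14" method="RPC_IN_DATA" statuscode="403" reason="url hardening" extra="URI prefix does not match" exceptions="-" time="3054527" url="/rpc/rpcproxy.dll" server="tech.wan.com.au"
2014:06:10-07:33:42 utm reverseproxy: srcip="14.14.14.14" localip="10.10.10.10" size="20" user="-" host="14.14.14.14" method="RPC_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="-" time="347985" url="/rpc/rpcproxy.dll" server="tech.wan.com.au"
"""

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
HEADER_RE = re.compile(r'^(\S+) (\S+) reverseproxy: (?=srcip=")')


def parse_line(line):
    """Parse one key="value" access line into a dict; return None for the
    free-text [url_hardening:error] lines, which carry no structured fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["timestamp"], fields["hostname"] = m.group(1), m.group(2)
    return fields


def parse_log(text):
    """All structured access lines in the log, in order."""
    return [f for f in map(parse_line, text.splitlines()) if f]


def hardening_blocks(text):
    """(method, url, extra) for each request rejected with reason="url hardening";
    'extra' names the check that failed, which is what tells you which entry to fix."""
    return [(f["method"], f["url"], f["extra"]) for f in parse_log(text)
            if f["statuscode"] == "403" and f["reason"] == "url hardening"]


def exempted(text):
    """(method, url, exception) for requests that bypassed a check via an exception
    such as SkipURLHardening; useful to audit how broad the exceptions have become."""
    return [(f["method"], f["url"], f["exceptions"]) for f in parse_log(text)
            if f["exceptions"] != "-"]


def block_reasons(text):
    """Count blocks per (url, extra) so the failing check is visible at a glance."""
    return Counter((url, extra) for _, url, extra in hardening_blocks(text))
```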