Web Application Security: Remote Desktop Support

Just like Outlook Anywhere, Remote Desktop uses RPC requests. In the meantime Outlook Anywhere is officially supported by UTM 9.1, so I hope the effort for the developers to implement it as well will be small. I think the advantage will be huge for many of us, because many customers ask for it.

90 votes

Marcel Forster shared this idea

    16 comments

• FosterDoug commented

        As a concession to the hundreds of people who have asked for this feature, perhaps Sophos could change the user interface label to say "Enable RPC over HTML for Outlook Anywhere and Remote Desktop"

• FosterDoug commented

Note that all of the following list of ideas seem to be the same, but only this topic has a Sophos reply. When Sophos does not help us identify similar items, one wonders if they really use the voting process to influence decisions, and it certainly makes it easy to waste our limited votes. I have added my own cross-post to all of these topics. But if the subject is dead, all of those voters should get their votes back:

Web Application Firewall: Remote Desktop Gateway support (201 votes)
ID33532 9.209 RDWeb via WAF is not possible on customers site (10 votes)
Enable the use of the WAF as a front end for Remote Desktop Gateway. (13 votes)
Web Application Firewall: Web-Access for Remote Desktop (6 votes)
Web Application Security: Remote Desktop Support (90 votes)

• Anonymous commented

You can get it to work, but then you will get a lot of issues with external corporate users, which you are not able to solve in all cases. If this feature is fixed the way it should be, you will make lots of your users happy.

Sophos, please stop ignoring this problem, it is a real problem. Many users have problems and Sophos is just ignoring the fact that RDG (at least, Remote Desktop Services 2012 R2) is not working the way it should. Quit stalling for more time by ignoring it and please start spending time fixing this issue.

• Dan Buhler commented

        We've been unable to get it working with Server 2012 R2 and iOS or Windows 8+ clients.

• Anonymous commented

Please add a pass-through RPC RDP Gateway Traffic feature to the WAF, like Outlook Anywhere.

• Jim Harrison commented

        The only advantage to this request is to use SSL offloading at the UTM so that you can validate the HTTP headers. While I get that this does imply some small level of protection (nothing IIS isn't doing for itself), you need to realize that neither ISA nor TMG actually "inspect" this traffic beyond the HTTPS headers because the actual RPC messages are encrypted between the RDC and RDG.

You can't make the comparison to OWA or ActiveSync (AKA EAS) because they are entirely different communication processes that ISA, TMG and UTM are perfectly able to protect, as they use "normal" HTTP that can be inspected for malware.

        OA is like RDG in that you have encrypted RPC messages being passed through encrypted HTTP, making them invisible to any IPS found in UTM, ISA or TMG.
        Here are some articles I wrote for ISA 2006 (still relevant) that help explain what is happening with RPC over HTTP:

        http://blogs.technet.com/b/isablog/archive/2007/08/13/testing-rpc-over-http-through-isa-server-2006-part-1-protocols-authentication-and-processing.aspx
        http://blogs.technet.com/isablog/archive/2007/08/13/testing-rpc-over-http-through-isa-server-2006-part-2-test-tools-and-strategies.aspx
        http://blogs.technet.com/isablog/archive/2007/08/13/testing-rpc-over-http-through-isa-server-2006-part-3-common-failures-and-resolutions.aspx

        Basically, what UTM needs to do is recognize the RDG_IN_DATA and RDG_OUT_DATA HTTP methods and treat it exactly as they do OA traffic - that is, pass it uninspected.

• 131632 commented

        @Alan Toews
        About your question, "How would you see this feature working exactly?".

I think a simple checkbox "Pass Remote Desktop Gateway", like "Outlook Anywhere", would do it to allow RDGW traffic.

• 131632 commented

Hi all. I am also one of those waiting for a possibility to shut down my old ISA 2006. The only reason I cannot do this right now is Remote Desktop Gateway support from the UTM.
As many of you already mentioned, RDGW uses different methods than Outlook Anywhere, like RDG_IN_DATA and RDG_OUT_DATA on the URLs with "/remoteDesktopGateway/".

        @Alan Toews
        Hi Alan. There are some admins out there, who are publishing services over one public IP address, using a wildcard certificate. I have this setup with ISA 2006, publishing OWA, OA, ActiveSync and RDGW.

So, with one public IP we cannot DNAT RDGW access. SSL VPN is not really a comfortable solution, since RDS apps are mostly published by Remote Desktop Web Access and use RDGW.

I would love RDGW functionality support like Outlook Anywhere, and then we can kill ISA and maybe also TMG servers, and replace them with this great product from Sophos.
As Christian Krüsi mentioned, there are a lot of users out there who are trying to deploy their RDS platform while they think RPC over HTTP support (Outlook Anywhere) also works for RDGW.

I hope this helps you understand how important this feature is.

Thank you

• Christian Krüsi commented

I would like this feature also. There is another feature request for the same functionality at http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/4305841-web-application-firewall-remote-desktop-gateway- . And there are many posts in the forum like http://www.astaro.org/closed-forums-read-only/utm-9-betas/utm-9-1-public-beta/47321-9-092-feature-remote-desktop-gateway-waf-not-working.html where the Astaro beta bot says that this is tracked as Mantis ID #25441.

@Alan Toews. The Remote Desktop Gateway serves a website where you can start apps from the Remote Desktop Server or an RDP session (RDP over HTTPS). If WAF covered this, it would be more secure than a DNAT rule and more comfortable than going over the VPN Portal.

• Jim Harrison commented

        Alan, RDG is not "raw RDP", but (like Outlook Anywhere), a multi-tunneled protocol: RDP over RPC over HTTP over SSL.
        Please see my other comment for the basic data points that should solve this.

• Jim Harrison commented

        Agreed - the functional differences between OA and RDG are not that significant.
        I suspect that UTM is identifying OA through the use of path (always /rpc/rpcproxy.dll) and RPC_IN_DATA and RPC_OUT_DATA methods.
        To support RDG, it's a simple matter of including /remoteDesktopGateway/ and RDG_IN_DATA and RDG_OUT_DATA methods as well.
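The matching rule Jim describes, as an added example (not Sophos UTM code, and the request lines are constructed): the only difference between identifying an Outlook Anywhere tunnel and an RDG tunnel is the method pair and the path prefix, and a request that uses a tunnel method on any other path is not a tunnel and should still go through normal inspection.

```python
"""Classify RPC-over-HTTP tunnel requests by HTTP method and path.

Added example, not UTM's own implementation. Rule from the thread:
  Outlook Anywhere = RPC_IN_DATA / RPC_OUT_DATA on /rpc/rpcproxy.dll
  RDG              = RDG_IN_DATA / RDG_OUT_DATA under /remoteDesktopGateway/
Tunnel bodies are encrypted RPC, so a WAF can only pass them through or
block them; everything else stays on the normal inspection path.
"""
from typing import Optional

# (accepted methods, lowercased path prefix) per tunnel type.
TUNNEL_RULES = {
    "outlook-anywhere": ({"RPC_IN_DATA", "RPC_OUT_DATA"}, "/rpc/rpcproxy.dll"),
    "rdg": ({"RDG_IN_DATA", "RDG_OUT_DATA"}, "/remotedesktopgateway/"),
}


def classify_request_line(request_line: str) -> Optional[str]:
    """Return "outlook-anywhere", "rdg", or None for a raw HTTP request line."""
    parts = request_line.strip().split()
    if len(parts) != 3:
        return None  # malformed start line: never treat as a tunnel
    method, target, _version = parts
    path = target.split("?", 1)[0].lower()  # drop the query (OA puts host:port there)
    for name, (methods, prefix) in TUNNEL_RULES.items():
        # Method AND path must agree; RDG_IN_DATA on /owa/ is not a tunnel.
        if method in methods and path.startswith(prefix):
            return name
    return None


def waf_action(request_line: str, allow_rdg: bool, allow_oa: bool) -> str:
    """Decide per request: "pass-through" (uninspected tunnel) or "inspect".

    allow_oa mirrors the existing Outlook Anywhere checkbox; allow_rdg is the
    hypothetical "Pass Remote Desktop Gateway" checkbox requested in the thread.
    """
    kind = classify_request_line(request_line)
    if kind == "outlook-anywhere" and allow_oa:
        return "pass-through"
    if kind == "rdg" and allow_rdg:
        return "pass-through"
    return "inspect"


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    for line in ("RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.test:6001 HTTP/1.1",
                 "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1",
                 "RDG_IN_DATA /owa/ HTTP/1.1",
                 "GET /remoteDesktopGateway/ HTTP/1.1"):
        print(f"{line!r:70} -> {waf_action(line, allow_rdg=True, allow_oa=True)}")
```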

• Alan Toews (Admin, Sr. Product Manager, Sophos Features & Ideas Laboratory) commented

        Hi Marcel,

        How would you see this feature working exactly? RDP is not an http or https based protocol, and doesn't operate on standard web ports by default. You can already use the HTML5 VPN portal feature to provide RDP access to a server through the browser.

        Alternately, you can simply use a DNAT rule to port-forward traffic to it, and block malicious traffic with IPS.

        Is there something extra you're wanting this to do? If neither of the above options are what you're asking for, perhaps some further description of the request would be helpful.
