Web Application Security: Remote Desktop Support

Like Outlook Anywhere, Remote Desktop uses RPC requests. In the meantime, Outlook Anywhere is officially supported by UTM 9.1, so I hope the effort for the developers to implement this as well will be small. I think the advantage will be huge for many of us, because many customers ask for it.

40 votes

Marcel Forster shared this idea

    9 comments

      • Jim Harrison commented

        The only advantage to this request is to use SSL offloading at the UTM so that you can validate the HTTP headers. While I get that this does imply some small level of protection (nothing IIS isn't doing for itself), you need to realize that neither ISA nor TMG actually "inspect" this traffic beyond the HTTPS headers, because the actual RPC messages are encrypted between the RDC and RDG.

        You can't make the comparison to OWA or ActiveSync (AKA EAS), because they are entirely different communication processes that ISA, TMG and UTM are perfectly capable of protecting, as they use "normal" HTTP that can be inspected for malware.

        OA is like RDG in that you have encrypted RPC messages being passed through encrypted HTTP, making them invisible to any IPS found in UTM, ISA or TMG.

        Here are some articles I wrote for ISA 2006 (still relevant) that help explain what is happening with RPC over HTTP:

        http://blogs.technet.com/b/isablog/archive/2007/08/13/testing-rpc-over-http-through-isa-server-2006-part-1-protocols-authentication-and-processing.aspx
        http://blogs.technet.com/isablog/archive/2007/08/13/testing-rpc-over-http-through-isa-server-2006-part-2-test-tools-and-strategies.aspx
        http://blogs.technet.com/isablog/archive/2007/08/13/testing-rpc-over-http-through-isa-server-2006-part-3-common-failures-and-resolutions.aspx

        Basically, what UTM needs to do is recognize the RDG_IN_DATA and RDG_OUT_DATA HTTP methods and treat it exactly as they do OA traffic - that is, pass it uninspected.

      • 131632 commented

        @Alan Toews
        About your question, "How would you see this feature working exactly?".

        I think, a simple Checkbox "Pass Remote Desktop Gateway" like "Outlook Anywhere" would do it to allow RDGW traffic.

      • 131632 commented

        Hi all. I am also one of those waiting for a possibility to shut down my old ISA 2006. The only reason I cannot do this right now is Remote Desktop Gateway support in the UTM.
        As many of you already mentioned, RDGW uses different methods than Outlook Anywhere, like RDG_IN_DATA and RDG_OUT_DATA, on URLs with "/remoteDesktopGateway/".

        @Alan Toews
        Hi Alan. There are some admins out there who are publishing services over one public IP address, using a wildcard certificate. I have this setup with ISA 2006, publishing OWA, OA, ActiveSync and RDGW.

        So, with one public IP we cannot DNAT RDGW access. SSL VPN is not really a comfortable solution, since RDS apps are mostly published by Remote Desktop Web Access and use RDGW.

        I would love RDGW functionality support like Outlook Anywhere, and then we can kill ISA and maybe also TMG servers and replace them with this great product from Sophos.
        As Christian Krüsi mentioned, there are a lot of users out there who are trying to deploy their RDS platform while they think RPC over HTTP support (Outlook Anywhere) also works for RDGW.

        I hope this helps you understand how important this feature is.

        Thank you

      • Christian Krüsi commented

        I would like this feature also. There is another feature request for the same functionality at http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/4305841-web-application-firewall-remote-desktop-gateway- . And there are many posts in the forum, like http://www.astaro.org/closed-forums-read-only/utm-9-betas/utm-9-1-public-beta/47321-9-092-feature-remote-desktop-gateway-waf-not-working.html , where the Astaro beta bot says that this is tracked as Mantis ID #25441.

        @Alan Toews. The Remote Desktop Gateway serves a website where you can start apps from the Remote Desktop Server or an RDP session (RDP over HTTPS). If WAF would cover this, it would be more secure than a DNAT rule and more comfortable than going over the VPN portal.

      • Jim Harrison commented

        Alan, RDG is not "raw RDP", but (like Outlook Anywhere), a multi-tunneled protocol: RDP over RPC over HTTP over SSL.
        Please see my other comment for the basic data points that should solve this.

      • Jim Harrison commented

        Agreed - the functional differences between OA and RDG are not that significant.
        I suspect that UTM is identifying OA through the use of path (always /rpc/rpcproxy.dll) and RPC_IN_DATA and RPC_OUT_DATA methods.
        To support RDG, it's a simple matter of including /remoteDesktopGateway/ and RDG_IN_DATA and RDG_OUT_DATA methods as well.
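
        The request-recognition logic Jim Harrison describes in his two comments above (RPC_IN_DATA/RPC_OUT_DATA on /rpc/rpcproxy.dll for Outlook Anywhere, RDG_IN_DATA/RDG_OUT_DATA on /remoteDesktopGateway/ for the gateway, and "pass it uninspected" because the tunnelled RPC is encrypted), written out as an added example. This is illustration code for this thread, not Sophos UTM, ISA or TMG code; the decision labels, the case-insensitive path matching and the choice to reject a tunnel method that arrives on a non-tunnel path are assumptions of the example, and the sample requests are constructed.

```python
"""Classify HTTP request heads the way a reverse proxy / WAF would if it wanted
to pass Outlook Anywhere (OA) and Remote Desktop Gateway (RDG) tunnels through
without body inspection, while still inspecting ordinary HTTP.

Added example for this feature-request thread; not Sophos UTM code.
Assumptions: the bypass/inspect/reject labels, case-insensitive path matching
(IIS paths are not case-sensitive) and the 'reject' policy are this example's.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Tunnel methods and the paths they are expected on, as described in the thread.
# "exact" means the whole path must match, "prefix" means the path must start with it.
TUNNELS: dict[str, tuple[frozenset[str], str, str]] = {
    "oa":  (frozenset({"RPC_IN_DATA", "RPC_OUT_DATA"}), "/rpc/rpcproxy.dll", "exact"),
    "rdg": (frozenset({"RDG_IN_DATA", "RDG_OUT_DATA"}), "/remotedesktopgateway/", "prefix"),
}
TUNNEL_METHODS = frozenset().union(*(m for m, _, _ in TUNNELS.values()))


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.x request head.

    Returns (method, request-target, headers); header names are lower-cased.
    Raises ValueError on a malformed request line or header line.
    """
    text = raw.decode("iso-8859-1")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def normalize_path(target: str) -> str:
    """Strip the query string (OA puts 'host:port' there) and lower-case the path."""
    return urlsplit(target).path.lower()


def classify(raw: bytes) -> str:
    """Return one of 'bypass_oa', 'bypass_rdg', 'inspect' or 'reject'.

    bypass_*: recognised tunnel on its expected path; the body is encrypted RPC
              and cannot be usefully inspected, so only the head is validated.
    inspect : ordinary HTTP (OWA, EAS, web access); send through the normal WAF/IPS path.
    reject  : a tunnel method used against a path that does not host that tunnel.
    """
    method, target, _headers = parse_request_head(raw)
    path = normalize_path(target)
    for name, (methods, expected, mode) in TUNNELS.items():
        if method not in methods:
            continue
        matched = path == expected if mode == "exact" else path.startswith(expected)
        return f"bypass_{name}" if matched else "reject"
    # Any method that is not one of the tunnel methods is ordinary HTTP.
    return "inspect"


# Constructed sample requests (hostnames are placeholders, not real systems).
SAMPLE_REQUESTS: dict[str, bytes] = {
    "rdg_out": b"RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1\r\nHost: gw.example.test\r\n\r\n",
    "oa_in":   b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.test:6001 HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "owa_get": b"GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "rdg_on_owa": b"RDG_IN_DATA /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
}


def classify_samples() -> dict[str, str]:
    """Classify every constructed sample; handy for a quick self-check."""
    return {name: classify(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:12s} -> {decision}")
```

        The point the decision table makes is the one in the comments: the gateway's traffic is identified by method plus path, and once identified it has to be passed through much as Outlook Anywhere already is, because what follows the head is encrypted RPC that no IPS signature can read.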

      • Alan Toews (Admin, Sophos Features & Ideas Laboratory) commented

        Hi Marcel,

        How would you see this feature working exactly? RDP is not an http or https based protocol, and doesn't operate on standard web ports by default. You can already use the HTML5 VPN portal feature to provide RDP access to a server through the browser.

        Alternately, you can simply use a DNAT rule to port-forward traffic to it, and block malicious traffic with IPS.

        Is there something extra you're wanting this to do? If neither of the above options are what you're asking for, perhaps some further description of the request would be helpful.
