Web Application Security: Remote Desktop Support
Like Outlook Anywhere, Remote Desktop uses RPC requests. In the meantime, Outlook Anywhere is officially supported by UTM 9.1, so I hope the effort for the developers to implement this as well will be small. I think the advantage will be huge for many of us, because many customers ask for it.
David Kottmann commented
Patrick Wageck commented
Please add a pass-through feature for RPC RDP Gateway traffic to the WAF, like the one for Outlook Anywhere.
The only advantage to this request is to use SSL offloading at the UTM so that you can validate the HTTP headers. While I get that this does imply some small level of protection (nothing IIS isn't doing for itself), you need to realize that neither ISA nor TMG actually "inspect" this traffic beyond the HTTPS headers because the actual RPC messages are encrypted between the RDC and RDG.
You can't make the comparison to OWA or ActiveSync (AKA EAS) because they are entirely different communication processes that ISA, TMG and UTM are perfectly capable of protecting, as they use "normal" HTTP that can be inspected for malware.
OA is like RDG in that you have encrypted RPC messages being passed through encrypted HTTP, making them invisible to any IPS found in UTM, ISA or TMG.
Here are some articles I wrote for ISA 2006 (still relevant) that help explain what is happening with RPC over HTTP:
Basically, what UTM needs to do is recognize the RDG_IN_DATA and RDG_OUT_DATA HTTP methods and treat it exactly as they do OA traffic - that is, pass it uninspected.
About your question, "How would you see this feature working exactly?".
I think a simple checkbox "Pass Remote Desktop Gateway", like the one for "Outlook Anywhere", would do to allow RDGW traffic.
Hi all. I am also one of those waiting for a possibility to shut down my old ISA 2006. The only reason I cannot do this right now is the lack of Remote Desktop Gateway support in the UTM.
As many of you already mentioned, RDGW uses different methods than Outlook Anywhere, namely RDG_IN_DATA and RDG_OUT_DATA on URLs containing "/remoteDesktopGateway/".
Hi Alan. There are some admins out there who publish services over one public IP address using a wildcard certificate. I have this setup with ISA 2006, publishing OWA, OA, ActiveSync and RDGW.
So, with one public IP we cannot DNAT RDGW access. SSL VPN is not really a comfortable solution, since RDS apps are mostly published by Remote Desktop Web Access and use RDGW.
I would love RDGW support like the Outlook Anywhere functionality, and then we can kill the ISA and maybe also the TMG servers and replace them with this great product from Sophos.
As Christian Krüsi mentioned, there are a lot of users out there who are trying to deploy their RDS platform while thinking that the RPC over HTTP support (Outlook Anywhere) also works for RDGW.
I hope this helps you understand how important this feature is.
Christian Krüsi commented
I would like this feature also. There is another Feature request for the same functionality at http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/4305841-web-application-firewall-remote-desktop-gateway- . And there are many posts in the Forum like http://www.astaro.org/closed-forums-read-only/utm-9-betas/utm-9-1-public-beta/47321-9-092-feature-remote-desktop-gateway-waf-not-working.html where the astaro beta bot says that this is tracked as mantis ID #25441
@Alan Toews. The Remote Desktop Gateway serves a website where you can start apps from the Remote Desktop Server or an RDP session (RDP over HTTPS). If the WAF covered this, it would be more secure than a DNAT rule and more comfortable than going through the VPN portal.
Alan, RDG is not "raw RDP", but (like Outlook Anywhere), a multi-tunneled protocol: RDP over RPC over HTTP over SSL.
Please see my other comment for the basic data points that should solve this.
Agreed - the functional differences between OA and RDG are not that significant.
I suspect that UTM is identifying OA through the use of path (always /rpc/rpcproxy.dll) and RPC_IN_DATA and RPC_OUT_DATA methods.
To support RDG, it's a simple matter of including /remoteDesktopGateway/ and RDG_IN_DATA and RDG_OUT_DATA methods as well.
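The two comments above (the one asking UTM to recognize RDG_IN_DATA/RDG_OUT_DATA and pass them uninspected, and this one listing the OA and RDG method/path pairs) describe a classification rule rather than an inspection rule: the WAF can only decide, from the request line, whether the body is an encrypted RPC tunnel it must hand through or ordinary HTTP it can inspect. The following Python is an added example of that decision, written for this thread; it is not Sophos UTM's code and does not claim to reproduce how UTM actually detects Outlook Anywhere. The rule table, the three actions (passthrough, reject, inspect), and the sample requests are all assumptions built from the method and path names quoted in the comments; the decision to reject a tunnel verb that arrives outside its published path is a design choice, not something the thread states.

```python
"""Decide whether an HTTP request is Outlook Anywhere or RD Gateway tunnel
traffic (encrypted RPC, cannot be content-inspected) or ordinary HTTP.

Added example for this thread. The method/path pairs are the ones quoted
in the comments; the rule structure and actions are assumptions, not the
Sophos UTM implementation.
"""
from dataclasses import dataclass, field

# Published tunnel endpoints named in the thread. Paths are stored lower-cased
# because IIS matches them case-insensitively.
PASSTHROUGH_RULES = {
    "outlook_anywhere": {
        "methods": {"RPC_IN_DATA", "RPC_OUT_DATA"},
        "path": "/rpc/rpcproxy.dll",
        "prefix": False,            # exactly this path
    },
    "rd_gateway": {
        "methods": {"RDG_IN_DATA", "RDG_OUT_DATA"},
        "path": "/remotedesktopgateway/",
        "prefix": True,             # anything under the gateway virtual directory
    },
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.1 request-head parser: request line plus headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path = target.split("?", 1)[0]   # OA carries the backend host:port in the query string
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def classify(req: Request) -> tuple:
    """Return (action, rule_name).

    passthrough - tunnel verb on its published path: the body is encrypted RPC,
                  so hand it to the backend without content inspection
    reject      - tunnel verb anywhere else: no published endpoint, and the WAF
                  could not inspect the body anyway (assumed policy)
    inspect     - everything else (OWA, EAS, RD Web Access): plain HTTP that the
                  WAF engine can scan
    """
    path = req.path.lower()
    for name, rule in PASSTHROUGH_RULES.items():
        if req.method not in rule["methods"]:
            continue
        on_path = path.startswith(rule["path"]) if rule["prefix"] else path == rule["path"]
        return ("passthrough", name) if on_path else ("reject", name)
    return ("inspect", None)


# Constructed sample requests (hostnames are placeholders, not real systems).
SAMPLES = {
    "rdg_out": b"RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1\r\nHost: rds.example.com\r\n\r\n",
    "oa_in": b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "owa_get": b"GET /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "rdweb_get": b"GET /RDWeb/Pages/en-US/login.aspx HTTP/1.1\r\nHost: rds.example.com\r\n\r\n",
    "rdg_wrong_path": b"RDG_IN_DATA /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
}


def run_samples() -> dict:
    """Classify every constructed sample and return {name: (action, rule)}."""
    return {name: classify(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, rule) in run_samples().items():
        print(f"{name:15s} -> {action:12s} {rule or ''}")
```

A single "Pass Remote Desktop Gateway" checkbox, as suggested earlier in the thread, would amount to toggling the `rd_gateway` entry in that table. The point worth keeping in mind is that "passthrough" grants nothing beyond what the tunnel needs: a GET to /RDWeb/ or to the gateway path still goes through normal inspection, and a tunnel verb aimed at any other path never reaches the backend.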
How would you see this feature working exactly? RDP is not an HTTP- or HTTPS-based protocol, and doesn't operate on standard web ports by default. You can already use the HTML5 VPN portal feature to provide RDP access to a server through the browser.
Alternately, you can simply use a DNAT rule to port-forward traffic to it, and block malicious traffic with IPS.
Is there something extra you're wanting this to do? If neither of the above options are what you're asking for, perhaps some further description of the request would be helpful.