Web Application Firewall: Remote Desktop Gateway support

Similar to support for Outlook Anywhere, it would be really beneficial if the WAF allowed for the publishing of Remote Desktop Gateway and handled those methods. RDG_OUT_DATA followed by RPC_IN_DATA and RPC_OUT_DATA, and including /RemoteDesktopGateway in the request. It seems like common functionality that many customers must be looking for...

201 votes
Anonymous shared this idea

    18 comments

      • FosterDoug commented

        Note that all of these ideas seem to be the same, and the last topic in the list has a response that it is already possible:
        Web Application Firewall: Remote Desktop Gateway support (201 votes)
        ID33532 9.209 RDWeb via WAF is not possible on customers site (10 votes)
        Enable the use of the WAF as a front end for Remote Desktop Gateway. (13 votes)
        Web Applikation Firewall: Web-Access for Remote Desktop (6 votes)
        Web Application Security: Remote Desktop Support (90 votes)
        In reply to the last topic, Sophos says:

        ALREADY POSSIBLE
        Alan Toews (Sr. Product Manager, Sophos Features & Ideas Laboratory) responded
        Enabling Outlook anywhere support in UTM WAF will allow MSRPC over HTML support, which is all that is necessary to support MS RDP services

      • Joel Baker commented

        Being able to use web publishing was the primary reason for using a UTM over cheaper alternatives like SonicWALL. Now that it no longer works for server 2012r2, my clients can no longer use the web publishing feature and they have to NAT to a single server instead. Can no longer justify the extra cost of the UTM. Come on guys, surely you can extend the feature to support 2012R2 RDG and then get some sales back!!!

      • Jamie commented

        Come on, you really need to pull the proverbial finger out here and sort this bit of key functionality out that A LOT of people actually need to use. It's absolutely mind boggling that this functionality is missing in the first place. UTM is a great product but the lack of this feature lets it down massively, so please, please, please make Remote Desktop Gateway services working through the WAF! :)

      • Joel Baker commented

        Feature used a lot with small business clients on SBS 2011, need the same functionality for 2012 R2.

      • Anonymous commented

        I configured WAF for Server 2012 R2 Remote Desktop Gateway. I'm able to connect with the Windows 7 integrated Remote Desktop client. But the Windows 8 / iOS / Android Remote Desktop client didn't work. It couldn't be so hard to fix this. Please do IT!

      • Markus Greiner commented

        This feature is important, because with the remote desktop gateway I hope to use the remote desktop client apps on ios and windows.

      • Anonymous commented

        I need to update my current UTMs, and it won't be with Sophos unless this feature can be added very soon.

      • Anonymous commented

        Please add a pass through RPC RDP Gateway Traffic feature to the WAF like Outlook Anywhere

      • Will R commented

        This needs to be worked on more. Even though there is a guide on how to publish Remote Desktop Gateway thru the Web Application Firewall, RPC traffic is still being affected.

        2015:02:04-22:16:41 secure reverseproxy: [Wed Feb 04 22:16:41.614280 2015] [authz_blacklist:warn] [pid 3381:tid 4122061680] [client 66.76.13.33:22927] DNS lookup for 33.13.76.66.dnsbl.proxybl.org. failed: Temporary failure in name resolution

        2015:02:04-22:16:41 secure reverseproxy: id="0299" srcip="66.76.13.33" localip="173.219.156.15" size="13" user="-" host="66.76.13.33" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="10164470" url="/rpc/rpcproxy.dll" server="remote.domain.net" referer="-" cookie="-" set-cookie="-"

        2015:02:04-22:16:51 secure reverseproxy: [Wed Feb 04 22:16:51.828767 2015] [authz_blacklist:warn] [pid 3381:tid 4122061680] [client 66.76.13.33:22927] DNS lookup for 33.13.76.66.dnsbl.proxybl.org. failed: Temporary failure in name resolution

        2015:02:04-22:16:51 secure reverseproxy: [Wed Feb 04 22:16:51.829992 2015] [authz_blacklist:warn] [pid 3381:tid 4113668976] [client 66.76.13.33:50077] DNS lookup for 33.13.76.66.dnsbl.proxybl.org. failed: Temporary failure in name resolution

        2015:02:04-22:16:51 secure reverseproxy: id="0299" srcip="66.76.13.33" localip="173.219.156.15" size="13" user="-" host="66.76.13.33" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="10077621" url="/rpc/rpcproxy.dll" server="remote.domain.net" referer="-" cookie="-" set-cookie="-"

        2015:02:04-22:16:56 secure reverseproxy: [Wed Feb 04 22:16:56.923907 2015] [proxy_msrpc:error] [pid 3381:tid 4122061680] (110)Connection timed out: [client 66.76.13.33:22927] RPC_IN_DATA: Failed to sync Outlook Session 1d52475a-8b71-d26f-aa85-c55df210829c: -1

        2015:02:04-22:16:56 secure reverseproxy: [Wed Feb 04 22:16:56.924101 2015] [proxy_msrpc:error] [pid 3381:tid 4122061680] (70015)Could not find specified socket in poll list.: [client 66.76.13.33:22927] RPC_IN_DATA: There is no registered Outlook Session 1d52475a-8b71-d26f-aa85-c55df210829c in cache

        2015:02:04-22:16:56 secure reverseproxy: id="0299" srcip="66.76.13.33" localip="173.219.156.15" size="0" user="-" host="66.76.13.33" method="RPC_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="15251149" url="/rpc/rpcproxy.dll" server="remote.domain.net" referer="-" cookie="-" set-cookie="-"

        2015:02:04-22:17:02 secure reverseproxy: [Wed Feb 04 22:17:02.040162 2015] [authz_blacklist:warn] [pid 3381:tid 4113668976] [client 66.76.13.33:50077] DNS lookup for 33.13.76.66.dnsbl.proxybl.org. failed: Temporary failure in name resolution

        2015:02:04-22:17:02 secure reverseproxy: [Wed Feb 04 22:17:02.051839 2015] [proxy_msrpc:error] [pid 3381:tid 4113668976] (70015)Could not find specified socket in poll list.: [client 66.76.13.33:50077] RPC_OUT_DATA: There is no registered Outlook Session 1d52475a-8b71-d26f-aa85-c55df210829c in cache

        2015:02:04-22:17:16 secure reverseproxy: id="0299" srcip="66.76.13.33" localip="173.219.156.15" size="0" user="-" host="66.76.13.33" method="RPC_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="24211617" url="/rpc/rpcproxy.dll" server="remote.domain.net" referer="-" cookie="-" set-cookie="-"
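
Added example, not part of the comment above and not Sophos code: a small Python triage script for reverseproxy log lines in the format quoted above. It tallies requests per client by method and status code and lists clients whose RPC_IN_DATA/RPC_OUT_DATA requests coincide with proxy_msrpc errors; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the reverseproxy log quoted above
# (documentation IP addresses, made-up session id; not real traffic).
SAMPLE_LOG = """\
2015:02:04-22:16:41 secure reverseproxy: id="0299" srcip="192.0.2.10" method="RPC_IN_DATA" statuscode="401" exceptions="SkipURLHardening" url="/rpc/rpcproxy.dll"
2015:02:04-22:16:51 secure reverseproxy: id="0299" srcip="192.0.2.10" method="RPC_OUT_DATA" statuscode="401" exceptions="SkipURLHardening" url="/rpc/rpcproxy.dll"
2015:02:04-22:16:56 secure reverseproxy: [Wed Feb 04 22:16:56.923907 2015] [proxy_msrpc:error] [pid 3381:tid 4122061680] (110)Connection timed out: [client 192.0.2.10:22927] RPC_IN_DATA: Failed to sync Outlook Session 00000000-0000-0000-0000-000000000000: -1
2015:02:04-22:16:56 secure reverseproxy: id="0299" srcip="192.0.2.10" method="RPC_IN_DATA" statuscode="200" exceptions="SkipURLHardening" url="/rpc/rpcproxy.dll"
2015:02:04-22:17:05 secure reverseproxy: id="0299" srcip="192.0.2.20" method="GET" statuscode="200" exceptions="-" url="/index.html"
"""

# key="value" pairs of an access-log entry (keys may contain '-', e.g. set-cookie)
KV = re.compile(r'(\w[\w-]*)="([^"]*)"')
# Apache-style proxy_msrpc error entry: client address, RPC method, message
ERR = re.compile(r'\[proxy_msrpc:error\].*?\[client ([\d.]+):\d+\] (\w+): (.*)$')


def summarize(log_text):
    """Return (requests, errors): per-client (method, status) counts and
    per-client lists of (method, message) from proxy_msrpc error lines."""
    requests = defaultdict(lambda: defaultdict(int))
    errors = defaultdict(list)
    for line in log_text.splitlines():
        err = ERR.search(line)
        if err:
            client, method, message = err.groups()
            errors[client].append((method, message))
            continue
        fields = dict(KV.findall(line))
        if {"srcip", "method", "statuscode"} <= fields.keys():
            requests[fields["srcip"]][(fields["method"], fields["statuscode"])] += 1
    return requests, errors


def broken_rpc_clients(log_text):
    """Clients whose RPC_* requests reached the WAF and also hit proxy_msrpc errors."""
    requests, errors = summarize(log_text)
    return sorted(client for client in errors
                  if any(method.startswith("RPC_") for method, _ in requests.get(client, {})))


if __name__ == "__main__":
    reqs, errs = summarize(SAMPLE_LOG)
    for client in broken_rpc_clients(SAMPLE_LOG):
        print(client, dict(reqs[client]), errs[client])
```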

      • Troy Gleason commented

        Yes, we too are looking for this functionality. Since we switched from forwarding all port 80 and 443 requests to using the web application support, we have lost our ability to use the remote desktop gateway. Adding this to the Web Application Firewall would be terrific.

      • Christian Krüsi commented

        I would like this feature also. There is another feature request for the same functionality at http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/4160207-web-application-security-remote-desktop-support. And there are many posts in the forum like http://www.astaro.org/closed-forums-read-only/utm-9-betas/utm-9-1-public-beta/47321-9-092-feature-remote-desktop-gateway-waf-not-working.html where the astaro beta bot says that this is tracked as mantis ID #25441.
