How to configure the UTM Web Application Firewall for Microsoft Remote Desktop Gateway connectivity

Similar documents
How to configure the UTM Web Application Firewall for Microsoft Lync Web Services connectivity

Sophos UTM Web Application Firewall For: Microsoft Exchange Services

Using AD360 as a reverse proxy server

WEB CREATOR FILE MANAGER

Joomla 2.5 Kunena Component Installation

Using the Terminal Services Gateway Lesson 10

Sophos Mobile Control SaaS startup guide. Product version: 7

Hypersocket SSO. Lee Painter HYPERSOCKET LIMITED Unit 1, Vision Business Centre, Firth Way, Nottingham, NG6 8GF, United Kingdom. Getting Started Guide

How to Set Up External CA VPN Certificates

Transport Gateway Installation / Registration / Configuration

A 2012 RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a Secure Sockets Layer (SSL) tunnel.

Configuring Remote Access using the RDS Gateway

Setting up Microsoft Exchange Server 2016 with Avi

Mitel MiVoice Connect Security Certificates

NetExtender for SSL-VPN

Sophos Mobile SaaS startup guide. Product version: 7.1

Building Block Installation - Admins

3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings 4. Select the check box for SPoE as default.

User guide NotifySCM Installer

Module 3 Remote Desktop Gateway Estimated Time: 90 minutes

Entrust Connector (econnector) Venafi Trust Protection Platform

Load Balancing VMware Workspace Portal/Identity Manager

How to Configure SSL Interception in the Firewall

How to connect to the University of Exeter VPN service

Microsoft Outlook. How To Share A Departmental Mailbox s Calendar

Using SSL to Secure Client/Server Connections

Sophos Mobile as a Service

Link Gateway Initial Configuration Manual

Setting up the Sophos Mobile Control External EAS Proxy

How to Set Up Calendars and Contacts

SSL VPN Web Portal User Guide

Sophos Mobile Control SaaS startup guide. Product version: 6.1

How to Configure SSL VPN for Forcepoint NGFW TECHNICAL DOCUMENT

Document Management Guide

Using digital certificates in Microsoft Outlook

Workshare Client Extranet. Getting Started Guide. for Mac

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Online Backup Manager v7 Quick Start Guide for Synology NAS

Recommended Browser Settings

Transport Gateway Installation / Registration / Configuration

Deploying Citrix MetaFrame with the FirePass Controller

INUVIKA TECHNICAL GUIDE

How to Configure a Remote Desktop Licensing Server for vspace 6

Load Balancing VMware Identity Manager

Add OKTA as an Identity Provider in EAA

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

Configuring Confluence

DEPLOYMENT GUIDE. Load Balancing VMware Unified Access Gateway

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

3.1 Getting Software and Certificates

ShareFile Account Admin Guide

Register by completing the form, or connecting via your GitHub or Google account.

GETTING STARTED. Client Axcess Guide. Logging In to Client Axcess the First Time. 4. Enter your verification code on the Identity Verification screen.

Installing and Configuring vcloud Connector

Outlook for ios/android App. Adding and Removing a Shared Calendar on Outlook for ios/android

This post documents the basic steps that should be performed after installing Exchange I perform the following steps:

SSL VPN Web Portal User Guide

Smart Call Home Deploying thetransport Gateway on Cisco Unified Computing System and Red Hat Linux

Configuring Microsoft ADFS for Oracle Fusion Expenses Mobile Single Sign-On

LiveNX Upgrade Guide from v5.1.2 to v Windows

Hands-on Lab Exercise Guide

RPC Over HTTP Install Windows Server 2003 Configure your Exchange 2003 front-end server as an RPC Proxy server

VMware Horizon Client for Chrome Installation and Setup Guide. 15 JUNE 2018 VMware Horizon Client for Chrome 4.8

SECURE Gateway v4.7. TLS configuration guide

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

Important Information

VII. Corente Services SSL Client

Procedure to Flash Upgrade the TLink TL250/TL300

Installation Guide. Contents. Overview. Dell SonicWALL Advanced Reporting Installation Guide. Secure Remote Access. SonicOS

Access SharePoint using Basic Authentication and SSL (via Alternative Access URL) with SP 2016 (v 1.9)

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Authlogics Forefront TMG and UAG Agent Integration Guide

It must be installed on a public-facing IIS server, or have a public reverse proxy to a backend IIS server.

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

DPI-SSL. DPI-SSL Overview

Automatic registration of Drivve Image on a Xerox device

Installing and Configuring vcloud Connector

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811

Outlook and Outlook Web App. Sharing and Accessing Subfolders

Certificates for Live Data Standalone

User Manual for SYSADMIN for e-diary Application

Part 2 Uploading and Working with WebCT's File Manager and Student Management INDEX

Link Platform Manual. Version 5.0 Release Jan 2017

OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5

How to Create a Signed QuickAdd Package

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide

Welcome to the e-learning course for SAP Business One Analytics Powered by SAP HANA: Installation and Licensing. This course is valid for release

Owner of the content within this article is Written by Marc Grote

OneLogin Integration User Guide

Configuring Shared Links for Web Access

Oracle Eloqua Legacy Authenticated Microsites and Contact Users. Configuration Guide

Web Push Notification

VMware Tunnel on Linux. VMware Workspace ONE UEM 1811

Brocade Virtual Traffic Manager and Parallels Remote Application Server

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

How to Configure S/MIME for WorxMail

scconnect v1.x ADMINISTRATION, INSTALLATION, AND USER GUIDE

DEPLOYING A 3SCALE API GATEWAY ON RED HAT OPENSHIFT

Transcription:

How to configure the UTM Web Application Firewall for Microsoft Remote Desktop Gateway connectivity This article explains how to configure your Sophos UTM to allow access Microsoft s Remote Desktop Gateway (RD Gateway) services through the Web Application Firewall. Configuring your Windows 2008/2012 server is outside the scope of this guide; This article assumes you ve already setup your Remote Desktop Gateway and Remote Desktop Host farm (RD Host) environment for remote connectivity and that you have copies of your SSL certificates available in PFX format. Known to apply to the following Sophos product(s) and version(s) Sophos UTM 9.1 Operating systems Microsoft Windows Server 2008 R2 2012 What To Do A. Import the required certificates 1. Go to the Webserver Protection menu in the UTM Web admin console and select Certificate Management 2. Click New Certificate and select Upload in the Method: dropdown box 3. Fill in a name, the required password and a comment (if needed) 4. Click the folder next to the upload field to select the PFX file you wish to import 5. Click save to upload the PFX and complete the import

B. Optional: Import the root Certificate In case your PFX file does not include the root certificate you need to manually import it in order for the UTM to be able to use it. 1. Go to certificate management and navigate to the Certificate Authority tab. 2. Click the Import CA button and fill in the name, description and type (this should usually be Verification CA ) 3. Click the folder next to the upload field to select the certificate to upload (both PFX and CER format are supported) 4. Click save to upload the certificate and complete the import

C. Configuring the Firewall Profile Since RD Gateway is used to transport RPC traffic over an HTTPS tunnel, the traffic is similar to Outlook Anywhere from the UTM s perspective (since that uses RPC as well). As a result of this we will need to configure a profile that allows Outlook Anywhere traffic to the backend servers. 1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall 2. Navigate to the Firewall Profiles tab and click the New Firewall Profile button 3. Fill in a Name for the profile and select the appropriate firewall action (Drop, Reject or Monitor) from the Mode: dropdown menu (Monitor logs the traffic and allows it, Reject drops the traffic and informs the end user s browser, Drop silently drops the traffic) 4. Enable the Pass Outlook Anywhere option 5. Enable URL Hardening and enter /rpc and /RpcwithCert as entry points by clicking the + icon in the top right corner of the checkbox. 6. (Optional) Block suspect hosts by enabling the Block clients with bad reputation feature 7. Click Save to store the profile and continue The following screenshot displays our recommended settings:

D. Creating the Real Webserver(s) 1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall 2. Navigate to the Real Webservers tab and click the New Real Webserver button 3. Fill in a Name for the new Real Webserver and select either a pre-existing Host object by clicking the folder icon or create one by clicking the + button

4. Set the Real Webserver connection type by selecting either HTTP or HTTPS from the Type dropdown menu. 5. (Optional) After selecting the appropriate connection type the UTM will automatically fill in the associated port, should you however need to use a non-standard port you can enter it in the Port field. Repeat the above procedure for every RD Gateway server in your farm. For the rest of this guide we are going to assume a minimum of two servers, but the configuration for a single server is practically similar. E. Creating the Virtual Webserver 1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall 2. Navigate to the Virtual Webservers tab and click the New Virtual Webserver button 3. Fill in a Name for the Virtual server 4. Select the interface on which this Virtual Webserver should be created from the Interface dropdown menu, along with the protocol the end-users should use to connect to this server from the Type menu. Since RD Gateway relies on SSL connectivity, we will set this to HTTPS. 5. (Optional) The UTM will automatically fill in the standard port associated to the HTTPS protocol, but you can set an alternate port in the Port: field (Sophos does not recommend changing the public port as Microsoft s Remote Desktop client and the Remote Desktop Web Gateway do not support this) 6. Select the applicable certificate from the Certificate: dropdown menu 7. Select either the desired domain name from the Domains: list, or (when using a wildcard certificate) enter your desired hostname by clicking the + button in the top right corner. 8. Select the Firewall Profile you ve created for the RD Gateway from the Firewall Profile dropdown menu 9. Enable the Pass Host Header option (this setting is very important when using signed Remote Desktop Profiles, as a failure to do so will result in a discrepancy between the hostname the RD gateway receives and the hostname used to sign the profile, which will cause the Remote Desktop client to display an error) 10. Click the Save button to store the configuration and continue The following screenshot displays our recommended settings:

F. Configuring exceptions Since the URL Filtering feature in UTM is very strict, it will currently not allow clients to open any URL other than the ones we ve configured. This means that rdgw.example.com/rpc is allowed, but rdgw.example.com/rpc/rpc.dll or rdgw.example.com/rpc/directory/anything will be dropped. To enable the clients to access these virtual directories, you need to create an Exception to allow for a little less stringent filtering. 1. Navigate to the Exceptions tab and click the New Exception button 2. Set a Name for the exception and (if needed) Write a description in the Comment: field 3. Enable the URL Hardening option in the Skip these checks menu 4. Select your RD Gateway Virtual Webserver from the On the virtual server dropdown menu 5. Set the For all requests dropdown menu to Web requests matching this path 6. Click the + button in the top right corner to create the a new excepted path and enter /rpc/* 7. Repeat step 6 for the /RpcWithCert/* virtual directory 8. Click the Save button to store the configuration and finish this guide. The following screenshot displays our recommended settings for the exception:

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback