Netgate Discussion Forum

Remote Desktop Gateway via Reverse Proxy

pfSense Packages
  • H
    HenriH
    last edited by May 26, 2017, 5:32 AM

    Hi,

    I'm short of port 443. Is there any way to use the SQUID Reverse Proxy in conjunction with the MS RDP TS GW (RPC over HTTPS)?

    Thanks

    Henri

    • M
      Mats
      last edited by May 26, 2017, 10:06 AM

      Yes, it can be done

      I did that a few years ago but unfortunately I don't have that config anymore (I replaced Squid with HAProxy and removed the RDGW), so I can't give you a complete config.
      My scenario was built for a single external IP scenario (ADSL from ISP).
      I did create a few different hostnames like www.example.com, Mail.example.com and rdgw.example.com, all of them resolving to the same IP (thanks to the DDNS client in pfSense).
      In Squid I created rules based on the hostname and forwarded that traffic to the right backend system. Since the routing is based on hostname, all services can use 443 from the client to the firewall.

      • H
        HenriH
        last edited by May 26, 2017, 11:30 AM

        Thanks a lot,

        unfortunately I get these kinds of messages :-[.

        Thanks

        Henri

        Date IP Status Address User Destination
        26.05.2017 13:21:31 5.x.x.x TAG_NONE_ABORTED/000 https://tsgw.example.com/rpc/rpcproxy.dll? - -
        26.05.2017 13:21:31 5.x.x.x TCP_MISS_ABORTED/000 https://tsgw.example.com/rpc/rpcproxy.dll? - 10.43.23.50
        26.05.2017 13:21:16 5.x.x.x TCP_MISS/200 https://tsgw.example.com/rpc/rpcproxy.dll? - 10.43.23.50
        26.05.2017 13:21:16 5.x.x.x TCP_MISS/200 https://tsgw.example.com/rpc/rpcproxy.dll? - 10.43.23.50
        26.05.2017 13:21:16 5.x.x.x TCP_MISS/401 https://tsgw.example.com/rpc/rpcproxy.dll? - 10.43.23.50
        26.05.2017 13:21:16 5.x.x.x TCP_MISS/401 https://tsgw.example.com/rpc/rpcproxy.dll? - 10.43.23.50
        26.05.2017 13:21:16 5.x.x.x TCP_MISS/401 https://tsgw.example.com/rpc/rpcproxy.dll? - 10.43.23.50
        26.05.2017 13:21:15 5.x.x.x TCP_MISS/401 https://tsgw.example.com/rpc/rpcproxy.dll? - 10.43.23.50
        26.05.2017 13:21:15 5.x.x.x TCP_MISS/404 https://tsgw.example.com/remoteDesktopGateway/ - 10.43.23.50

        • M
          Mats
          last edited by May 27, 2017, 11:14 AM

          I'm sorry that I can't help you more with squid.
          I did dig through my old backups but no luck.

          Even if it's a little off-topic:
          I did find an old 2008/TSGW virtual machine though, so I just had to test setting up a TSGW behind HAProxy. That worked.

          I now have a public certificate (Let's Encrypt) with a SAN name for my TSGW, a hostname that points to the external IP of my firewall and an HAProxy config that forwards the traffic to the TSGW server on my DMZ.

          For reference:
          HAProxy frontend

          ACL
          TSGW Host starts with: no tsgw.Example.com

          Action
          Use Backend See below TSGW

          The backend is even easier, just a server list
          active TSGW Address+Port: 192.168.5.2 443 yes

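
Added example, not part of the thread and not the poster's actual configuration: the frontend ACL and backend server list described above, written out as a plain `haproxy.cfg` fragment. It assumes TLS is terminated on the firewall and re-encrypted to the gateway; the frontend name, ACL name and both file paths are placeholders, and the `defaults`/timeout section is omitted.

```haproxy
# Illustration only. Taken from the post: tsgw.example.com, backend/server
# name TSGW, and 192.168.5.2:443. Everything else is an assumption.

frontend https_in                      # hypothetical frontend name
    mode http
    # Placeholder bundle (certificate + key) whose SAN covers tsgw.example.com
    bind :443 ssl crt /path/to/placeholder-cert.pem

    # "Host starts with", not case sensitive (-i)
    acl host_tsgw hdr_beg(host) -i tsgw.example.com
    use_backend TSGW if host_tsgw
    # Other hostnames on the same external IP get their own acl/use_backend
    # pair; requests matching no ACL are not sent to the gateway.

backend TSGW
    mode http
    # The gateway listens on 443, so the hop into the DMZ is TLS as well.
    # "verify required" with a CA file is an assumption made here so the
    # firewall checks which server it is talking to, rather than "verify none".
    server TSGW 192.168.5.2:443 ssl verify required ca-file /path/to/placeholder-ca.pem
```

Because the ACL matches the HTTP Host header, the frontend must decrypt the connection itself, which is why the certificate with the gateway's SAN sits on the firewall.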
          • H
            HenriH
            last edited by May 27, 2017, 1:12 PM

            Hi Mats,

            thanks a lot. OK, I will switch to HAProxy if that works better.

            Best regards

            Henri

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.