I have it working, kind of. I get to the RDWeb page no issue, I can log in and get the RDP icon, the web page has the correct secure server certificate with the same name as the RDS server in the browser. When I connect to the RDP session, the RDP client launches and requests User credentials, I enter these and I get the error:- “Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address requested and the certificate subject do not match.” When I look at the certificate in the error, it is the mail certificate for OWA & Exchange.
I have added a third network card to the UTM and used this for the RDS connection so as to separate the RDS & Mail connections and it makes no difference.
1. I have both Mail & RDS Certificates loaded onto the Sophos UTM.
2. I have ensured that the RDS rule in the “Web Application Firewall” has the correct certificate applied to it.
3. I have ensured that the RDS certificate is applied to the RDS server in the Config and that the Mail Certificate is not on the server.

I do only have 1 external IP Address, but as I am using 2 different NIC’s for the Mail and RDS I did not think this would be an issue.
I have googled this error and tried most of the fixes, none have worked.

If you have any insight that would be greatly appreciated, thank you. :-)

Hi Ian,

I think this is very easy, just configure port 442 in the virtual webserver and configure your remote desktop connection gateway in “mstsc” with “server.customer.com:442”

Do you have any documentation you can share on publishing an HTTPS connection to a Windows RDS (Remote Desktop Server) through UTM using port 442 or another port, as port 443 is used for OWA and we only have a single external IP Address?
Thank you.

When you look at WAF live logs, there is and ID before the infrastructure ID, it’s THAT ID you need to put in the exception :-)
https://community.sophos.com/kb/en-us/121446

best regards
Martin

Yeah that is a normal warning :-)

‘The list of skipped filter rules contains the following required infrastructure rules: 981176, 981203, 981204. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall.’

It lets me save it.

Hi Paul,

yeah I would skip them as well.

Hi Philipp,

I would recommend doing this directly on the Microsoft IIS

Amazing Article! thank you!

Do you by any chance know if there are some issues with this configuration if you set up a redirection from ‘/’ to ‘/owa’ ?

If have set it up that way, with the Site Path Rules for all the Other Paths but I didn’t get it to work without any Firewall Profile.