Saturday, May 30, 2015

Securing RD Gateway with Web Application Proxy - Part 1

Introduction

So you've spun up an RDS 2012 R2 environment and you are allowing external access via RD Gateway. You've trained your users to log in through RD Web Access to reach their applications and virtual desktops from home. Maybe you've even installed a two-factor authentication product that integrates with RD Web Access to add an additional layer of protection for your environment. Great!

Wait a minute....

Here's what's not always clear. When it comes to remote access to your enterprise environment, RD Web Access is really just a front end for RD Gateway, and it is completely optional. Anyone who knows the external name of your gateway can reach your production environment by pointing mstsc.exe, or the Remote Desktop app on an Android or iPhone device, at RD Gateway directly; the only thing the gateway asks for is a valid set of domain credentials. RD Web Access never enters the picture.
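The following is an added example, not code from the original post, showing how little a direct gateway connection needs. It writes a minimal .rdp file whose settings are the standard properties mstsc.exe reads, then launches the client against it. The gateway and session host names are hypothetical placeholders; if this connects for a user who has never opened your RD Web Access page, the 2FA product is not in the path.

```powershell
# Added example (not from the original post). Builds an .rdp file that goes
# straight through RD Gateway with no RD Web Access involved, then launches it.
function New-DirectGatewayRdpFile {
    param(
        [Parameter(Mandatory)][string]$GatewayFqdn,   # e.g. rdg.contoso.com (hypothetical)
        [Parameter(Mandatory)][string]$InternalHost,  # e.g. rdsh01.corp.contoso.com (hypothetical)
        [string]$Path = "$env:TEMP\direct-gateway.rdp"
    )

    # Standard .rdp properties understood by mstsc.exe:
    #   gatewayusagemethod        1 = always connect through the gateway
    #   gatewaycredentialssource  0 = prompt for a password (NTLM)
    #   gatewayprofileusagemethod 1 = use these explicit settings, not the Group Policy profile
    #   promptcredentialonce      1 = reuse the gateway credentials for the session host
    $settings = @(
        "full address:s:$InternalHost"
        "gatewayhostname:s:$GatewayFqdn"
        "gatewayusagemethod:i:1"
        "gatewaycredentialssource:i:0"
        "gatewayprofileusagemethod:i:1"
        "promptcredentialonce:i:1"
        "authentication level:i:2"
    )
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $Path
}

# Quick reachability check first: RD Gateway listens for the HTTP transport on TCP 443.
$gateway = 'rdg.contoso.com'   # hypothetical
Test-NetConnection -ComputerName $gateway -Port 443 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Launch the client against the generated file. The user is prompted for domain
# credentials by the gateway itself; nothing here touches RD Web Access.
$rdp = New-DirectGatewayRdpFile -GatewayFqdn $gateway -InternalHost 'rdsh01.corp.contoso.com'
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdp`""
```

Test-NetConnection is available from Windows 8.1 / Server 2012 R2 onward; on older clients replace it with a plain TcpClient connect to port 443. The point of the check is to run it from a machine outside your network, with no access to RD Web Access, and confirm whether the gateway still lets a correctly named session host be reached with a username and password alone.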

So what happens when your two-factor authentication software only integrates with RD Web Access, and not RD Gateway directly? Doesn't that mean someone could access your environment remotely without requiring 2FA by using one of the methods listed above?

YES!!!

This could be a huge problem for your company depending on your internal security policies or compliance requirements. So what options do you have if your vendor doesn't support RD Gateway? Switching vendors is not always feasible, depending on your timeline and budget. There must be something else we can do...


Enter Web Application Proxy

Web Application Proxy is a role service of the Remote Access role introduced in Windows Server 2012 R2; it takes over some of the functionality previously found in Microsoft's UAG and TMG products. It acts as a reverse proxy that lets you publish internal web applications to external users, terminating the external HTTPS connection and, optionally, pre-authenticating users against AD FS before any traffic reaches the backend server. As of the August 2014 Update Rollup for Server 2012 R2, Web Application Proxy (referred to as WAP from here on) supports publishing RD Gateway, as described in this TechNet blog post. Finally, a supported way to put pre-authentication in front of RD Gateway without switching to a 2FA vendor that integrates with RD Gateway directly!
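To make the role concrete, here is an added example (not from the original post) of what a publishing rule for RD Gateway looks like on a 2012 R2 WAP server. Every name and URL is a hypothetical placeholder, and it assumes the WAP server has already been joined to an AD FS farm with Install-WebApplicationProxy and that a relying party for the gateway exists on the AD FS side; the RD Gateway-specific settings are the subject of the later parts of this series, not of this snippet.

```powershell
# Added example (not from the original post). Shape of an RD Gateway publishing
# rule on Web Application Proxy, Windows Server 2012 R2. Names are hypothetical.

# WAP is a role service of Remote Access. After installation it must be joined to
# an AD FS farm (Install-WebApplicationProxy) before any application can be published.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# The certificate bound to the external URL must already be in the WAP server's
# machine store. Look it up by name instead of pasting a thumbprint by hand.
$externalName = 'rdg.contoso.com'   # hypothetical external FQDN of the gateway
$thumb = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like "*$externalName*" -and $_.HasPrivateKey } |
         Sort-Object NotAfter -Descending |
         Select-Object -First 1 -ExpandProperty Thumbprint
if (-not $thumb) { throw "No certificate for $externalName in Cert:\LocalMachine\My" }

# Publish the gateway. ADFS pre-authentication is what puts an authentication step
# (and, through AD FS, multi-factor authentication) in front of RD Gateway; the
# alternative value, PassThrough, proxies traffic but adds no pre-authentication.
# The relying party name is assumed to match one defined on the AD FS server.
Add-WebApplicationProxyApplication `
    -Name 'RD Gateway' `
    -ExternalUrl "https://$externalName/" `
    -BackendServerUrl "https://$externalName/" `
    -ExternalCertificateThumbprint $thumb `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'RD Gateway'

# Review what WAP now exposes to the Internet.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication -AutoSize
```

One caveat worth knowing before you start: WAP proxies HTTP and HTTPS only, so clients coming through it use the RD Gateway HTTP transport on TCP 443; the UDP transport on port 3391 is not carried through WAP.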

[Image: WAP graphic from TechNet]


But how do we set up and configure WAP to host RD Gateway connections? Microsoft is still working on its official documentation. Besides the aforementioned blog post, I could find only a single TechNet article detailing how to configure WAP for RD Gateway, and its details are very sparse.

This blog post will serve as one of the first resources for installing and configuring the necessary infrastructure components required to host RD Gateway connections behind WAP. Please be warned that these posts will be long and screenshot-heavy.

Tuesday, May 26, 2015

An authentication error has occurred (Code: 0x607)

Authentication error 0x607 when launching a RemoteApp
If a user receives the error message "An authentication error has occurred (Code: 0x607)" when attempting to launch a published RemoteApp, check the event logs in Event Viewer on the client PC; the failure is on the client side.

The most common cause is that the client PC does not trust the certificate presented by your deployment. Either procure a certificate from a trusted third-party certificate authority, or the user will need to install the root certificate authority and every intermediate certificate authority in the chain into the client's trusted certificate stores.

---EDIT---

A secondary cause has been found for this error message. If the client cannot reach the certificate revocation list (CRL) URL listed in the certificate's CRL Distribution Points extension, it cannot verify the certificate's revocation status and the user will receive the same 0x607 error. So, for example, if your certificate vendor's CRL URL is blocked by a corporate web filter, launching a RemoteApp fails with this error even though the certificate chain itself is trusted.
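Both causes can be checked from the affected client in one go. The following is an added example, not from the original post: it fetches the certificate the server presents, builds the chain with online revocation checking the way the Remote Desktop client does, and then tries to download every HTTP CRL listed on the chain. The server name is a hypothetical placeholder; point it at your RD Web Access or RD Gateway FQDN.

```powershell
# Added example (not from the original post). Run on the client PC that gets 0x607.
# Reproduces the two checks behind the error: is the chain trusted (cause 1), and
# can the CRL listed on the certificate be downloaded (cause 2)? Server is hypothetical.
function Test-RdgCertificateChain {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. rdg.contoso.com (hypothetical)
        [int]$Port = 443
    )

    # 1. Fetch the server certificate. The validation callback returns $true only so
    #    that the handshake completes; trust is evaluated separately in step 2.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # 2. Build the chain with online revocation checking for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $trusted = $chain.Build($cert)

    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Chain OK: $trusted"
    # UntrustedRoot / PartialChain            -> install the root / intermediate CAs (cause 1)
    # RevocationStatusUnknown / OfflineRevocation -> the CRL could not be retrieved (cause 2)
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  {0,-26} {1}" -f $s.Status, $s.StatusInformation.Trim())
    }

    # 3. Pull every HTTP CRL Distribution Point (extension OID 2.5.29.31) from the
    #    chain and try to download it. A web-filter block shows up as a failure here.
    foreach ($el in $chain.ChainElements) {
        $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $cdp) { continue }
        $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        foreach ($url in $urls) {
            try {
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
                Write-Host ("  CRL OK      {0} ({1} bytes)" -f $url, $resp.RawContentLength)
            } catch {
                Write-Host ("  CRL FAILED  {0} : {1}" -f $url, $_.Exception.Message)
            }
        }
    }
    return $trusted
}

Test-RdgCertificateChain -Server 'rdg.contoso.com'
```

If the chain reports UntrustedRoot, the fix is the first one above: a publicly trusted certificate, or the root and intermediate CA certificates installed on the client. If the chain is trusted but a CRL download fails, the web filter (or proxy) between the client and the CA's CRL host is the problem, and allowing that URL resolves the 0x607 error without touching the certificate.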