How to block RDP over HTTPS

spacemeb
Level 1

Hello,

How can we block access to sites which are using RDP over HTTPS? Is there any way with the current Application Visibility & Control?

See also: https://social.technet.microsoft.com/wiki/contents/articles/5468.using-remote-desktop-services-over-the-internet.aspx

We are using a WSA running 12.5.1-043.

Kind Regards,

spacemeb

1 Accepted Solution


spacemeb
Level 1

Please note that WSA only supports HTTP, HTTPS and FTP protocols, so it cannot understand RDP and eventually drop the traffic. However, if the RDP service is being tunneled using HTTPS provided not being decrypted

Workaround for tunneling:

pluto.csts-rtp.lab> advancedproxyconfig

Choose a parameter group:
- AUTHENTICATION - Authentication related parameters
- CACHING - Proxy Caching related parameters
- DNS - DNS related parameters
- EUN - EUN related parameters
- NATIVEFTP - Native FTP related parameters
- FTPOVERHTTP - FTP Over HTTP related parameters
- HTTPS - HTTPS related parameters
- SCANNING - Scanning related parameters
- PROXYCONN - Proxy connection header related parameters
- CUSTOMHEADERS - Manage custom request headers for specific domains
- MISCELLANEOUS - Miscellaneous proxy related parameters
- SOCKS - SOCKS Proxy parameters
[]> MISCELLANEOUS

Enter values for the miscellaneous options:

Would you like proxy to respond to health checks from L4 switches (always
enabled if WSA is in L4 transparent mode)?
[N]>

Would you like proxy to perform dynamic adjustment of TCP receive window size?
[Y]>

Would you like proxy to perform dynamic adjustment of TCP send window size?
[Y]>

Enable caching of HTTPS responses.
[N]>

Enter minimum idle timeout for checking unresponsive upstream proxy (in
seconds).
[10]>

Enter maximum idle timeout for checking unresponsive upstream proxy (in
seconds).
[86400]>

Mode of the proxy:
  1. Explicit forward mode only
  2. Transparent mode with L4 Switch or no device for redirection
  3. Transparent mode with WCCP v2 Router for redirection
[2]>

Spoofing of the client IP by the proxy:
  1. Disable
  2. Enable for all requests
  3. Enable for transparent requests only
[1]>

Do you want to pass HTTP X-Forwarded-For headers?
[Y]>

Would you like to permit tunneling of non-HTTP requests on HTTP ports?
[N]>

Would you like to block tunneling of non-SSL transactions on SSL Ports?
[N]> y

Would you like proxy to log values from X-Forwarded-For headers in place of
incoming connection IP addresses?
[N]>

Do you want proxy to throttle content served from cache?
[Y]>

Would you like the proxy to use client IP addresses from X-Forwarded-For
headers?
[N]>

Do you want to forward TCP RST sent by server to client?
[N]>

Do you want to enable URL lower case conversion for velocity regex?
[Y]>

Choose a parameter group:
- AUTHENTICATION - Authentication related parameters
- CACHING - Proxy Caching related parameters
- DNS - DNS related parameters
- EUN - EUN related parameters
- NATIVEFTP - Native FTP related parameters
- FTPOVERHTTP - FTP Over HTTP related parameters
- HTTPS - HTTPS related parameters
- SCANNING - Scanning related parameters
- PROXYCONN - Proxy connection header related parameters
- CUSTOMHEADERS - Manage custom request headers for specific domains
- MISCELLANEOUS - Miscellaneous proxy related parameters
- SOCKS - SOCKS Proxy parameters
[]>

pluto.csts-rtp.lab> commit

Please enter some comments describing your changes:
[]> 'hit enter'

Please note that this will block any non-SSL connection from being tunneled over SSL, not only RDP.
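The option answered with y above is a yes/no test on the tunneled protocol, which is why the closing note says it affects more than RDP. As an added example (not part of the original post and not Cisco's implementation), this Python code models such a check on the first bytes a client sends through a tunnel on an SSL port; the function names and sample bytes are constructed for illustration.

```python
# Added illustration (not WSA code): decide from the first client bytes of a
# tunnel on an SSL port whether it starts with a TLS handshake.
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Label the outer protocol: 'tls', 'rdp-x224', 'ssh', 'http' or 'unknown'."""
    # TLS record: type 0x16 (handshake), version 3.x, 2-byte length, then
    # handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        (record_len,) = struct.unpack(">H", data[3:5])
        if 0 < record_len <= 16384 and data[5] == 0x01:
            return "tls"
    # Native RDP opens with a TPKT header (03 00 + length) carrying an
    # X.224 Connection Request (code 0xE0 in the high nibble).
    if len(data) >= 6 and data[0] == 0x03 and data[1] == 0x00:
        (tpkt_len,) = struct.unpack(">H", data[2:4])
        if tpkt_len >= 7 and data[5] & 0xF0 == 0xE0:
            return "rdp-x224"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def tunnel_verdict(data: bytes, block_non_ssl: bool) -> str:
    """Model of the [N]/[y] answer: with blocking on, only TLS passes."""
    if not block_non_ssl:
        return "allow"
    return "allow" if classify_first_bytes(data) == "tls" else "block"


# Constructed sample openings (not captured traffic).
SAMPLES = {
    "tls client hello": bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03"),
    "native rdp": bytes.fromhex("03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 03 00 00 00"),
    "ssh banner": b"SSH-2.0-OpenSSH_9.6\r\n",
    "plain http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, first in SAMPLES.items():
        print(f"{name:18} {classify_first_bytes(first):9} "
              f"default={tunnel_verdict(first, False)} "
              f"hardened={tunnel_verdict(first, True)}")
```

A check of this kind only sees the outer protocol: a connection that opens with a genuine TLS handshake is classified as TLS whatever it carries, so that case is left to destination-based policy such as the access-policy block suggested in the replies.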

4 Replies

balaji.bandi
Hall of Fame

WSA is an HTTP/HTTPS and FTP proxy; I do not believe WSA understands any RDP traffic.

If you think WSA is processing it, make a test example and post the logs here.

How is your environment? WSA is always in the DMZ and behind a FW, so you can make a block policy in the FW to block RDP traffic.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

spacemeb
Level 1

Hello,

I am not certain if WSA is able to identify RDP traffic, but surely we cannot implement this on the firewall; that's why I am asking.

Thanks for your reply btw!

If you know the destination URL, try to block it in the access policy.

Grepping the logs is the first step.

BB

