How to configure ESP for Remote Desktop Gateway
Currently, the LoadMaster does not officially support ESP for Microsoft's RD Gateway. This is due to the request methods Microsoft uses, RDG_IN_DATA and RDG_OUT_DATA, when connecting with the RDP client.
To work around this incompatibility, the LoadMaster can block the RDG_IN_DATA (and RDG_OUT_DATA) request methods, so that the RDP client falls back to RPC_IN_DATA instead.
Note: ESP can be configured with RD Gateway using either Basic authentication or NTLM authentication. If using NTLM, you must enable anonymous authentication for the RPC virtual directory on the RD Gateway server. This is because the only server-side authentication method that can be used with RPC is Basic. With NTLM on the client side, the only server-side options are None or Kerberos. Basic on the server side is not supported with NTLM because the LoadMaster has no visibility of the client's password due to the hashing algorithm. Kerberos is currently not supported, but this may change in the future.
If an internal client were able to bypass the LoadMaster and connect directly to the RD Gateway server, it would still be required to authenticate, because it would be using RDG_IN_DATA. This should therefore pose no risk.
If you prefer not to enable anonymous authentication, you can still use Basic authentication to connect, but you will need to configure a group policy so that clients use Basic authentication when logging in. All traffic is encrypted over port 443, so this should not be an issue.
Section 3A = NTLM Authentication
Section 4A = Basic Authentication
Please be aware that when publishing Web Apps with your RD Gateway using RD Web Access, clients will have to enter their credentials after launching an RD Web App. This is the same behavior experienced when connecting to RD Web Access using Chrome or Firefox with no ESP enabled.
1. Create Two Content Rules
In the LoadMaster Web User Interface (WUI), go to Rules and Checking > Content Rules > Create New.
- Rule 1
Match String = RDG_IN_DATA
- Rule 2
Match String = RDG_OUT_DATA
2. Create Two Sub Virtual Services (SubVS):
In the WUI, go to Virtual Services > View/Modify Services > Modify > Real Servers > Add SubVS and name them accordingly. For example, SubVS-1 = "RD Gateway" and SubVS-2 = "Block RDG_IN_DATA".
Enable Content Switching
To enable content switching, follow the steps below:
- In the WUI, go to Virtual Services > View/Modify Services > Modify.
- Expand the Advanced Properties section.
- Enable Content Switching.
- In the SubVSs section there will be a new column called Rules. Click None and assign the default rule to SubVS-1.
- Assign the two previously created rules to SubVS-2.
3A. NTLM Authentication ESP SubVSs
Configure SubVS-1 as a regular RD Gateway Virtual Service with ESP enabled.
Virtual Services > Modify > SubVS-1 > Modify > ESP
Client Side Authentication = NTLM
Server Side Authentication = None
3B. Configure SubVS-2
Configure SubVS-2 to block the RDG_IN_DATA and RDG_OUT_DATA requests matched by the two content rules by returning HTTP error 501 (Not Implemented).
Modify SubVS-2 > Advanced Properties > Not Available Redirection Handling > Error Code = 501
3C. Enable Anonymous Authentication RD Gateway
1. IIS Manager > Default > RPC > Authentication > Anonymous > Enable
2. Configure Regedit
You need to add the AllowAnonymous entry (of type REG_DWORD) to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy registry subkey and set its value to 1.
3. Reboot RD Gateway Server
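The following PowerShell is an added example, not part of this KB article, that applies steps 1 and 2 of section 3C on the RD Gateway server and verifies both settings before the reboot. It assumes the RD Gateway uses the IIS site "Default Web Site" with the RPC virtual directory named "Rpc" (the defaults for the role), and that it is run from an elevated prompt with the WebAdministration module available.

```powershell
# Added example: apply section 3C (anonymous auth on the RPC virtual directory
# plus the AllowAnonymous registry value) and verify the result.
# Assumptions: site name "Default Web Site", virtual directory "Rpc", elevated shell.
Import-Module WebAdministration

$siteName = 'Default Web Site'     # assumption: default IIS site on the RD Gateway
$rpcPath  = "$siteName/Rpc"        # assumption: default RPC virtual directory name
$authFilter = 'system.webServer/security/authentication/anonymousAuthentication'

# 3C step 1: IIS Manager > Default > RPC > Authentication > Anonymous > Enable
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $rpcPath `
    -Filter $authFilter -Name 'enabled' -Value $true

# 3C step 2: add AllowAnonymous (REG_DWORD = 1) under HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy
$regPath = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name 'AllowAnonymous' -PropertyType DWord -Value 1 -Force | Out-Null

# Verify both settings took effect before rebooting (3C step 3)
$anon  = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $rpcPath `
    -Filter $authFilter -Name 'enabled'
$allow = (Get-ItemProperty -Path $regPath -Name 'AllowAnonymous').AllowAnonymous

"Anonymous authentication on '$rpcPath': $($anon.Value)"
"AllowAnonymous registry value: $allow"

if ($anon.Value -and $allow -eq 1) {
    'Both settings are in place; reboot the RD Gateway server to complete section 3C.'
} else {
    Write-Warning 'One or both settings were not applied; review the output above.'
}
```

The reboot itself (step 3) is deliberately left to the administrator so it can be scheduled outside user hours.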
4A. Basic Authentication ESP SubVSs
Configure SubVS-1 as a regular RD Gateway Virtual Service with ESP enabled.
Virtual Services > Modify > SubVS-1 > Modify > ESP
Client Side Authentication = Basic Authentication
Server Side Authentication = Basic Authentication
4B. Configure SubVS-2
Configure SubVS-2 to block the RDG_IN_DATA and RDG_OUT_DATA requests matched by the two content rules by returning HTTP error 501 (Not Implemented).
Modify SubVS-2 > Advanced Properties > Not Available Redirection Handling > Error Code = 501
4C. Group Policy For Basic Authentication
Log in to your Active Directory and open the Group Policy Management Editor > User Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RD Gateway > Set RD Gateway Authentication Method > Enabled > "Ask for credentials, use Basic protocol".
Ensure the group policy is updated on the clients. For further information, refer to the following Microsoft TechNet article: https://technet.microsoft.com/en-us/library/cc770545(v=ws.11).aspx
Now, in the RDP client, go to Options > Advanced > Settings > Use RD Gateway Server Settings.
Basic is the only option that can be selected.
Related KB
How to configure ESP for Remote Desktop Web Access