How to Enable WAF with Remote Desktop (RD) Web Access
Scope
Enable Web Application Firewall (WAF) with RD Web Access.
Enabling WAF on an RD Web Access Virtual Service requires the use of Sub Virtual Services (SubVSs) because of the request methods Microsoft uses (RDG_IN_DATA and RDG_OUT_DATA) when launching your Remote Desktop application.
Solution
The LoadMaster can separate the RD Web Access portal traffic using content rules and forward it to a SubVS where WAF will be enabled. Subsequent RDP requests will then be routed to another SubVS that handles the RDP Connections.
If your clients connect over UDP 3391, you are not required to separate the traffic, as these connections will hit your UDP Virtual Service.
Configuration
Create Two Content Rules
In the LoadMaster Web User Interface (WUI), go to Rules and Checking > Content Rules > Create New Rule.
- Rule 1
Match String = RDG_IN_DATA
- Rule 2
Match String = RDG_OUT_DATA
Set Add HTTP Headers to None
Navigate to your Top Level VS > Advanced Properties > Add HTTP Headers = "none"
Create Two SubVSs
In the WUI, go to Virtual Services > View/Modify Services > Modify > Real Servers > Add SubVS and name them accordingly.
Enable Content Switching on the Top Level VS
To enable Content Switching, follow the steps below:
- In the WUI, go to Virtual Services > View/Modify Services > Modify.
- Expand the Advanced Properties section.
- Enable Content Switching
- In the SubVSs section there will be a new column called Rules.
Click None and assign the Default rule to the first (WAF) SubVS. Then assign your two rules, RDG_IN_DATA and RDG_OUT_DATA, to the second SubVS.
Configure SubVSs
- SubVS-1 (WAF) will be your RD Web Access VS. You will enable WAF here.
- SubVS-2 will handle your RDP traffic. Within this SubVS you are also required to set Add HTTP Headers to "None", found under Advanced Properties.
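Added example (not part of the original article and not Kemp code): once the split is live, only RDG_IN_DATA and RDG_OUT_DATA requests should reach the SubVS that has no WAF. The Python sketch below audits a request log for traffic that landed on the wrong SubVS. The log format, the SubVS labels and the sample lines are all constructed assumptions; adapt the regular expression to whatever your own logging produces.

```python
"""Audit that only RDG_* request methods reach the SubVS without WAF."""
import re

# Request methods the content rules send to the second (non-WAF) SubVS.
RDG_METHODS = {"RDG_IN_DATA", "RDG_OUT_DATA"}
# Assumed labels for the two SubVSs; substitute the names you gave them.
WAF_SUBVS, RDP_SUBVS = "subvs1-waf", "subvs2-rdp"

# Constructed log format: <subvs> <client> "<METHOD> <path> HTTP/x.y"
LINE_RE = re.compile(
    r'^(?P<subvs>\S+) (?P<client>\S+) "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+"$')

# Constructed sample input (documentation IP ranges, illustrative paths).
SAMPLE_LOG = """\
subvs1-waf 203.0.113.10 "GET /RDWeb/Pages/en-US/login.aspx HTTP/1.1"
subvs1-waf 203.0.113.10 "POST /RDWeb/Pages/en-US/login.aspx HTTP/1.1"
subvs2-rdp 203.0.113.10 "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"
subvs2-rdp 203.0.113.10 "RDG_IN_DATA /remoteDesktopGateway/ HTTP/1.1"
subvs2-rdp 198.51.100.7 "GET /RDWeb/Pages/en-US/login.aspx HTTP/1.1"
subvs1-waf 198.51.100.8 "RDG_IN_DATA /remoteDesktopGateway/ HTTP/1.1"
garbage line
"""


def audit(log_text):
    """Return (findings, unparsed_line_numbers) for a log in the format above."""
    findings, unparsed = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(n)  # never silently skip lines we cannot classify
            continue
        subvs, method, path = m["subvs"], m["method"], m["path"]
        is_rdg = method in RDG_METHODS
        if subvs == RDP_SUBVS and not is_rdg:
            # Portal traffic was served without WAF inspection.
            findings.append((n, "bypassed-waf", method, path))
        elif subvs == WAF_SUBVS and is_rdg:
            # Content rule did not match; RDG traffic went to the WAF SubVS.
            findings.append((n, "rdg-hit-waf", method, path))
        elif subvs not in (WAF_SUBVS, RDP_SUBVS):
            findings.append((n, "unknown-subvs", method, path))
    return findings, unparsed


if __name__ == "__main__":
    findings, unparsed = audit(SAMPLE_LOG)
    for n, kind, method, path in findings:
        print(f"line {n}: {kind}: {method} {path}")
    print("unparsed lines:", unparsed)
```

A "bypassed-waf" finding means the rule assignment on the Top Level VS needs review; a "rdg-hit-waf" finding means one of the two content rules is not matching.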