
RDP over HTTPS Inspection

Does HTTPS Inspection support RDP over Https?

I tried to activate Inbound HTTPS inspection on our RDP gateway which allows opening RDP connections over HTTPS on port 443.

The session is opened using https from an external client to the session broker and then changes to RDP over https (similar to the image below). 

When activating the https inspection, the connection is broken and there is a log saying that

  • Https validation is unsupported
  • Rejection reason is - SSL version is not supported.

When bypassing the connection in the Https inspection policy, RDP is working again.

Is it possible to inspect such connections?

Did anyone try and succeed?

Is there a way to workaround the broken session or to inspect only the connection initialization (which is HTTPS only before changing to RDP)?

If not, is there a plan to support RDP over HTTPS inspection in the future?

[Image: RDP over HTTPS connection flow, referenced above]

0 Kudos
5 Replies

Re: RDP over HTTPS Inspection

SSL config of the web server would be interesting, I think.

i.e. here - it is stated that SSLv3 is disabled by default, which might result in your message...

Also, is there a publicly trusted certificate in use, or one from an internal PKI/self-signed? Does your firewall trust the issuer of these certs?

Daniel

0 Kudos
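Daniel's two questions above (which SSL/TLS versions the gateway will negotiate, and whether its certificate issuer is trusted) can be checked from any client before touching the inspection policy. The following probe is an added example, not code from this thread, Check Point or Microsoft; `rdgateway.example.com` is a placeholder for your own RD Gateway hostname.

```python
import socket
import ssl

# One handshake per version, pinned with min == max so the server cannot
# negotiate upward. SSLv3 is absent: modern OpenSSL no longer offers it.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def _handshake(host, port, ctx, timeout):
    """Run one handshake with the given context; returns a status dict, never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "ok", "detail": f"{tls.version()} {tls.cipher()[0]}"}
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "rejected", "detail": str(exc.reason)}
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}

def probe_versions(host, port=443, timeout=5.0):
    """Which protocol versions the server accepts; verification is off on purpose,
    because the question is what the server offers, not whether we trust it."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:  # this OpenSSL build cannot speak that version at all
            results[name] = {"status": "unsupported", "detail": "not in local OpenSSL"}
            continue
        results[name] = _handshake(host, port, ctx, timeout)
    return results

def check_trust(host, port=443, timeout=5.0):
    """Does the chain validate against this machine's CA store? 'untrusted' plus
    'self-signed certificate' or 'unable to get local issuer certificate' = import the issuer."""
    return _handshake(host, port, ssl.create_default_context(), timeout)

if __name__ == "__main__":
    import sys  # usage: python probe.py rdgateway.example.com  (placeholder host)
    print(probe_versions(sys.argv[1]), check_trust(sys.argv[1]))
```

Compare the accepted versions with what your inspection feature supports; an "untrusted" result points at the issuer certificate that has to be imported into the trust store of whatever performs the inspection.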
Admin

Re: RDP over HTTPS Inspection

There should be log messages in SmartLog if the TLS negotiation is failing somehow.

0 Kudos

Re: RDP over HTTPS Inspection

My question is why legitimate RDP traffic should be inspected anyhow...

0 Kudos

Re: RDP over HTTPS Inspection

As far as I understood, it's more for the RDP over HTTPS from the Internet to the RD Gateway/Broker (however MS is calling it), which is then kind of reverse proxying the RDP to the Terminal Server.

So for the Gateway it's a HTTPS connection.

Daniel

0 Kudos

Re: RDP over HTTPS Inspection

Correct Daniel, I would like to scan the https/RDP traffic to make sure that the connection opened to the session broker and to the remote desktop session host is legit. If it is not possible to scan the RDP protocol, I would at least expect to be able to scan the HTTPS part (where the connection is opened from the client to the session broker using HTTPS) and to be able to bypass the RDP over HTTPS traffic.

If this is not supported, it is a good RFE to be able to scan RDP over HTTPS in future versions.

0 Kudos