SSL VPN Portal - HTML5 RDP Broker Connection

Author
elcotrade
2018/10/25 06:35:20 (permalink)

SSL VPN Portal - HTML5 RDP Broker Connection

Hi guys,
 
I have a Server 2016 Remote Desktop server farm with 2 Remote Desktop servers and one Windows Remote Desktop broker, which redirects the user to the correct Remote Desktop server.
 
When I create SSL VPN bookmarks (RDP - Port 3389) to both terminal servers directly, it works - but it's a 50:50 chance to get the server where the user is loaded. When I create a bookmark to the broker, it doesn't work -> Connection refused.
 
Any idea?
 
Thanks!
Manuel Wagner
#1


    Philippe Gagne
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2018/11/22 08:07:43 (permalink)
    Hi,
     
    I confirmed yesterday with the product manager that this feature is not currently implemented. An NFR (New Feature Request) has been filed to support RDS farms. Fingers crossed! :-)
     
    Philippe 
     
    post edited by Philippe Gagne - 2018/11/22 08:08:44
    #2
    elcotrade
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2018/11/23 00:10:03 (permalink)
    hi,
     
    that would be great! Thanks for the reply!
     
    Manuel
    #3
    Bert Mulder
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2019/01/03 01:56:26 (permalink)
    Isn't this the way the Connection Broker is supposed to work? I mean, even without the SSL VPN you would have the same result because of load balancing?
    #4
    srevol
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2019/02/26 01:33:17 (permalink)
    Hello,
    Any news on this NFR?
    I have a farm with 3 RDP servers and will upgrade to 4 soon; the probability of reaching the right server is now 33% and will decrease!
     
    @Bert: you're right, the Windows broker load balancing does its job and load-balances server-1 and server-2 :-)
    but in the SSL VPN portal case:
    - you reach server-1
    - the broker redirects you to server-2 if needed
    - it seems that the SSL VPN portal does not understand the redirect and stops the connection.
     
    So clearly, we need this NFR.
     
    BR
    Stéphane
    #5
    kubimike
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/01/22 08:08:44 (permalink)
    Hi, where are we on this NFR? I am on 2008 R2 with a 9-server farm and can't get connected either. Same issues as described above. We were about to buy FortiTokens; thankfully I tested this first. It's a show stopper. Support ticket #3801604
    post edited by kubimike - 2020/01/22 08:10:22
    #6
    kubimike
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/01/23 07:43:16 (permalink)
    More info, does anyone have a clue? Fortigate Bug ID #444410
     
    post edited by kubimike - 2020/01/23 07:46:17

    Attached Image(s)

    #7
    kubimike
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/01/23 13:50:45 (permalink)
    For anyone watching, Tier 2 support was very helpful in finding the issue. It lies with GUACD. Anyone else having this issue, could you dump your output here to confirm?
     
    Commands used to find the problem:
    diag debug console timestamp enable
    diag debug duration 0
    diag debug application sslvpn -1
    diag debug application guacd -1
     
     
     
    post edited by kubimike - 2020/01/23 13:54:41

    Attached Image(s)

    #8
    MoparRob
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/02/13 09:12:39 (permalink)
    I'm working on the same issue and I think I figured it out.

    What you need to do is as follows:
    1) Create a common internal DNS record for each RDSH server, e.g.:
        farm1.corp.com - <internal IP of RDSH server 1>
        farm1.corp.com - <internal IP of RDSH server 2>
     
    2) Configure your SSL VPN bookmark to point to farm1.corp.com
     
    From here, the system should handle the load balancing automatically and connect you to the RDS servers every time.
     
     
    #9
    kubimike
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/02/13 09:49:19 (permalink)
    Interesting. Well, I can go to the terminal and use the ping command from my FG against my farm and it works. Do you have your FG connected to your DNS server? Also take one of the RDS offline with the drain command. See if the load balancing truly works. What version of Windows Server?
    #10
    MoparRob
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/02/13 13:35:38 (permalink)
    kubimike, I found after some more testing that what I said earlier wasn't working with a strong success rate so I did some more digging and found a route that's getting me closer to the end goal.

    I stumbled across this video (https://www.youtube.com/watch?v=nMcwdOyXO5U) where they used the Fortigate's LB functionality to establish connection to the RDS environment. I set it up and modified as needed to use the SSL VPN portal and it's half way to working. I can successfully connect to the RDS environment however I do find that I have to hit the Reconnect button up to 3 times to get connected (I have 4x RDSH servers)
     
    I'm going to look into seeing what I can do about eliminating the Reconnect issue but I do feel I am getting close.
    #11
    kubimike
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/02/17 06:10:56 (permalink)
    Do you have a 100e ?
    #12
    MoparRob
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/02/18 07:06:44 (permalink)
    I am running the 500e with firmware 6.0.7 currently. My RDS farm is currently a 2012R2 based farm. It uses the RD Connection Broker for handling connections.
     
    I am also building a new 2019 farm at the moment, so I am going to see if there is a way to eliminate the reconnect prompts that are occurring with the current 2012R2 farm and the Fortigate.
    #13
    MoparRob
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/03/06 13:18:15 (permalink)
    So I wanted to report back that while I have made some progress I am still struggling to get this configured to work.
     
    I was able to establish a connection using RDP; however, it would require clicking Reconnect several times until you arrived at the correct server in your RDS farm. This isn't viable given it's a bad experience.
     
    Trying to pass credentials to the RDWeb login page is also proving interesting, but I've hit a roadblock. It seems that when trying to pass credentials to the webpage, it's modifying the JavaScript, which results in failure.
     
    For example this is a snippet of code from renderscripts.js found on the RDWeb server
     
    function onClickSecurity() {
        var bPrivateMode = document.getElementById("rdoPrvt").checked;
        var objPassword = document.getElementById("UserPass");
        var objDomainUserName = document.getElementById("DomainUserName");

        if (GetActiveXSSOMode()) {
            document.getElementById("trPrvtWrn").style.display = bPrivateMode ? "" : "none";
        }
            
        if ( bPrivateMode )
        {
            document.FrmLogin["flags"].value |= 4;
            if ( objPassword && objDomainUserName )
            {
                objPassword.setAttribute("autocomplete", "on");
                objDomainUserName.setAttribute("autocomplete", "on");
            }
        }
        else
        {
            document.FrmLogin["flags"].value &= ~4;
            if ( objPassword && objDomainUserName )
            {
                objPassword.setAttribute("autocomplete", "on");
                objDomainUserName.setAttribute("autocomplete", "on");
            }
        }
    }


    When accessing the same page however through the SSL Web portal with SSO enabled, the code is being modified in a number of places to add a fgt_sslvpn value into the script:
     
    function onClickSecurity() {
        var bPrivateMode = document.getElementById("rdoPrvt").checked;
        var objPassword = document.getElementById("UserPass");
        var objDomainUserName = document.getElementById("DomainUserName");

        if (GetActiveXSSOMode()) {
            document.getElementById("trPrvtWrn").style.display = bPrivateMode ? "" : "none";
        }
            
        if ( bPrivateMode )
        {
            document.FrmLogin["flags"].value |= 4;
            if ( objPassword && objDomainUserName )
            {
                fgt_sslvpn.set_attr(objPassword,"autocomplete", "on");
                fgt_sslvpn.set_attr(objDomainUserName,"autocomplete", "on");
            }
        }
        else
        {
            document.FrmLogin["flags"].value &= ~4;
            if ( objPassword && objDomainUserName )
            {
                fgt_sslvpn.set_attr(objPassword,"autocomplete", "off");
                fgt_sslvpn.set_attr(objDomainUserName,"autocomplete", "off");
            }
        }
    }

    So the struggle for me here is twofold. One is I don't know where to find the script that is modifying the information, and two, I'm not much of a coder, so figuring something like this out will take some time.
     
     
    #14
    kubimike
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/03/06 13:47:53 (permalink)
    I have the Hotfix for 100e, I don't have it for 500e :(
    #15
    MoparRob
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/03/06 14:53:01 (permalink)
    Can you provide the fix here?

    The OS is the same so it should be similar
    #16
    cyrebre
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/07/07 04:42:25 (permalink)
    Hi all,
     
    We have the same problem here: a 4-server farm, 2 HA connection brokers.
    Tried a lot of things:
    - Upgraded to 6.0.7 and then to 6.0.10
    - Set the load-balancing-info to the same string as the internal one (tsv://MS Terminal Services Plugin.1.COLLECTIONNAME)
    - Tried with rdweb
    - Tried with webclient
    - Tried to create as many DNS records as RDSH servers (with the same name)
     
    The only connection I can get is a direct connection to one of our brokers...
     
    Does anybody have some updates? Or maybe a hotfix?
     
    Thanks
     
     
    #17
    fl0at0xff
    Re: SSL VPN Portal - HTML5 RDP Broker Connection 2020/08/06 22:49:30 (permalink)
    Hello! I noticed the same problem using Fortigate VM01V.
    I tried all releases from 6.0.9 to 6.4.1 but we are unable to correctly bookmark an RDS farm with a broker.
     
    My workaround is to use an HAProxy in front of RDS, then create the RDP bookmark to HAProxy only.
     
    Below is the configuration of HAProxy to perform the correct load balancing between the RDS servers.
     
    frontend Proxy3389
            mode tcp
            bind haproxy.dev.local:3389 name rdp
            timeout client 1h
            log global
            option tcplog
            tcp-request inspect-delay 2s
            tcp-request content accept if RDP_COOKIE
            default_backend IPETS

    backend IPETS
            mode tcp
            balance leastconn
            persist rdp-cookie
            timeout server 1h
            timeout connect 4s
            log global
            option tcp-check
            tcp-check connect port 3389 ssl
            default-server inter 3s rise 2 fall 3
            server RDS1 rds1.dev.local:3389 weight 10 check
            server RDS2 rds2.dev.local:3389 weight 10 check

     
    All seems to be working for me with this solution.
    #18
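
For reference alongside the `load-balancing-info` string in post #17 and the `RDP_COOKIE` test in the HAProxy configuration in post #18, this added example (not from any poster, Fortinet or HAProxy) parses the first packet of an RDP connection, the X.224 Connection Request, which is where an `mstshash` cookie or a `tsv://` routing token is carried. The field layout follows MS-RDPBCGR; `build_cr`, `parse_cr` and the sample packets are constructed for illustration.

```python
import struct

def build_cr(token: bytes = b"", protocols: int = 0x03) -> bytes:
    """Build a constructed sample X.224 Connection Request (not captured traffic)."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)      # rdpNegReq
    body = (token + b"\r\n" if token else b"") + neg
    x224 = struct.pack(">BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT header

def parse_cr(pkt: bytes) -> dict:
    """Extract the cookie / routing token and the requested protocols."""
    if len(pkt) < 11:
        raise ValueError("too short for TPKT + X.224 header")
    version, _, tpkt_len = struct.unpack(">BBH", pkt[:4])
    if version != 3 or tpkt_len != len(pkt):
        raise ValueError("bad TPKT header or truncated packet")
    if pkt[5] & 0xF0 != 0xE0 or pkt[4] != len(pkt) - 5:
        raise ValueError("not an X.224 Connection Request")
    rest = pkt[11:]
    out = {"kind": None, "name": None, "value": None, "protocols": None}
    # A text line, if present, comes before the binary rdpNegReq (type 0x01).
    if rest and rest[0] != 0x01:
        end = rest.find(b"\r\n")
        if end == -1:
            raise ValueError("cookie / routing token not CRLF-terminated")
        line, rest = rest[:end].decode("ascii", "replace"), rest[end + 2:]
        if line.lower().startswith("cookie: ") and "=" in line:
            name, _, value = line[8:].partition("=")
            out.update(kind="cookie", name=name, value=value)
        else:
            out.update(kind="routing-token", value=line)
    if len(rest) >= 8 and rest[0] == 0x01:
        out["protocols"] = struct.unpack("<BBHI", rest[:8])[3]
    return out

# Constructed samples; "alice" is a made-up user name.
SAMPLES = {
    "cookie": build_cr(b"Cookie: mstshash=alice"),
    "token": build_cr(b"tsv://MS Terminal Services Plugin.1.COLLECTIONNAME"),
    "bare": build_cr(),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, parse_cr(pkt))
```

To compare what different clients send, pass `parse_cr` the first TCP payload of a connection to port 3389 taken from a packet capture on the load balancer.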