Gateway web access configuration

Similar Messages

• Publish RD Gateway and Web Access with One-Time Password (OTP) / Two-factor Authentication WITHOUT ISA/TMG server

  Hi everybody,
  I've been struggeling with this problem for a few weeks now and can't find a way to solve it.
  We have an RD farm (Server 2012) which consists of two Remote Desktop Servers with Connection Broker and Web Access.
  I've recently published a new server, containing RD Gateway and Web Access in our perimeter network.
  Now we've got restrictions that OTP/2FA must be used for the external deployment and we've decided to go for a solution from Gemalto.
  The "program" is called IDConfim and the server is called SA Server (Strong Authentication).
  Also it's important that NO ISA/TMG server is supposed to be used, the OTP/2FA is supposed to work seamless with the Web Access/Gateway.
  After hours discuss we came to a point were their NPS agent setup would be the only way to accomplish our goals.
  The setup is supposed to be like this:
  LAN:
  1 DC (2008 R2)
  RD Farm (2012)
  1 SA Server (2012)
  DMZ:
  RD Gateway/Web Access (2012)
  Were Gateway and Web Access should forward the authentications with NPS to the NPS agent on the SA server.
  When you print your AD account to authenticate you add the 6 digits of OTP which you recieve from you mobile app.
  Initially this seems to work, the Gateway forwards the request to the remote NPS server, BUT only if you write the correct AD password
  (without the OTP extension).
  If you write the correct AD password the authentication is forwarded to out SA Servern and it's beeing rejeced because the password doesn't
  contain the correct OTP extension.
  The problem comes here.
  When you write you AD password along with the OTP extension you get a Windows Security error in the eventlog (On thw Gateway server) like this:
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: user
  Account Domain: domain
  Failure Information:
  Failure Reason: Unknown username or password.
  Status: 0xc000006d
  Sub Status: 0x0
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: server
  Source Network Address: 192.168.x.x
  Source Port: 63003
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  What i can see it's a NTLM error, but hey?! aren't we supposed to forward all authentication handeling to the remote NPS server?
  The problem is that no matter what i try the above problem stays there.
  Is it not possible to just forward ALL authentication handeling to a remote server?
  The only solution I've found to get it working someday in the future is this:
  "Remote Desktop Pluggable Authentication and Authorization", which is supposed to be introduced in 2012 R2.
  Also this link describes it:
  http://archive.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745
  Please, bring me some answers before my head explodes! :)
  PS, long question = maybe some errors, ask me if something is unclear.

  Hi,
  Based on our experience, if the NTLM error occurs, please check the password.
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Connecting to Remote Desktop Published Apps through RD Web Access not working

  Hello,
  I have configured an RD Gateway server. My scenario is like I have a windows 2012R2 server with all RD components (Gateway, web access, connection broker, session host) configured, since this is for a poc. Externally I can access rd web access portal (https://<servername.domain.com>/rdweb)
  and can connect to the target server using "Connect to a remote pc" tab without any issue.
  But I can't connect to any published app from "Remote App and Desktop". The error I recieve is "unable to connect to remote pc. please provide the fully-qualified name......."
  At the same time I can see below errors in event logs related to connection broker:
  Error 802: 
  RD Connection Broker failed to process the connection request for user domain\Administrator. 
  Error: Element not found. 
  Event 1306:
  Remote Desktop Connection Broker Client failed to redirect the user domain\Administrator. 
  Error: NULL
  Error 1296:
  Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
  User : domain\Administrator 
  Error: Element not found. 
  Googling I could see some posts related to these issues, mentioning about to check the network connectivity between RDCB and the target server. I can defenitely say it is fine and already mentioned I can connect to the same server using "connect to
  remote pc" tab.
  Just FYI, I have this server as Amazon EC2 instance and the domain is configured as Amazon directory service. Can someone please help me at the earliest.. This is pretty urgent as my tasks are pending due to this issue.. 
  Vysakh

  Hi,
  I have seen similar issues with Essential role installed, if it’s installed on the terminal server, please remove it.
  Please also ensure involved machines are fully patched and keep port 443 of the TS server open.
  When external users connect to the Web Access page, are they able to see remote apps? If not, please check whether user assignment setting is configured correctly for remote apps.
  Are users able to open remote apps from internal network?
  Here are some related links below for you:
  RDWeb URL Access Works Successful but cannot open Apps Externally only Internally
  https://social.technet.microsoft.com/Forums/en-US/144a0543-7a7c-4899-a674-0fd29dacab7a/rdweb-url-access-works-successful-but-cannot-open-apps-externally-only-internally?forum=winserverTS
  RemoteApp Internet
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/70a819de-3338-4427-a1c3-e38ef99dd4b3/remoteapp-internet?forum=winserverTS
  Configuring RD web access for public/external access
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/4396d3e9-2ac5-4d0b-baba-25471498a349/configuring-rd-web-access-for-publicexternal-access?forum=winserverTS
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Remote Desktop 2012 R2 - Can't get RD Gateway with RD Web Access working through just 443

  I have one server (2012 r2 fully updated) running all remote desktop roles (RD Web Access, RD Gateway, RD Licensing, RD Connection Broker, RD Session Host) and a separate domain controller.
  I have RD Web Access published to cloud.mydomain.co.uk and accessing cloud.mydomain.co.uk/RDWeb works fine.
  I want to setup the environment so only port 443 is open from the outside (thus the RD Gateway is installed) and the user can login through RDWeb and click on an app to launch it.
  If I leave port 3389 open along with 443 and log on to RDWeb and click the remote app, this works fine.
  If I close 3389 on the external firewall and only leave open 443, I can connect AND login to RDWeb but I cannot open the connection
  This is expected:
  http://i.imgur.com/9j2HRqm.png
  Error:
  http://i.imgur.com/2LH2c7T.png
  Digging in the event viewer yielded: http://i.imgur.com/M9uHm0o.png
  Which led me to test change the following setting in the resource access policy, as a test:
  http://i.imgur.com/FlGObFr.png
  This still didn't work but yielded a different error in event viewer:
  http://i.imgur.com/LkaCfU4.png
  Now I suspect I have misconfigured something somewhere in terms of the last event where it suggests it can't connect to resource "cloud.mydomain.co.uk" I would have expected this to be the internal FQDN of my session host. Or, I am hitting some sort
  of odd problem because I have all the roles on the same box.
  Any assistance greatly appreciated. I'm keen to find the root cause behind this as I need to document this solution so don't want to invalidate by messing around too much with settings.

  Hi Gavin,
  If you use RD Gateway then you only need to open TCP port 443 and UDP port 3391 and forward them to your RD Gateway server.  You may have RD Web Access (uses TCP port 443) and RDG running on the same server.
  When an external client launches a RemoteApp they will connect to your RD Gateway via TCP port 443 and UDP port 3391, then the RDG will connect to your internal RDSH servers using TCP port 3389 and UDP port 3389 on behalf of the external client.  In
  this way the RDG will act as a middleman between your external users and your internal RDSH servers.
  In Server Manager - Remote Desktop Services - Overview - Tasks - Deployment Properties you need to specify the external FQDN of your RD Gateway server.  If you have RDWeb and RDG on the same server this would be the same FQDN that your users will use
  for RDWeb.  For example, if your users use https://rds1.yourdomain.com/rdweb to connect to your RD Web Access site, then you would enter rds1.yourdomain.com for the RD Gateway name in deployment properties.
  (Above one Quoted from this thread answered by TP).
  In addition please see that you have properly configured RD Rap & RD Rap policy under RD Gateway manager and also properly configured certificates to match server name.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Remote Web Access (remote desktop gateway) issue with WHS2011

  I have been using Remote Web Access on my Windows Home Server 2011 for several years with no problems. Over the past several weeks, though, I have been receiving an error when I try to connect to a computer through WHS's Remote Web Access:
  "...the Remote Desktop Gateway is temporarily unavailable." Interestingly, when I try to connect from a Windows 8.1 computer, I just get a dialog box that says "Initiating connection," but the connection is never established. I cannot
  find any relevant errors in any of the event logs.
  I have read numerous articles relating to WHS configuration and port forwarding, but these do not have any information that addresses my situation. I have ports 4125, 80, and 443 forwarded to my Home Server. As I said, everything has been working fine with
  this configuration until several weeks ago -- I suspect it might have something to do with a .NET Framework 4.5 update that was recently installed (and that has now been uninstalled), but that is the only change I can think of.
  Any help would be greatly appreciated! Thanks!

  Hi,
  As you have commented that after installing .Net framework you are facing this issue. So after uninstalling still you are facing the same issue. Apart from installing .Net framework 4.5, have you installed or done any other change on your server?
  Here you can check that “Remote Gateway Service” is running. Please check and restart the service if it’s stop. Apart you can check below 2 article for more detail step.
  1.  Can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable error via SBS 2011 
  2.  This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable (Try to perform the steps as suggested for
  WHS 2011)
  Hope it helps!
  Thanks,
  Dharmesh

• RD Gateway and RD Web Access - better together or on different servers?

  I am evaluating Remote Desktop Services with 2012 R2 and initially I had all the roles on 1 server for testing.  I began thinking it would be a better setup to split the RD Gateway role and the RD Webaccess role into different servers for security purposes.
   This way I could expose only the RD Gateway to the internet and the Web Access role would not be exposed.  In all my reading and searching it seems that nearly every article I come upon has both RD Gateway and Web Access installed on the same system.
  What is the ideal setup from a security standpoint to have the these two roles separate or does it not mater?  If it does not mater then I will setup 1 server with Gateway and Web Access and I will then have other servers for licensing, broker, session
  host, and visualization host once I move this into production.
  If these roles are on the same system how do I know if the gateway role is doing anything?  Is the FQDN\rdweb the correct URL to use even when the gateway is implemented?  
  If they are separate how do I tell the gateway and web access servers to use each other?  

  Hi,
  As far as I know, it’s fine to have RD Gateway and RD Web Access roles installed on the same server.
   “Normally external users would log on to RD Web Access via tcp port 443, click on a RemoteApp and connect to RD Gateway via
  tcp 443/udp 3391, RDG connects them to RDCB on tcp 3389 which redirects them to a RDSH server, finally the RDG connects to the RDSH on tcp 3389/udp 3389.”
  Quoted from TP in this post below:
  RD Gateway and RD web issue
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/5ab40559-23f7-4ebc-b60d-87375cc55674/rd-gateway-and-rd-web-issue?forum=winserverTS
  More links below for you:
  RD Gateway deployment in a perimeter network & Firewall rules
  http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
  Remote Desktop Gateway/Web Server Placement
  https://social.technet.microsoft.com/forums/windowsserver/en-US/b2970cf5-a5b5-494c-88b7-cd6e01f84bb6/remote-desktop-gatewayweb-server-placement
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]

• Cannot Access IP Web Browser Configuration Page OfficeJet 8600 Plus

  Win 7 64-bit
  HP OfficeJet Pro 8600 Plus
  Wireless Connection
  Hi:
  The printout of wireless network test page shows IP address for HP Officejet Pro 8600 Plus as: http://192.168.1.104 (The HP Home Network Diagnostic Utility v4.3.0.002 also shows: 192.168.1.104)
  When I try to access http://192.168.1.104 with either IE 9 or Firefox 10 I get an error message: "The website is unable to display the webpage"
  But, on the same computer I CAN access  http://192.168.1.103 HP Officejet 6480 web browser configuration page with either IE 9 or Firefox 10
  Why I can't access the web configuration page: http://192.168.1.104
  Thanks
  FYI: I set the router to various other network modes, channel widths, channels and ssid broadcast on/off, and also removed power from router and printer, reconnected power and restarted computer, all these efforts did NOT allow access to http://192.168.1.104
  This question was solved.
  View Solution.

  On the front of the printer: Setup > Network > Wireless Setup Wizard.  Run it.
  Next, on your PC, delete all instances of your printer in Control Panel > Devices and Printers.
  Finally,  re-add the printer this way:
  1. Make sure the printer is turned on and connected to your network. Verify that you can access the printer's internal web page by browsing to its IP address before continuing. Get its IP from a Network Test printed from the front panel of the printer.
  2. Click >> Start >> Control panel >> Devices & Printers.
  3. Click the Add a printer
  4. Select Local printer
  5. Select Create a new port and select Standard TCP/IP Port and click Next button.
  6. Under Device type, select TCP/IP Device. Under Hostname or IP address, enter the printer's IP address. Click Next.
  7. Select Hewlett-Packard from the list of manufacturers and select and select your printer model. Click Next.
  If your printer model was not listed, then select Have Disk, browse the HP CD that came with your printer and select the first file that starts with hp and ends with inf. Click Open then OK. Select your printer model. Click Next.
  8. If you are asked, use the currently installed driver.
  9. It will ask for the Printer name -- enter a new name or use the existing one. This will be the name of the printer that you select from other applications.
  10. You may be asked to share the printer. Choose NO.
  11. The Print Test Page box appears. Go ahead and print it.
  12. Click Finish.
  Say thanks by clicking "Kudos" "thumbs up" in the post that helped you.
  I am employed by HP

• Outlook Web Access fails after migrating SSL certificate to dedicated SSL gateway

  Hi we have just migrated our SSL certificate form our Outlook exchange server, outlook web access works perfectly but two of our users who have Blackberry devices set up to get their email via owa now fail. 
  Everything worked fine before the migration.
  The new SSL gateway is an Apache box running mod_proxy, mod_SSL and mod_sec.  Protecting the box running owa and IIS6.
  I can provide the http.conf etc, but I can see the traffic passed by Apache but I am getting a 401 message on the way back through to the device.
  Is there a specific IIS/Exchange or Apache config I need to enable to allow BB access?
  Thanks in advance
  Mike

  Hello there!
  You may have run up against some of the complexities between BIS and OWA. There are a couple of circumstances where BIS can't integrate to OWA. Plus, if the mailbox name changed, that may be the problem as well. While I'm neither a BIS nor OWA admin, I can point you to information resources that hopefully can help you.
  Try this article.
  And this one.
  And this one.
  And this one.
  You also can search the public KBs for more relevant articles:
  http://www.blackberry.com/btsc/microsites/microsite.do
  Good luck and let us know!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• SSL VPN message "This (client) machine does not have the web access privilege."

  Hello!
  I am trying to configure the SSL VPN (WebVPN) and I am almost done but when clicking on the URL's I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such error and the fix for it. In fact, if I search the net for this error message I get only one match, in the Cisco website, where is say that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as fix it gave this tip "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R1
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  no logging buffered
  enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
  enable password xxxxxxxx
  aaa new-model
  aaa authentication login userAuthen local
  aaa authentication login sdm_vpn_xauth_ml_1 local
  aaa authorization network groupauthor local
  aaa session-id common
  crypto pki trustpoint TP-self-signed-1279712955
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1279712955
  revocation-check none
  rsakeypair TP-self-signed-1279712955
  crypto pki certificate chain TP-self-signed-1279712955
  certificate self-signed 01
    3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
    33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
    31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
    A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
    649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
    9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
    B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
    551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
    11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
    ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
    48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
    265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
    7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
    495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
     quit
  dot11 syslog
  ip source-route
  ip dhcp excluded-address 192.168.0.1 192.168.0.10
  ip dhcp pool myPOOL
     network 192.168.0.0 255.255.255.0
     default-router 192.168.0.1
     dns-server 87.216.1.65 87.216.1.66
  ip cef
  ip name-server 87.216.1.65
  ip name-server 87.216.1.66
  ip ddns update method mydyndnsupdate
  HTTP
    add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  interval maximum 1 0 0 0
  no ipv6 cef
  multilink bundle-name authenticated
  vpdn enable
  vpdn-group pppoe
  request-dialin
    protocol pppoe
  username cisco privilege 15 password 0 xxxxxxxx
  crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp fragmentation
  crypto isakmp client configuration group vpnclient
  key cisco123
  domain selfip.net
  pool ippool
  acl 110
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  reverse-route
  crypto map clientmap client authentication list userAuthen
  crypto map clientmap isakmp authorization list groupauthor
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  archive
  log config
    hidekeys
  interface Loopback0
  ip address 10.11.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  interface Loopback2
  description SSL VPN Website IP address
  ip address 10.10.10.1 255.255.255.0
  interface Loopback1
  description SSL DHCP Pool Gateway Address
  ip address 192.168.250.1 255.255.255.0
  interface FastEthernet0
  description $ES_LAN$
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  interface FastEthernet1
  interface FastEthernet2
  switchport access vlan 2
  interface FastEthernet3
  interface FastEthernet4
  interface FastEthernet5
  interface FastEthernet6
  interface FastEthernet7
  interface FastEthernet8
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  bundle-enable
  dsl operating-mode auto
  interface Vlan1
  no ip address
  interface Dialer1
  ip ddns update hostname myserver.selfip.net
  ip ddns update mydyndnsupdate host members.dyndns.org
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip policy route-map VPN-Client
  dialer pool 1
  ppp chap hostname xxx
  ppp chap password 0 xxxx
  ppp pap sent-username xxx password 0 xxxx
  crypto map clientmap
  ip local pool ippool 192.168.50.100 192.168.50.200
  ip local pool sslvpnpool 192.168.250.2 192.168.250.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
  ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
  ip nat inside source list 102 interface Dialer1 overload
  ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
  ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
  access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 102 permit ip 192.168.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 144 permit ip 192.168.50.0 0.0.0.255 any
  route-map VPN-Client permit 10
  match ip address 144
  set ip next-hop 10.11.0.2
  control-plane
  banner motd ^C
  ================================================================
                  UNAUTHORISED ACCESS IS PROHIBITED!!!
  =================================================================
  ^C
  line con 0
  line aux 0
  line vty 0 4
  password mypassword
  transport input telnet ssh
  webvpn gateway MyGateway
  ip address 10.10.10.1 port 443 
  http-redirect port 80
  ssl trustpoint TP-self-signed-1279712955
  inservice
  webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context SecureMeContext
  title "My SSL VPN Service"
  secondary-color #C0C0C0
  title-color #808080
  ssl authenticate verify all
  url-list "MyServers"
     heading "My Intranet"
     url-text "Cisco" url-value "http://192.168.0.2"
     url-text "NetGear" url-value "http://192.168.0.3"
  login-message "Welcome to My VPN"
  policy group MyDefaultPolicy
     url-list "MyServers"
     functions svc-enabled
     svc address-pool "sslvpnpool"
     svc keep-client-installed
  default-group-policy MyDefaultPolicy
  aaa authentication list userAuthen
  gateway MyGateway domain testvpn
  max-users 100
  csd enable
  inservice
  end
  Thank you!

  Hi,
  Please check SAP note:
  2004579 - You cannot create a FR company from a Package
  Thanks & Regards,
  Nagarajan

• Cisco ASA 5505 - Basic Web Access

  Hello all,
  Not posted here in a while but thought you guys might be able to help me out with a little problem. Okay, I have a Cisco ASA5505 running the latest asdm and ios...
  [I]Cisco Adaptive Security Appliance Software Version 8.4(2)
  Device Manager Version 6.4(5)206[/I]
  I am trying to get basic web resolution and access but not having any luck. I just wanted to know if there is anything special that I needed to do with the ASA before I can do this. I've made a quick visio diagram of the network, see below:
  [URL=http://imageshack.us/photo/my-images/4/diag.png/][IMG]http://img4.imageshack.us/img4/94/diag.th.png[/IMG][/URL]
  The Vigor has a local subnet of 192.168.0.x/24 however there is also a "For routing use only" option. See below:
  [URL=http://imageshack.us/photo/my-images/717/diag2.png/][IMG]http://img717.imageshack.us/img717/9131/diag2.th.png[/IMG][/URL]
  I'm hopeful that by configuring the "For routing use ip address" as one of my allocation of public ip's, that it should work okay. I can actually ping by IP and name from the interface of the ASA but can't do that or browse to websites from clients which have their default gateway set to 192.168.0.252.
  I was under the assumption web browsing should work out of the box almost as it's treated as an outgoing connection. Here is my config for you to look at:
  (note, I've tried to set the route outside to the local ip of the draytek and also the "For routing usage only" IP address)
  ASA Version 8.4(2)
  hostname gilwoodasa
  domain-name gilwood.local
  enable password 9PvFytIZ2Vpy8Gon encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.252 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 82.70.231.xx 255.255.255.248
  interface Vlan5
  no nameif
  security-level 50
  ip address dhcp
  boot system disk0:/asa842-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 208.67.222.222
  name-server 192.168.0.3
  domain-name xxxxxxxxx
  object-group network obj_any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm image disk0:/asdm-645-206.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) after-auto source dynamic any interface
  route outside 0.0.0.0 0.0.0.0 82.70.231.49 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  telnet timeout 5
  ssh 192.168.0.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http [url]https://tools.cisco.com/its/service/oddce/services/DDCEService[/url]
    destination address email [email][email protected][/email]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4c06870d7d65d349cb63bd8044d61b35
  : end
  So, if you're still reading this - all I am after is a way to get basic web browsing working. Here are the logs which show the attempted web access...
  [URL=http://imageshack.us/photo/my-images/338/logsi.png/][IMG]http://img338.imageshack.us/img338/671/logsi.th.png[/IMG][/URL]
  Big thank you in advance!

  Hey, thanks for the reply. I have tried the suggestion but to no avail. I can ping google from the outside interface but can't ping it from anything on the inside. This does tend to point towards a NAT issue. Hopefully someone has another suggestion?
  Here are the results from the ASA console when trying to ping from both the inside and outside interface. The successful ones re from the outside.
  http://imageshack.us/photo/my-images/209/pingbf.png/
  Thanks again! Complete config now is as follows:
  ASA Version 8.4(2)
  hostname xxxxx
  domain-name xxxx
  enable password 9PvFytIZ2Vpy8Gon encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.252 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 82.70.231.xx 255.255.255.248
  interface Vlan5
  no nameif
  security-level 50
  ip address dhcp
  boot system disk0:/asa842-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 208.67.222.222
  name-server 192.168.0.3
  domain-name gilwood.local
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm image disk0:/asdm-645-206.bin
  no asdm history enable
  arp timeout 14400
  object network obj_any
  nat (inside,outside) dynamic interface
  nat (inside,outside) after-auto source dynamic any interface
  route outside 0.0.0.0 0.0.0.0 82.70.231.49 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  telnet timeout 5
  ssh 192.168.0.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                  CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:5caa6e14d9c76e0858b055316071710f
  : end

• How do I change the URL to the Remote Web Access server in Windows Server 2012?

  Hallo!
  I have set up a Remote Dexktop Service using the "Quick" deployment method in Server Manager and everything is working greate internally, but I cannot start an app published in Remote Web Access from outside our network.
  The problem is that it wants to start the using the internal URL, for example, server.domain.local, instead of the external one, for example remote.server.com.
  I therefore want to know how I can change the default URL for the Remote Web Access server and all the Remote Web Apps in Windows Server 2012?
  I have allready looked in Server Manager and I can change some of the deployment settings in server manager, but there is no way to alter the URL of the Remote Web Access server. See below images:
  Pressing the internal URL only results in opening the internal URL.
  This was very simple to do in Windows Server 2008 R2 using the tsconfig tool, but it does not seam to be any way of solving this in server manager.
  A possible sollution would be to alter the registry someware in HKLM->Software->Microsoft->Windows NT->Terminal Services. But this can easaly lead to problems due to wrong format, etc. and is probably not supported.
  Is there a simpler and supported way?

  That option can be used to connect to any machine that you want.  The error message indicates that the client machine cannot resolve the name "server.domain.local" to an IP address that it can connect to.
  You have several options for configuring that tab on the RDweb site.  You can even remove it entirely. 
  Customization of RD Web Site
  RD Web provides a number of customization options for the RD Web interface, including the ability to control default Gateway server settings and redirection settings. These settings
  are controlled by editing the web.config file located in %SYSTEMROOT%\Web\RDWeb\Pages.
  Displaying Local Help
  To display local help for users instead of the web-based help, edit the LocalHelp value and change the value from false to true.
  <!-- LocalHelp: Displays local help for users, instead of the web-based help. Value must be "true" or "false" -->
  <add key="LocalHelp" value="false" />
  When this value is changed, a user that clicks on Help in the upper right corner of the RD Web login page will open the local help file instead of web-based help.
  Hiding the Connect to a Remote PC Tab
  The RDWeb page
  Connect to a Remote PC tab can be hidden from users to prevent connections to any servers through RD Web other than the servers configured in a collection. By default, this setting is set to true and the
  Remote Desktops tab is displayed. To hide the tab, set the value to false.
  <!-- ShowDesktops: Displays or hides the Remote Desktops tab. Value must be "true" or "false" -->
  <add key="ShowDesktops" value="true" />
  When the value is set to false, a user will not see the Connect to a Remote PC tab when logged on to the RD Web page
  RD Gateway Settings
  If the Connect to a Remote PC tab is enabled, an administrator can configure RD Web to use a Gateway server when connecting to remote computers. To specify a gateway, edit the below
  value with the name of the RD Gateway server:
  <!-- DefaultTSGateway: Admin can preset this to a given Gateway name, or set to "" for no gateway. -->
  <add key="DefaultTSGateway" value="" />
  The default authentication method for the RD Gateway server can also be configured by editing the following section of the web.config:
  <!-- GatewayCredentialsSource: TS Gateway Authentication Type.
  Admins can preset this.
  0 = User Password
  1 = Smartcard
  4 = "Ask me later"
  -->
  <add key="GatewayCredentialsSource" value="0" />
  Devices and Resources
  By default, only Printers and Clipboard are redirected on connections made using the Connect to a Remote PC tab. If the user clicks the
  Options << button, the redirection settings for a specific connection can be modified
  To configure each specified redirection option to be enabled or disabled by default, edit the following section in the web.config file:
  <!-- Devices and resources: Preset the Checkbox values to either true or false -->
  <add key="xPrinterRedirection" value="true" />
  <add key="xClipboard" value="true" />
  <add key="xDriveRedirection" value="false" />
  <add key="xPnPRedirection" value="false" />
  <add key="xPortRedirection" value="false" />
  LAN Experience Defaults
  Windows Server 2012 RD Web Access can display a new user selectable option for optimizing the connection for a LAN experience. This option is displayed at the bottom of the RD Web
  page and can be controlled by the administrator using the following section of the web.config file:
  <!--  Checkbox to opt for optimized LAN experience -->
  <add key="ShowOptimizeExperience" value="false" />
  <add key="OptimizeExperienceState" value="false" />
  This value is set to false by default, but when changed to true, the following checkbox will display at the bottom of the webpage. The LAN experience
  checkbox can also be set as enabled by default.
  Each setting can also be modified using the IIS Manager user interface:
  Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

• RD Web access SSO - remote desktop doesn't work

  Hi,
  This is my first post in here, and I hope you gays can help me out.
  I am currently experiencing some issues with RD Web SSO not working as I would like it to work.  I have found countless articles and guides describing how to get it to work, but no guide have yet helped me.
  The problem is that when I log in on the web access and open a published application everything works fine I wait 5 sec and the application pups up, but when I try to open "Remote Desktop" then I get a new log in box where I must enter my log in credentials
  again (after entering my credentials everything work great.)
  The problems I am currently facing is produced in a demo environment configured as follows:
  1x DC server (DC01) also the lic server
  2x RDS server (RDS01/02)
  1x RDS Connection broker (RDCM01)   I have created a farm named "farm01.mydomain.com"
  1x RDS Web access server (RDWA01)
  1x RDS Gateway (RDSGW01)
  (All the Servers are installed with Windows server 2008 (R2) SP1, and have the latest update.)
  I am publishing my demo environment on the internet, i have created a domain name for my gateway and my web access and they are both accessible from the web (rdwa.mydomain.com and rdsgw.mydomaim,com). I also have secured everything with an SSL wildcard certificate
  ( my external and intern domain names are the same so I am using one SSl certificate) that is trusted on the web.
  when I  log in on the web access server trough (IE9 or IE8 ) from another network(wan) and I open a published application (calculator), it pop ups in just a few seconds. But when I try to open my Remote desktop I get a login box where I must enter my
  username and password one more time.. after that remote desktop opens and everything works great.
  My laptop is a Windows 7 professional with RDP 7 and IE 9, and is not member of a domain (just a workstation), I have tested it from multiple workstations and networks(Also win 7 and RDP7) but even there I have the same problem.
  Thinks that I have tried tell now:
  I have created a kerberos account as mentioned on
  MSDN
  I have checked my group permissions as mentioned
  here
  And many more blogs and forums
  I have tried multiple settings on RDCM, RDWA, RDSGW and RDS server
  Right now I am out of ideas, and I hope you gays can help me out..
  thanks in advance,
  Pouyan

  Thnx for you advise,
  Did you go into your RemoteApp Deployment settings and change the server name to the farm name "farm01.mydomain.com?"
  Yes
  Also in the Session Broker's RemoteApp and Desktop Connection Properties window change the Connection ID to the farm name as well.
  actually I couldn't find out what to put on the connection ID so I had left it just default, but after changing it to the farm name it still doesn't work
  Did you sign you apps with the cert used on your RDS servers?
  yes, I am using a wildcard ssl certificate to sign all the servers/apps with.
  there is
  something that
  strikes me, when I log on the web access and click on a published application (that is hosted from the same RDS servers) then I get a information box. when I click on the "details" button I see on the bottom "use the following credentials to connect" and my
  domain and username are published there. But when I click on the "Remote desktop" icon and do the same I can't see this information!!
  Also I don't think that its an SSL problem, because after log in again it works perfect without any warning.

• RD Web Access SSO not working correctly

  I have two Win 2008 r2 sp1 servers.  Both are RD Session host servers.  One of them is also serving as a RD Gateway server AND RD Web access server.  Most everything is working well and as planned.  However, I am having an issue with
  the the RD Web Access.
  In the RD Web access server configuration page, I've set "One or more RemoteApp sources" and I've added two servers there, separated by a semicolon (eg RDServer1;RDServer2), and as expected a long list of RemoteApps hosted on both servers is shown .  The
  issue is that whatever server is listed second (eg RDServer2) won't allow sso to work right  -- when I click a link for a RemoteApp hosted on RDServer1 I am not prompted again for login credentials.  However, when clicking a link for a RemoteApp
  hosted on RDServer2 I am prompted "Enter Your Credentials".  I've tried swapping the order of the "Source Name" servers, and after a reboot indeed links to the RemoteApps hosted on that second server now prompt for me to "Enter your credentials".
  Things I've tried:
  1. Trying various server name formats (IP address, NetBIOS name, FQDN, and more) to no apparent effect.
  2. Applied the hotfix from KB2524668 to both servers.
  3. Flushed the IE caches for the client machines.
  4.  Tried various AD login accounts
  5. Ensuring that the RD Web Access server is added to the local group "TS Web Access Computers" on both servers.
   This is one step that I'm not 100% sure of -- it is clear to me that the RD Session host server that doesn't contain RD Web access should be there, but I'm not totally clear as to whether the dual-duty RD Web server/RD Session host should have this setting.
   I've tried it both ways, but it doesn't seem to make a difference.
  I'm stumped.

  Kevin,
  That's it!  I have a separate SSL cert for each RD Session Host, and used the corresponding certs to sign RemoteApps for each.  I still don't see this requirement in the documentation (although they do mention exporting self-signed certs, but that
  is due to the fact that they are self-signed and not automatically trusted by client machines), but maybe I'm just blind.
  Regardless, the fix to my problem was to export the cert from my RDServer1, import it to RDServer2, then set RDServer2 to use that cert to sign the RemoteApp connections.
  Thanks for your assistance, I was really stuck.
  Chris

• Windows 2008 R2 + Remote Desktop Web Access + Single Sign-On + 2 servers

  Hi
  First sorry for my English. I have got problem with run SSO with RDWeb. I configured everything follow this instructions:  http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
  and http://blogs.technet.com/b/mrsnrub/archive/2010/03/22/remote-desktop-services-websso.aspx. After logon to RDWeb web page I click application icon. Then I see dialog box for credentials - SSO not working.
  I have got 2 servers with Windows Server 2008 R2 Standard:
  Server OL-AP1 with role Remote Desktop Session Host (RDSH) and certificate for digital sign RemoteApps
  Server OL-AP04 with ONLY Remote Desktop Web Access (RD Web) with certificate for https
  Client PC: Windows 7 SP1 with installing certificate for OL-AP01 witch I used for digital sign RemoteApps
  All certificates created by enterprise domain CA - Active Directory Certificate Services (AD CS)

  Hi,
  Thank you for posting in Windows Server Forum.
  Do you have RD Gateway setup in your environment?
  Have you configure RD Connection Broker and set the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server. 
  Client operating systems must trust the certificate with which the RemoteApp programs are signed. Suggest to install RDP 8.1 for client OS.
  Do you have a trusted certificate with a matching name configured on your RDSH server in RD Session Host Configuration? (Means cert must match the name that clients use to connect to it for running the RemoteApp).
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• Web Access for Remote Desktop on Windows Server 2012

  Hello,
  i've a Windows Server 2012 without a domain. So i installed the remote desktop session host, the remote desktop license server and the remote desktop gateway as a server role only. All is working fine. Without a domain, no management tools for remote
  desktop are available. So i configure the remote desktop via the registry. I define (via registry) some remoteapps, too. All values are copied from a running Windows Server 2008 R2. So the remoteapps are runing.
  Now i want to use the new Microsoft Remote Desktop client for Android. To use a remoteapp i must define a remote resource. To define a remote resource i need a url to the web access for remote desktop. So i installed the web access. But if i login to the
  web access, i don't see any remoteapp. What's wrong? I've set the ShowInTSWA to 1. What must i do to access an existing remoteapp via web access?
  Martin

  Hi Martin,
  Server 2012 RD Web Access is designed to retrieve published RemoteApps and Desktops from a Server 2012 RD Connection Broker and/or a Server 2008 R2 RD Session Host server.  From your description it doesn't appear that you are using either of the above.
  I know it is a more complicated set up, but you should consider having a domain, creating a RDS deployment, etc., so that you can use the full featureset as it was intended.  You can do it all on a single server if needed.  For Server 2012
  there is a hotfix that needs to be applied to permit RD Connection Broker to work on the same server instance as active directory.
  -TP