How to use HTML5 gateway as RD-Gateway

Since TSplus version 12.60.2.11 (internal HTML5 version v6.84), the HTML5 server includes RD HTTPS gateway support.

Prerequisites: the HTML5 module replicates the behavior of an IIS SSL web server with RD-Gateway support. This brings a few limitations when it is used with mstsc.exe or any other native RDP client based on Microsoft's RDP client core.
The minimum prerequisite is a signed and valid SSL certificate for the domain you use.
Remember, this limitation is client side, i.e. mstsc.exe related, and cannot be influenced by the server side implementation.
If you use third party RDP clients like FreeRDP, this limitation may be handled differently there, but supporting third party RDP clients is outside our scope; please refer to the support of the related software!

You will fail to establish a connection to the RD-Gateway with mstsc.exe or any other client based on Microsoft's RDP core in the following cases:
1. you access the RD-Gateway by IP instead of by domain.
2. the CN=***DOMAIN*** of your SSL certificate was issued for a different domain than the address you access.
3. your SSL certificate is self signed.
4. your SSL certificate has expired.
5. your SSL certificate is spoofed.
You can easily check whether your TSplus HTML5 web server will be accepted as RD-Gateway by mstsc.exe: open https://rdp_gateway_domain in Internet Explorer. If you see any "red error message" saying there is a certificate error, then mstsc.exe will not accept this server as a valid RD-Gateway and will refuse the connection. Unlike in a browser, you cannot accept an invalid RD Gateway SSL certificate in mstsc.exe.


If you don't want to buy an SSL certificate, you can use the TSplus SSL Tool to sign your domain with Let's Encrypt, since mstsc.exe accepts Let's Encrypt certificates without problems.
Remember that Let's Encrypt cannot be used to sign dynamic domains like *.dyndns.com etc.; you need a first level domain.

If you don't have your own first level domain, you can check the following: sometimes, but not always, if you have a fixed internet IP, your provider assigns a resolvable domain name to it. You can check it easily, for example:
cmd.exe > nslookup.exe 44.55.66.77
If the output of nslookup.exe shows something useful under Name: *** and this domain name resolves back to the same IP as in the example (44.55.66.77) with the command:
cmd.exe > ping your_resolved_domain
then congratulations, you have everything you need: a free domain and a free Let's Encrypt certificate to work with mstsc.exe via RD-Gateway. Sign this resolved domain with Let's Encrypt first and then continue. Otherwise, if the step above fails, there is no other option than to buy a first level domain for the signing.

Notice: the old RDG-RPC protocol via RPC proxy requests ("/rpc/rpcproxy.dll?localhost:**") is not supported; only the modern RDG-HTTP protocol is supported, either via two SSL HTTPS TCP connections or via one SSL WebSockets TCP connection.
If you use a third party (reverse) proxy with SSL decryption in front of the TSplus server in the connection chain, make sure to configure this third party (reverse) proxy on the server side to allow RDG_OUT_DATA and RDG_IN_DATA as valid HTTP methods, so that RDP traffic can pass even through different third party proxies.

Only the RD-Gateway itself must be domain validated and signed; the target remote RDP servers are not affected by this rule!


Please continue with the next FAQ steps only if you are sure you fulfill the prerequisites above, with a signed and valid domain SSL certificate!

How to use mstsc.exe with RD-Gateway

0. First check *\Clients\webserver\settings.bin for the presence of the following variable > rdg_allow_proxy=false
If you find this variable then REMOVE IT and restart the HTML5 server! If it is not present, continue with the next step!
By default HTML5 accepts RD-Gateway proxy connections unless they are forcibly disabled by settings.bin > rdg_allow_proxy=false

1. Insert the desired target intranet RDP server as IP or as domain.
If the target RDP server is located in the intERnet and not in the intRAnet (10.*.*.*, 192.168.*.*, 172.16.*.*-172.31.*.*, and local 127.*.*.*), then by default such INTERNET address connections will be refused (or replaced by the default RDP localhost:port) to avoid the high security risk that your HTML5 server gets misused to connect to unverified RDP servers in the "wild wide web" of the internet. These rules apply to HTML5 connections as well as to RD-gateway connections.
RDP cookie connections defined by *\Clients\webserver\balance.bin > /~~***=rdp_server:3389 RDPPORT; strings are not affected by this rule. How to allow internet RDP servers is handled later, after this FAQ.

2. Go to Advanced > Use these RD Gateway server settings
> Server Name: your_html5_server.com (insert only the DOMAIN with the valid SSL certificate)
(when no port is specified, the default port 443 is used)
All other options may stay unchecked!


3. Press Connect.

4. When asked for the "RD Gateway Server" credentials, enter the following logon:
Login: a\a
Password: a
By default you can enter any login and password for the RD-Gateway server, not only a\a; the only requirement is that the login is given as a domain\login string. Originally Microsoft requires a configured ActiveDirectory for installing an RD-gateway, but for the HTML5 based RD-Gateway this requirement is dropped since AD is not supported anyway; mstsc.exe, however, still requires this form of logon. Later, after this FAQ, you can check the steps on how to enforce a verified RD Gateway logon.

5. Enter the RDP server logon.
If you checked in the RD Gateway settings to reuse the RD-Gateway's logon also as RDP logon, remember that if you usually don't use a domain part in your logon, you can use the string MicrosoftAccount as default domain name. Let's assume your default logon is Administrator; then use MicrosoftAccount\Administrator as login, etc.
But it is better to avoid reusing the same login for the RDP server and for the RD Gateway server; always remember that these are two different logon entities. You must pass both logon checks successfully, first that of the RD gateway and second that of the RDP server itself.


You can check *\Clients\webserver\web_log.txt for possible failures.


If you use the same domain for the RDP server and the RD gateway, the RDP port will automatically be set to the default locally forwarded RDP server port defined in the HTML5 server; this replicates the behavior of the HTML5 client.
Such an approach is necessary when you use a corporate network with an outgoing proxy and want to connect to your remote RDP server: the only way to do that is to reuse the RD gateway with the local server, since usually mstsc.exe does not allow any other way to connect via a local corporate proxy than via an RD gateway connection, and using 127.0.0.1 as target RDP server name could create unwanted issues if it fails the check of allowed target RDP servers. The same applies when the RDP server uses the same SSL private key as the HTML5 + RD Gateway and you want to avoid the security validity failure message in mstsc.exe for the RDP connection, which would otherwise be caused by using 127.*.*.* as local RDP server name. Remember, an RD gateway connection mostly consists of 2 (1 WebSockets + 1 RDP) or 3 (2 HTTP + 1 RDP) encapsulated SSL connections, which cost increased CPU time for encryption/decryption, so always keep in mind that the SSL validity check is processed by two different instances: by the RD gateway as the first instance and by the RDP server as the second instance.

Remember: if you disabled local RDP connection forwarding by *\Clients\webserver\settings.bin > disable_rdp=true, then RD Gateway connections to the local RDP server like 127.0.0.1:3389 will be refused too.




How to allow only specified INTERNET RDP servers as target via RD Gateway


As described above, due to a security limitation internet RDP servers are not allowed by default, only servers of intranet type. Read this FAQ if you still want to allow only specified internet servers to connect via the RD gateway.


1. Locate, or if not present create, the file *\Clients\webserver\rdplist.bin

2. Add the servers at the end as separate lines, for example
127.0.0.1:3389
192.168.2.1

your-server.com:3390

second-server.net


Notice: if no port is provided, any port will be allowed. The domains are not resolved to IPs, so the RDP server to connect to must match by string equality. A domain could resolve to an intRAnet IP, but by the security logic such addresses are still considered potential intERnet servers by default, and therefore need the same extra handling in security as internet IPs.


3. Restart the HTML5 server in the AdminTool GUI for the changes to take effect.



How to allow only servers with a predefined RDP connection cookie /~~** via RD Gateway


The main difference between allowing specified servers by rdplist.bin, as described above, and by RDP cookie is that with the cookie the server to be connected can be accessed by whatever approach the native RDP client supports. Not every native RDP client supports the RD-Gateway protocol, but very many native third party RDP clients support RDP cookie passing. So by reusing the cookie approach you delegate the choice to the RDP client, which is still able to use the RD-Gateway protocol if it supports it. However, support of the RD-Gateway protocol by the native RDP client is preferable, since then the native RDP client can connect through a local corporate proxy.

By default the RDP connection cookie /~~** can be reused to connect to the target RDP server without needing the RD Gateway, as in the example below
Server side > *\Clients\webserver\balance.bin > /~~srvTS1=demo.tsplus.net:3389 RDPPORT;
Client side > *file*.rdp > loadbalanceinfo:s:/~~srvTS1
In such a case the target RDP server is not checked for being of intranet type and many other security checks are skipped. But in the case of a local corporate proxy with mstsc.exe you may want to combine the RD gateway connection with the RDP cookie: as soon as the cookie is detected, you can set the same server as target RDP server as for the RD gateway, and if the target RDP server is found in balance.bin by the cookie (as in the example /~~srvTS1 > demo.tsplus.net:3389), the provided server string will automatically be replaced by the RDP server assigned to the cookie, demo.tsplus.net:3389 in the example above.
But you may want to limit RD gateway connections to only these RDP cookie defined connections, as an additional security improvement.

1. Locate *\Clients\webserver\settings.bin

2. Add as last line
accept_rdg_forwarded_only_rdp=true

3. Restart the HTML5 server for the changes to take effect.
From now on, as soon as anyone connects to your RD gateway without an accepted RDP cookie, the connection will be refused. A nice side effect of using the RDP cookie with balance.bin in this scenario is that the content of the remote RDP server field doesn't play any role anymore: if the cookie is found on the server side, the server will automatically be replaced by the one matching the cookie in balance.bin. Remember, trying to connect without an RDP cookie while the option accept_rdg_forwarded_only_rdp=true is enabled will cause a failure in your RDP client.



How to allow any INTERNET RDP server as target via RD Gateway


As described above, due to a security limitation internet RDP servers are not allowed by default, only servers of intranet type. Read this FAQ if you still want to allow any internet server to connect via the RD gateway.

1. Locate *\Clients\webserver\settings.bin

2. Add as last line
disable_internet_servers=false

3. Restart the HTML5 server in the AdminTool GUI for the changes to take effect.
Remember, allowing any RDP server is a high security risk, since your RD Gateway could potentially be reused to do evil things in the name of your server; use this option at your own risk, or prefer instead the rdplist.bin or RDP cookie approach described above. Remember that in usual circumstances it is very uncommon for target RDP servers to be located in the intERnet, as it would make no sense to connect to an intERnet RDP server through an intERnet RD-Gateway when you could connect directly with the same success; in most RD-Gateway scenarios the remote RDP servers are located behind a firewall in the corporate intRAnet, so only this scenario is allowed by default for security reasons.




How to limit the RD gateway to a specified RD logon only


By default you can use any RD Gateway logon/password in domain\logon style, since the HTML5 RD-Gateway implementation doesn't support ActiveDirectory verification. But you may still want to limit access to a specific domain\user or domain\user + password combination, as a kind of two-factor authentication. To do so follow the next steps

1. Create the file
*\UserDesktop\files\rdgcredentials.ini

2. Put in, for example, the following content
[your_domain\your_login]
NTLMv2Base64=

[MicrosoftAccount\xyz_logon]
NTLMv2Base64=


In this example the following user logins will be accepted as valid RD gateway logons:
your_domain\your_login
and
MicrosoftAccount\xyz_logon
and any other RD Gateway logon will be refused; in the example above any password is accepted.

But sometimes you may want to accept only specified passwords. The passwords can be stored there as NTLMv2 hashes; for example the password your_password would look like this as an NTLMv2 hash

[your_domain\your_login]
NTLMv2Base64=/Rc3R4saIFKzzJExvZak8Q==


To create this kind of password hash, start any browser directly on the server where the TSplus HTML5 server is installed and use the following http(s) link format
http://localhost/w0j7?logon=your_domain\your_login&pwd=your_password
Remember, opening this link via an internet IP is not allowed; only http://localhost/ or http://127.*.*.*/ are accepted as addresses.
After that, copy and paste the browser output into *\UserDesktop\files\rdgcredentials.ini


Notice: the mere presence of a non-empty file *\UserDesktop\files\rdgcredentials.ini will stop the RD gateway from accepting arbitrary logons, so be careful with this file to add the correct logon or logon/password, and don't forget it. Real passwords cannot be recovered from NTLMv2 hashes without brute forcing. As mentioned already, verification against ActiveDirectory is not supported.


IMPORTANT NOTICE: since HTML5 v7.39, when rdgcredentials.ini is not used, access to INTRANET servers is by default not allowed, only to localhost/127.*.*.*, to avoid the potential security issue that hackers use the RD Gateway to scan your INTRANET for live servers. This limitation does not apply when the RDP client sends an approved RDP cookie /~~* or when the servers are listed in rdplist.bin. To disable that extra check and allow INTRANET servers without the rdgcredentials.ini file, add to *\Clients\webserver\settings.bin > no_rdg_intranet_no_credential_file=false and restart the server for the changes to take effect.
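As an added example (not TSplus code, and not taken from this FAQ), the target-server rules described on this page are modeled as one Python decision function: the intranet/internet classification, rdplist.bin string matching, balance.bin cookie replacement, accept_rdg_forwarded_only_rdp, disable_internet_servers and the v7.39 rdgcredentials.ini rule. The sample file contents and all function names are constructed for illustration, and the order in which the real HTML5 server applies these checks is an assumption; disable_rdp is not modeled.

```python
import ipaddress

# Constructed sample files in the formats this FAQ describes (not real TSplus data).
BALANCE_BIN = "/~~srvTS1=demo.tsplus.net:3389 RDPPORT;\n"
RDPLIST_BIN = "127.0.0.1:3389\n192.168.2.1\n\nyour-server.com:3390\n\nsecond-server.net\n"
# Intranet ranges as listed in the FAQ; any other literal IP counts as internet.
INTRANET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def split_hostport(target):
    """'host:port' -> (host, port); a bare host gives port None."""
    host, sep, port = target.rpartition(":")
    return (host, port) if sep else (target, None)

def parse_balance(text):
    """balance.bin lines '/~~cookie=host:port RDPPORT;' -> {cookie: 'host:port'}."""
    table = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("/~~") and "=" in line:
            cookie, rest = line.split("=", 1)
            table[cookie] = rest.split()[0].rstrip(";")
    return table

def parse_rdplist(text):
    """rdplist.bin: one allowed 'host' or 'host:port' per line; blanks ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def in_rdplist(target, entries):
    """String equality only, no DNS: an entry without a port allows any port."""
    host = split_hostport(target)[0]
    return any(e in (host, target) for e in entries)

def resolve_target(target, cookie, balance, rdplist, disable_internet_servers=True,
                   forwarded_only=False, credential_file=False, intranet_no_credentials=False):
    """Return the RDP server the gateway forwards to, or None when it refuses (assumed order)."""
    if cookie in balance:              # approved cookie: the target field is replaced
        return balance[cookie]
    if forwarded_only:                 # accept_rdg_forwarded_only_rdp=true, no cookie
        return None
    if in_rdplist(target, rdplist):    # explicit allow list, intranet or internet
        return target
    try:                               # domain names are deliberately never resolved
        ip = ipaddress.ip_address(split_hostport(target)[0])
    except ValueError:
        ip = None
    if ip is not None and any(ip in net for net in INTRANET):
        # v7.39: non-loopback intranet needs rdgcredentials.ini unless no_rdg_intranet_no_credential_file=false
        ok = ip.is_loopback or credential_file or intranet_no_credentials
        return target if ok else None
    return None if disable_internet_servers else target   # disable_internet_servers=true refuses
```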