On 4/07/2013 3:41 a.m., Stan2k wrote:
Thank you for you reply
I think the security is set now :
"acl RDS dstdomain .domain.com
cache_peer_access gateway allow RDS
cache_peer_access gateway deny all
http_access allow RDS
http_access deny all
miss_access allow RDS
miss_access deny all"
I have no logs in IIS but in cache.log i can see this :
Hmm. Would that be IIS 6.0 ? IIRC there were a few weird issues with that.
RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1
Pragma: no-cache
Accept: */*
User-Agent: MS-RDGateway/1.0
RDG-Connection-Id: {74E283C3-FFEC-45E9-A485-FFD941CC1DE7}
Host: Public_domain_name
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAJYAAABoAWgBrgAAABYAFgBYAAAADgAOAG4AAAAaABoAfAAAAAAAAAAWAgAABYKIogYBsR0AAAAPwb+afd8EjjkbUjKFZt1HiHEAZgB0AHIAaQBhAGwAcwAuAHEAaABjAGwAaQBlAG4AdAAxAFAAQQBSAFEASAAtAE0AQQBMAFYAQQBVAFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8boekSNjA11IMiTqE2UKQEBAAAAAAAA+PYljf53zgHyinHwgL5B9QAAAAACABAAUQBGAFQAUgBJAEEATABTAAEAGABMAE8ATgBUAEgARAAtAEQAQwAtAFEARgAEABYAcQBmAHQAcgBpAGEAbABzAC4AcQBoAAMAMABsAG8AbgB0AGgAZAAtAGQAYwAtAHEAZgAuAHEAZgB0AHIAaQBhAGwAcwAuAHEAaAAFABYAcQBmAHQAcgBpAGEAbABzAC4AcQBoAAcACAD49iWN/nfOAQYABAACAAAACAAwADAAAAAAAAAAAAAAAAAwAAAZbtT5dfEX7qWMO07vsbzKCOkNs/WGhVyexvYLnTmElgoAEAAnBjFQKXCQj40wiZPB6Vp1CQA4AEgAVABUAFAALwBxAGYAdAByAGkAYQBsAHMALgBxAHUAYQBuAHQAaABvAHUAcwBlAC4AYwBvAG0AAAAAAAAAAAAAAAAA
Via: 1.1 lonthd-rprx01 (squid/3.3.5-20130620-r12578)
Surrogate-Capability: lonthd-rprx01="Surrogate/1.0"
X-Forwarded-For: Public_IP_Address
Cache-Control: no-cache
Connection: keep-alive
Front-End-Https: On
That looks suspiciously like a Kerberos token sent as "NTLM". Although
it may just be an artifact of how the NTLMv2 security hash is formatted.
Other than that the above looks like a valid request.
----------
2013/07/03 16:04:07.209| http.cc(1172) readReply:
local=Reverse_Proxy_Local_IP:59707 remote=Parent_Server_Local_IP:443 FD 10
flags=1: read failure: (104) Connection reset by peer.
2013/07/03 16:04:07.210| forward.cc(609) serverClosed: FD -1
https://Public_domain_name/remoteDesktopGateway/
2013/07/03 16:04:07.210| errorpage.cc(1281) BuildContent: No existing error
page language negotiated for ERR_READ_ERROR. Using default error file.
2013/07/03 16:04:07.210| store.cc(994) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2013/07/03 16:04:07.210| client_side_reply.cc(1974)
processReplyAccessResult: The reply for RDG_OUT_DATA
https://Public_domain_name/remoteDesktopGateway/ is ALLOWED, because it
matched 'RDS'
2013/07/03 16:04:07.210| client_side.cc(1377) sendStartOfMessage: HTTP
Client local=Reverse_Proxy_Local_IP:443 remote=Public_IP_Address:57042 FD 9
flags=1
2013/07/03 16:04:07.210| client_side.cc(1378) sendStartOfMessage: HTTP
Client REPLY:
---------
HTTP/1.1 502 Bad Gateway
Server: squid/3.3.5-20130620-r12578
Mime-Version: 1.0
Date: Wed, 03 Jul 2013 15:04:07 GMT
Content-Type: text/html
Content-Length: 4218
X-Squid-Error: ERR_READ_ERROR 104
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from lonthd-rprx01
Via: 1.1 Squid_local_name (squid/3.3.5-20130620-r12578)
Connection: close
I can see the (104) error connection reset by peer and the 502 error code
bad gateway.
Okay so it is the server disconnecting before delivering a response.
That sort of hints at one of three things:
* broken server scripts crashing
* overloaded server trying to protect itself by dropping connections
* network congestion controls trying to recover (some firewall moving
into "SYN flood" handling and issuing TCP RESET packets to Squid)
I launched a wireshark on the rds gateway and i can see there is an ssl
negotiation when i try to connect. The fact that IIS don't show any logs
make me think there is no autentication error. maybe a network issue?
Amos