Bug ID 529169: When configuring RDP gateway and SWG on the same BIGIP, port 3389 must be explicitly let through.

Last Modified: Mar 17, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Jun 22, 2015
Severity: 4-Minor

Symptoms

SWG configuration recommends deploying a catch-all virtual (listening on all IPs and all Ports) on an HTTP tunnel interface. When TMOS makes an attempt to find the nexthop for traffic to be forwarded, it queries for all listeners (i.e. virtual servers) for that could match the specific IP and port. This query covers all interfaces and tunnels as well. When using the recommended configuration for Secure Web Gateway, the catch-all virtual will always match. TMOS will forward the traffic to this virtual which results in all packets being dropped as it is configured as a "reject" virtual server.

Impact

RDP traffic will be dropped.

Conditions

RDP gateway configuration on the same device as SWG configured with a catch-all reject virtual.

Workaround

To work around the problem, you can do either of the following: - Configure a layered virtual server for RDP (IP address 0.0, port 3389) on the http tunnel interface. - Or, remove the catch-all layered virtual from the http tunnel. This is not recommended because it will be counterproductive for security.

Fix Information

APM documentation now includes instructions for ensuring correct processing of RDP client traffic on a BIG-IP system on which both of the following are configured: SWG explicit forward proxy and APM configured as a gateway for RDP clients.

Behavior Change