bolkedebruin / rdpgw

Remote Desktop Gateway in Go for deploying on Linux/BSD/Kubernetes
Apache License 2.0
758 stars 119 forks

new macos rdp client >= 10.7.2 doesn't work over rdpgw #26

Closed krisss85 closed 2 years ago

krisss85 commented 2 years ago

It does look like the connection cannot be upgraded to websocket, but more investigation is required. It still works with 10.7.1. A plausible reason is the following entry from the release notes: Improved compatibility with third-party network devices and load balancers for workspace download and RD Gateway-based connections.

krisss85 commented 2 years ago

replicated locally

rdpgw_1     | 2021/12/21 10:38:29 Starting remote desktop gateway server
rdpgw_1     | 2021/12/21 10:39:13 http: TLS handshake error from 172.19.0.1:58920: remote error: tls: unknown certificate
rdpgw_1     | 2021/12/21 10:39:13 http: TLS handshake error from 172.19.0.1:58918: remote error: tls: unknown certificate
rdpgw_1     | 2021/12/21 10:39:13 http: TLS handshake error from 172.19.0.1:58926: remote error: tls: unknown certificate
rdpgw_1     | 2021/12/21 10:39:25 Session {33001a58-6ad9-f0f6-a16b-14bbb641c5fe}, false, false
rdpgw_1     | 2021/12/21 10:39:25 Opening RDGOUT for client 172.19.0.1
rdpgw_1     | 2021/12/21 10:39:25 Session {33001a58-6ad9-f0f6-a16b-14bbb641c5fe}, true, false
rdpgw_1     | 2021/12/21 10:39:25 Opening RDGIN for client 172.19.0.1
rdpgw_1     | 2021/12/21 10:39:25 Legacy handshakeRequest done for client 172.19.0.1
rdpgw_1     | 2021/12/21 10:39:25 Client handshakeRequest from 172.19.0.1
rdpgw_1     | 2021/12/21 10:39:25 major: 1, minor: 0, version: 0, ext auth: 2
rdpgw_1     | 2021/12/21 10:39:25 Tunnel create
rdpgw_1     | 2021/12/21 10:39:25 Tunnel auth
rdpgw_1     | 2021/12/21 10:39:26 Channel create
rdpgw_1     | 2021/12/21 10:39:26 Establishing connection to RDP server: xrdp:3389
rdpgw_1     | 2021/12/21 10:39:26 Connection established
rdpgw_1     | 2021/12/21 10:39:29 Close channel
rdpgw_1     | 2021/12/21 10:39:29 Cannot read message from stream read tcp 172.19.0.4:9443->172.19.0.1:58940: use of closed network connection
rdpgw_1     | 2021/12/21 10:40:32 http: TLS handshake error from 172.19.0.1:58952: remote error: tls: unknown certificate
rdpgw_1     | 2021/12/21 10:40:36 Session {1c9833c1-a626-6c5c-c5af-090f32ef9c40}, false, false
rdpgw_1     | 2021/12/21 10:40:36 Opening RDGOUT for client 172.19.0.1
rdpgw_1     | 2021/12/21 10:40:36 Session {1c9833c1-a626-6c5c-c5af-090f32ef9c40}, true, false
rdpgw_1     | 2021/12/21 10:40:36 Opening RDGIN for client 172.19.0.1
rdpgw_1     | 2021/12/21 10:40:36 Legacy handshakeRequest done for client 172.19.0.1
rdpgw_1     | 2021/12/21 10:40:36 Client handshakeRequest from 172.19.0.1
rdpgw_1     | 2021/12/21 10:40:36 major: 1, minor: 0, version: 0, ext auth: 2
rdpgw_1     | 2021/12/21 10:40:36 Tunnel create
rdpgw_1     | 2021/12/21 10:40:36 Tunnel auth
rdpgw_1     | 2021/12/21 10:40:36 Channel create
rdpgw_1     | 2021/12/21 10:40:36 Establishing connection to RDP server: xrdp:3389
rdpgw_1     | 2021/12/21 10:40:36 Connection established
rdpgw_1     | 2021/12/21 10:40:38 Close channel
rdpgw_1     | 2021/12/21 10:40:38 Cannot read message from stream read tcp 172.19.0.4:9443->172.19.0.1:58956: use of closed network connection

krisss85 commented 2 years ago

well, it might be a bit different locally; here the request hits xrdp

[20211221-17:40:55] [INFO ] Socket 11: AF_INET connection received from 172.19.0.4 port 41296
[20211221-17:40:55] [DEBUG] Closed socket 11 (AF_INET 172.19.0.3:3389)
[20211221-17:40:55] [DEBUG] Closed socket 10 (AF_INET 0.0.0.0:3389)
[20211221-17:40:55] [DEBUG] item ini_version, value 1
[20211221-17:40:55] [DEBUG] item fork, value true
[20211221-17:40:55] [DEBUG] item port, value 3389
[20211221-17:40:55] [DEBUG] item tcp_nodelay, value true
[20211221-17:40:55] [DEBUG] item tcp_keepalive, value true
[20211221-17:40:55] [DEBUG] item security_layer, value rdp
[20211221-17:40:55] [DEBUG] item crypt_level, value low
[20211221-17:40:55] [DEBUG] item certificate, value
[20211221-17:40:55] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20211221-17:40:55] [DEBUG] item key_file, value
[20211221-17:40:55] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20211221-17:40:55] [DEBUG] item ssl_protocols, value TLSv1, TLSv1.1, TLSv1.2
[20211221-17:40:55] [DEBUG] TLSv1.2 enabled
[20211221-17:40:55] [DEBUG] TLSv1.1 enabled
[20211221-17:40:55] [DEBUG] TLSv1 enabled
[20211221-17:40:55] [DEBUG] item autorun, value
[20211221-17:40:55] [DEBUG] item allow_channels, value true
[20211221-17:40:55] [DEBUG] item allow_multimon, value false
[20211221-17:40:55] [INFO ] Multi monitor server support disabled
[20211221-17:40:55] [DEBUG] item bitmap_cache, value true
[20211221-17:40:55] [DEBUG] item bitmap_compression, value true
[20211221-17:40:55] [DEBUG] item bulk_compression, value true
[20211221-17:40:55] [DEBUG] item max_bpp, value 16
[20211221-17:40:55] [DEBUG] item new_cursors, value false
[20211221-17:40:55] [DEBUG] item use_fastpath, value both
[20211221-17:40:55] [DEBUG] item blue, value 009cb5
[20211221-17:40:55] [DEBUG] item grey, value dedede
[20211221-17:40:55] [DEBUG] item ls_top_window_bg_color, value 009cb5
[20211221-17:40:55] [DEBUG] item ls_width, value 350
[20211221-17:40:55] [DEBUG] item ls_height, value 430
[20211221-17:40:55] [DEBUG] item ls_bg_color, value dedede
[20211221-17:40:55] [DEBUG] item ls_logo_filename, value
[20211221-17:40:55] [DEBUG] item ls_logo_x_pos, value 55
[20211221-17:40:55] [DEBUG] item ls_logo_y_pos, value 50
[20211221-17:40:55] [DEBUG] item ls_label_x_pos, value 30
[20211221-17:40:55] [DEBUG] item ls_label_width, value 60
[20211221-17:40:55] [DEBUG] item ls_input_x_pos, value 110
[20211221-17:40:55] [DEBUG] item ls_input_width, value 210
[20211221-17:40:55] [DEBUG] item ls_input_y_pos, value 220
[20211221-17:40:55] [DEBUG] item ls_btn_ok_x_pos, value 142
[20211221-17:40:55] [DEBUG] item ls_btn_ok_y_pos, value 370
[20211221-17:40:55] [DEBUG] item ls_btn_ok_width, value 85
[20211221-17:40:55] [DEBUG] item ls_btn_ok_height, value 30
[20211221-17:40:55] [DEBUG] item ls_btn_cancel_x_pos, value 237
[20211221-17:40:55] [DEBUG] item ls_btn_cancel_y_pos, value 370
[20211221-17:40:55] [DEBUG] item ls_btn_cancel_width, value 85
[20211221-17:40:55] [DEBUG] item ls_btn_cancel_height, value 30
[20211221-17:40:55] [INFO ] Security protocol: configured [RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [RDP]
[20211221-17:40:55] [DEBUG] Using RDP security, and reading the server configuration
[20211221-17:40:55] [DEBUG] [MCS Connection Sequence] receive connection request

krisss85 commented 2 years ago

extract from the pcap @bolkedebruin
image

krisss85 commented 2 years ago

added some extra logging; it seems we are getting lost somewhere here

rdpgw_1     | 2021/12/23 10:10:59 Establishing connection to RDP server: xrdp:3389
rdpgw_1     | 2021/12/23 10:10:59 Connection established
rdpgw_1     | 2021/12/23 10:10:59 Entering channel response
rdpgw_1     | 2021/12/23 10:10:59 Leaving channel response
rdpgw_1     | 2021/12/23 10:10:59 Message pt: 10, sz: 29
rdpgw_1     | 2021/12/23 10:10:59 Data sent
rdpgw_1     | 2021/12/23 10:10:59 Writing data to stream
rdpgw_1     | 2021/12/23 10:10:59 Data packets received server side
rdpgw_1     | 2021/12/23 10:11:01 Message pt: 16, sz: 12
rdpgw_1     | 2021/12/23 10:11:01 Close channel
rdpgw_1     | 2021/12/23 10:11:01 Message pt: 0, sz: 0

connection seems to be closed after sending some data; we are somewhere here: https://github.com/bolkedebruin/rdpgw/blob/master/cmd/rdpgw/protocol/server.go#L145

krisss85 commented 2 years ago

@bolkedebruin it seems we are not the only ones; we should probably wait for them to fix it so it works over websockets, or maybe there will be some param to set: https://techcommunity.microsoft.com/t5/azure-virtual-desktop-feedback/msrdc-10-7-2/idi-p/3042147

bolkedebruin commented 2 years ago

@krisss85 if you are capturing can you show what RDG_OUT_DATA is showing? Should be above RDG_IN_DATA somewhere.

bolkedebruin commented 2 years ago

I had a look myself. As per the tech community post, the 10.7.2 client (and .3) does not ask for a websocket connection (e.g. there is no "upgrade" in the protocol asked for). This should still work for the docker version (however the legacy connection also seems to fail) but on kubernetes it doesn't and requires websockets.
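To make the distinction in the comment above concrete, here is an added Go example (not rdpgw's own code) that classifies an incoming gateway request as either a websocket upgrade or one of the two legs of the legacy RDG_OUT_DATA/RDG_IN_DATA HTTP tunnel; the host, path and helper names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

type Transport int // how an RD Gateway client asks to reach the gateway

const (
	TransportUnknown   Transport = iota
	TransportWebsocket           // HTTP upgrade to a websocket; what rdpgw behind a Kubernetes ingress needs
	TransportLegacyOut           // RDG_OUT_DATA: server-to-client leg of the legacy two-request HTTP tunnel
	TransportLegacyIn            // RDG_IN_DATA: client-to-server leg of the same tunnel
)

func (t Transport) String() string {
	return [...]string{"unknown", "websocket", "legacy RDG_OUT_DATA", "legacy RDG_IN_DATA"}[t]
}

// hasToken reports whether a comma-separated header value such as "keep-alive, Upgrade" lists token.
func hasToken(value, token string) bool {
	for _, part := range strings.Split(value, ",") {
		if strings.EqualFold(strings.TrimSpace(part), token) {
			return true
		}
	}
	return false
}

// ClassifyRequest tells a websocket upgrade (Connection: Upgrade plus Upgrade: websocket) apart
// from the legacy RDG_* methods; a client that sends neither, like 10.7.2 here, takes the legacy path.
func ClassifyRequest(r *http.Request) Transport {
	if hasToken(r.Header.Get("Connection"), "Upgrade") && strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		return TransportWebsocket
	}
	switch strings.ToUpper(r.Method) {
	case "RDG_OUT_DATA":
		return TransportLegacyOut
	case "RDG_IN_DATA":
		return TransportLegacyIn
	}
	return TransportUnknown
}

func main() {
	// Constructed sample: the legacy OUT leg with no upgrade headers (hypothetical host and path).
	r, _ := http.NewRequest("RDG_OUT_DATA", "https://gateway.example/remoteDesktopGateway/", nil)
	fmt.Println("client transport:", ClassifyRequest(r))
}
```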

krisss85 commented 2 years ago

@bolkedebruin the new beta client 10.7.4 resolved the issue, so I believe we can close this one, as we are affected by the change on the RDP client from MS: https://install.appcenter.ms/orgs/rdmacios-k2vy/apps/microsoft-remote-desktop-for-mac/distribution_groups/all-users-of-microsoft-remote-desktop-for-mac