Using Apache as a reverse proxy HTTPS server in front of Remote Desktop Gateway server

Tags: apache-2.2, https, proxy, remote-desktop-services, windows-server-2008-r2

I have a small server running several virtual machines, some web servers and also a windows 2008 R2 Remote Desktop Gateway server.
The intention is to have an Apache2 server running on Ubuntu 11.10 which will act as a reverse proxy server to forward requests to the corresponding server based on the hostname that is used.

I have this working for several other Ubuntu Apache2 servers and for the IIS7 server running on my 2008 R2 RD Gateway server.

With working, I mean that I can access all these web servers both via HTTP and HTTPS based on the hostname I'm visiting with a web browser.

What does not work however, is using the remote desktop gateway functionality, to connect from an external client to an internal RDP server.

I know that the RD gateway server is configured correctly because if I redirect external HTTPS traffic directly to its IP (bypassing the apache2 proxy server) everything works fine.
When I put the apache2 proxy in between, and try to establish an RDP connection from an external source, I get the following error in the apache proxy error.log:

[error] (70007)The timeout specified has expired: proxy: prefetch request body failed     to 192.168.2.172:443 (rdpgw.internal.domain.com) from xx.xx.xx.xx ()

Where xx.xx.xx.xx is my external client's IP.

The remote desktop client on the remote client will give a generic timeout error, and on the RD Gateway server everything seems fine.
When connecting directly to the RD gateway server I can see this in the IIS logfile:

2012-01-26 11:54:13 192.168.2.172 RPC_IN_DATA /rpc/rpcproxy.dll localhost:3388 443 - xx.xx.xx.xx MSRPC 401 1 2148074254 15
2012-01-26 11:54:13 192.168.2.172 RPC_OUT_DATA /rpc/rpcproxy.dll localhost:3388 443 - xx.xx.xx.xx MSRPC 401 1 2148074254 15

And when connecting through the apache2 proxy I can see:

2012-01-26 11:54:53 192.168.2.172 RPC_IN_DATA /rpc/rpcproxy.dll localhost:3388 443 - 192.168.2.170 MSRPC 401 1 2148074254 46
2012-01-26 11:54:53 192.168.2.172 RPC_OUT_DATA /rpc/rpcproxy.dll localhost:3388 443 - 192.168.2.170 MSRPC 401 1 2148074254 31

So the connection in the 2nd case is coming from the apache2 proxy; otherwise the connections seem to be the same.

One thing I'm not quite sure how to set up is the certificates on both servers.
I understand that HTTPS can by design not be 'intercepted' and forwarded by the proxy server, so if I'm correct there are actually 2 separate SSL connections involved here: 1 from the remote client to the apache proxy, and one from the apache proxy to the RD gateway server.
I figured it would be best if the remote client did not see the difference, so I used the same self-signed certificate and private key on both the apache proxy and the RD gateway server.

These are the contents of the corresponding vhost apache2 config file:

<VirtualHost *:443>
   ServerName rdgw.externaldomainname.com

   ProxyRequests off
   ProxyPreserveHost on
   ProxyPass / https://rdgw.internal.domain.com/
   ProxyPassReverse / https://rdgw.internal.domain.com/

   SSLEngine on
   SSLProxyEngine on
   RequestHeader set Front-End-Https "On"

   SSLCertificateFile /etc/apache2/certs/rdgw.externaldomainname.com.crt
   SSLCertificateKeyFile /etc/apache2/certs/rdgw.externaldomainname.com.key
</VirtualHost>

Hopefully someone knows how this can be done?
It should be possible as I found this MS article which describes how to set up exactly this configuration, only with MS ISA as a proxy server instead of Ubuntu/Apache2.

Best Answer

Unfortunately, RPC-over-HTTP compatibility in Apache looks like a "will not fix". Its behavior doesn't jive with how mod_proxy handles communication, and they aren't inclined to bend over backwards for Microsoft's non-standard HTTP behavior.

See here. Highlight:

If it fails to comply with HTTP, it isn't HTTP, and the ASF HTTP Server project is unlikely to pay attention; particularly if it masquerades as HTTP and is not.

[snip]

In the interim, after lengthy consideration, this is not an httpd proxy flaw.

If there's no other reason that you were looking at Apache specifically, maybe look into an alternative - HAProxy may be a good fit?
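Added here to illustrate the HAProxy route the answer points to (this is not the answerer's configuration): a layer-4 passthrough that picks the backend from the TLS SNI name, so the TLS session is never terminated or parsed at the proxy and the RD Gateway receives the same bytes it would from the direct port forward that the question reports as working. It assumes HAProxy 1.5 or later, the hostnames from the question, and that 192.168.2.172 is the gateway's address; the web backend address is a placeholder.

```haproxy
# Layer-4 front end: HAProxy forwards raw TLS by SNI and never speaks HTTP,
# so the RPC_IN_DATA / RPC_OUT_DATA streams that mod_proxy chokes on pass untouched.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    # Wait (up to 5s) for the ClientHello so the SNI name can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route the RD Gateway hostname to the gateway; everything else to the web servers.
    use_backend rdgw if { req.ssl_sni -i rdgw.externaldomainname.com }
    default_backend web

backend rdgw
    mode tcp
    # RD Gateway from the question; TLS terminates there, with its own certificate.
    server rdgw1 192.168.2.172:443 check

backend web
    mode tcp
    # Placeholder for the existing Apache/IIS web hosts (assumed address).
    server web1 192.168.2.100:443 check
```

Because the proxy does not terminate TLS, the RD Gateway's certificate is the only one clients see and no copy of its private key needs to live on the proxy; the trade-off is that, as with the Apache setup above, the IIS log records the proxy's address rather than the external client's.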
