All posts by msdadmin

Connecting to a Remote Desktop Gateway behind a proxy server

Connecting to a Windows 2012 R2 RD Gateway server from behind a proxy server, especially one that requires authentication, may fail with one of the following errors:

‘Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to.’

[Screenshot: RDPError2]

Or

‘Remote Desktop can’t connect to the remote computer for one of these reasons:

  1. Remote access to the server is not enabled
  2. The remote computer is turned off
  3. The remote computer is not available on the network’

[Screenshot: RDPError]

Additionally, the following event (ID 4625) is logged in the Security log on the gateway server:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/5/2013 4:20:00 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RDGW.CONTOSO.COM
Description:
An account failed to log on.

This issue is documented in Microsoft KB 2903333: https://support.microsoft.com/en-us/kb/2903333

To fix it, create the EnforceChannelBinding registry value on the Gateway server and set it to 0 (zero), which makes the gateway ignore missing channel bindings:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core
Type: REG_DWORD
Name: EnforceChannelBinding
Value: 0 (Decimal)

[Screenshot: RDPError_reg]

Note: By default, the EnforceChannelBinding value does not exist on the Gateway server; you must create it. When you are done, reboot the server. Connections from behind your proxy server should then succeed.
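As an added example (not from the original post), the same change scripted in PowerShell so that it can be applied, verified and reverted from an elevated session on the gateway, together with a count of event 4625 in the Security log to compare before and after. The function names are my own. Setting the value to 0 means the gateway accepts logons whose channel binding is missing, which is exactly what lets it work through an authenticating proxy, so apply it only on gateways that need it and keep the revert function to hand.

```powershell
# Added example, not part of the original post: set, verify and (optionally) revert
# the EnforceChannelBinding value on an RD Gateway server. Run in an elevated
# PowerShell session on the gateway itself.

$GatewayKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
$ValueName  = 'EnforceChannelBinding'

function Get-ChannelBindingState {
    # Returns the current DWORD, or $null when the value is absent (the default,
    # which means channel bindings are enforced).
    $item = Get-ItemProperty -Path $GatewayKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ChannelBindingIgnored {
    # The value does not exist by default, so create it the first time and
    # update it on later runs.
    if ($null -eq (Get-ChannelBindingState)) {
        New-ItemProperty -Path $GatewayKey -Name $ValueName -PropertyType DWord -Value 0 | Out-Null
    } else {
        Set-ItemProperty -Path $GatewayKey -Name $ValueName -Value 0
    }
}

function Restore-ChannelBindingDefault {
    # Deleting the value returns the gateway to its default (enforced) behaviour.
    Remove-ItemProperty -Path $GatewayKey -Name $ValueName -ErrorAction SilentlyContinue
}

function Get-RecentLogonFailureCount {
    param([int]$Hours = 1)
    # Counts event 4625 ("An account failed to log on") in the Security log over
    # the last $Hours, the symptom described in the post. Get-WinEvent reports
    # "no events found" as an error, which SilentlyContinue turns into an empty result.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    return @($events).Count
}

"Current state (blank = value not set): $(Get-ChannelBindingState)"
"Event 4625 count, last hour, before change: $(Get-RecentLogonFailureCount)"

Set-ChannelBindingIgnored
"State after change: $(Get-ChannelBindingState)"   # 0

# The change takes effect after a reboot, as the post notes. Re-run
# Get-RecentLogonFailureCount afterwards; the 4625 events for proxied
# users should stop. To revert: Restore-ChannelBindingDefault
# Restart-Computer
```

Run it once before the reboot to record the baseline 4625 count, and again an hour or so after; the Security log check is the quickest way to confirm the fix took effect without asking users to retest.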

Configuring Site to Site VPN from Cisco ASA to a Draytek router

Walkthrough for creating a site-to-site VPN from a Cisco ASA firewall to a Draytek router, using ASDM. The models used were a Cisco ASA 5505 running ASDM 7.4(2) and ASA 9.2(3)3, and a Draytek 2860 series firewall/router.

Note that there is a guide on the Draytek site here: http://www.draytek.com/index.php?option=com_k2&view=item&id=2027&Itemid=293&lang=en but I found this did not have quite enough information, and besides, it is for an older ASA and ASDM version.

ASA Configuration

Connection Profile:

  1. Choose Wizards >> IPsec VPN Wizard
  2. Peer IP address: Enter the WAN IP of your Draytek
  3. Local network: Choose the Network Object for your inside network
  4. Remote network: Choose or add a new Network Object for the remote network (inside the Draytek)
  5. Click Next
  6. Enter a Pre-shared key
  7. Click Next
  8. Check the box for NAT exempt (you will get asymmetric NAT errors if you do not).
  9. When finished, edit the Connection Profile and, under IKE v1, change the IPsec proposal to just ESP-3DES-SHA.
  10. Under IKE v2, choose 3DES.

[Screenshot: ASAK_IKE1]

[Screenshot: ASAK_IKE2]

Access Rule:

  1. On Access Rules, click Add:
    • Interface: Inside
    • Source: Choose your inside network
    • Destination: Choose your remote network behind the Draytek
  2. Add another access rule:
    • Interface: Outside
    • Source: Choose your remote network behind the Draytek
    • Destination: Choose your inside network

Draytek Configuration

  1. Click on VPN and Remote Access
  2. Click LAN to LAN
  3. Click a free Index
  4. Enter a profile name
  5. Call Direction: Dial-Out
  6. Dial-Out Settings: IPsec Tunnel
  7. Server IP: Enter the WAN IP of the ASA
  8. IKE Authentication Method: enter the same pre-shared key you used on the ASA
  9. IPsec Security Method: Click High, then Advanced, then choose:
    1. IKE phase 1 proposal: 3DES_SHA1_G2
    2. IKE phase 2 proposal: 3DES_SHA1

[Screenshot: Draytek_IKE]

  10. Enter the remote network settings under TCP/IP Network Settings at the bottom.

That’s it! Then try pinging something on the other side and it should dial the tunnel. I would suggest using the logging on the ASA to troubleshoot issues, since it is more comprehensive than the syslog on the Draytek. The most common reasons for the tunnel not coming up are the phase 1 and phase 2 settings, so make sure that these match on both sides.