By default, the HTML5 server can forward RDP requests arriving on the default web ports 80/443 to the target RDP server. Some hacker tools exploit this to run RDP brute-force attacks against these ports. As a countermeasure you have two choices: either completely disable RDP forwarding as described in this FAQ, or disable RDP forwarding while enabling RDP cookie-approved connections. In the second case, the initial RDP connection packet must contain a special cookie string known to the server in order to be passed through. To enable cookie approval, do the following.

(0. first upgrade to the latest RDPus version, since this feature may not be available in older versions)

1. follow this FAQ to disable RDP forwarding if not yet done

2. open with Notepad *\Clients\webserver\balance.bin

3. add as next line (and save changes)

/~~mySpecificRDPcookie=127.0.0.1:3389 RDPPORT;

(this means the RDP client must send the cookie /~~mySpecificRDPcookie to be passed to 127.0.0.1:3389; /~~mySpecificRDPcookie is just an example, it can be any string, except that the leading /~~ is mandatory)

4. if you use mstsc.exe to connect, create and edit a *.rdp file and add as next line

loadbalanceinfo:s:/~~mySpecificRDPcookie

(clients other than mstsc.exe may lack cookie support; we do not maintain a list of third-party clients supporting cookies)

(5). if you use load balancing in half balancing mode (when the gateway takes the role of RDP client, and not the subserver), then without knowing that cookie the RDP client part of the HTML5 client would fail to connect. To get around this, open *\Clients\webserver\setting.bin with Notepad directly on the gateway server, insert the following line and save the changes

default_rdp_cookie="/~~mySpecificRDPcookie"

6. restart HTML5 server in AdminTool GUI.
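
What a cookie check on the first RDP packet looks like, as an added example (not the HTML5 server's own code): mstsc.exe sends the loadbalanceinfo value as the routing token of the X.224 Connection Request, terminated by CR LF. The exact-match rule and the names parse_balance_line, routing_token, route and build_cr are assumptions made for illustration.

```python
import struct

# Constructed sample of a balance.bin line, in the format shown in step 3.
BALANCE_LINE = "/~~mySpecificRDPcookie=127.0.0.1:3389 RDPPORT;"

def parse_balance_line(line):
    """Split '/~~cookie=host:port RDPPORT;' into (cookie, host, port)."""
    cookie, _, rest = line.strip().rstrip(";").partition("=")
    if not cookie.startswith("/~~") or not rest:
        raise ValueError("cookie must start with /~~ and map to host:port")
    host, _, port = rest.split()[0].rpartition(":")
    return cookie, host, int(port)

def routing_token(pdu):
    """Return the routing token/cookie of an X.224 Connection Request, or None."""
    if len(pdu) < 11 or pdu[0] != 3:            # TPKT version must be 3
        return None
    (length,) = struct.unpack(">H", pdu[2:4])   # TPKT length, big-endian
    if length != len(pdu) or pdu[5] != 0xE0:    # 0xE0 = X.224 Connection Request
        return None
    body = pdu[11:]                             # skip TPKT (4) + X.224 header (7)
    end = body.find(b"\r\n")                    # token is terminated by CR LF
    if end <= 0:
        return None                             # no token, only rdpNegReq or nothing
    return body[:end].decode("ascii", "replace")

def route(pdu, table):
    """Assumed rule: forward only on an exact cookie match, else None (drop)."""
    return table.get(routing_token(pdu))

def build_cr(token):
    """Constructed test input: a Connection Request with an optional token."""
    neg = struct.pack("<BBHI", 0x01, 0, 8, 0x03)    # rdpNegReq: TLS + CredSSP
    body = (token.encode() + b"\r\n" if token else b"") + neg
    x224 = bytes([6 + len(body), 0xE0, 0, 0, 0, 0, 0])
    return struct.pack(">BBH", 3, 0, 4 + len(x224) + len(body)) + x224 + body

cookie, host, port = parse_balance_line(BALANCE_LINE)
TABLE = {cookie: (host, port)}
```

A request without a token, or with the usual `Cookie: mstshash=...` value, finds no entry in the table and is not forwarded.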

Oracle Remediation

Since Windows 2012/2016 and Windows 10 there is a new option for additional RDP security: admitting only updated clients, so that potential hackers cannot exploit RDP vulnerabilities by brute forcing the connection. This requires the RDP clients to support at least CredSSP v6.

1. start gpedit.msc

2. change: Computer Configuration > Administrative Templates > System > Credential Delegation > Encryption Oracle Remediation > Only Updated Clients >> Force Updated Clients

Remember, this requires at least the HTML5 v6.12 client; check your web_log.txt if you are unsure.

Randomized local remote binding

The new HTML5 v6.23 client supports randomized remote addresses in the 127.*.*.* address space.

1. open with Notepad *\Clients\webserver\settings.bin

2. add as next line (and save changes)

rdp_remote_address_by_forward="*"

rdp_remote_address_by_html5="*"

3. restart HTML5 server in AdminTool GUI.