How does RD Gateway enforce device redirection?

gabriel sztejnworcel 31 Reputation points
2020-12-28T21:17:08.777+00:00

Hi,

In RD Gateway, it's possible to configure device redirection policies. I was wondering how it works: how does RD Gateway enforce these policies? Since RD Gateway only serves as a tunnel and does not break the RDP encryption, this is not something trivial.

I checked the protocol specification and found that one step of the connection establishment is tunnel authorization: the client sends a Tunnel Authorize Request and the server responds with a Tunnel Authorize Response, which contains a list of devices to redirect. This made me think that RD Gateway does not actually enforce device redirection but only instructs the client which devices to redirect, and the client can theoretically just ignore this and redirect all the devices.

I found this link:
http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Egy%C3%A9b%20biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/TS%20Gateway%20Step-By-Step%20Guide.pdf
which says more or less the same thing, but it's really old, so at some point it did work this way, but I don't think it's like that anymore.

Today, when configuring RD Gateway device redirection policies, this option appears: "Only allow client connections to Remote Desktop Session Host servers that enforce RD Gateway device redirection", which suggests that there is some enforcement mechanism. I also found this link, which seems to approve it:
https://learn.microsoft.com/en-us/windows/win32/termserv/modify-device-redirection-default-

So I am wondering how it works. My guess is that the RD Gateway sends some sort of preflight request to the target machine before the RDP session begins, over the same connection.

Thanks,
Gabriel
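To make the tunnel-authorization step concrete, here is an added Python model (not code from the question or from any Microsoft component) of the redirection flags carried in the Tunnel Authorize Response and of how a cooperating client applies them. The field names follow my recollection of the TSG_REDIRECTION_FLAGS structure in MS-TSGU, the wire layout (eight BOOL fields marshalled as 32-bit little-endian integers) is an assumption, and the precedence rule (disableAll beats enableAll, then per-class flags) is this example's reading; check all three against the specification before relying on them.

```python
"""Model of the device-redirection flags returned by RD Gateway in the
Tunnel Authorize Response (TSG_REDIRECTION_FLAGS in MS-TSGU) and of how a
policy-honouring client applies them.  Field names are from memory of the
spec and the wire layout is an assumption; verify both against MS-TSGU.
Added illustration, not code from the page."""
import struct
from dataclasses import dataclass, fields

# Device classes the gateway policy can switch off individually.
DEVICE_CLASSES = ("drive", "printer", "port", "clipboard", "pnp")


@dataclass(frozen=True)
class RedirectionFlags:
    # Field order mirrors the structure as I recall it; 'reserved' is kept so
    # that the eight-field wire layout round-trips.
    enableAllRedirections: int = 0
    disableAllRedirections: int = 0
    driveRedirectionDisabled: int = 0
    printerRedirectionDisabled: int = 0
    portRedirectionDisabled: int = 0
    reserved: int = 0
    clipboardRedirectionDisabled: int = 0
    pnpRedirectionDisabled: int = 0

    def pack(self) -> bytes:
        """Assumed wire form: eight little-endian UINT32 BOOL values."""
        return struct.pack("<8I", *(getattr(self, f.name) for f in fields(self)))

    @classmethod
    def unpack(cls, data: bytes) -> "RedirectionFlags":
        """Parse the assumed 32-byte encoding back into flags."""
        if len(data) != 32:
            raise ValueError(f"expected 32 bytes, got {len(data)}")
        return cls(*struct.unpack("<8I", data))


def allowed_classes(flags: RedirectionFlags) -> frozenset:
    """Device classes the gateway policy permits.  disableAll wins over
    enableAll; otherwise each per-class 'Disabled' flag removes that class."""
    if flags.disableAllRedirections:
        return frozenset()
    if flags.enableAllRedirections:
        return frozenset(DEVICE_CLASSES)
    disabled = {
        "drive": flags.driveRedirectionDisabled,
        "printer": flags.printerRedirectionDisabled,
        "port": flags.portRedirectionDisabled,
        "clipboard": flags.clipboardRedirectionDisabled,
        "pnp": flags.pnpRedirectionDisabled,
    }
    return frozenset(c for c in DEVICE_CLASSES if not disabled[c])


def effective_redirection(requested, flags: RedirectionFlags) -> frozenset:
    """What a cooperating client ends up redirecting: the intersection of
    what the user enabled (e.g. in the .rdp file) and what the gateway
    allowed.  Anything requested but absent from the result is blocked only
    because the client honours the response, which is the gap the question
    is about; the session host's own policy is the server-side backstop."""
    unknown = set(requested) - set(DEVICE_CLASSES)
    if unknown:
        raise ValueError(f"unknown device class(es): {sorted(unknown)}")
    return frozenset(requested) & allowed_classes(flags)


# Constructed sample response: a policy that blocks drives and clipboard.
SAMPLE_RESPONSE = RedirectionFlags(driveRedirectionDisabled=1,
                                   clipboardRedirectionDisabled=1).pack()

if __name__ == "__main__":
    flags = RedirectionFlags.unpack(SAMPLE_RESPONSE)
    print(sorted(effective_redirection({"drive", "printer", "clipboard"}, flags)))
```

Running the block prints `['printer']` for the constructed sample: drive and clipboard redirection were requested by the client but removed by the gateway's response. The model makes the question's point visible: every class dropped in `effective_redirection` is dropped by client-side logic, so from a defender's standpoint the gateway policy should be paired with the matching redirection settings on the session host rather than trusted on its own.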


3 answers

  1. Eleven Yu (Shanghai Wicresoft Co., Ltd.) 10,686 Reputation points Microsoft Vendor
    2020-12-29T04:20:51.123+00:00

    Hi,

    When a client initiates a connection, RD Gateway first establishes SSL tunnels between itself and the external client. Next, RD Gateway vets the client's user (and optionally the computer) credentials to make sure that the user / computer are authorized to connect to RD Gateway. Then RD Gateway makes sure the client is allowed to connect to the requested resource. If the request is authorized then RD Gateway sets up an RDP connection between itself and the internal resource. All communication between the external client and the internal endpoint goes through RD Gateway. So, the RD Gateway can enforce device redirection between itself and the external client, and then enforce device redirection between itself and the internal resource.

    Thanks,

    Eleven

    If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.


  2. Eleven Yu (Shanghai Wicresoft Co., Ltd.) 10,686 Reputation points Microsoft Vendor
    2020-12-31T01:57:11.617+00:00

    Hi,

    RD Gateway might inspect RDP communication. The RDP connection is first created between the client and the gateway itself, so the RDP communication goes from the client to the gateway. The gateway checks the RDP communication to ensure the contents follow the policies. Then it creates a connection between itself and the internal resource and rearranges the RDP communication to send it to the internal resource. All the communication between the client and the RD Gateway, as well as between the gateway and the internal resource, is encrypted.

    Thanks,
    Eleven


  3. Eleven Yu (Shanghai Wicresoft Co., Ltd.) 10,686 Reputation points Microsoft Vendor
    2020-12-31T07:26:05.46+00:00

    Hi,

    I am not sure. I think you can capture network traces on client, gateway and RDS server to analyze the whole process.

    You can download the Network Monitor to capture the traces.
    https://www.microsoft.com/en-US/download/details.aspx?id=4865

    However, trace analysis is not currently supported in the forum. We suggest contacting Microsoft Customer Support and Services, where a more in-depth investigation can be done so that you get a more satisfying explanation and solution to this issue.
     
    You may find the phone number for your region from the link below:
    Global Customer Service phone numbers
    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thanks,
    Eleven