Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 0.9.13-incubating
    • Component/s: RDP
    • Labels:
      None

      Description

      The description of this issue was copied from GUAC-913, an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the Apache Incubator.

      Comments, attachments, related issues, and history from prior to acceptance have not been copied and can be found instead at the original issue.

      Newer RDP servers are usually located behind a gateway server on port 443: http://technet.microsoft.com/en-us/library/cc731264(WS.10).aspx

      FreeRDP gained support for connection behind a gateway. Guacamole should be able to do this as well now if the appropriate parameters are made configurable:

      https://github.com/FreeRDP/FreeRDP/issues/386

      1. FreeRDP-patched.tar.gz
        5.86 MB
        Michael Jumper

          Activity

          keitarobr Rodrigo Gonçalves added a comment -

          Dear Michael

          I'm trying to setup a gateway based connection with the following setup:

          <config name="Desktop Virtual" protocol="rdp">
          <param name="hostname" value="xxxxx" />
          <param name="gateway-hostname" value="yyyyyy" />
          <param name="port" value="3389" />
          <param name="enable-printing" value="true" />
          <param name="ignore-cert" value="true" />
          <param name="load-balance-info" value="tsv://MS Terminal Services Plugin.1.Secretarias" />
          </config>

          But the following error is reported:

          [14:11:34:100] [66693:66699] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x2000C
          [14:11:34:100] [66693:66699] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

          Any ideas what may be happening?

          mike.jumper Michael Jumper added a comment -

          For convenience, I've attached a copy of the "1.2.0-beta1" version of the FreeRDP source, patched as described above:

          FreeRDP-patched.tar.gz

          mike.jumper Michael Jumper added a comment -

          The commit which fixes RAIL is:

          b2f7c488ab9f3c9d8cf6980f779e402cdb92d512 is the first rail-working commit
          commit b2f7c488ab9f3c9d8cf6980f779e402cdb92d512
          Author: Marc-André Moreau <marcandre.moreau@gmail.com>
          Date:   Tue Nov 11 16:35:30 2014 -0500
          
              xfreerdp: cleanup and fix RemoteApp
          
          :040000 040000 ec2436abe4e9b9651252df6517d50723ef6088f9 579df83c60a1714cdcb5d89c5871862716f506ba M	channels
          :040000 040000 21eb2f27c1d3344a9aee79b0fb2c7c8b55753eca 97442e3e8e0c0be9be8d30565656c97cd0912ca1 M	client
          

          That change is past the point in history where the API breaks, but the fix itself is not dependent on those breaking changes. It can be applied to the commit 0746d8c if the changes are limited to:

          diff --git a/channels/rail/client/rail_main.c b/channels/rail/client/rail_main.c
          index 17d5857..238bc19 100644
          --- a/channels/rail/client/rail_main.c
          +++ b/channels/rail/client/rail_main.c
          @@ -526,9 +526,10 @@ BOOL VCAPITYPE VirtualChannelEntry(PCHANNEL_ENTRY_POINTS pEntryPoints)
                  if ((pEntryPointsEx->cbSize >= sizeof(CHANNEL_ENTRY_POINTS_FREERDP)) &&
                                  (pEntryPointsEx->MagicNumber == FREERDP_CHANNEL_MAGIC_NUMBER))
                  {
          -               context = (RailClientContext*) malloc(sizeof(RailClientContext));
          +               context = (RailClientContext*) calloc(1, sizeof(RailClientContext));
           
                          context->handle = (void*) rail;
          +               context->custom = NULL;
           
                          context->ClientExecute = rail_client_execute;
                          context->ClientActivate = rail_client_activate;
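
          Review bot: the result of `calloc(1, sizeof(RailClientContext))` is dereferenced on the very next statement (`context->handle = (void*) rail;`) with no NULL check, so an allocation failure turns into a NULL-pointer write inside VirtualChannelEntry; test `context` and bail out before the first assignment. The added `context->custom = NULL;` is redundant once calloc() zero-fills the structure; keep it only if it is meant to document that the field was previously left uninitialized by malloc().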
          

          Thus ... a seemingly-good FreeRDP having working gateway while also having an API compatible with current Guacamole is the product of:

          1. Upstream at commit 0746d8c14cc8cca7b66bdea31fa6a00cbd509095
          2. The above patch
          3. Plus cherry-picking commit 1b663ceffe51008af7ae9749e5b7999b2f7d6698 if cmake is unhappy.

          The real solution is supporting the latest FreeRDP "2.0.0" tags (GUACAMOLE-249), of course, but that will take some time.

          mike.jumper Michael Jumper added a comment -

          Am currently bisecting to discover where RAIL via gateway resumes working, but the bisect is stuck in a sea of inconclusive commits where gateway logins fail (thus the status of RAIL via gateway can't be determined). To navigate out of said sea, I'm currently running a rather ridiculous one-liner which repeatedly:

          1. Tests whether gateway login succeeds - if it succeeds ... manual intervention required to verify RAIL
          2. If it fails, does a git bisect skip past the inconclusive commit
          3. Uninstalls any existing copy of FreeRDP
          4. Attempts to generate the build files with cmake
          5. If that fails, applies the 1b663ce fix for cmake and reattempts
          6. Builds and installs that version of FreeRDP

          No idea how long this will take but ... presumably quite a while.
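
The skip-and-retry loop described in the comment above maps onto `git bisect run`, where exit status 125 marks a revision as untestable. This is an added example, not the one-liner from the comment and not FreeRDP or Guacamole code: it bisects a constructed throwaway repository, and the `build_ok` and `feature` marker files are assumptions standing in for the real build and gateway-login checks. It reuses the `gateway-working` term that appears in the bisect output on this page.

```shell
#!/bin/sh
# Constructed throwaway repository (not FreeRDP). Marker files stand in for real checks:
#   build_ok : yes/no          ~ "cmake, build and gateway login all succeed"
#   feature  : working/broken  ~ the behaviour being searched for

make_history() {
    git init -q .
    i=1
    while [ "$i" -le 12 ]; do
        # Constructed history: commits 5-7 cannot be tested; the fix lands in commit 9.
        case "$i" in 5|6|7) echo no > build_ok ;; *) echo yes > build_ok ;; esac
        if [ "$i" -ge 9 ]; then echo working > feature; else echo broken > feature; fi
        echo "$i" > rev
        git add rev build_ok feature
        git -c user.name=demo -c user.email=demo@example.invalid \
            commit -q -m "commit $i" || return 1
        i=$((i + 1))
    done
}

# Exit status contract of "git bisect run":
#   125 = revision cannot be tested (skip); 0 = old term; 1..127 except 125 = new term.
PROBE='
[ "$(cat build_ok)" = yes ] || exit 125
[ "$(cat feature)" = working ] && exit 1
exit 0'

# Prints the subject of the first commit where the probe reports "working".
first_working_commit() {
    root=$(git rev-list --max-parents=0 HEAD)
    # Custom terms, because the search is for a fix rather than a regression.
    git bisect start --term-old=gateway-broken --term-new=gateway-working \
        HEAD "$root" >/dev/null || return 1
    sha=$(git bisect run sh -c "$PROBE" |
          sed -n 's/^\([0-9a-f][0-9a-f]*\) is the first gateway-working commit$/\1/p')
    git bisect reset >/dev/null 2>&1
    [ -n "$sha" ] && git log -1 --format=%s "$sha"
}

demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" && make_history && first_working_commit
    status=$?
    cd / && rm -rf "$dir"
    exit "$status"
)

demo
```

If untestable revisions sit directly on the boundary between the two terms, git cannot name a single commit and lists the remaining candidates instead; in that case the function prints nothing and returns non-zero.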

          mike.jumper Michael Jumper added a comment -

          The lack of "rail" channel was due to commenting-out a failing line in one of the cmake configuration files of FreeRDP during that initial bisect. Doing another bisect to find the actual solution to that failure results in:

          1b663ceffe51008af7ae9749e5b7999b2f7d6698 is the first cmake-list-working commit
          commit 1b663ceffe51008af7ae9749e5b7999b2f7d6698
          Author: Bernhard Miklautz <bernhard.miklautz@shacknet.at>
          Date:   Fri Dec 12 18:26:45 2014 +0100
          
              build: cmake 3.1 compatibility
              
              * fix problem with REMOVE_DUPLICATES on undefined lists
              * since 3.1 file(GLOB FILEPATHS RELATIVE .. returns single / instead of // as
                previously - necessary adoptions for regex and matches done. Should
              	work with all cmake versions.
              
              Tested with 3.1.0-rc3
          
          :040000 040000 20449794686df55b65d806e67cf7228a7ecaf309 d038f6f10f72b41a8cf4eaa649b1d9945c393dd1 M	channels
          :040000 040000 6bcaacd5584f4ef452ef93f812b1a1f1fe14691a 5cb1d3cb024186d8ed9f0449be2a40c0c84cea4d M	client
          :040000 040000 386c5819ddbd269d2ea4f13b75686e706d7e020d 0285c40b7c3a7b3599dd1c2b2a03e3996b8dfad0 M	server
          :040000 040000 11c3d9a97fd3ed2cf9f7cc7e68f3fdd5123eb07c 79bc747328ffc8b029eb9d82c008c9fa0788cde7 M	third-party
          

          Unfortunately, that commit is at a point in history where the FreeRDP API diverged from what Guacamole is compatible with, but cherry-picking that commit on top of 0746d8c works fine in the sense that plugins install and load correctly.

          RemoteApp / RAIL seems broken, however.

          mike.jumper Michael Jumper added a comment -

          Testing against a test RDP gateway, connections fail with both Guacamole and the FreeRDP client at stable-1.1 and 1.2.0-*. Doing a git bisect, I've found a commit where things start working again:

          0746d8c14cc8cca7b66bdea31fa6a00cbd509095 is the first gateway-working commit
          commit 0746d8c14cc8cca7b66bdea31fa6a00cbd509095
          Author: Brad <eosrei@gmail.com>
          Date:   Mon Sep 29 23:16:07 2014 -0700
          
              Do not BIO_clear_flags() when the SSL error is not valid to fix #2056
          
          :040000 040000 0a61c5e69f8b99c005b3b67ae8fa01711c03046f 14c7ddaf1f426bd9600e5f4ff958d2871329ea1a M	libfreerdp
          

          HOWEVER: At the above commit, connecting to the RDP gateway hangs during security negotiation unless the "Any" security method is selected, and the RemoteApp channel ("rail") is missing.

          More bisecting likely in my future...

          robertjan@isned.nl Robert Jan Bruins added a comment -

          Thank you for reopening the request and solving it.
          Can't wait to see and test it.

          Kind regards,

          Robert Jan

          mike.jumper Michael Jumper added a comment -

          It turns out gateway support is not actually present in FreeRDP 1.0.2 nor on stable-1.0. There are simply settings with those names. The values are never used within the source itself.

          With that out of the way, we can just pay attention to stable-1.1 onward, which thankfully use the same API for this. However:

          The GatewayPort property of the settings is not used until 1.2+. Prior to 1.2, the port is hard-coded to 443.

          mike.jumper Michael Jumper added a comment -

          Overall Guacamole connection parameters that would need to be added seem to be:

          1. gateway-hostname
          2. gateway-port
          3. gateway-domain (only possible with 1.1+)
          4. gateway-username
          5. gateway-password
          6. load-balance-info (only possible with 1.1+)
          mike.jumper Michael Jumper added a comment -

          Table of relevant FreeRDP settings structure members:

          stable-1.1 or later   | 1.0.2 or stable-1.0
          ----------------------+--------------------
          GatewayPort           | tsg_port
          GatewayHostname       | tsg_hostname
          GatewayUsername       | tsg_username
          GatewayPassword       | tsg_password
          GatewayDomain         | N/A
          GatewayEnabled        | ts_gateway
          LoadBalanceInfo       | N/A
          LoadBalanceInfoLength | N/A

          Gateway support is not present in FreeRDP for 1.0.1 or earlier.

          robertjan Robert Jan Bruins added a comment -

          This feature would be very welcome and enhance security and usability a lot.

          For connecting to a remote site only one port (443) needs to be opened instead of several 3389 ports.
          Of course connecting over a VPN (or similar) would be a solution but this is not always possible due to restrictions of the remote site.

          Thanx, Robert Jan


            People

            • Assignee:
              mike.jumper Michael Jumper
              Reporter:
              mike.jumper Michael Jumper
            • Votes:
              3
              Watchers:
              6
