Has anyone found a solution for this problem? Remote Desktop Gateway published through the WAF does not connect from Android clients; RDP from Windows machines works fine. My logs (the requests using the RDG_OUT_DATA, RPC_IN_DATA and RPC_OUT_DATA methods are rejected by the WAF with a 403): 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RDG_OUT_DATA https://mywebrdp.xxx.net:443/remoteDesktopGateway/ HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"] 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. 
[file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RDG_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"] 2017:12:01-09:55:26 myutm httpd[17666]: [url_hardening:error] [pid 17666:tid 4003548016] [client 171.151.211.201:49073] URI prefix does not match, URI: mywebrdp.xxx.net:443/.../ 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "399"] [id "960020"] [rev "1"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"] 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. 
[file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [data "Last Matched Data: RDG_OUT_DATA https://mywebrdp.xxx.net:443/remoteDesktopGateway/ HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"] 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4003548016] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 7, SQLi=, XSS=): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [hostname "mywebrdp.xxx.net"] [uri "/remoteDesktopGateway/"] [unique_id "WiFDLgqQBf4AAEUCS-kAAABz"] 2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="230" user="-" host="171.151.211.201" method="RDG_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Pragma Header requires Cache-Control Header for HTTP/1.1 requests." exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1009" url="/remoteDesktopGateway/" server="mywebrdp.xxx.net" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEUCS-kAAABz" 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. 
Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_OUT_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"] 2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf"] [line "52"] [id "960911"] [rev "2"] [msg "Invalid HTTP Request Line"] [data "RPC_IN_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"] 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. 
[file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_OUT_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"] 2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "RPC_IN_DATA"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"] 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. 
[file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"] 2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/usr/apache/conf/waf/modsecurity_crs_http_policy.conf"] [line "88"] [id "960035"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".dll"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"] 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. 
[file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_OUT_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"] 2017:12:01-09:55:26 myutm httpd[17666]: [security2:error] [pid 17666:tid 4062296944] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEUCS-oAAABs"] 2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="225" user="-" host="171.151.211.201" method="RPC_OUT_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1317" url="/rpc/rpcproxy.dll" server="mywebrdp.xxx.net" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEUCS-oAAABs" 2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960911-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE. 
[file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy"] [data "Last Matched Data: RPC_IN_DATA https://mywebrdp.xxx.net/rpc/rpcproxy.dll?localhost:3388 HTTP/1.1"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"] 2017:12:01-09:55:26 myutm httpd[18484]: [security2:error] [pid 18484:tid 4028726128] [client 171.151.211.201] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=, XSS=): URL file extension is restricted by policy"] [hostname "mywebrdp.xxx.net"] [uri "/rpc/rpcproxy.dll"] [unique_id "WiFDLgqQBf4AAEg04ToAAAAM"] 2017:12:01-09:55:26 myutm httpd: id="0299" srcip="171.151.211.201" localip="186.193.226.254" size="225" user="-" host="171.151.211.201" method="RPC_IN_DATA" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: URL file extension is restricted by policy" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="1524" url="/rpc/rpcproxy.dll" server="mywebrdp.xxx.net" port="443" query="?localhost:3388" referer="-" cookie="-" set-cookie="-" uid="WiFDLgqQBf4AAEg04ToAAAAM"