RDPSoft

Remote Desktop and Terminal Server Software

We Make RDS, XenApp & VDI Monitoring/Reporting Easy and Affordable

Three Reasons Why You Need to Monitor CAP and RAP Failures On Your Remote Desktop Gateways

April 19, 2022 By Andy Milford

The latest version of our Remote Desktop Commander Suite (Version 6) now offers reporting that tracks CAP (Connection Authorization Policies) and RAP (Resource Authorization Policies) failures on your Remote Desktop Gateway servers. Why is it important to track these failures? Here are three very important reasons.

CAP and RAP Failures on Your Remote Desktop Gateways May Be Indicative of Hack Attempts

Put simply, Remote Desktop Gateway CAPs control WHO (which users and groups) can access your Remote Desktop Services deployments, and Remote Desktop Gateway RAPs control WHAT (e.g. which computers) they can access in the deployment. If you are seeing either CAP or RAP failures in your event logs, it could be an intruder trying to gain access to your internal network’s systems. This is especially true if you are *not using* an MFA solution on your network to better validate RDS users authenticating through a Terminal Services Gateway.

For instance, if you see a CAP failure (Event ID 201 in the Microsoft-Windows-TerminalServices-Gateway/Operational event log), it could indicate that an attacker has managed to successfully authenticate with one of your Remote Desktop Gateway servers, but the compromised user was not a user approved to access your RDS deployment. Or in other words, a hacker has obtained the correct username/pw combo for a user in your Active Directory, but that user is NOT authorized to use your RDS collections.

In this CAP failure example, a hacker may have gotten the password for ‘CompromisedAccount’, and then attempted to authenticate through the Gateway in an attempt to access other systems internal to your network.

In contrast, if you see a RAP failure (Event ID 301 in the Microsoft-Windows-TerminalServices-Gateway/Operational event log), an attacker may be trying to connect to a system BEYOND your RDS deployment and has been blocked from doing so. That is more likely if you’ve already done what I’ve recommended in my book on securing RDS deployments and tightened down your RAPs. A normal user typically uses the default RDP file they obtain from your RDWeb feed. An attacker, on the other hand, could have altered an RDP file to keep your gateway server information, but instead target a non-RDS server by its name or IP address.

In this RAP failure example, a hacker may have gotten the password for ‘CompromisedAccount’, and then attempted to access your Domain Controller or another critical server beyond your RDS deployment through the Gateway.
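A triage sketch for the two event IDs described above, added here as an example and not RDPSoft's code: it groups CAP (201) and RAP (301) failures per user and separates RAP targets outside the RDS host inventory (the intrusion pattern) from targets inside it (a likely policy gap). It assumes events exported as XML with `Username`, `IpAddress` and `Resource` fields under `UserData`; the host names, accounts and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KIND = {"201": "CAP", "301": "RAP"}  # failure event IDs named in the article

def parse_event(xml_text):
    """Return a dict for a CAP/RAP failure record, or None for any other event."""
    root = ET.fromstring(xml_text)
    kind = KIND.get(root.findtext("e:System/e:EventID", default="", namespaces=NS))
    if kind is None:
        return None
    # Assumed layout: fields sit under UserData; match on local tag name only.
    user_data = root.find("e:UserData", NS)
    data = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
            for el in (user_data.iter() if user_data is not None else [])}
    return {"kind": kind, "user": data.get("Username", "").lower(),
            "client": data.get("IpAddress", ""), "resource": data.get("Resource", "").lower(),
            "gateway": root.findtext("e:System/e:Computer", default="", namespaces=NS)}

def summarize(events_xml, rds_hosts):
    """Per user: failure counts, gateways and clients seen, RAP targets in/out of inventory."""
    known = {h.lower() for h in rds_hosts}
    report = defaultdict(lambda: {"CAP": 0, "RAP": 0, "gateways": set(),
                                  "clients": set(), "inside": set(), "outside": set()})
    for ev in filter(None, map(parse_event, events_xml)):
        row = report[ev["user"]]
        row[ev["kind"]] += 1
        row["gateways"].add(ev["gateway"])
        row["clients"].add(ev["client"])
        if ev["kind"] == "RAP":
            row["inside" if ev["resource"] in known else "outside"].add(ev["resource"])
    return dict(report)

def _event(event_id, gateway, user, ip, resource=""):
    # Constructed record in the assumed layout; not captured from a real log.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{gateway}</Computer></System><UserData><EventInfo xmlns="aag">'
            f'<Username>{user}</Username><IpAddress>{ip}</IpAddress>'
            f'<Resource>{resource}</Resource></EventInfo></UserData></Event>')

RDS_HOSTS = ["rdsh01.example.local", "rdcb02.example.local"]  # hypothetical inventory
SAMPLE = [  # constructed events
    _event(201, "gw1", r"EXAMPLE\CompromisedAccount", "203.0.113.10"),
    _event(301, "gw1", r"EXAMPLE\asmith", "203.0.113.44", "dc01.example.local"),
    _event(301, "gw2", r"EXAMPLE\jdoe", "198.51.100.7", "rdcb02.example.local"),
    _event(200, "gw1", r"EXAMPLE\jdoe", "198.51.100.7"),  # other event ID: ignored
]
for user, row in summarize(SAMPLE, RDS_HOSTS).items():
    print(user, row)
```

The inventory passed as `rds_hosts` should list every form of a host name that appears in RDP files (FQDN, short name, IP address), otherwise legitimate targets land in the `outside` set.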

You Could Have a Configuration Issue On Your Gateways

It’s easy to screw up CAP and RAP policies on a Gateway. For instance, let’s say you’ve set up an RDS deployment with a single connection broker. Then, you decide to add a second connection broker and put the deployment into High Availability mode. Did you remember to visit both of your Remote Desktop Gateway servers and add the new broker to each of their RAPs? If not, users who get load balanced to the new, second broker will have problems connecting via the gateway because they’re not yet authorized to connect via the RAP.

In another scenario I’ve seen in my consulting work, a client migrated their RDS deployment from one datacenter to another, and then had an issue with name resolution because of legacy RDP files still in use. The gateways had RAP entries for the fully qualified domain names of the session hosts, but not for their equivalent NetBIOS short names and IP addresses. As a result, some connections were working and others were not.

Your End Users Could Be Using Misconfigured RDP Files

Your end users will continually cause you pain by doing things like caching copies of the RDP files they’ve downloaded to their desktop. Then, when you push changes and reconfigurations out to RDWeb via the Connection Broker, they’ll bypass RDWeb or RADC in favor of their out of date RDP file already stashed on their desktop. That, in turn, can generate RAP failures and/or connection broker connection request failures. If you’re monitoring CAP/RAP failures and connection broker failures, you can make a list of the “wayward children” who need to get a tap on the shoulder!

The Takeaway – You Need Automated Collection and Reporting of Remote Desktop Gateway CAP and RAP Failures

In busy deployments, the Microsoft-Windows-TerminalServices-Gateway/Operational event log wraps VERY quickly. I’ve seen these logs wrap within an hour, because no one remembers to boost their retention settings via Group Policy. And even if you fix the retention, consolidating things by username or by gateway server to make sense of it all will take some doing, even if you do have a SIEM or other log aggregation solution in place.

Our Remote Desktop Commander Suite solution automates all of this for you.

First, it continually collects CAP, RAP and other informational events from your Remote Desktop Gateways and stores them in its SQL database. Doing so allows you to produce reports like these on demand or on a scheduled basis with powerful filtering capabilities around usernames and server names.

Remote Desktop Gateway CAP and RAP Failures

Secondly, it has a Top Level Deployment Status Dashboard where you can continually keep your eye on Remote Desktop Gateway health, current connection count, recent connection failures, plus summon reports like those above with just two mouse clicks. To give you an idea of that dashboard’s power, please watch this video below (remember to expand it to full screen!)

The Remote Desktop Commander Suite can monitor and report on your gateways for only $11.49 per server per month, with volume discounts available. Contact our sales team for more information or to set up a demo.




Connection Broker Monitoring

April 8, 2022 By Andy Milford

Learn more about how the Top Level Deployment Status Dashboard in Remote Desktop Commander v6 handles connection broker monitoring, remote desktop gateway monitoring, session host monitoring, and synthetic RDP login monitoring.

In Remote Desktop Commander 6.0, we introduced a new Top Level Deployment Dashboard which displays the health of all of your Remote Desktop Services deployment infrastructure in one main view. If you integrate the Remote Desktop Commander Suite with our Remote Desktop Canary solution, the results of your continuous synthetic RDP login tests will automatically update in this dashboard, so you can spot errors or lengthening login times that impact user experience. In addition, this dashboard displays the trending health and load of all of your RDS gateway servers, your connection brokers, and session host collections.

Why Connection Broker Monitoring Is Important

Out of all of these roles, the Connection Broker is arguably the most important, as it truly is the “brains” of an RDS deployment. It is responsible for routing and load balancing users onto the correct servers in RDS collections, and also reconnecting disconnected sessions to the appropriate hosts. As such, the Remote Desktop Commander Suite monitors Connection Broker metrics like connection success rate, the recent number of connections processed, the response time of the SQL database server(s) the connection broker(s) are linked to, and the stored procedure success rate on the SQL database(s) that the connection brokers consult when routing users.

How To Monitor Connection Brokers

Our software collects and monitors these metrics because it has been our direct experience that connection brokers can seem “OK” in terms of CPU and memory use, but may NOT actually be OK when you start looking at things like database response times and stored procedure failure rates. Frankly, the internal mechanics of how connection brokers interact with their SQL databases are, erm, “complicated” and somewhat akin to watching sausage being made – it’s not pretty! When login storms arrive in the morning, after lunch, or after a temporary RD gateway or load balancer failure, the SQL DB typically gets overloaded, causing the connection broker to stop routing connections, etc. Consequently, proper connection broker monitoring must incorporate all of these metrics.

Furthermore, comprehensive RDS deployment monitoring, like what we provide in our Complete Monitoring and Management Bundle for RDS, monitors connection broker metrics ALONGSIDE critical gateway AND session host metrics, plus drives continuous testing into the farm with synthetic RDP login monitoring. The Top Level Deployment Status Dashboard is your entry point to all of this rich information, with drill down capabilities into active session management, shadowing sessions, user and process level performance troubleshooting, and over 100 reports on connection quality, user activity monitoring, licensing, and much more just a few mouse clicks away.

Connection Broker Error Reporting

Quickly investigate the reason for connection broker routing failures using the new Infrastructure – Connection Broker Connection Request Failures report

While connection broker routing failures happen less frequently than Remote Desktop Gateway CAP and RAP failures, it’s still important to keep an eye on them. For instance, if you migrate your deployment to use new infrastructure servers, or if you recreate your RDS collections, you may have users trying to connect with older RDP files that hold invalid collection information. Running the Connection Broker Connection Request Failures report in the Remote Desktop Commander Suite will show you all of the user accounts that are using invalid RDP files, as well as other problems, such as connection broker(s) with insufficient system resources to route users appropriately.

Ready To Get Started?

Are you ready to add comprehensive monitoring and management to your RDS environment? Would you like to have that “single pane of glass” that can show you all the critical metrics related to your Remote Desktop Services deployment, with active session management/shadowing, deep dive performance troubleshooting, user activity monitoring, license tracking, connection quality, and more just a few mouse clicks away? If so, start a very affordable subscription to our Complete Monitoring and Management Bundle for RDS for only $17.99 per server monitored per month, with volume discounts available. Or, if you’re not ready to purchase just yet, contact us for a web demo and let us answer all of your pre-purchase questions.
