Run Microsoft remote applications (RemoteApp service) via WebVPN

serg_shipaev
Level 1

Hi,

Have been troubled with the following thing:

I've got Cisco ASA 8.2 configured to use WebVPN. And seems that everything works correctly.

But when I try to run the remote application via Microsoft TS (RemoteApp service web page), it returns the error: The host is unreachable.

The application runs correctly inside the LAN, and the execution profile includes the IP address of the host. The application is installed on the same host where the Microsoft RemoteApp service is running. So, if I have access to the server, then I should have access to the application as well.

So, does anyone know where the hook is?

! acl

access-list acl_vpn_clients remark *** VPN access for Customers to resources ***
access-list acl_vpn_clients extended permit ip 172.16.13.0 255.255.255.0 host 172.16.3.101

! web-acl

access-list acl_web_clients webtype permit url http://172.16.3.101/* log default

access-list acl_web_clients webtype permit url rdp://172.16.3.101/* log default

! default policy

dynamic-access-policy-record ClientsAccessPolicy

description "Default Access Policy for clients WebVPN/Anyconnect users"

network-acl acl_vpn_clients

webvpn

  appl-acl acl_web_clients

  url-list value Corporative

  ...

...

wbr,

Serg

Marcin Latosiewicz
Cisco Employee

Serg,

Can you try it out with split-tunneling enabled?

What's most likely failing is a connection opened by mstsc to the host itself...

Sniff traffic, logs... I wonder if it makes it through ASA at all.

Marcin

Marcin,

Well, I have split-tunneling enabled there.

group-policy col.clients attributes
 vpn-filter value acl_vpn_clients
 vpn-tunnel-protocol svc webvpn
 group-lock value col.clients
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_clients

access-list vpn_clients extended permit ip host 172.16.3.101 172.16.13.0 255.255.255.0

172.16.13.0/24  - webvpn clients

172.16.3.101 - mstsc and the remoteapp as well

The matter is that I have no access to the remote host. But, as I said, the remote app runs properly while running within the 172.16.3.0/24 inside, as well as while the AnyConnect client is running, btw. So, I have no idea where the problem could be.

wbr,

Serg

Serg,

Apologies! I think I was tired yesterday night. I meant smart tunneling and not split tunneling. Split tunneling will not affect clientless access.

Marcin

Marcin,

Well, smart tunneling is enabled as well.

webvpn

...

smart-tunnel list ST_Clients App1 app1.exe platform windows

smart-tunnel list ST_Clients App2 app2.exe platform windows

...

group-policy col.clients attributes

...

webvpn

   ...

   smart-tunnel auto-start ST_Clients

Serg,

Is this a copy and paste from the configuration? :O

What applications are being smart tunneled (and is your browser itself smart tunneled)?

Marcin

Marcin,


Yes. This is a copy/paste from the current ASA running-config.

I just replaced the names of the applications, and nothing more.

But the first one is a billing one, the other one is an accounting one. Both work in a Windows environment.

And as I wrote before, both work properly under AnyConnect and inside the LAN.

Dunno what to think.

P.S. No, I haven't added the browser itself into the smart-tunneling environment.

wbr,

Serg

Serg,

can you try adding:

iexplore.exe

mstsc.exe

TSWbPrxy.exe

These are the processes involved, as far as I understand which app you're using.

The processes were "reverse engineered" by looking at Process Monitor during execution ;-)

Marcin

Marcin,

Wow!! Everything goes on after adding the three lines you wrote above! Reversed engineering hooks awesome!))

THANK YOU!!!!!

-)

wbr,

Serg

Serg,

Awesome

Can you run two more tests for me? (If you have the time)


1) Try with smart tunneling only mstsc.exe

2) Try with smart tunneling mstsc.exe and TSWbPrxy.exe


At least we'd understand which one makes it work exactly :-)

Marcin

Marcin,

It's been started properly with the mstsc.exe helper only.

So, I suppose the other additional helpers (iexplorer/proxy) can be removed with no influence on the service execution.

THANKS)

wbr,

Serg
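
The check that resolved this thread, as an added example that is not part of the original posts: a short Python audit that reads an ASA running-config and reports which group-policies auto-start a smart-tunnel list that does not contain a given client process such as mstsc.exe. The config excerpt is constructed; the `ST_RDP` list and the `col.admins` policy are hypothetical names, and only the command forms quoted in the thread are parsed.

```python
import re

# Constructed running-config excerpt. Command forms follow the thread;
# the ST_RDP list and the col.admins policy are hypothetical.
SAMPLE_CONFIG = """\
webvpn
 smart-tunnel list ST_Clients App1 app1.exe platform windows
 smart-tunnel list ST_Clients App2 app2.exe platform windows
 smart-tunnel list ST_RDP RDP mstsc.exe platform windows
group-policy col.clients attributes
 webvpn
  smart-tunnel auto-start ST_Clients
group-policy col.admins attributes
 webvpn
  smart-tunnel auto-start ST_RDP
"""

LIST_RE = re.compile(r"^\s*smart-tunnel list (\S+) (\S+) (\S+)")
POLICY_RE = re.compile(r"^group-policy (\S+) attributes")
START_RE = re.compile(r"^\s+smart-tunnel auto-start (\S+)")


def parse_smart_tunnels(config):
    """Return (lists, policies): list name -> set of lowercased process
    names, and group-policy name -> smart-tunnel list it auto-starts."""
    lists, policies, current = {}, {}, None
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            current = m.group(1)
        elif line and not line[0].isspace():
            current = None  # any other top-level command ends the policy block
        if m := LIST_RE.match(line):
            lists.setdefault(m.group(1), set()).add(m.group(3).lower())
        elif (m := START_RE.match(line)) and current:
            policies[current] = m.group(1)
    return lists, policies


def policies_missing_process(config, process):
    """Group-policies whose auto-started list does not tunnel `process`."""
    lists, policies = parse_smart_tunnels(config)
    return sorted(policy for policy, name in policies.items()
                  if process.lower() not in lists.get(name, set()))


if __name__ == "__main__":
    for policy in policies_missing_process(SAMPLE_CONFIG, "mstsc.exe"):
        print(f"{policy}: mstsc.exe is not in its smart-tunnel list")
```

The same parse can be used in the other direction, to list every process a policy tunnels so that entries found unnecessary in testing can be removed.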