Hi there, I am having trouble getting RDP working, and I feel like I am missing a step. I can RDP fine over the local LAN, just not the fabric.
Here is my setup script:
#!/bin/bash
export NAME=jp.rdp
export PORT=3889

# Intercept config shared by both services: clients intercept *.jp on $PORT and
# the tunneler dials the terminator whose identity name equals the intercepted
# hostname. $dst_hostname is expanded by the tunneler, not by the shell, so the
# surrounding single quotes keep it literal; only ${PORT} is spliced in.
ziti edge create config "${NAME}".cfg.intercept.v1 intercept.v1 '{
"addresses": ["*.jp"],
"protocols": ["tcp", "udp"],
"portRanges": [ {"low":'"${PORT}"',"high":'"${PORT}"'} ],
"dialOptions": { "identity": "$dst_hostname" }
}'

# Host configs: each hosting tunneler forwards to the local RDP port and binds
# a terminator named after its own identity ($tunneler_id.name, again expanded
# by the tunneler). One config per transport, because host.v1 "protocol" is fixed.
ziti edge create config "${NAME}".tcp.cfg.host.v1 host.v1 '{
"address":"127.0.0.1",
"protocol":"tcp",
"port":'"${PORT}"',
"listenOptions": { "identity": "$tunneler_id.name" }
}'
ziti edge create config "${NAME}".udp.cfg.host.v1 host.v1 '{
"address":"127.0.0.1",
"protocol":"udp",
"port":'"${PORT}"',
"listenOptions": { "identity": "$tunneler_id.name" }
}'

# One service per transport, each attaching the shared intercept config and
# its own host config.
ziti edge create service "${NAME}".udp.service \
--configs "${NAME}".cfg.intercept.v1,"${NAME}".udp.cfg.host.v1 \
--role-attributes "${NAME}".dial,"${NAME}".bind
ziti edge create service "${NAME}".tcp.service \
--configs "${NAME}".cfg.intercept.v1,"${NAME}".tcp.cfg.host.v1 \
--role-attributes "${NAME}".dial,"${NAME}".bind

# Policies: identities tagged #jp.rdp.bind may host both services,
# identities tagged #jp.rdp.dial may connect to them.
ziti edge create service-policy "${NAME}".bind Bind \
--identity-roles '#'"${NAME}.bind" \
--service-roles '@'"${NAME}".udp.service,'@'"${NAME}".tcp.service
ziti edge create service-policy "${NAME}".dial Dial \
--identity-roles '#'"${NAME}.dial" \
--service-roles '@'"${NAME}".udp.service,'@'"${NAME}".tcp.service

# Stop here; the cleanup below only runs if this exit is removed.
exit

# scorched earth protocol
ziti edge delete config "${NAME}".cfg.intercept.v1
ziti edge delete config "${NAME}".rdp.cfg.host.v1   # not created above
ziti edge delete config "${NAME}".tcp.cfg.host.v1
ziti edge delete config "${NAME}".udp.cfg.host.v1
ziti edge delete service "${NAME}".tcp.service
ziti edge delete service "${NAME}".udp.service
ziti edge delete service-policy "${NAME}".bind
ziti edge delete service-policy "${NAME}".dial
Here is the log on my (macOS) system:
[2023-09-19T21:37:03:417Z] INFO PacketTunnelProvider:ZitiTunnelDelegate.swift:222 tunnelEventCallback() ZitiTunnelEvent: <CZiti.ZitiTunnelServiceEvent: 0x138f111b0>
identity: falkor.jp:"QzsXz46HR"
status:
removed: (0)
added: (2)
0:{"id":"E6x7M62kC7VPewX8P3v5u","intercept.v1":{"protocols":["tcp","udp"],"portRanges":[{"low":3889,"high":3889}],"addresses":["*.jp"],"dialOptions":{"identity":"$dst_hostname"}},"postureQuerySets":[{"policyId":"3ZpywlsygpvRD9Rh63zXNS","policyType":"Dial","isPassing":true}],"encrypted":true,"host.v1":{"port":3889,"protocol":"tcp","listenOptions":{"identity":"$tunneler_id.name"},"address":"127.0.0.1"},"permFlags":1,"name":"jp.rdp.tcp.service"}
1:{"id":"24on9lgJd1zOcY3JWLyhbG","intercept.v1":{"protocols":["tcp","udp"],"portRanges":[{"low":3889,"high":3889}],"addresses":["*.jp"],"dialOptions":{"identity":"$dst_hostname"}},"postureQuerySets":[{"policyId":"3ZpywlsygpvRD9Rh63zXNS","policyType":"Dial","isPassing":true}],"encrypted":true,"host.v1":{"port":3889,"protocol":"udp","listenOptions":{"identity":"$tunneler_id.name"},"address":"127.0.0.1"},"permFlags":1,"name":"jp.rdp.udp.service"}
[2023-09-19T21:37:03:440Z] INFO PacketTunnelProvider:PacketTunnelProvider.swift:207 updateTunnelNetworkSettings() route: 100.64.0.1 / 255.192.0.0
[2023-09-19T21:37:03:440Z] INFO PacketTunnelProvider:PacketTunnelProvider.swift:210 updateTunnelNetworkSettings() excluding route: 13.xxx.xxx.153 / 255.255.255.255
[2023-09-19T21:37:03:553Z] INFO PacketTunnelProvider:PacketTunnelProvider.swift:379 logNetworkPath() Network Path Update:
Status:satisfied, Expensive:false, Cellular:false, DNS:true
Interfaces:
17: name:en1, type:wifi
[2023-09-19T21:37:03:580Z] WARN PacketTunnelProvider:PacketTunnelProvider.swift:325 getUpstreamDns() No fallback DNS configured. Setting to first resolver: 10.1.1.1
[2023-09-19T21:37:03:580Z] INFO PacketTunnelProvider:PacketTunnelProvider.swift:364 startNetworkMonitor() Setting fallback DNS to 10.1.1.1
(86595)[2023-09-19T21:37:03.580Z] INFO tunnel-cbs:ziti_dns.c:232 ziti_dns_set_upstream() DNS upstream is set to 10.1.1.1:53
(86595)[2023-09-19T21:37:03.645Z] INFO tunnel-cbs:ziti_dns.c:641 proxy_domain_req() writing proxy resolve [{
"status":0,
"id":52259,
"recursive":0,
"question":[{
"name":"lb._dns-sd._udp.jp",
"type":12
}]
}]
[2023-09-19T21:37:03:682Z] INFO PacketTunnelProvider:PacketTunnelProvider.swift:379 logNetworkPath() Network Path Update:
Status:satisfied, Expensive:false, Cellular:false, DNS:true
Interfaces:
17: name:en1, type:wifi
26: name:utun4, type:other
[2023-09-19T21:37:03:696Z] WARN PacketTunnelProvider:PacketTunnelProvider.swift:325 getUpstreamDns() No fallback DNS configured. Setting to first resolver: 10.1.1.1
[2023-09-19T21:37:03:696Z] INFO PacketTunnelProvider:PacketTunnelProvider.swift:364 startNetworkMonitor() Setting fallback DNS to 10.1.1.1
(86595)[2023-09-19T21:37:03.696Z] INFO tunnel-cbs:ziti_dns.c:232 ziti_dns_set_upstream() DNS upstream is set to 10.1.1.1:53
(86595)[2023-09-19T21:37:03.980Z] ERROR ziti-sdk:connect.c:965 connect_reply_cb() conn[0.5/Connecting] failed to connect, reason=service 24on9lgJd1zOcY3JWLyhbG has no terminators for instanceId
(86595)[2023-09-19T21:37:03.980Z] ERROR tunnel-cbs:ziti_dns.c:592 on_proxy_connect() failed to establish proxy resolve connection for domain[*.jp]
(86595)[2023-09-19T21:37:03.980Z] INFO tunnel-cbs:ziti_dns.c:627 on_proxy_write() proxy resolve write: -23
(86595)[2023-09-19T21:38:04.293Z] INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]
(86595)[2023-09-19T21:39:47.622Z] INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]
(86595)[2023-09-19T21:45:44.907Z] INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]
(86595)[2023-09-19T21:49:18.117Z] INFO ziti-sdk:ziti.c:1422 ziti_set_api_session() ztx[0] api session set, setting api_session_timer to 1740s
(86595)[2023-09-19T21:50:52.499Z] INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]
Ping is OK.
Log on the RDP host:
[2023-09-19T21:40:29.877Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:221 on_command_resp() resp[1,len=187] = {"Success":true,"Data":{"Command":"IdentityOnOff","Data":{"OnOff":true,"Identifier":"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming/NetFoundry/rdphost.jp.json"}},"Code":0}
[2023-09-19T21:40:29.877Z] INFO ziti-sdk:ziti.c:865 ziti_re_auth_with_cb() ztx[0] starting to re-auth with ctlr[https://ziti.mydomain.com:8441] api_session_status[0] api_session_expired[TRUE]
[2023-09-19T21:40:30.092Z] INFO ziti-sdk:ziti.c:1531 version_cb() ztx[0] connected to controller https://ziti.mydomain.com:8441 version v0.30.1(c74a60a04f1d 2023-08-22T20:01:59Z)
[2023-09-19T21:40:30.176Z] INFO ziti-sdk:ziti.c:1422 ziti_set_api_session() ztx[0] api session set, setting api_session_timer to 1740s
[2023-09-19T21:40:30.176Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:726 on_ziti_event() ziti_ctx[rdphost.jp] connected to controller
[2023-09-19T21:40:30.180Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1138 on_event() ztx[C:\Windows\system32\config\systemprofile\AppData\Roaming/NetFoundry/rdphost.jp.json] context event : status is OK
[2023-09-19T21:40:30.380Z] INFO ziti-sdk:channel.c:234 new_ziti_channel() ch[1] (ziti.mydomain.com@tls://ziti.mydomain.com:8442) new channel for ztx[0] identity[rdphost.jp]
[2023-09-19T21:40:30.380Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:797 on_ziti_event() ztx[rdphost.jp] added edge router ziti.mydomain.com@tls://ziti.mydomain.com:8442@ziti.mydomain.com
[2023-09-19T21:40:30.383Z] INFO ziti-sdk:channel.c:733 reconnect_channel() ch[1] reconnecting NOW
[2023-09-19T21:40:30.517Z] INFO ziti-sdk:posture.c:204 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2023-09-19T21:40:30.517Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:701 on_service() hosting server_address[tcp:127.0.0.1:3889] service[jp.rdp.tcp.service]
[2023-09-19T21:40:30.517Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:701 on_service() hosting server_address[udp:127.0.0.1:3889] service[jp.rdp.udp.service]
[2023-09-19T21:40:30.517Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1263 on_event() =============== service event (added) - jp.rdp.tcp.service:E6x7M62kC7VPewX8P3v5u ===============
[2023-09-19T21:40:30.517Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1263 on_event() =============== service event (added) - jp.rdp.udp.service:24on9lgJd1zOcY3JWLyhbG ===============
[2023-09-19T21:40:30.660Z] INFO ziti-sdk:channel.c:631 hello_reply_cb() ch[1] connected. EdgeRouter version: v0.30.1|c74a60a04f1d|2023-08-22T20:01:59Z|linux|amd64
[2023-09-19T21:40:30.660Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:801 on_ziti_event() ztx[rdphost.jp] router ziti.mydomain.com@tls://ziti.mydomain.com:8442 connected
[2023-09-19T21:41:36.051Z] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:620 on_cmd() received from client - EOF. Closing connection.
[2023-09-19T21:41:36.051Z] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:632 on_cmd() IPC client connection closed, count: 1
[2023-09-19T21:41:39.569Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:774 send_events_message() Events client write operation failed, received error - EPIPE
[2023-09-19T21:41:39.569Z] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:779 send_events_message() Events client connection closed
[2023-09-19T21:41:39.569Z] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:785 send_events_message() Events client connection current count : 1
Output of policy advisor:
$ zpa services -q
OKAY : zitihost.jp (1) -> jp.https.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.https.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdphost.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest1.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest3.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest2.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : zitihost.jp (1) -> jp.https8443.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.https8443.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : pbs.jp (1) -> jp.pbs.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.pbs.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : zitihost.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pve2.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pbs.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: Y Bind: Y
OKAY : pve1.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: Y Bind: Y
OKAY : pve3.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pve2.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : pve1.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pve3.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : rdphost.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest1.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest3.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest2.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : zitihost.jp (1) -> jp.http.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.http.service (1) Common Routers: (1/1) Dial: Y Bind: N
Firewall rules and rdphost
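The following is an added example, not code from the post or from the OpenZiti project. It takes the two service records exactly as the macOS tunneler logged them (intercept.v1 plus host.v1 per service), the "no terminators" error line from the same log, and the policy-advisor lines for the RDP services, and runs the checks a reviewer would want before blaming the firewall: does each host.v1 forward every protocol its intercept captures (host.v1 `protocol` is a single value; `forwardProtocol` with `allowedProtocols` covers several), does a `$dst_hostname` dial have a `listenOptions.identity` on the hosting side, do two services claim the same address/protocol/port intercept, which service a "no terminators" dial failure refers to, and is every dialable service bound by at least one identity. The function names, the `jp.example.service` policy-advisor line (constructed to show a dialable service with no binder) and the `SERVICES`/`MAC_LOG`/`ZPA_OUTPUT` inputs are this example's own.

```python
import re
from collections import defaultdict

# Service records as the macOS tunneler reported them in the post
# (ZitiTunnelServiceEvent), trimmed to the fields the checks below use.
SERVICES = [
    {"id": "E6x7M62kC7VPewX8P3v5u", "name": "jp.rdp.tcp.service",
     "intercept.v1": {"protocols": ["tcp", "udp"], "addresses": ["*.jp"],
                      "portRanges": [{"low": 3889, "high": 3889}],
                      "dialOptions": {"identity": "$dst_hostname"}},
     "host.v1": {"address": "127.0.0.1", "protocol": "tcp", "port": 3889,
                 "listenOptions": {"identity": "$tunneler_id.name"}}},
    {"id": "24on9lgJd1zOcY3JWLyhbG", "name": "jp.rdp.udp.service",
     "intercept.v1": {"protocols": ["tcp", "udp"], "addresses": ["*.jp"],
                      "portRanges": [{"low": 3889, "high": 3889}],
                      "dialOptions": {"identity": "$dst_hostname"}},
     "host.v1": {"address": "127.0.0.1", "protocol": "udp", "port": 3889,
                 "listenOptions": {"identity": "$tunneler_id.name"}}},
]

# One line copied from the macOS tunneler log in the post.
MAC_LOG = ["(86595)[2023-09-19T21:37:03.980Z] ERROR ziti-sdk:connect.c:965 connect_reply_cb() "
           "conn[0.5/Connecting] failed to connect, reason=service 24on9lgJd1zOcY3JWLyhbG "
           "has no terminators for instanceId"]

# Policy-advisor lines from the post for the two RDP services, plus one constructed
# line (jp.example.service is not in the post) with a dialer but no binder.
ZPA_OUTPUT = [
    "OKAY : rdphost.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: N Bind: Y",
    "OKAY : falkor.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N",
    "OKAY : rdphost.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: N Bind: Y",
    "OKAY : falkor.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N",
    "OKAY : falkor.jp (1) -> jp.example.service (1) Common Routers: (1/1) Dial: Y Bind: N",
]

def hosted_protocols(host):
    """Protocols a host.v1 config forwards: the fixed 'protocol', or 'allowedProtocols'
    when 'forwardProtocol' is set (both are host.v1 schema fields)."""
    if host.get("forwardProtocol"):
        return set(host.get("allowedProtocols", []))
    return {host["protocol"]} if "protocol" in host else set()

def check_service(svc):
    """Findings for one service's intercept.v1 / host.v1 pair."""
    findings = []
    icpt, host = svc["intercept.v1"], svc["host.v1"]
    unserved = set(icpt["protocols"]) - hosted_protocols(host)
    if unserved:
        findings.append(f"{svc['name']}: intercepts {sorted(unserved)} but host.v1 "
                        f"forwards only {sorted(hosted_protocols(host))}")
    dial_identity = icpt.get("dialOptions", {}).get("identity")
    if dial_identity and not host.get("listenOptions", {}).get("identity"):
        findings.append(f"{svc['name']}: dialOptions.identity={dial_identity!r} but "
                        "host.v1 sets no listenOptions.identity, so there is no terminator to dial")
    return findings

def intercept_overlaps(services):
    """Each (address, protocol, low, high, first service, second service) claimed by
    two services; the configs alone do not say which service such a connection uses."""
    claims = defaultdict(list)  # (address, protocol) -> [(low, high, service name)]
    overlaps = []
    for svc in services:
        icpt = svc["intercept.v1"]
        for addr in icpt["addresses"]:
            for proto in icpt["protocols"]:
                for pr in icpt["portRanges"]:
                    for low, high, other in claims[(addr, proto)]:
                        if pr["low"] <= high and low <= pr["high"]:
                            overlaps.append((addr, proto, pr["low"], pr["high"], other, svc["name"]))
                    claims[(addr, proto)].append((pr["low"], pr["high"], svc["name"]))
    return overlaps

NO_TERMINATOR = re.compile(r"service (\S+) has no terminators")

def no_terminator_services(log_lines, services):
    """Names of services whose dial failed because no identity had bound them yet."""
    by_id = {s["id"]: s["name"] for s in services}
    return [by_id.get(m.group(1), m.group(1))
            for m in filter(None, map(NO_TERMINATOR.search, log_lines))]

ZPA_LINE = re.compile(r"^OKAY : (?P<identity>\S+) \(\d+\) -> (?P<service>\S+) \(\d+\) "
                      r"Common Routers: \(\d+/\d+\) Dial: (?P<dial>[YN]) Bind: (?P<bind>[YN])$")

def services_without_binder(zpa_lines):
    """Services some identity may dial but no identity is permitted to bind."""
    dialers, binders = defaultdict(set), defaultdict(set)
    for m in filter(None, map(ZPA_LINE.match, zpa_lines)):
        if m["dial"] == "Y":
            dialers[m["service"]].add(m["identity"])
        if m["bind"] == "Y":
            binders[m["service"]].add(m["identity"])
    return sorted(s for s in dialers if not binders[s])

if __name__ == "__main__":
    for svc in SERVICES:
        print(*check_service(svc), sep="\n")
    print("overlaps:", intercept_overlaps(SERVICES))
    print("no terminator:", no_terminator_services(MAC_LOG, SERVICES))
    print("dialable but unbound:", services_without_binder(ZPA_OUTPUT))
```

Run against the post's own data, the config check reports that each service intercepts both tcp and udp while its host.v1 forwards only one of them, the overlap check reports that both services claim `*.jp` on 3889 for both protocols (the shared intercept config is what causes that), the log check maps the "no terminators" id `24on9lgJd1zOcY3JWLyhbG` back to `jp.rdp.udp.service`, and the policy-advisor check is clean for the RDP services (only the constructed `jp.example.service` line is flagged). A timing note for reading the logs: the macOS dial that failed is stamped 21:37:03, while the RDP host's tunneler reports hosting both services at 21:40:30, so the same dial retried after that point would not hit the "no terminators" path.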