I can't seem to get RDP working

Hi there, I am having trouble getting RDP working, and I feel like I am missing a step. I can RDP fine over the local LAN, just not the fabric.

Here is my setup script:

#! /bin/bash
# Creates the Ziti configs, services and policies for an RDP service reached
# as <host>.jp over the fabric. NAME prefixes every object; PORT is used on
# both the intercept (client) side and the host (server) side.

export NAME=jp.rdp
export PORT=3889

# intercept.v1: what the client-side tunneler captures. "protocols" is a list,
# so one intercept config covers tcp and udp. "$dst_hostname" in dialOptions
# sends each dial to the terminator whose identity matches the hostname dialed.
ziti edge create config "${NAME}".cfg.intercept.v1 intercept.v1 '{
    "addresses": ["*.jp"],
    "protocols": ["tcp", "udp"],
    "portRanges": [ {"low":'"${PORT}"',"high":'"${PORT}"'} ],
    "dialOptions": { "identity": "$dst_hostname" }
  }'

# host.v1: where the hosting tunneler forwards traffic. It takes a single
# "protocol" string and a single "port", hence one config per protocol.
# "$tunneler_id.name" in listenOptions registers the terminator under the
# hosting identity's name so that "$dst_hostname" above can select it.
ziti edge create config "${NAME}".tcp.cfg.host.v1 host.v1 '{
  "address":"127.0.0.1",
  "protocol":"tcp",
  "port":'"${PORT}"',
  "listenOptions": { "identity": "$tunneler_id.name" }
  }'

ziti edge create config "${NAME}".udp.cfg.host.v1 host.v1 '{
  "address":"127.0.0.1",
  "protocol":"udp",
  "port":'"${PORT}"',
  "listenOptions": { "identity": "$tunneler_id.name" }
  }'

# One service per protocol, each pairing the shared intercept config with its
# own host config. The role attributes are what the policies below match on.
ziti edge create service "${NAME}".udp.service \
  --configs "${NAME}".cfg.intercept.v1,"${NAME}".udp.cfg.host.v1 \
  --role-attributes "${NAME}".dial,"${NAME}".bind

ziti edge create service "${NAME}".tcp.service \
  --configs "${NAME}".cfg.intercept.v1,"${NAME}".tcp.cfg.host.v1 \
  --role-attributes "${NAME}".dial,"${NAME}".bind

# Bind policy: identities tagged #jp.rdp.bind may host both services.
ziti edge create service-policy "${NAME}".bind Bind \
  --identity-roles '#'"${NAME}.bind" \
  --service-roles '@'"${NAME}".udp.service,'@'"${NAME}".tcp.service

# Dial policy: identities tagged #jp.rdp.dial may connect to both services.
ziti edge create service-policy "${NAME}".dial Dial \
  --identity-roles '#'"${NAME}.dial" \
  --service-roles '@'"${NAME}".udp.service,'@'"${NAME}".tcp.service

exit

# scorched earth protocol
# Intentionally unreachable because of the exit above; comment out "exit" to
# tear everything down again. (".rdp.cfg.host.v1" is not created by this script.)

ziti edge delete config "${NAME}".cfg.intercept.v1
ziti edge delete config "${NAME}".rdp.cfg.host.v1
ziti edge delete config "${NAME}".tcp.cfg.host.v1
ziti edge delete config "${NAME}".udp.cfg.host.v1
ziti edge delete service "${NAME}".tcp.service
ziti edge delete service "${NAME}".udp.service
ziti edge delete service-policy "${NAME}".bind
ziti edge delete service-policy "${NAME}".dial

Here is the log on my (macOS) system:

[2023-09-19T21:37:03:417Z]    INFO PacketTunnelProvider:ZitiTunnelDelegate.swift:222 tunnelEventCallback() ZitiTunnelEvent: <CZiti.ZitiTunnelServiceEvent: 0x138f111b0>
   identity: falkor.jp:"QzsXz46HR"
   status: 
   removed: (0)
   added: (2)
      0:{"id":"E6x7M62kC7VPewX8P3v5u","intercept.v1":{"protocols":["tcp","udp"],"portRanges":[{"low":3889,"high":3889}],"addresses":["*.jp"],"dialOptions":{"identity":"$dst_hostname"}},"postureQuerySets":[{"policyId":"3ZpywlsygpvRD9Rh63zXNS","policyType":"Dial","isPassing":true}],"encrypted":true,"host.v1":{"port":3889,"protocol":"tcp","listenOptions":{"identity":"$tunneler_id.name"},"address":"127.0.0.1"},"permFlags":1,"name":"jp.rdp.tcp.service"}
      1:{"id":"24on9lgJd1zOcY3JWLyhbG","intercept.v1":{"protocols":["tcp","udp"],"portRanges":[{"low":3889,"high":3889}],"addresses":["*.jp"],"dialOptions":{"identity":"$dst_hostname"}},"postureQuerySets":[{"policyId":"3ZpywlsygpvRD9Rh63zXNS","policyType":"Dial","isPassing":true}],"encrypted":true,"host.v1":{"port":3889,"protocol":"udp","listenOptions":{"identity":"$tunneler_id.name"},"address":"127.0.0.1"},"permFlags":1,"name":"jp.rdp.udp.service"}

[2023-09-19T21:37:03:440Z]    INFO PacketTunnelProvider:PacketTunnelProvider.swift:207 updateTunnelNetworkSettings() route: 100.64.0.1 / 255.192.0.0
[2023-09-19T21:37:03:440Z]    INFO PacketTunnelProvider:PacketTunnelProvider.swift:210 updateTunnelNetworkSettings() excluding route: 13.xxx.xxx.153 / 255.255.255.255
[2023-09-19T21:37:03:553Z]    INFO PacketTunnelProvider:PacketTunnelProvider.swift:379 logNetworkPath() Network Path Update:
Status:satisfied, Expensive:false, Cellular:false, DNS:true
   Interfaces: 
     17: name:en1, type:wifi
[2023-09-19T21:37:03:580Z]    WARN PacketTunnelProvider:PacketTunnelProvider.swift:325 getUpstreamDns() No fallback DNS configured. Setting to first resolver: 10.1.1.1
[2023-09-19T21:37:03:580Z]    INFO PacketTunnelProvider:PacketTunnelProvider.swift:364 startNetworkMonitor() Setting fallback DNS to 10.1.1.1
(86595)[2023-09-19T21:37:03.580Z]    INFO tunnel-cbs:ziti_dns.c:232 ziti_dns_set_upstream() DNS upstream is set to 10.1.1.1:53
(86595)[2023-09-19T21:37:03.645Z]    INFO tunnel-cbs:ziti_dns.c:641 proxy_domain_req() writing proxy resolve [{
	"status":0,
	"id":52259,
	"recursive":0,
	"question":[{
		"name":"lb._dns-sd._udp.jp",
		"type":12
		}]
	}]
[2023-09-19T21:37:03:682Z]    INFO PacketTunnelProvider:PacketTunnelProvider.swift:379 logNetworkPath() Network Path Update:
Status:satisfied, Expensive:false, Cellular:false, DNS:true
   Interfaces: 
     17: name:en1, type:wifi 
     26: name:utun4, type:other
[2023-09-19T21:37:03:696Z]    WARN PacketTunnelProvider:PacketTunnelProvider.swift:325 getUpstreamDns() No fallback DNS configured. Setting to first resolver: 10.1.1.1
[2023-09-19T21:37:03:696Z]    INFO PacketTunnelProvider:PacketTunnelProvider.swift:364 startNetworkMonitor() Setting fallback DNS to 10.1.1.1
(86595)[2023-09-19T21:37:03.696Z]    INFO tunnel-cbs:ziti_dns.c:232 ziti_dns_set_upstream() DNS upstream is set to 10.1.1.1:53
(86595)[2023-09-19T21:37:03.980Z]   ERROR ziti-sdk:connect.c:965 connect_reply_cb() conn[0.5/Connecting] failed to connect, reason=service 24on9lgJd1zOcY3JWLyhbG has no terminators for instanceId 
(86595)[2023-09-19T21:37:03.980Z]   ERROR tunnel-cbs:ziti_dns.c:592 on_proxy_connect() failed to establish proxy resolve connection for domain[*.jp]
(86595)[2023-09-19T21:37:03.980Z]    INFO tunnel-cbs:ziti_dns.c:627 on_proxy_write() proxy resolve write: -23
(86595)[2023-09-19T21:38:04.293Z]    INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]
(86595)[2023-09-19T21:39:47.622Z]    INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]
(86595)[2023-09-19T21:45:44.907Z]    INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]
(86595)[2023-09-19T21:49:18.117Z]    INFO ziti-sdk:ziti.c:1422 ziti_set_api_session() ztx[0] api session set, setting api_session_timer to 1740s
(86595)[2023-09-19T21:50:52.499Z]    INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:rdphost.jp]

Ping is ok

Log on the RDP host:

[2023-09-19T21:40:29.877Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:221 on_command_resp() resp[1,len=187] = {"Success":true,"Data":{"Command":"IdentityOnOff","Data":{"OnOff":true,"Identifier":"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming/NetFoundry/rdphost.jp.json"}},"Code":0}
[2023-09-19T21:40:29.877Z]    INFO ziti-sdk:ziti.c:865 ziti_re_auth_with_cb() ztx[0] starting to re-auth with ctlr[https://ziti.mydomain.com:8441] api_session_status[0] api_session_expired[TRUE]
[2023-09-19T21:40:30.092Z]    INFO ziti-sdk:ziti.c:1531 version_cb() ztx[0] connected to controller https://ziti.mydomain.com:8441 version v0.30.1(c74a60a04f1d 2023-08-22T20:01:59Z)
[2023-09-19T21:40:30.176Z]    INFO ziti-sdk:ziti.c:1422 ziti_set_api_session() ztx[0] api session set, setting api_session_timer to 1740s
[2023-09-19T21:40:30.176Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:726 on_ziti_event() ziti_ctx[rdphost.jp] connected to controller
[2023-09-19T21:40:30.180Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1138 on_event() ztx[C:\Windows\system32\config\systemprofile\AppData\Roaming/NetFoundry/rdphost.jp.json] context event : status is OK
[2023-09-19T21:40:30.380Z]    INFO ziti-sdk:channel.c:234 new_ziti_channel() ch[1] (ziti.mydomain.com@tls://ziti.mydomain.com:8442) new channel for ztx[0] identity[rdphost.jp]
[2023-09-19T21:40:30.380Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:797 on_ziti_event() ztx[rdphost.jp] added edge router ziti.mydomain.com@tls://ziti.mydomain.com:8442@ziti.mydomain.com
[2023-09-19T21:40:30.383Z]    INFO ziti-sdk:channel.c:733 reconnect_channel() ch[1] reconnecting NOW
[2023-09-19T21:40:30.517Z]    INFO ziti-sdk:posture.c:204 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2023-09-19T21:40:30.517Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:701 on_service() hosting server_address[tcp:127.0.0.1:3889] service[jp.rdp.tcp.service]
[2023-09-19T21:40:30.517Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:701 on_service() hosting server_address[udp:127.0.0.1:3889] service[jp.rdp.udp.service]
[2023-09-19T21:40:30.517Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1263 on_event() =============== service event (added) - jp.rdp.tcp.service:E6x7M62kC7VPewX8P3v5u ===============
[2023-09-19T21:40:30.517Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1263 on_event() =============== service event (added) - jp.rdp.udp.service:24on9lgJd1zOcY3JWLyhbG ===============
[2023-09-19T21:40:30.660Z]    INFO ziti-sdk:channel.c:631 hello_reply_cb() ch[1] connected. EdgeRouter version: v0.30.1|c74a60a04f1d|2023-08-22T20:01:59Z|linux|amd64
[2023-09-19T21:40:30.660Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:801 on_ziti_event() ztx[rdphost.jp] router ziti.mydomain.com@tls://ziti.mydomain.com:8442 connected
[2023-09-19T21:41:36.051Z]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:620 on_cmd() received from client - EOF. Closing connection.
[2023-09-19T21:41:36.051Z]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:632 on_cmd() IPC client connection closed, count: 1
[2023-09-19T21:41:39.569Z]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:774 send_events_message() Events client write operation failed, received error - EPIPE
[2023-09-19T21:41:39.569Z]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:779 send_events_message() Events client connection closed
[2023-09-19T21:41:39.569Z]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:785 send_events_message() Events client connection current count : 1

Output of policy advisor:

$ zpa services -q
OKAY : zitihost.jp (1) -> jp.https.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.https.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdphost.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest1.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest3.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest2.jp (1) -> jp.rdp.udp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : zitihost.jp (1) -> jp.https8443.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.https8443.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : pbs.jp (1) -> jp.pbs.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.pbs.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : zitihost.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pve2.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pbs.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: Y Bind: Y
OKAY : pve1.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: Y Bind: Y
OKAY : pve3.jp (1) -> jp.ssh.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pve2.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : pve1.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : pve3.jp (1) -> jp.pve.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : rdphost.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest1.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest3.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rdpguest2.jp (1) -> jp.rdp.tcp.service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : zitihost.jp (1) -> jp.http.service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : falkor.jp (1) -> jp.http.service (1) Common Routers: (1/1) Dial: Y Bind: N

Firewall rules and rdphost
[four screenshots: the firewall rules and the RDP host configuration]

I have a question: you combined the "tcp" and "udp" protocols in the intercept.v1, but you have them separated for host.v1. Is there a reason for that?

Maybe try to create a host.v1 with both protocols and try again?

I think it was an inference on my part. The spec, I infer, is calling for 'protocol' with type string for host.v1, but 'protocols' with type list in intercept.v1. If I try the below I get the error underneath. It's the same with the port type: it accepts a single port, not a range. There is an option to port forward, but I haven't been doing that because it doesn't always support my config (there is another thread if you look for 'forwards').

ziti edge create config "${NAME}".cfg.host.v1 host.v1 '{
  "address":"127.0.0.1",
  "protocols":["udp", "tcp"], 
  "port":'"${PORT}"',
  "listenOptions": { "identity": "$tunneler_id.name" }
  }'
$ ./ziti-rdp.sh
New config jp.rdp.cfg.intercept.v1 created with id: mrvZzEGm1ydaVcCAutut8
error: error creating configs instance in Ziti Edge Controller at https://mydomain.com:8441/edge/management/v1. Status code: 400 Bad Request, Server returned: {
    "error": {
        "cause": {
            "field": "(root)",
            "reason": "(root) is invalid: (root): Must validate \"else\" as \"if\" was not valid",
            "value": "map[address:127.0.0.1 listenOptions:map[identity:$tunneler_id.name] port:3889 protocols:[udp tcp]]"
        },
        "code": "COULD_NOT_VALIDATE",
        "message": "The supplied request contains an invalid document or no valid accept content were available, see cause",
        "requestId": "aJmfOmaYK"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}
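A preflight check that covers both halves of this thread: the host.v1 shape the controller enforces (a single "protocol" string and one integer "port", so the list-form document above is rejected) and whether anything on the hosting machine actually listens at the address and port the config names. This is an added example, not code from the thread or from the OpenZiti project; the validation rules it applies are assumptions drawn from the error above rather than the controller's full schema, the fake listener stands in for a real RDP server so it runs offline, and `server_port` is whatever the server is known to use (3389 for a default RDP host).

```python
"""Preflight check for an OpenZiti host.v1 document (added example).

Validates the document's shape, then confirms a listener exists at
address:port before `ziti edge create config ... host.v1` is run.
The rules below are assumptions based on the 400 shown in the thread.
"""
import json
import socket
from typing import Dict, List, Optional

VALID_PROTOCOLS = ("tcp", "udp")


def validate_host_v1(cfg: Dict) -> List[str]:
    """Return the problems found; an empty list means the document is well-formed."""
    problems: List[str] = []
    if "protocols" in cfg:
        problems.append('host.v1 takes a single "protocol" string; the "protocols" list belongs to intercept.v1')
    if cfg.get("protocol") not in VALID_PROTOCOLS:
        problems.append(f'"protocol" must be one of {VALID_PROTOCOLS}, got {cfg.get("protocol")!r}')
    port = cfg.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f'"port" must be a single integer in 1..65535, got {port!r}')
    if not isinstance(cfg.get("address"), str) or not cfg["address"]:
        problems.append('"address" must be a non-empty string')
    return problems


def tcp_listening(address: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to address:port completes. UDP has no handshake,
    so a udp host.v1 cannot be probed this way."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host_v1_json: str, server_port: Optional[int] = None) -> List[str]:
    """Parse the JSON string that would be handed to the CLI, validate it, compare
    its port with the port the server is known to use, and probe the listener."""
    cfg = json.loads(host_v1_json)
    problems = validate_host_v1(cfg)
    if problems:
        return problems
    if server_port is not None and cfg["port"] != server_port:
        problems.append(f'config port {cfg["port"]} does not match server port {server_port}')
    if cfg["protocol"] == "tcp" and not tcp_listening(cfg["address"], cfg["port"]):
        problems.append(f'nothing listening on tcp {cfg["address"]}:{cfg["port"]}')
    return problems


def start_fake_listener() -> socket.socket:
    """Stand-in for the RDP server so the example runs offline. A bound, listening
    socket is enough: the kernel completes the handshake into the backlog without
    an accept() call. Port 0 picks a free ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def host_v1_doc(protocol: str, port: int) -> str:
    """Build the same document the bash script passes to the CLI."""
    return json.dumps({
        "address": "127.0.0.1",
        "protocol": protocol,
        "port": port,
        "listenOptions": {"identity": "$tunneler_id.name"},
    })


def demo() -> Dict[str, List[str]]:
    """Constructed scenario mirroring the thread: the server listens on one port
    while the config names another. Returns the findings for each case."""
    srv = start_fake_listener()
    real_port = srv.getsockname()[1]
    # A second ephemeral socket, bound then closed, yields a port nothing listens on.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    wrong_port = spare.getsockname()[1]
    spare.close()
    # The list-form document from the thread, which the controller rejects.
    bad_schema = json.dumps({"address": "127.0.0.1", "protocols": ["udp", "tcp"],
                             "port": 3889, "listenOptions": {"identity": "$tunneler_id.name"}})
    try:
        return {
            "schema": preflight(bad_schema),
            "mismatch": preflight(host_v1_doc("tcp", wrong_port), server_port=real_port),
            "ok": preflight(host_v1_doc("tcp", real_port), server_port=real_port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "no problems")
```

Run it on the hosting machine with `server_port` set to the port the RDP service is actually configured for; a non-empty result from `preflight` means the `ziti edge create config` call should not be made yet.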

Can you try port 3389?

Unless you changed it, that should be the default RDP port.

Hi @jptechnical

Just adding on to what @JamminSoleng is asking.

The config you're creating is using 3889 via the export variable PORT, but the screenshots showing the RDP server configuration show the standard 3389. So this could just be an issue with the wrong port being in the config.

OH MY GOD! Yes, I was so focused on the Ziti parts that I overlooked the simplest of all components. I can't believe it. Thank you so much.

Works great now. HAHA!