I set up a dual-firewall DMZ and I have an RD Gateway Windows 2019 server in the DMZ.
I set port forwarding on the first router (external) to the internal one, a pfSense with HAProxy with 3 interfaces: WAN (DMZ), LAN and another VLAN I use for management purposes.
HAProxy is set to forward remote.mydomain.com to a web server (it also has the RD Gateway role installed and SSTP) on the LAN and rdp.mydomain.com to the RD Gateway server in the DMZ.
The reason is that I am trying to move RDP into the DMZ.
When I try to connect to a server on the LAN through RDP in the DMZ it seems to work, but the session keeps disconnecting and reconnecting every 30 s, so I tried to change the server timeout from 30000 ms to 360000 ms on the frontend and on the backend, but it keeps disconnecting and reconnecting faster.
I did some tests and the strange thing is that if I point to the old RD Gateway server on the LAN it works like a charm, as do SSTP and the web server.
It works perfectly even if I set port forwarding on the external router directly to the new RDP server in the DMZ.
Could you help me?
I'm posting my configuration:
# Automatically generated, don't edit manually.
# Generated on: 2022-04-10 03:49
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

# Plain HTTP on the DMZ-side address: only redirects the three hostnames to HTTPS
frontend web2
    bind 10.3.5.39:80 name 10.3.5.39:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 3600000
    acl httpRedirectACL var(txn.txnhost) -m str -i web2.domain.com
    acl httpRedirectACL var(txn.txnhost) -m str -i agenzia.domain.com
    acl httpRedirectACL var(txn.txnhost) -m str -i rdp.domain.com
    http-request set-var(txn.txnhost) hdr(host)
    http-request redirect scheme HTTPS if httpRedirectACL
    http-request deny if { req.hdr_cnt(content-length) gt 1 }
    http-response deny if { res.hdr_cnt(content-length) gt 1 }

# TLS passthrough: TCP mode, routed on the SNI of the ClientHello, no TLS termination on pfSense
frontend FrontendHTTPS
    bind 10.3.5.39:443 name 10.3.5.39:443
    mode tcp
    log global
    timeout client 3600000
    tcp-request inspect-delay 5s
    acl web2 req.ssl_sni -i web2.domain.com
    acl agenzia req.ssl_sni -i agenzia.domain.com
    acl rdp req.ssl_sni -i rdp.domain.com
    # wait (up to inspect-delay) for a ClientHello so req.ssl_sni is populated before routing
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend BackEnd-web2_ipvANY if web2
    use_backend REMOTE_ipvANY if agenzia
    use_backend RDP_ipvANY if rdp

backend BackEnd-web2_ipvANY
    mode tcp
    id 100
    log global
    timeout connect 30000
    timeout server 3600000
    retries 3
    server web2 10.3.10.71:8443 id 101 check-ssl check inter 1000 verify none

# old RD Gateway / SSTP / web server on the LAN
backend REMOTE_ipvANY
    mode tcp
    id 102
    log global
    option log-health-checks
    timeout connect 30000
    timeout server 8000000
    retries 3
    server REMOTE 10.3.10.25:443 id 103 check-ssl check inter 1000 verify none

# new RD Gateway in the DMZ
backend RDP_ipvANY
    mode tcp
    id 104
    log global
    option log-health-checks
    timeout connect 30000
    timeout server 8000000
    retries 3
    server RDP 10.3.5.19:443 id 103 check-ssl check inter 1000 verify none
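As an added example (not part of the original post), here is a small Python script that parses an HAProxy TLS-passthrough config like the one above, resolves which SNI name lands on which backend, confirms that the frontend carries the two directives it needs to read the SNI before routing (`tcp-request inspect-delay` and `tcp-request content accept if { req.ssl_hello_type 1 }`), and reports the idle timeout that effectively bounds each route: `timeout tunnel` if the backend sets one, otherwise the shorter of the frontend's `timeout client` and the backend's `timeout server`. The embedded config is a reduced copy of the posted frontend and backends; the function names and the `SAMPLE_CFG` constant are this example's own.

```python
"""Audit SNI routes and effective idle timeouts in an HAProxy TCP-mode passthrough config.

Added example, not the poster's own code. Embedded config is a constructed, reduced copy
of the posted FrontendHTTPS frontend and its three backends.
"""
import re

SAMPLE_CFG = """
frontend FrontendHTTPS
    bind 10.3.5.39:443 name 10.3.5.39:443
    mode tcp
    timeout client 3600000
    tcp-request inspect-delay 5s
    acl web2 req.ssl_sni -i web2.domain.com
    acl agenzia req.ssl_sni -i agenzia.domain.com
    acl rdp req.ssl_sni -i rdp.domain.com
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend BackEnd-web2_ipvANY if web2
    use_backend REMOTE_ipvANY if agenzia
    use_backend RDP_ipvANY if rdp
backend BackEnd-web2_ipvANY
    mode tcp
    timeout connect 30000
    timeout server 3600000
    server web2 10.3.10.71:8443 check
backend REMOTE_ipvANY
    mode tcp
    timeout server 8000000
    server REMOTE 10.3.10.25:443 check
backend RDP_ipvANY
    mode tcp
    timeout server 8000000
    server RDP 10.3.5.19:443 check
"""

# HAProxy time units; a bare integer means milliseconds.
_UNIT_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def parse_timeout_ms(value):
    """Convert an HAProxy time value ('5s', '15m', '3600000') to milliseconds."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNIT_MS[m.group(2) or "ms"]


def parse_sections(text):
    """Split the config into {(kind, name): [directive lines]}; comments and blanks dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = line.split()
        if head[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = (head[0], head[1] if len(head) > 1 else "")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def sni_routes(frontend_lines):
    """Map SNI hostname -> backend by joining 'acl X req.ssl_sni -i host' with 'use_backend B if X'."""
    acls, routes = {}, {}
    for line in frontend_lines:
        m = re.match(r"acl\s+(\S+)\s+req\.ssl_sni\s+-i\s+(\S+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).lower())
        m = re.match(r"use_backend\s+(\S+)\s+if\s+(\S+)$", line)
        if m:
            for host in acls.get(m.group(2), []):
                routes[host] = m.group(1)
    return routes


def timeout_of(lines, which):
    """Return 'timeout <which>' from a section in ms, or None if it is not set."""
    for line in lines:
        m = re.match(rf"timeout\s+{which}\s+(\S+)", line)
        if m:
            return parse_timeout_ms(m.group(1))
    return None


def check_frontend(lines):
    """A passthrough frontend must buffer the ClientHello before req.ssl_sni can match."""
    has_delay = any(l.startswith("tcp-request inspect-delay") for l in lines)
    has_accept = any("req.ssl_hello_type 1" in l for l in lines)
    return has_delay and has_accept


def audit(text):
    """Return {host: {frontend, backend, passthrough_ok, effective_idle_ms}} for every SNI route."""
    sections, result = parse_sections(text), {}
    for (kind, name), lines in sections.items():
        if kind != "frontend":
            continue
        client_to, ok = timeout_of(lines, "client"), check_frontend(lines)
        for host, backend in sni_routes(lines).items():
            blines = sections.get(("backend", backend), [])
            tunnel_to = timeout_of(blines, "tunnel")
            # Once content rules have accepted, 'timeout tunnel' (if set) governs the idle connection;
            # otherwise the shorter of the client-side and server-side inactivity timers fires first.
            candidates = [t for t in (client_to, timeout_of(blines, "server")) if t is not None]
            idle = tunnel_to if tunnel_to is not None else (min(candidates) if candidates else None)
            result[host] = {"frontend": name, "backend": backend,
                            "passthrough_ok": ok, "effective_idle_ms": idle}
    return result


if __name__ == "__main__":
    for host, info in audit(SAMPLE_CFG).items():
        print(f"{host:22} -> {info['backend']:22} sni_ok={info['passthrough_ok']} "
              f"idle={info['effective_idle_ms']} ms")
```

Run against the posted config, all three routes come out with an effective idle bound of 3600000 ms: the backends' 8000000 ms `timeout server` is never the binding limit because the frontend's `timeout client` is the shorter of the two, so raising only the backend side changes nothing for a fully idle tunnel.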