
Our environment requires that our Windows Server 2019 RDS Gateway (with the HTML 5 web client installed on it) be behind an nginx web proxy. The website portion of things works fine, but the connection drops when trying to connect to the RDS terminal session app in the HTML 5 web client. Using the RDS client works just fine.

Here's our setup:

  • Server 2019 RDS gateway is gateway.corp.domain.com
  • RDS gateway is configured to use remote.domain.com as the public address
  • remote.domain.com is pointed to the nginx web server
  • the nginx web server (using the correct web socket headers) passes traffic to and from the RDS gateway (gateway.corp.domain.com)

On the client side, we're getting the error in the web browser:

The connection to the remote PC was lost

In the web inspector console, we're seeing an error about not being able to establish a web socket connection:

Gateway channel creation failed with error code=2147965402

and

Could not connect to wss://remote.domain.com/remotedesktopgateway/...

Does anyone have any insight on what we can do to fix this so we can access our RDS apps through the web client?

I can't seem to find any documentation on this to see what exactly is needed by the HTML 5 web client server. Unfortunately, removing the reverse web proxy is not an option.

Micah Yeager

1 Answer


I finally figured it out while fixing another issue: the issue was caused by an overly restrictive Content-Security-Policy header added by the nginx reverse proxy.

Before, the header only had default-src; now it has img-src and media-src to allow the data: and blob: data types. This is the header that is working currently (probably overly permissive, but it works until we can review it further):

default-src * data: 'unsafe-eval' 'unsafe-inline'; img-src * data: blob:; media-src * data: blob:


Edit

Here is the associated nginx configuration (with everything else, too):

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name remote.example.com;

  # SSL
  ssl_certificate /path/to/ssl/fullchain.pem;
  ssl_certificate_key /path/to/ssl/privkey.pem;
  ssl_trusted_certificate /path/to/ssl/chain.pem;

  # reverse proxy
  location / {
    ### IP address is permissible here
    proxy_pass      https://gateway.corp.domain.com:443/;
    include         conf.d/proxy.part;
  }

  # security headers
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block;" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "no-referrer-when-downgrade" always;

  ### This is the header referenced above ###
  add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'; img-src * data: blob:; media-src * data: blob:" always;

  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  ### Be careful with this header; this will cause your site to break if it ever stops serving over TLS
  add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";

  # . files
  location ~ /\. {
    deny all;
  }

  # gzip
  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
}

I also included an IIS rewrite rule on the RDS server to automatically rewrite the path to the web client (e.g. remote.example.com to remote.example.com/rdweb/webclient), though this could be done in nginx as well.

Micah Yeager
  • Please please please share your configs for this. I have been banging my head against the wall trying to get this exact same thing to work! Thanks! – pmit Sep 23 '19 at 16:51
  • You got it! Updated my answer – Micah Yeager Sep 24 '19 at 17:36
  • Thanks for sharing your config. There is one problem with it: the Webfeed doesn't work. Did you find a solution for this problem? /RDWeb/FeedLogin/WebFeedLogin.aspx HTTP/1.1" 401 The authentication doesn't work. – HansFranz Jan 02 '20 at 15:05
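To make the accepted answer's CSP fix concrete, here is an added Python example (not code from the question, the answer, or Microsoft's web client) that evaluates Content-Security-Policy fetch directives the way a browser does for the loads the web client makes. It implements two rules that explain the breakage: a fetch directive that is absent falls back to default-src, and the `*` wildcard never matches data: or blob: URLs, so those must be listed explicitly. The "after" header is the one from the answer; the "before" header, the page origin and the sample URLs are constructed assumptions (the answer only says the old header carried default-src).

```python
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Fetch directives that defer to default-src when they are absent (a subset).
FALLS_BACK_TO_DEFAULT = {
    "img-src", "media-src", "script-src", "style-src", "connect-src",
    "font-src", "frame-src", "object-src", "worker-src", "child-src",
}

# CSP_AFTER is copied from the answer; CSP_BEFORE is an assumed header that
# carries only default-src, which is all the answer tells us about the old one.
CSP_BEFORE = "default-src *"
CSP_AFTER = ("default-src * data: 'unsafe-eval' 'unsafe-inline'; "
             "img-src * data: blob:; media-src * data: blob:")

# Constructed sample loads resembling what the HTML5 web client performs:
# the gateway WebSocket, plus blob:/data: images drawn into the session canvas.
SAMPLE_LOADS = [
    ("connect-src", "wss://remote.example.com/remotedesktopgateway/"),
    ("img-src", "blob:https://remote.example.com/0f0e0d0c-constructed"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ("media-src", "blob:https://remote.example.com/1a2b3c4d-constructed"),
    ("script-src", "https://cdn.example.net/app.js"),
]


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    The first occurrence of a directive wins, as the spec requires."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(source, url, page_origin):
    """Does one source expression allow `url` on a page served from page_origin?"""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if source == "*":
        return scheme in NETWORK_SCHEMES  # '*' never covers data:/blob:
    if source == "'self'":
        origin = urlsplit(page_origin)
        return scheme == origin.scheme.lower() and parts.netloc.lower() == origin.netloc.lower()
    if source.startswith("'"):
        return False  # 'unsafe-inline', 'unsafe-eval', nonces: say nothing about URLs
    if source.endswith(":") and "/" not in source:
        return scheme == source[:-1].lower()  # scheme-source such as data: or blob:
    # host-source: [scheme://]host[:port], where host may begin with "*."
    src_scheme, _, rest = source.rpartition("://")
    if src_scheme and src_scheme.lower() != scheme:
        return False
    host, _, port = rest.partition(":")
    if not _host_matches(host, parts.hostname or ""):
        return False
    if port and port != "*":
        url_port = parts.port or DEFAULT_PORTS.get(scheme)
        return str(url_port) == port
    return True


def is_allowed(header, directive, url, page_origin="https://remote.example.com"):
    """Apply the fallback rule: a missing fetch directive defers to default-src;
    if no governing directive exists at all, the load is allowed."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, page_origin) for s in sources)


def evaluate(header):
    """Decide every sample load under one header; keys are (directive, url)."""
    return {(d, u): is_allowed(header, d, u) for d, u in SAMPLE_LOADS}


if __name__ == "__main__":
    for header in (CSP_BEFORE, CSP_AFTER):
        print(header)
        for (directive, url), ok in evaluate(header).items():
            print(f"  {'allow' if ok else 'BLOCK'}  {directive:<12} {url}")
```

Running it shows that under the old header the WebSocket to the gateway is allowed (so the wss error in the console is a symptom, not the root cause: the session canvas cannot be painted once blob:/data: images are blocked), while the answer's header admits them. The evaluator also makes the answer's own caveat visible: `default-src *` lets any network origin serve scripts, so a tighter follow-up would name the gateway host (or 'self') in place of `*` while keeping blob: and data: on img-src and media-src.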