Add rule for Microsoft Remote Desktop Gateway 2008 and R2

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft Remote Desktop Gateway 2008 and R2.

  1. Go to Firewall and select IPv4. using the filter switch.
  2. Click +Add firewall rule and Business application rule.
  3. Specify the general rule details.
    Application template
    Select Microsoft Remote Desktop Gateway 2008 and R2 to configure a rule for Microsoft Remote Desktop Gateway 2008 and R2.
    Enter a description for the rule.
    Rule position
    Specify the position of the rule.
    Available options:
    • Top
    • Bottom
    Rule group
    Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.
    If you select Automatic, the firewall rule will be added to an existing group based on first match with rule type and source-destination zones.
    Rule name
    Specify a name to identify the rule.
  4. Specify Hosted server details.
    Hosted address
    Specify the address of the hosted server to which the rule applies. It is the public IP address through which internet users access an internal server/host.
    Note When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the web application firewall (WAF) because the connection is made through the WAF. The client’s real IP address is available in the HTTP header
    Listening port
    Enter a port number on which the hosted web server can be reached externally, over the internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).
    Click to enable or disable of HTTPS traffic.
    HTTPS certificate (available if HTTPS is enabled)
    Select the HTTPS certificate to be used.
    Redirect HTTP (available if HTTPS is enabled)
    Click to redirect HTTP requests.
    Use FQDN when you enter the domains the web server is responsible for, for example,
  5. Specify Protected server(s) details.
    Path-specific routing
    You can enable path-specific routing to define (a path) to which web servers incoming requests are forwarded.
    You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. On the other hand you can allow more than one web server for a specific request but add rules how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure to send all requests to one web server and use the others only as a backup.
    For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, (in case the default route was deleted), the request will be denied.
    Add new path (available if Path-specific routing is enabled)
    Click Add new path to define a new path.
    Note Add new path will only be active after at least one web server and one hosted web server have been created.
    Web server (available if Path-specific routing is disabled)
    Web servers are the application servers that are to be protected. Select from the list of web servers or click Add new item to add a web server.
    A new web server can be created directly from this page or from the Web server > Web servers page.
  6. Specify access permission details. (Available if Path-specific routing is disabled)
    Allowed client networks
    Select the allowed host(s)/network(s).
    Blocked client networks
    Select the blocked host(s)/network(s).
    Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile from this page or from the Web server > Authentication policies page.
  7. Specify path Exceptions for the web servers.

    Click Add new exception to specify new exception.

  8. Specify policies for business applications in the Advanced section.


    Select an application protection policy for the server or create a new one.

    Intrusion prevention

    Select an intrusion prevention policy for the rule or create a new one.

    Traffic shaping

    The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

  9. Click Save.
    Note As soon as a new HTTP based rule configuration has been created and saved or an existing HTTP based rule configuration has been altered and saved, all HTTP based business rules will be restarted. Any underlying client connection using a HTTP based business rule will get lost and has to be re-established.
The rule for Microsoft Remote Desktop Gateway 2008 and R2 has been created and appears on the Firewall page when the IPv4 filter is set.