Operational Defect Database

BugZero found this defect 431 days ago.

WatchGuard Technologies | kA16S000000BcfuSAC

Origin IP address for Remote Desktop connections via RD Gateway detected as "::%16777216"

Last update date:

3/15/2023

Affected products:

AuthPoint

Affected releases:

All

AuthPoint

Fixed releases:

All

Description:

Issue

The AuthPoint Logon app (agent for Windows) v2.7 and higher detects the origin IP address of the user from the Remote Desktop servers audit logs in Windows. After you upgrade to v2.7.0 or higher of the agent for Windows, the origin IP address may be detected as "::%16777216" if you connect by RD Gateway to the same system that runs the RD Gateway service. Users that connect to a system that is not the RD Gateway see the origin IP address as the IP of the RD Gateway.

Workaround/Solution

The origin IP address "::%16777216" is how the Windows event logs record connections from the IPv6 loopback socket when a connection is tunneled through an RD Gateway to the RD Gateway host itself. If none of your authentication policies combine network location policy objects with the Logon app, no action is required. If you use network location policy objects to restrict access, or to offer different MFA options to users who connect from different locations, you can create an additional authentication policy to handle the connections from the RD Gateway. The example below describes how to allow users to authenticate with only their password (no MFA) when they connect from a local network subnet or from the RD Gateway, but require MFA when users connect from other network locations.

1. Log in to WatchGuard Cloud at http://cloud.watchguard.com/.
2. Select Configure > AuthPoint.
3. From the AuthPoint navigation menu, select Policy Objects.
4. Click Add Policy Object.
5. From the Type drop-down list, select Network Location.
6. In the Name text box, type a name to identify this network location policy object. In our example, we name the policy object All IPv4 Addresses.
7. In the IP Mask text box, enter 0.0.0.1/1 and 128.0.0.0/2. Press Enter or Return after each entry. Note: The 0.0.0.1/1 entry is not a typo. AuthPoint does not allow you to enter 0.0.0.0/1.
8. Click Save.
9. From the AuthPoint navigation menu, select Authentication Policies.
10. Create three authentication policies with the settings below. If you have existing authentication policies, you can edit them to match these settings.
   - Policy 1 – A policy that requires only password authentication, and includes your existing network location policy object so that the policy only applies to authentications from a local subnet.
   - Policy 2 – A policy that requires password and MFA authentication, and includes the new network location policy object (All IPv4 Addresses).
   - Policy 3 – A policy that requires only password authentication, and does not include any policy objects.

Make sure that your authentication policies are in the order above, so that policy precedence applies correctly. With the three authentication policies in the specified order, users from an internal subnet match the first authentication policy and authenticate with only a password (no MFA). Users who authenticate from any other subnet match the second policy and must complete MFA to log in. Users who connect from the RD Gateway (origin "::%16777216") match no network location object, fall through to the third policy, and can log in with just a password.
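The following is an added example, not WatchGuard's code or part of the original article. It simulates the policy precedence described above with Python's standard ipaddress module: the two masks are entered exactly as the steps specify, the local subnet (10.0.0.0/8), the policy names and the sample origin addresses are assumptions, and the function names are hypothetical. It also counts how many IPv4 addresses the two masks actually cover, which is the check a practitioner should run before relying on a catch-all network location object.

```python
# Added example (not WatchGuard's code): simulate AuthPoint authentication-policy
# precedence for the three policies described in the workaround.
import ipaddress

# Assumed internal subnet backing the existing "local subnet" network location object.
LOCAL_SUBNET = ipaddress.ip_network("10.0.0.0/8")

# The two masks exactly as entered in the steps for the "All IPv4 Addresses" object.
# strict=False masks off the host bit in "0.0.0.1/1", which AuthPoint requires instead of 0.0.0.0/1.
ALL_IPV4_OBJECT = [
    ipaddress.ip_network("0.0.0.1/1", strict=False),   # 0.0.0.0   - 127.255.255.255
    ipaddress.ip_network("128.0.0.0/2"),               # 128.0.0.0 - 191.255.255.255
]

# Policies in precedence order: (name, requires_mfa, network location objects or None).
POLICIES = [
    ("Policy 1 - password only, local subnet", False, [LOCAL_SUBNET]),
    ("Policy 2 - password + MFA, All IPv4 Addresses", True, ALL_IPV4_OBJECT),
    ("Policy 3 - password only, no policy objects", False, None),
]


def parse_origin(origin):
    """Parse the origin IP as Windows logs it. A zone index such as the
    '%16777216' seen on loopback RD Gateway hops is stripped before parsing."""
    return ipaddress.ip_address(origin.split("%", 1)[0])


def in_location(address, networks):
    """True if the address lies inside any network of the policy object.
    An IPv6 origin such as '::' is never inside an IPv4 network, so it matches nothing here."""
    return any(address.version == net.version and address in net for net in networks)


def match_policy(origin):
    """Return (policy name, requires_mfa) for the first policy whose location object matches.
    A policy with no policy objects matches every origin."""
    address = parse_origin(origin)
    for name, requires_mfa, networks in POLICIES:
        if networks is None or in_location(address, networks):
            return name, requires_mfa
    return None, None


def covered_ipv4_addresses(networks):
    """Number of IPv4 addresses a network location object covers; compare against 2**32."""
    return sum(net.num_addresses for net in networks if net.version == 4)


if __name__ == "__main__":
    # Constructed sample origins: internal host, other IPv4 host, the RD Gateway loopback
    # origin from the issue, and a documentation-range address above 191.255.255.255.
    for origin in ["10.1.2.3", "172.16.5.9", "::%16777216", "203.0.113.5"]:
        name, mfa = match_policy(origin)
        print(f"{origin:>14} -> {name} (MFA required: {mfa})")
    print("IPv4 addresses covered by the object:",
          covered_ipv4_addresses(ALL_IPV4_OBJECT), "of", 2 ** 32)
```

Running the simulation shows the intended outcomes for the internal host (Policy 1, no MFA), an origin inside 128.0.0.0/2 (Policy 2, MFA) and the "::%16777216" origin (Policy 3, no MFA). The coverage check is the caveat: 0.0.0.1/1 and 128.0.0.0/2 together cover 3 * 2**30 of the 2**32 IPv4 addresses, so an origin in 192.0.0.0/2 (192.0.0.0 through 255.255.255.255) matches neither mask and also falls through to Policy 3. Compare the object's coverage against your own address plan, and watch for Logon app authentications that land on Policy 3 from an IPv4 origin, before relying on the policy order as a hard MFA boundary.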


Status

Open
