No RDP-sessions possible (MeshCentral on Docker behind Reverse Proxy)

[n1smithy]

Hi @ all!

I cannot connect to any Windows-PC by using RDP-connection via MeshCentral (MC). But RDP works well via VPN or within the origin network. NLA is on, too. No RDP-connection via MC even when the Windows-firewall is down.

I installed MC via docker-compose (see the compose-file below). Since my docker-server contains more than just one webserver MeshCentral sits behind a Unified-Tread-Management-firewall (UTM) with its own reverse proxy based on Nginx.

Here are some configuration-things:

services:
    meshcentral:
        restart: always
        container_name: meshcentral
        image: typhonragewind/meshcentral
        ports:
            - 8086:443  #MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
        environment:
            - HOSTNAME=meshcentral.my.domain    #your hostname
            - REVERSE_PROXY=10.230.80.1  #set to your reverse proxy IP if you want to put meshcentral behind a reverse proxy
            - REVERSE_PROXY_TLS_PORT=443
            - IFRAME=false    #set to true if you wish to enable iframe support
            - ALLOW_NEW_ACCOUNTS=false    #set to false if you want disable self-service creation of new accounts besides the first (admin)
            - WEBRTC=false  #set to true to enable WebRTC - per documentation it is not officially released with meshcentral, but is solid enough to work with. Use with caution
        volumes:
            - /home/my_docker_home_dir/meshcentral/data:/opt/meshcentral/meshcentral-data    #config.json and other important files live here. A must for data persistence
            - /home/my_docker_home_dir/meshcentral/user-files:/opt/meshcentral/meshcentral-files    #where file uploads for users live
             # location for the meshcentral-backups - this should be mounted to an external storage
            - /home/my_docker_home_dir/meshcentral/backup:/opt/meshcentral/meshcentral-backups
             # location for site customization files
            - /home/my_docker_home_dir/meshcentral/web:/opt/meshcentral/meshcentral-web
             # Richtige Zeit übernehmen
            - /etc/localtime:/etc/localtime:ro
             # (Klappt noch nicht) Zentral abgelegte Zertifikate für den Webserver übernehmen – wichtig für die Agents!
             #- /home/my_docker_home_dir/.certs/fullchain.pem:/opt/meshcentral/meshcentral-data/webserver-cert-public.crt:ro
             #- /home/my_docker_home_dir/.certs/privkey.pem:/opt/meshcentral/meshcentral-data/webserver-cert-private.key:ro

config.json:

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "cert": "meshcentral.my.domain",
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "(CENSORED)",
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
    "TLSOffload": false,
    "SelfUpdate": false,
    "AllowFraming": "false",
    "WebRTC": "false",
    "AutoBackup": {
      "backupPath": "/opt/meshcentral/meshcentral-backups",
      "backupInvervalHours": 24,
      "keepLastDaysBackup": "",
      "zippassword": ""
    }
  },
  "domains": {
        "": {
        "title": "(CENSORED)",
    	"title2": "MeshCentral",
	"agentCustomization": {
        	"displayName": "(CENSORED)",
        	"description": "(CENSORED)",
        	"companyName": "(CENSORED)",
        	"serviceName": "(CENSORED)",
        	"fileName": "(CENSORED)",
		"image": "(CENSORED)",
		"installText": "(CENSORED)",
		"foregroundColor": "#2d2d2d",
		"backgroundColor": "#cfcfcf"
    		},
	"assistantCustomization": {
            "description": "(CENSORED)",
            "title": "(CENSORED)",
            "image": "(CENSORED)",
            "fileName": "(CENSORED)",
	    "foregroundColor": "#2d2d2d",
	    "backgroundColor": "#dfdfdf"
	},
    	"_minify": true,
    	"NewAccounts": "false",
        "_userNameIsEmail": true,
    	"_certUrl": "https://10.230.80.1:443"  # can't get the certificate at all, neither if I use the internal or the external reverse-proxy-IP-address
        }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "[email protected]",
    "_names": "myserver.mydomain.com",
        "production": false
  },
}

The reverse proxy is nginx-based and allows websocket-connections too. It shares some url-forwordings and provides my own letsencrypt-certificate for my domain with an asterisk as a wildcard for subdomains. I have to update the certificate on my reverse proxy and on meshcentral as well since the agents check the origin webserver-certificate before connecting to mesh central (as you know).

Any other information needed?

Thanks for any help!

[si458]

Right, so u have a few things wrong.

1. Use the official docker image and not the community one
   https://ylianst.github.io/MeshCentral/install/install2/#docker

2. Some of ur environment variables haven't copied over correctly to ur config.json, so it's best to remove them and set them inside ur config.json instead

3. Tlsoffload in config.json should be set as ur ip address of ur reverse proxy server tlsoffload: "ip of reverse proxy"

4. Add trustedproxy: "ip of reverseproxy" to config.json under settings section

5. _certurl should be uncommented and it should be set to the dns name of ur domain u use certurl: "https://meshcentral.mydomain.com:443

6. U didn't share ur reverse proxy config, but make sure it's talking to http://ipofmeshcentralserver:443 don't use https!

[n1smithy]

Great, when trying to start meshcentral from the official docker-container, it tries "starting self upgrade", which fails all the way. hmpf!

[si458]

Weird? U have selfupdate set as false so this shouldn't happen? What's the image u are using/set in ur compose file?

P.s what does ur config.json look like now?

[n1smithy]

Yes, I'm completely lost with it:

image: ghcr.io/ylianst/meshcentral:master

[si458]

Yes, I'm completely lost with it:

image: ghcr.io/ylianst/meshcentral:master

what does ur config.json look like now?

[n1smithy]

{
"$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
"settings": {
"selfUpdate": false,
"_mongoDb": "mongodb://mongodb:27017/meshcentral",
"_mongoDb": false,
"_mongoDbcol": "meshcentral",
"_mongoDbName": "meshcentral",
"cert": "subdom.my.domain",
"_WANonly": true,
"_LANonly": true,
"sessionKey": "(…)",
"_port": 443,
"_aliasPort": 443,
"redirPort": 80,
"_redirAliasPort": 80,
"AgentPong": 300,
"trustedProxy": "10.XXX.YYY.1",
"TLSOffload": "10.XXX.YYY.1",
"SelfUpdate": "false",
"AllowFraming": "false",
"WebRTC": "false",
"AutoBackup": {
"backupPath": "/opt/meshcentral/meshcentral-backups",
"backupInvervalHours": 24,
"keepLastDaysBackup": "",
"zippassword": ""
}
},
"domains": {
"": {
"title": "(…)",
"title2": "(…)",
"agentCustomization": {
"displayName": "(…)",
"description": "(…)",
"companyName": "(…)",
"serviceName": "(…)",
"fileName": "(…)",
"image": "(…)",
"installText": "(…)",
"foregroundColor": "#2d2d2d",
"backgroundColor": "#cfcfcf"
},
"assistantCustomization": {
"description": "(…)",
"title": "(…)",
"image": "(…)",
"fileName": "(…)",
"foregroundColor": "#2d2d2d",
"backgroundColor": "#dfdfdf"
},
"_minify": true,
"NewAccounts": "false",
"_userNameIsEmail": true,
"certUrl": "https://subdom.my.domain:443"
}
},
"_letsencrypt": {
"comment": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
"_email": "[email protected]",
"_names": "myserver.mydomain.com",
"production": false
},
"smtp": {
"host": "(…)",
"port": "465",
"from": "(…)",
"user": "(…)",
"pass": "(…)",
"tls": true,
"tlsstrict": false,
"_verifyEMail": false
}
}

[n1smithy]

RDP works with the official docker-image! But there are some specialities to be paid attention of.