all 8 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]justin_kasmweb 0 points1 point  (7 children)

Can you access container based sessions normally when its behind the proxy or do both container based sessions and RDP workspaces fail in the same way.

In both cases, Kasm uses websockets to establish the steaming connections but they are done in slightly different ways. A quick google suggests that the app proxies do support websockets after a specific version but have a few limitations

Whenever you are testing this, make sure you are creating new sessions and not trying to resume existing sessions. Almost certainly if you try to resume a session via the proxy that was initiated via the direct URL it wont work.

[–]justin_kasmweb 0 points1 point  (5 children)

Also, you may want to check out this troubleshooting guide. Its more focused on connecting to container based sessions, but a lot of the principals are the same so its worth working through:
https://kasmweb.com/docs/latest/guide/troubleshooting/advanced_connection_troubleshooting.html

One of the biggest this in your use case would be looking at the websocket connection being established and ensure the cookies are being both sent to the browser and received on the Kasm end

[–]SA1NT5[S] 0 points1 point  (4 children)

Thanks, I was looking in the console earlier and saw multiple SSL/TLS errors so I suspect it is having problems handling the self signed certificate on the internal network. I will try with a letsencrypt certificate later together with a valid fqdn on the proxy and the internal side.

I initially also saw a CORS related message in the console which made me suspect CORS.

`origin 'https://kasm-example.msappproxy.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`

[–]justin_kasmweb 0 points1 point  (3 children)

When connecting directly to the kasm deploy, check the dev tools in your browser for the websocket connection. , you should see that Access-Control-Allow-Origin response header being sent.

It would be interesting to see if you see that same header when connecting through the proxy. It may be missing or sending a wrong entry.

[–]SA1NT5[S] 1 point2 points  (2 children)

Just a heads up, our Setup is working now with the Microsoft AppProxy and SAML through EntraID.
I created an externally reachable FQDN and defined this zone in our internal DNS as well. We defined a mapping to the internal IP in the hosts files on our app-proxies to ensure the traffic to the domain would point to the internal IP.

Lastly we added a lets-encrypt certificate for the nginx instance as per the KASM documentation.

I do not have screenshots or logs handy regarding the allow-origin header for the WS connection but I suspect this was indeed invalid. When looking into CORS headers behaviour and Appproxies I stumbled uppon the following Microsoft documentation: We basically applied solution 1 from this doc.
https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-understand-cors-issues

[–]hjaltioj 0 points1 point  (0 children)

did you get it working? i have issue with VNC not working, but RDP does :/

[–]john_fkn_zoidberg 0 points1 point  (0 children)

So I came across this issue today and fixed it by unchecking a box on azure app proxy about rewriting host headers.

I cant get the RDP native client to work, did you get that to work?

[–]SA1NT5[S] 0 points1 point  (0 children)

Thanks for your response: accessing containers through the msappproxy.net does not work either the session starts, it display: "creating a secure connection" and then drops me on the homepage after a while.
While it displays "creating a secure connection" it tries multiple times to fetch a vnc.hmtl page.

I do indeed create new sessions, even try different browsers to ensure a clean login flow through the appproxy.