Remote Desktop



  • Trying to allow remote desktop through my SSG-5 to an internal server with a VIP and I am having trouble getting it to work.
    I think these are the relevant lines from the config:

    set service "Remote Desktop" protocol tcp src-port 4100-4100 dst-port 3389-3389
    set service "Remote Desktop" + udp src-port 4100-4100 dst-port 3389-3389
    set interface ethernet0/0 vip interface-ip 4100 "Remote Desktop" 192.168.1.5
    set address "Trust" "ACME" 192.168.1.5 255.255.255.255 "ACME server"
    set policy id 12 name "Remote Desktop to ACME" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "Remote Desktop" permit log

    Anything obviously wrong here?



  • Exactly, and the policy for 4100/TCP (you may have to create a custom service):
    set policy id 11 name "Remote Desktop" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "<port_4100_tcp>" permit log



  • So I would leave the service as is and just change the VIP settings like this?

    set service "Remote Desktop" protocol tcp src-port 1024-65535 dst-port 3389-3389
    set service "Remote Desktop" + udp src-port 1024-65535 dst-port 3389-3389
    set interface ethernet0/0 vip interface-ip 4100 "Remote Desktop" 192.168.1.5



  • Replace 3389 with your preferred port in your VIP + policy, let's say 4100. In RDP you might try to connect to <yourip/dns>:4100



  • Yes - I would prefer to use/open a non-standard port like 4100 for the RDP clients to connect on.



  • What do you want to change? The source port of the RDP Client?



  • OK, I got it working last night using this info:

    set service "Remote Desktop" protocol tcp src-port 1024-65535 dst-port 3389-3389
    set service "Remote Desktop" + udp src-port 1024-65535 dst-port 3389-3389
    set interface ethernet0/0 vip interface-ip 3389 "Remote Desktop" 192.168.1.5
    set policy id 11 name "Remote Desktop" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "Remote Desktop" permit log

    How can I change the source port to a different one?
    Wouldn’t I just change the tcp src-port numbers?
    Unfortunately, I don’t have a lot of knowledge on how this works.
    When I connected last night using default connection parameters on the RD client, the log shows:

    Source address: 24.76.xxx.xxx:49598
    Destination address: 66.225.xxx.xxx:3389
    translated Source address/port: 24.76.xxx.xxx:49598
    Translated Destination address/port: 192.168.1.5:3389



  • I didn't know that, thanks for the info!

    Could you post your policies? It seems that either there is no attempt to reach 3389 (routing or anything else) or another policy catches the request and doesn't log it.



  • Looks like there is no traffic? I know you can specify the source port on remote desktop…



  • I'm not an RDP specialist; I don't know if you can configure a source port for RDP. What's the output of "get log traffic dst-port 3389" (after trying to access 3389)?



  • I would like the remote user(s) to connect using xxx.xxx.xxx.xxx:4100 and not leave port 3389 open on the firewall. Maybe I am configuring incorrectly?



  • Are you sure about the source port (4100)? I’d say it is 1024-65535
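As an added example (not from the thread and not Juniper's code), a small Python lint for ScreenOS-style service and VIP lines: it lists what a VIP exposes (external port to internal host:port), flags a service whose src-port is pinned to one port as in the first post (clients connect from ephemeral source ports, so such a service never matches, which is the 1024-65535 point made above), and rewrites the range. It assumes the VIP syntax as it appears in the thread: the VIP's virtual port is the externally reachable port and the service's dst-port is the port on the mapped host; the sample config is constructed.

```python
import re

# Constructed sample (modelled on the thread's first, non-working config): a service whose
# src-port is pinned to 4100, plus the VIP line mapping external port 4100 to the host.
SAMPLE_CONFIG = """\
set service "Remote Desktop" protocol tcp src-port 4100-4100 dst-port 3389-3389
set service "Remote Desktop" + udp src-port 4100-4100 dst-port 3389-3389
set interface ethernet0/0 vip interface-ip 4100 "Remote Desktop" 192.168.1.5
"""

# Assumed syntax (as in the thread): "set service NAME protocol|+ PROTO src-port A-B dst-port C-D"
# and "set interface IF vip VIP VPORT "SERVICE" HOST"; VPORT is the external port,
# the service's dst-port is the port opened on HOST.
SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" (?:protocol|\+) (?P<proto>tcp|udp) '
    r'src-port (?P<s1>\d+)-(?P<s2>\d+) dst-port (?P<d1>\d+)-(?P<d2>\d+)$')
VIP_RE = re.compile(
    r'^set interface \S+ vip (?P<vip>\S+) (?P<vport>\d+) "(?P<svc>[^"]+)" (?P<host>\S+)$')
EPHEMERAL = (1024, 65535)  # clients pick their source port from this range, not a fixed one


def parse(config):
    """Return ({service: [(proto, (src lo, src hi), (dst lo, dst hi))]}, [(vip, vport, svc, host)])."""
    services, vips = {}, []
    for line in config.splitlines():
        if m := SERVICE_RE.match(line):
            services.setdefault(m["name"], []).append(
                (m["proto"], (int(m["s1"]), int(m["s2"])), (int(m["d1"]), int(m["d2"]))))
        elif m := VIP_RE.match(line):
            vips.append((m["vip"], int(m["vport"]), m["svc"], m["host"]))
    return services, vips


def vip_mappings(config):
    """What each VIP exposes: (external port, proto, internal host, internal port)."""
    services, vips = parse(config)
    return [(vport, proto, host, dst[0])
            for _, vport, svc, host in vips
            for proto, _, dst in services.get(svc, [])]


def src_port_warnings(config):
    """Flag service entries whose src-port is narrower than the ephemeral range."""
    services, _ = parse(config)
    return [f'service "{name}" {proto}: src-port {lo}-{hi} will not match clients using '
            f'ephemeral source ports; use {EPHEMERAL[0]}-{EPHEMERAL[1]}'
            for name, entries in services.items()
            for proto, (lo, hi), _ in entries if (lo, hi) != EPHEMERAL]


def fix_src_ports(config):
    """Rewrite every service src-port range to the ephemeral range; dst-port is left alone."""
    return re.sub(r'(^set service .* )src-port \d+-\d+', r'\g<1>src-port 1024-65535',
                  config, flags=re.MULTILINE)
```

Run `src_port_warnings(SAMPLE_CONFIG)` to see the two pinned-port entries flagged, then `vip_mappings(fix_src_ports(SAMPLE_CONFIG))` to confirm the external 4100 still maps to 192.168.1.5:3389 after the fix.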

