Connecting to NC Clients from the Office LAN

Nate_ · ‎11-09-2008

I've had this one going for a while & no luck... until tonight! (even Juniper didnt have any answers when i raised the case)...

The SSL VPN firewall rules ALWAYS apply to the non NC machine... ALWAYS!!!

If you RDP from the NC to a Server, the rule is:

Resource IP: Server

Resource Port: RDP

If you want to RDP from a machine on the inside LAN to the NC Client (to support remote users!!!)

Resource IP: Server

Resource Port: RDP connection source port on the server!!!!! --> i.e. randomised high port!!!

The next question is, how to lock down the source port of RDP connections so i can secure it a little...

anyone know any reg hax etc to force source port connections?

Jickfoo_ · ‎11-11-2008

varying source ports is one way firewalls and VPNs keep track of individual sessions. I'm don't know if I would hard code source ports, it may screw up some state tables.

It's odd to me that you'd need to hardcode source ports in firewall rules. Typically firewalls are statefull and will support return traffic to those high randomized source ports automatically.

Nate_ · ‎11-11-2008

Jickfoo,

I'm trying to lockdown the source port the RDP session is coming from on the internal network, not a firewall/vpn etc.

I know there's a few reg hax out there to lock source ports down to ranges for other protocols, just not sure if there's one for RDP.

If you cant lock it down, then you'll have to allow a heap of ports through the VPN both to & from the internal networks.

willj_ · ‎11-27-2008

Why?

The firewall maintains state. The initial 3-way handshake would include the src/dest IP pair (along with port info). You just need to concern yourself with tying down what IP src/dest addresses/ranges you are going to allow RDP access for.

Nate_ · ‎11-27-2008

Will,

Look at the original issue...

To access (via RDP) the NC clients through the juniper from say, Computer C, in the NC access rules i must specify the IP & Src ports of computer C, NOT the destination of the NC IP ranges & 3389

Every rule in the NC access rules ONLY ONLY applies to the non-NC host, whether its the destination or source of the traffic, it will always be the non-NC host details.

i.e.

Network connect host: 1.1.1.1

Server on the inside LAN: 2.2.2.2

If i want to connect FROM the Server (2.2.2.2) to the NC client (1.1.1.1), the rule required is:

"Resources"

2.2.2.2:<src port>

It is NOT

1.1.1.1:3389

Jickfoo_ · ‎12-01-2008

Nate, this situation is odd because I think most of us here do not add rules the way you are describing.

For my remotes coming in from company owned laptops, I block a certain amount of what I call "dangerous ports" but then in a lower rule I allow everything for employees. I can initiate to them on 3389 and I dont specify a source port.

tcp://*.*

One thing you could do is create a access policy and for action choose "Detailed Rules". Then if you want to lock it down, Add a SourceIP condition to the rule which includes your internal network. Then for resources add a tcp://*.* or a tcp://*:3389. I would think that would cover you.

Good Luck

Connecting to NC Clients from the Office LAN

Connecting to NC Clients from the Office LAN

Re: Connecting to NC Clients from the Office LAN

Re: Connecting to NC Clients from the Office LAN

Re: Connecting to NC Clients from the Office LAN

Re: Connecting to NC Clients from the Office LAN

Re: Connecting to NC Clients from the Office LAN