I've had this one going for a while with no luck... until tonight! (Even Juniper didn't have any answers when I raised the case.)
The SSL VPN firewall rules ALWAYS apply to the non-NC machine... ALWAYS!!!
If you RDP from the NC to a Server, the rule is:
Resource IP: Server
Resource Port: RDP
If you want to RDP from a machine on the inside LAN to the NC client (to support remote users!!!), the rule is:
Resource IP: Server
Resource Port: the RDP connection's source port on the server!!!!! --> i.e. the randomised high port!!!
The next question is how to lock down the source port of RDP connections so I can secure it a little...
Anyone know any reg hacks etc. to force the source port of connections?
Varying source ports is one way firewalls and VPNs keep track of individual sessions. I don't know if I would hard-code source ports; it may screw up some state tables.
It's odd to me that you'd need to hard-code source ports in firewall rules. Typically firewalls are stateful and will support return traffic to those high randomized source ports automatically.
I'm trying to lock down the source port the RDP session is coming from on the internal network, not on a firewall/VPN etc.
I know there are a few reg hacks out there to lock source ports down to ranges for other protocols; I'm just not sure if there's one for RDP.
If you can't lock it down, then you'll have to allow a heap of ports through the VPN both to and from the internal networks.
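The question above (pinning the source port an internal host uses for RDP so the NC rule does not have to open a heap of ports) is, on Windows, really a question about the TCP ephemeral port range. The following is an added example, not something posted in the thread: it narrows the host-wide dynamic port range with the documented netsh command, and then shows how to see which source port a live RDP session actually picked. The range values (49152 plus 1024 ports) are an assumption chosen for the example; pick your own. Two caveats a practitioner will want: the range is host-wide, not per-application, so every outbound TCP connection from that server shares it; and a range that is too small exhausts ports for everything else on the box (Microsoft documents a minimum of 255 ports).

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt
# on the internal server that initiates RDP to the NC client.
# Applies to Windows Vista / Server 2008 and later, which use netsh dynamicport.

# 1. Show the current TCP dynamic (ephemeral) port range.
netsh interface ipv4 show dynamicport tcp

# 2. Narrow it. Values are an assumption for this example: start at 49152,
#    allow 1024 ports, i.e. 49152-50175. Microsoft's documented minimum is 255.
#    This is host-wide: every outbound TCP connection will use this range.
netsh interface ipv4 set dynamicport tcp start=49152 num=1024

# 3. Confirm the change took effect.
netsh interface ipv4 show dynamicport tcp

# 4. While an RDP session to the NC client is open, see which local (source)
#    port it is using. Get-NetTCPConnection needs Windows 8 / Server 2012+.
Get-NetTCPConnection -RemotePort 3389 -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

# Fallback for older systems that lack Get-NetTCPConnection:
# netstat -ano | findstr ":3389"

# Legacy note (XP / Server 2003 only, reboot required): the ephemeral range
# there runs from 1025 up to the MaxUserPort registry value (default 5000),
# so MaxUserPort only caps the top of the range; it cannot raise the bottom.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
#     -Name MaxUserPort -Value 5000 -Type DWord
```

With the server's ephemeral range pinned like this, the NC access rule from the first post would target the server's IP and that port range rather than a single port; whether the resource field of your IVE version accepts a port range (written like tcp://<server>:49152-50175) is something to confirm against your release before relying on it.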
The firewall maintains state. The initial 3-way handshake would include the src/dest IP pair (along with port info). You just need to concern yourself with tying down what IP src/dest addresses/ranges you are going to allow RDP access for.
Look at the original issue...
To access (via RDP) the NC clients through the Juniper from, say, Computer C, in the NC access rules I must specify the IP and source ports of Computer C, NOT the destination of the NC IP ranges and 3389.
Every rule in the NC access rules ONLY applies to the non-NC host; whether it's the destination or the source of the traffic, it will always be the non-NC host's details.
Network connect host: 22.214.171.124
Server on the inside LAN: 126.96.36.199
If I want to connect FROM the Server (126.96.36.199) to the NC client (22.214.171.124), the rule required is:
It is NOT
Nate, this situation is odd because I think most of us here do not add rules the way you are describing.
For my remotes coming in from company-owned laptops, I block a certain number of what I call "dangerous ports", but then in a lower rule I allow everything for employees. I can initiate to them on 3389 and I don't specify a source port.
One thing you could do is create an access policy and for the action choose "Detailed Rules". Then, if you want to lock it down, add a SourceIP condition to the rule which includes your internal network. Then for resources add a tcp://*.* or a tcp://*:3389. I would think that would cover you.