Solved

Can't get RD Web Connection to work through WatchGuard Firewall

Posted on 2008-10-05
Last Modified: 2013-11-21
I am trying to set up Remote Desktop Web Connection on Windows XP. It is working internally, but I am trying to publish the connection to the internet so I can connect from outside my company's firewall. I have a WatchGuard Firebox III. I have added a new server on the firewall and tried to forward it to my computer several different ways, but no matter what it won't work. Could somebody please help?

Thank you,
Bob
Question by:ob1_
9 Comments
 
LVL 5

Expert Comment

by:valheru_m
ID: 22646467
You'll need to forward port 3389 from the outside IP to whatever box you want to gain access to internally.  In addition, since you're trying to use the web client, you'll need to have 80 and 443 forwarded to the web server that serves the RDP web connection page.
0
 
LVL 6

Author Comment

by:ob1_
ID: 22646533
There is no web server that serves the page; there is only the client with Remote Desktop Web Connection installed. So I tried forwarding the external ip:port -> internal ip:80. The Remote Desktop Web Connection page comes up, but I can't connect from there. I've also tried opening 3389 and forwarding it.

I am using an additional port to specify my machine from the outside, so the address I am trying is http://209.60.213.98:113/tsweb - b/c I only have 1 external IP and I want to set this up for many machines on my network. So I am trying to forward traffic from my external IP on port 113 to my internal IP on port 80.

So how do I forward 3389? Traffic on port 3389 on my external IP gets forwarded to 3389 on my internal IP? Or is it that traffic to my external IP on 113 gets forwarded to 3389 on my internal IP?
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22646556
Ah, you're trying to use that multiple RDP functionality.  Haven't fully configured that before.  Standard RDP uses port 3389 to communicate, and then only on a 1 to 1 basis (i.e. you can forward each external IP to one internal IP on the same port).

Sorry but that's all the help I can be on that issue.  Anyone else?
0
 
LVL 6

Author Comment

by:ob1_
ID: 22646865
Please see http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Watchguard_Firewall/Q_23789072.html#a22646686

I had to configure each machine to listen on a different port for RD, and forward pubip:3389=>privip:newport for RD and pubip:whatever=>privip:80 for each user!

:)
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22656994
As I understand it, you wish to have incoming traffic on one specific port and then forward it internally to a different port on different machines.

Let me take an example:
Incoming TCP traffic on port 5000 needs to be directed to 192.168.1.1 on port 3389
Incoming TCP traffic on port 5001 needs to be directed to 192.168.1.2 on port 3389
Incoming TCP traffic on port 5002 needs to be directed to 192.168.1.3 on port 3389

I am assuming you are using WSM version 7.x

In Policy Manager; create a custom service; select protocol as TCP; port as 5000; client port as ignore [this is important]

Now add the service created above and configure as below:
Incoming connections are "Enabled and allowed"; from Any; to click Add->Add NAT; in the External IP address the public IP would be listed; in internal IP specify 192.168.1.1; check the box, Set internal port  to a different port than this policy and specify port as 3389; click OK all the way back.

If there are more ports [please note this port also should not be common], you can either add them in the specific custom service [when adding 5000 as in example above]; or add specific service for each port.

Repeat for 5001 and 5002 as well.

Save to firebox; please implement and update.

Thank you.
0
 
LVL 6

Author Comment

by:ob1_
ID: 22658802
Here is the problem. It needs to be:

Incoming TCP traffic on port 5000 needs to be directed to 192.168.1.1 on port 3389 and port 80.

Can you forward to 2 ports? Port 80 is the IIS website for TSWEB (Remote Desktop Web Connection). Currently I have the traffic forwarded to 3389 and Remote Desktop works fine through the firewall, but I'd like to use TSWEB.

Thanks,
Bobby

0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22660722
Yes, you can forward two ports, 5000 and 80, to 3389 and port 80 respectively; but port 80 can be forwarded only for 192.168.1.1. If you wish to forward the port to more than one machine, then you would need to configure a different port for the web server as well.

You would need two services, one for each port, because we need internal port redirection.

So assuming that you have ports 5000 and 80 for 192.168.1.1, and 5001 for .2 and 5003 for .3, then the services needed would be:
service-1 for port 5000; getting redirected to 192.168.168.1.1 on port 3389
service-2 for port 80; getting redirected to 192.168.168.1.1 on port 80
service-3 for port 5001; getting redirected to 192.168.168.1.2 on port 3389
service-4 for port 5002; getting redirected to 192.168.168.1.3 on port 3389

Thank you.
0
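The constraint in the accepted answer (with a single public IP, each external port can be redirected to only one internal host and port) can be checked before saving to the firewall. This is an added example, not part of the original thread and not WatchGuard's own tooling; the plan format, the function names and the extra web ports 8001 and 8002 are assumptions made for illustration.

```python
from collections import defaultdict

RDP_PORT, WEB_PORT = 3389, 80

# Constructed plan: the thread's RDP ports plus port 80 aimed at two hosts.
BROKEN_PLAN = """
5000 -> 192.168.1.1:3389
80   -> 192.168.1.1:80
5001 -> 192.168.1.2:3389
5002 -> 192.168.1.3:3389
80   -> 192.168.1.2:80
"""

# Constructed fix: a distinct external web port per extra host (8001/8002 assumed).
FIXED_PLAN = BROKEN_PLAN.replace("80   -> 192.168.1.2:80", "8001 -> 192.168.1.2:80") \
    + "8002 -> 192.168.1.3:80\n"

def parse_plan(text):
    """Return a list of (external_port, internal_ip, internal_port) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ext, _, target = line.partition("->")
        ip, _, port = target.strip().rpartition(":")
        rules.append((int(ext), ip, int(port)))
    return rules

def find_conflicts(rules):
    """External ports that are claimed by more than one internal target."""
    targets = defaultdict(set)
    for ext, ip, port in rules:
        targets[ext].add((ip, port))
    return {ext: sorted(t) for ext, t in targets.items() if len(t) > 1}

def tsweb_coverage(rules):
    """Per host, the unambiguous external port for RDP and for the TSWEB page."""
    conflicts = find_conflicts(rules)
    hosts = defaultdict(lambda: {"rdp": None, "web": None})
    for ext, ip, port in rules:
        usable = ext if ext not in conflicts else None
        if port == RDP_PORT:
            hosts[ip]["rdp"] = usable
        elif port == WEB_PORT:
            hosts[ip]["web"] = usable
    return dict(hosts)

if __name__ == "__main__":
    for name, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
        rules = parse_plan(plan)
        print(name, find_conflicts(rules), tsweb_coverage(rules))
```

A host whose `web` or `rdp` entry is `None` has no unambiguous external port for that service, which is the situation the accepted answer describes for port 80.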


Question has a verified solution.
