Solved

Can't get RD Web Connection to work through WatchGuard Firewall

Posted on 2008-10-05
Last Modified: 2013-11-21
I am trying to set up Remote Desktop Web Connection on Windows XP. It is working internally, but I am trying to publish the connection to the internet so I can connect from outside my company's firewall. I have a WatchGuard Firebox III. I have added a new server on the firewall and tried to forward it to my computer several different ways, but no matter what it won't work. Could somebody please help?

Thank you,
Bob
Question by:ob1_
9 Comments
 
LVL 5

Expert Comment

by:valheru_m
ID: 22646467
You'll need to forward port 3389 from the outside IP to whatever box you want to gain access to internally.  In addition, since you're trying to use the web client, you'll need to have 80 and 443 forwarded to the web server that serves the RDP web connection page.
 
LVL 6

Author Comment

by:ob1_
ID: 22646533
There is no web server that serves the page; there is only the client with Remote Desktop Web Connection installed. So I tried forwarding the external ip:port -> internal ip:80. The Remote Desktop Web Connection page comes up, but I can't connect from there. I've also tried opening 3389 and forwarding it.

I am using an additional port to specify my machine from the outside, so the address I am trying is http://209.60.213.98:113/tsweb, because I only have 1 external IP and I want to set this up for many machines on my network. So I am trying to forward traffic from my external IP on port 113 to my internal IP on port 80.

So how do I forward 3389? Does traffic on port 3389 on my external IP get forwarded to 3389 on my internal IP? Or does traffic to my external IP on 113 get forwarded to 3389 on my internal IP?
 
LVL 5

Expert Comment

by:valheru_m
ID: 22646556
Ah, you're trying to use that multiple RDP functionality. Haven't fully configured that before. Standard RDP uses port 3389 to communicate, and then only on a 1 to 1 basis (i.e. you can forward each external IP to one internal IP on the same port).

Sorry but that's all the help I can be on that issue.  Anyone else?
 
LVL 6

Author Comment

by:ob1_
ID: 22646865
please see http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Watchguard_Firewall/Q_23789072.html#a22646686

I had to configure each machine to listen on a different port for RD, and forward pubip:3389=>privip:newport for RD and pubip:whatever=>privip:80 for each user!

:)
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22656994
As I understand you wish to have incoming traffic on one specific port and then to forward it internally to a different port to different machines.

Let me take an example:
Incoming TCP traffic on port 5000 needs to be directed to 192.168.1.1 on port 3389
Incoming TCP traffic on port 5001 needs to be directed to 192.168.1.2 on port 3389
Incoming TCP traffic on port 5002 needs to be directed to 192.168.1.3 on port 3389

I am assuming you are using WSM version 7.x

In Policy Manager; create a custom service; select protocol as TCP; port as 5000; client port as ignore [this is important]

Now add the service created above and configure as below:
Incoming connections are "Enabled and allowed"; from Any; to click Add->Add NAT; in the External IP address the public IP would be listed; in internal IP specify 192.168.1.1; check the box "Set internal port to a different port than this policy" and specify port as 3389; click OK all the way back.

If there are more ports [please note this port also should not be common], you can either add them in the specific custom service [when adding 5000 as in example above]; or add specific service for each port.

Repeat for 5001 and 5002 as well.

Save to firebox; please implement and update.

Thank you.
 
LVL 6

Author Comment

by:ob1_
ID: 22658802
here is the problem it needs to be:

Incoming TCP traffic on port 5000 needs to be directed to 192.168.1.1 on port 3389 and port 80.

Can you forward to 2 ports? Port 80 is the IIS website for TSWEB (Remote Desktop Web Connection). Currently I have the traffic forwarded to 3389 and Remote Desktop works fine through the firewall, but I'd like to use TSWEB.

Thanks,
Bobby

 
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
ID: 22660722
Yes, you can forward two ports, 5000 and 80, to 3389 and port 80 respectively; but port 80 can be forwarded only to 192.168.1.1. If you wish to forward the port to more than one machine, then you would need to configure a different port for the webserver as well.

You would need two services, one for each port, because we need internal port redirection.

So assuming that you have ports 5000 and 80 for 192.168.1.1, 5001 for .2 and 5002 for .3, then the services needed would be:
service-1 for port 5000; getting redirected to 192.168.1.1 on port 3389
service-2 for port 80; getting redirected to 192.168.1.1 on port 80
service-3 for port 5001; getting redirected to 192.168.1.2 on port 3389
service-4 for port 5002; getting redirected to 192.168.1.3 on port 3389

Thank you.
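The accepted answer comes down to one rule: on the Firebox each external port maps to exactly one internal ip:port, so every machine that needs both RDP (3389) and the TSWEB page (80) needs two external ports, and port 80 itself can only go to one host. The following is an added example, not code from the thread or from WatchGuard: it builds such a plan for a constructed list of internal hosts, checks it for the collisions that made the original setup fail (one external port aimed at two internal ports, two services aimed at the same internal socket), and prints the services in the same form as the answer above. The host list, the 5000/8001 port bases and the warning about reusing a well-known external port below 1024 (the 113 -> 80 mapping tried earlier in the thread) are assumptions of this example, not statements from the thread.

```python
# Added example: plan one-external-port-to-one-internal-socket forwards for
# several hosts behind a single public IP.  Not WatchGuard code; the host list
# and port bases below are constructed for illustration.

RDP_PORT = 3389   # default Remote Desktop listener on each internal host
HTTP_PORT = 80    # IIS serving the /tsweb Remote Desktop Web Connection page


def plan_forwards(hosts, rdp_base=5000, web_base=8001):
    """Assign one external port per internal socket.

    hosts: list of (name, internal_ip) tuples.
    Returns a list of dicts with keys service, ext_port, int_ip, int_port.
    As in the accepted answer, external port 80 is kept for the first host's
    web page; later hosts get web_base, web_base + 1, ... (an assumption here).
    """
    plan = []
    for i, (name, ip) in enumerate(hosts):
        plan.append({"service": f"{name}-rdp", "ext_port": rdp_base + i,
                     "int_ip": ip, "int_port": RDP_PORT})
        ext_web = HTTP_PORT if i == 0 else web_base + (i - 1)
        plan.append({"service": f"{name}-web", "ext_port": ext_web,
                     "int_ip": ip, "int_port": HTTP_PORT})
    return plan


def check_plan(plan):
    """Return a list of 'error: ...' / 'warning: ...' strings; empty means OK.

    Errors: an external port listed twice (a port can only be redirected to one
    internal ip:port), or the same internal socket reached by two services.
    Warning (a caveat added here, not from the thread): an external port below
    1024 that is renumbered to a different internal port, e.g. 113 -> 80, is a
    well-known port that other clients or services may expect to mean something
    else; pick one above 1023 instead.
    """
    problems = []
    ext_seen = {}   # ext_port -> (int_ip, int_port)
    int_seen = {}   # (int_ip, int_port) -> ext_port
    for fwd in plan:
        ext = fwd["ext_port"]
        target = (fwd["int_ip"], fwd["int_port"])
        if ext in ext_seen:
            prev = ext_seen[ext]
            problems.append(f"error: external port {ext} already forwards to "
                            f"{prev[0]}:{prev[1]}; cannot also forward to "
                            f"{target[0]}:{target[1]}")
        else:
            ext_seen[ext] = target
        if target in int_seen:
            problems.append(f"error: {target[0]}:{target[1]} is already reached "
                            f"via external port {int_seen[target]}")
        else:
            int_seen[target] = ext
        if ext < 1024 and ext != fwd["int_port"]:
            problems.append(f"warning: external port {ext} is a well-known port "
                            f"reused for internal port {fwd['int_port']}; "
                            f"use a port above 1023")
    return problems


def render(plan):
    """Format the plan as the numbered service list used in the answer above."""
    return [f"service-{n} for port {f['ext_port']}; getting redirected to "
            f"{f['int_ip']} on port {f['int_port']}"
            for n, f in enumerate(plan, 1)]


if __name__ == "__main__":
    # Constructed hosts matching the addresses used in the thread's example.
    hosts = [("pc1", "192.168.1.1"), ("pc2", "192.168.1.2"), ("pc3", "192.168.1.3")]
    plan = plan_forwards(hosts)
    for line in render(plan):
        print(line)
    for problem in check_plan(plan):
        print(problem)
    # The mapping first tried in the thread: one external port to two internal ports.
    bad = [{"service": "pc1-rdp", "ext_port": 5000, "int_ip": "192.168.1.1", "int_port": 3389},
           {"service": "pc1-web", "ext_port": 5000, "int_ip": "192.168.1.1", "int_port": 80}]
    for problem in check_plan(bad):
        print(problem)
```

Each line that `render` produces corresponds to one custom service in Policy Manager configured the way the earlier comment describes (TCP, that external port, client port ignored, Add NAT to the internal IP with "Set internal port to a different port than this policy" when the internal port differs). Run `check_plan` before loading the plan so that a second host silently claiming external port 80, or one port pointed at both 3389 and 80, is caught on paper rather than on the Firebox.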