How to secure Terminal Services to DMZ

I am currently following KB816521 to secure terminal services communication to all my servers.  However, when I do the same thing on the servers in my DMZ I can no longer connect to them.  We don't see any reason in the firewall.  In fact I put a laptop in the dmz to try to connect to one of the servers and still was unable to connect.  Anyone have any idea on this or another way to encrypt/secure terminal services/remote desktop connections.  Thanks.
Asked by: ewest111

1 Solution

bignewf Commented:
Hi, ewest111

Without seeing your firewall config (which you can send me), most likely you did not open the following ports I listed below to allow the IPSEC, Kerberos, DNS and SMB (if you need file sharing on this TS) traffic, so none of the traffic you need to pass is allowed.
DNS is needed to resolve host names on the domain, Kerberos to authenticate users, LDAP for queries to Active Directory, and most important, the ports to allow IPSEC traffic through.

There are links to the Microsoft articles to configure IPSec policies for this server below:




IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:

    * IP Protocol ID 50:
      For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
    * IP Protocol ID 51:
      For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
    * UDP Port 500:
      For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50).

It may be necessary to allow Kerberos traffic through the firewall, if so then UDP port 88 and TCP port 88 would also need to be forwarded. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
253169 (http://support.microsoft.com/kb/253169/EN-US/) Traffic That Can--and Cannot--Be Secured by IPSec
254949 (http://support.microsoft.com/kb/254949/) IPSec support for client-to-domain controller traffic and domain controller-to-domain controller traffic

This traffic must be allowed from DMZ to LAN hosts:

    * Kerberos: TCP 88, UDP 88
    * DNS: TCP 53, UDP 53
    * LDAP: TCP 389, UDP 389
    * LDAP over SSL: TCP 636
    * SMB over IP: TCP 445, UDP 445
 
ewest111 (Author) Commented:
The issue was due to the fact that the servers in the DMZ are not part of the domain, so Kerberos won't work.  Configured using preshared keys instead of Kerberos and all is well now.
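The fix the author describes (IPsec with a pre-shared key on a DMZ host that cannot use Kerberos), written out as an added example that is not from the thread. It assumes the Windows NetSecurity cmdlets (Windows Server 2012 or later, run as Administrator on both ends), Terminal Services on its default port TCP 3389, and a constructed LAN subnet and key placeholder; the answer's port list is what the DMZ/LAN firewall itself must still pass.

```powershell
# Added example (not from the original thread): require IPsec, authenticated with a
# pre-shared key, for Terminal Services (RDP, TCP 3389 assumed as the default port)
# on a DMZ host that is not domain-joined, so Kerberos machine auth is unavailable.
# Run as Administrator on BOTH peers with an identical key. Addresses are constructed.

$LanAdminSubnet = "192.0.2.0/24"                      # constructed: LAN hosts allowed to RDP in
$Psk            = "<REPLACE-WITH-LONG-RANDOM-SECRET>" # placeholder; must match on both ends

# Phase 1 (main mode) authentication: computer PSK instead of computer Kerberos.
# A machine certificate from an internal CA is the stronger non-domain alternative.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "DMZ TS PSK auth" -Proposal $proposal

# Connection security rule: RDP between this host and the LAN subnet must be
# IPsec-protected. Require/Require refuses cleartext RDP rather than merely
# requesting protection and falling back.
New-NetIPsecRule -DisplayName "Require IPsec for Terminal Services" `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $LanAdminSubnet `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name

# The network firewall between DMZ and LAN still has to forward the IPsec traffic
# named in the accepted answer: IKE (UDP 500), ESP (IP protocol 50) and, only if AH
# is used, IP protocol 51. Kerberos/LDAP/DNS/SMB to the LAN are not required for
# PSK-authenticated peers that sit outside the domain.

# Verification after an RDP attempt from the LAN: a main-mode and a quick-mode SA
# should exist for the peer, showing the session was negotiated, not sent in clear.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

If the SA lists stay empty while the connection fails, check that UDP 500 and IP protocol 50 are actually forwarded on the DMZ firewall before suspecting the key.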
