How to secure Terminal Services to DMZ

Posted on 2008-11-18
Last Modified: 2013-11-21
I am currently following KB816521 to secure terminal services communication to all my servers. However, when I do the same thing on the servers in my DMZ I can no longer connect to them. We don't see any reason in the firewall. In fact I put a laptop in the DMZ to try to connect to one of the servers and still was unable to connect. Anyone have any idea on this or another way to encrypt/secure terminal services/remote desktop connections. Thanks.
Question by:ewest111

    Expert Comment

    Hi, ewest111

    Without seeing your firewall config (which you can send me), most likely you did not open the ports I listed below to allow the IPSEC, Kerberos, DNS and SMB traffic (if you need file sharing on this TS), so none of the traffic you need to pass is allowed.
    DNS is needed to resolve host names on the domain, Kerberos to authenticate users, LDAP for queries to Active Directory, and, most important, the ports to allow IPSEC traffic through.

    There are links to the Microsoft articles to configure IPSec policies for this server below:

    IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:

        * IP Protocol ID 50:
          For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
        * IP Protocol ID 51:
          For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
        * UDP Port 500:
          For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

    L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50).

    It may be necessary to allow Kerberos traffic through the firewall, if so then UDP port 88 and TCP port 88 would also need to be forwarded. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
    253169  Traffic That Can--and Cannot--Be Secured by IPSec
    254949  IPSec support for client-to-domain controller traffic and domain controller-to-domain controller traffic

    This traffic must be allowed from DMZ to LAN hosts:

       Kerberos        TCP 88, UDP 88
       DNS             TCP 53, UDP 53
       LDAP            TCP 389, UDP 389
       LDAP over SSL   TCP 636
       SMB over IP     TCP 445, UDP 445

    Accepted Solution

    Issue was due to the fact that the servers in the DMZ are not part of the domain, so Kerberos won't work. Configured using preshared keys instead of Kerberos and all is well now.
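
    As an added example (not from the thread or from KB816521), this is the shape of the pre-shared-key IPsec policy the accepted solution describes, expressed as netsh ipsec static commands run on the non-domain-joined DMZ Terminal Server. The policy, filter and action names, the placeholder key, and the 3DES/SHA1 algorithm strings are assumptions; the kerberos=no / psk= rule is the part that matches the fix above.

```powershell
# Added example (not from the thread): IPsec policy on a DMZ Terminal Server that
# is NOT domain-joined, so IKE authenticates with a pre-shared key instead of
# Kerberos. Names, the placeholder key and the 3DES/SHA1 choice are assumptions.
# Note: netsh stores the pre-shared key in clear text in the local policy store,
# so certificates are the stronger choice where a PKI is available.
$Psk = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'   # placeholder; use a unique key per host

# 1. Policy container. mmsecmethods is the IKE main-mode proposal (cipher-hash-DH group).
netsh ipsec static add policy name="DMZ-RDP" description="Encrypt RDP with IPsec/PSK" mmsecmethods="3DES-SHA1-2"

# 2. Filter list: inbound TCP 3389 to this host, mirrored so the reply direction matches too.
netsh ipsec static add filterlist name="RDP-In"
netsh ipsec static add filter filterlist="RDP-In" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

# 3. Filter action: negotiate ESP and refuse clear text (no unsecured inbound, no soft fallback).
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

# 4. Rule tying them together; kerberos=no plus psk= is the accepted solution's change.
netsh ipsec static add rule name="RDP-PSK" policy="DMZ-RDP" filterlist="RDP-In" filteraction="Require-ESP" kerberos=no psk="$Psk" conntype=all activate=yes

# 5. Assign the policy; check it with: netsh ipsec static show policy name="DMZ-RDP"
netsh ipsec static set policy name="DMZ-RDP" assign=y
```

    The RDP client needs a matching policy with the same pre-shared key, and the firewall still has to pass ESP (IP protocol 50) and IKE (UDP 500) between the client and the DMZ host, as the first answer lists; the Kerberos/DNS/LDAP/SMB rows only apply if the DMZ host is domain-joined.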
