  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 814

lock down SonicWALL router by IP address coming into server

hi,
we use terminal services. We have a SonicWALL TZ-170. I know I can lock down terminal server users by IP address and only allow access when it has been predefined. Does anyone know where this feature may be in SonicWALL's configuration?
Asked by: intelogent
1 Solution
 
ccomley Commented:
Yes, it's exactly what the sonicwall is intended for.

Are you running Standard or Enhanced OS?

I assume the TS users you wish to control are OUTSIDE the firewall and the TServer is inside.

If you already have inbound access working I assume you have a "PERMIT" rule allowing anyone from outside to access the TS; you need to amend this so it only allows your specific IP list to access.

But this is different depending which OS version you are running.

In standard mode you need a WAN to LAN "TS" rule for each IP address you want to Permit, and to remove the "permit any" rule.

In enhanced mode, you need to create an Address Object for each IP address (e.g. "Fred's Office - 217.123.123.1"), then a GROUP of address objects called, say, "Permitted TS Users", which you put each of the individual address objects into. Then you amend the Permit TServe rule to permit it only for Source = Permitted Users instead of for Source = Any.

 
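An added example (not from the thread and not SonicWALL code): a small Python audit of a hand-transcribed WAN-to-LAN rule list, checking the point made in the answer above that per-IP rules or an address group only restrict access once the "permit any" rule is removed. The rule tuples, rule names and the address 198.51.100.20 are constructed, and the script assumes that WAN traffic not explicitly permitted is dropped.

```python
import ipaddress

RDP_PORT = 3389  # terminal services port, as named in the thread

def networks(source, groups):
    """Expand a rule source ('any', a group name, or an IP/CIDR) to networks."""
    if source.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    members = groups.get(source, [source])
    return [ipaddress.ip_network(m, strict=False) for m in members]

def audit(rules, groups, allowlist):
    """Compare permit rules for RDP_PORT against the intended allowlist."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    too_broad, covered = set(), set()
    for name, action, source, port in rules:
        if action != "permit" or port != RDP_PORT:
            continue
        for net in networks(source, groups):
            # A rule is too broad if it admits any address outside the allowlist.
            if not any(net.subnet_of(a) for a in allowed):
                too_broad.add(name)
            covered.update(a for a in allowed if a.subnet_of(net))
    missing = [str(a.network_address) for a in allowed if a not in covered]
    return {"too_broad": sorted(too_broad), "missing": missing}

def is_permitted(src, rules, groups):
    """True if some permit rule for RDP_PORT matches the source address."""
    ip = ipaddress.ip_address(src)
    return any(action == "permit" and port == RDP_PORT
               and any(ip in net for net in networks(source, groups))
               for _, action, source, port in rules)

# Constructed sample data (hypothetical; 217.123.123.1 is the thread's example IP).
ALLOWLIST = ["217.123.123.1", "198.51.100.20"]
BEFORE = [("TS any", "permit", "any", 3389),            # leftover permit-any rule
          ("TS Fred", "permit", "217.123.123.1", 3389)]
STANDARD = [("TS Fred", "permit", "217.123.123.1", 3389),    # one rule per IP
            ("TS Store 2", "permit", "198.51.100.20", 3389)]
GROUPS = {"Permitted TS Users": ["217.123.123.1", "198.51.100.20"]}
ENHANCED = [("TS group", "permit", "Permitted TS Users", 3389)]  # one group rule

if __name__ == "__main__":
    for label, rules, groups in [("before", BEFORE, {}),
                                 ("standard", STANDARD, {}),
                                 ("enhanced", ENHANCED, GROUPS)]:
        print(label, audit(rules, groups, ALLOWLIST),
              "outsider allowed:", is_permitted("203.0.113.9", rules, groups))
```
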
 
intelogent Author Commented:
you're right on point...
and I am not as familiar as you may think... so help me through this one step at a time.
firstly, my tech is on vacation, and the person filling in is not familiar...
he set it up... we have five stores... and they are in there by name... and then me... by my personal name.
I cannot even find what screen the rules were made on...
can you point me in that direction... I need to alter a rule pertaining to me...
 
digitap Commented:
Log in to the sonicwall and go to the System > Status page.  You'll see the information you need to post here so we can help you with the rules.  Standard and Enhanced versions of the sonicwall, as ccomley alluded to above, have different methods of creating the firewall rules.  Report this information and we can give you all the details.

See my screen shot for a sample of the information we need.
greenshot-2010-08-28-13-23-15.jpg
 
intelogent Author Commented:
Model: TZ 170 Standard
  Serial Number:
  Authentication Code: 3JLL-VUF7
  Firmware Version: SonicOS Standard 3.1.2.6-97s
  ROM Version: SonicROM 3.1.0.4
  CPU (10s average): 7.17% - SonicWALL Security Processor
  Total Memory: 64MB RAM, 8MB Flash
  System Time: 08/28/2010 12:52:34
  Up Time: 42 Days 21:13:11
  Current Connections: 37
  Last Modified By: Unmodified since reboot


Nodes/Users:      10 Nodes (2 in use)
  Your SonicWALL is not registered.
  Click here to Register your SonicWALL.

  To manually register, remember the following information:  
  Serial Number:  
  Authentication Code:  3JLL-VUF7  
 
  and go to the SonicWALL Web site.  



does this help at all?
 
digitap Commented:
you bet!  Here is a sonicwall technote that walks you through the process.

http://www.sonicwall.com/downloads/Configuring_SonicWALL__Port_Forwarding.pdf

In the example, it wants you to configure it for FTP, but you'll want to use terminal services (port 3389).  Additionally, they have the source specified as '*'.  Here, you'll want to specify the source as the public IP address of the user that's accessing the internal terminal server.

How many remote users need access to the internal terminal server?

By the way, I see from the information above that your sonicwall isn't registered.  If you're paying for any services (Global VPN licenses, etc.), you won't be able to use those until you've registered the sonicwall.
 
digitap Commented:
By the way, in standard OS, when you're done with Step 4 in the first example, then you're done.  You only need to add a NAT rule when using the enhanced OS.
 
intelogent Author Commented:
I really appreciate the help...

but I still have not found what I am looking for...

there was a section in the SonicWALL configuration where my name was listed... and so was my external IP address I use coming into the router. In this same section I saw the names of other co-workers who are not on the LAN... but rather come in from the WAN...
this has already been configured. I was supposed to be able to change my IP address in this SonicWALL configuration, as I moved location to location...

I just cannot find that area... specifically that is what I am looking for.
 
ccomley Commented:
Can I suggest an alternate approach?

Is your unit still on 24x7 or 8x5 support? If so, lodge a support call with Sonicwall; they can look at your machine remotely so you don't need to try to describe the current setting, or you can send them a Tech Support Report. Then they can tell you exactly what to do - or they can do it for you, then you can review the config change and see how it was done, then you'll know for next time.

 
intelogent Author Commented:
perhaps that is not such a bad idea...

thank you for your help
 
intelogent Author Commented:
the reason I selected the answer was in error...
I quite frankly thought it was he who I selected, and did not notice that another member answered. That other answered a "rather polite" I do not know, and directed me to technical support. When I thought I was still talking to the same original member, it seemed we were hitting a wall of "not being able to figure it out", and it was just my way of thanking him for at least trying.

the points should properly be rewarded to Digitap.

certainly, it is not that I do not care.

 
digitap Commented:
My recommendation is a split between the following solutions:

http:#a33548685
http:#a33550765

@intelogent :: No worries.  I assumed there was a misunderstanding.
 
intelogent Author Commented:
really appreciate that digitap...

this place is a valuable resource to me. I was not dissing you...

i'll leave it to the moderators.

 
digitap Commented:
i know...no worries.  thx!
 
intelogent Author Commented:
digitap...i have run out of time... my tech returns tomorrow...and i will get an answer.... and be happy to explain exactly where in the software this configuration is...

i do appreciate your input... and mean nothing but respect...
Question has a verified solution.
