• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1549
  • Last Modified:

Blocking Microsoft remote desktop connection via Juniper firewall

We have a windows webserver running iis behind Juniper firewall. We like to Block admins  from using Microsoft remote desktop connection to this server from outside. Is it possible to make the blocking by Juniper firewall? we only permit admins to use the remote desktop from inside the company not from outside.
thanks
0
alex-2010
Asked:
alex-2010
1 Solution
 
microworxCommented:
Just block port 3389 on the firewall or remove the existing rule (it's probably an added rule if access is there, normally it's blocked by default).  This will block anyone from outside, but not change access from the internal network.
0
 
sibisteanuCommented:
Go to Policy - Check the rules From Untrust to Trust for Service RDP (3389). If you find it disable.

You also you are the possibility to create a deny rule:
1. Define the service RDP if it is not yet created:
Go to Policy - Policy Elements - Services - Custom
Create a new service:
RDP      TCP src port: 1024-65535, dst port: 3389-3389

2. In the Policy select From: Untrust - To: Trust and click: New
Source Address – ANY
Destination Adress – ip of the server
Service: RDP
Action: Deny
0
 
alex-2010Author Commented:
if i block 3389, admins can use Microsoft remote desktop connection via http can't they?
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
sibisteanuCommented:
If you make a rule for the outside area this will not affect internal connection. Do not block RDP from the inside lan.
0
 
sibisteanuCommented:
Juniper work with the “zone” not the “interface”. Block the traffic for the zone with the interface connected to the internet. Permit the traffic for the zone with the interface connected to local lan.
0
 
DIPRAJCommented:
you can do one thing create a host.. for the preferred ip and make a dedicated rule for the same.. if possible allow all port except netbios
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now