Solved

Blocking Microsoft remote desktop connection via Juniper firewall

Posted on 2010-09-07
6
1,367 Views
Last Modified: 2013-11-16
We have a windows webserver running iis behind Juniper firewall. We like to Block admins  from using Microsoft remote desktop connection to this server from outside. Is it possible to make the blocking by Juniper firewall? we only permit admins to use the remote desktop from inside the company not from outside.
thanks
0
Comment
Question by:alex-2010
6 Comments
 
LVL 1

Accepted Solution

by:
microworx earned 250 total points
ID: 33623264
Just block port 3389 on the firewall or remove the existing rule (it's probably an added rule if access is there, normally it's blocked by default).  This will block anyone from outside, but not change access from the internal network.
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33626878
Go to Policy - Check the rules From Untrust to Trust for Service RDP (3389). If you find it disable.

You also you are the possibility to create a deny rule:
1. Define the service RDP if it is not yet created:
Go to Policy - Policy Elements - Services - Custom
Create a new service:
RDP      TCP src port: 1024-65535, dst port: 3389-3389

2. In the Policy select From: Untrust - To: Trust and click: New
Source Address – ANY
Destination Adress – ip of the server
Service: RDP
Action: Deny
0
 

Author Comment

by:alex-2010
ID: 33672930
if i block 3389, admins can use Microsoft remote desktop connection via http can't they?
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 2

Expert Comment

by:sibisteanu
ID: 33673331
If you make a rule for the outside area this will not affect internal connection. Do not block RDP from the inside lan.
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33673354
Juniper work with the “zone” not the “interface”. Block the traffic for the zone with the interface connected to the internet. Permit the traffic for the zone with the interface connected to local lan.
0
 
LVL 11

Expert Comment

by:diprajbasu
ID: 33741061
you can do one thing create a host.. for the preferred ip and make a dedicated rule for the same.. if possible allow all port except netbios
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now