Solved

Blocking Microsoft remote desktop connection via Juniper firewall

Posted on 2010-09-07
6
1,386 Views
Last Modified: 2013-11-16
We have a windows webserver running iis behind Juniper firewall. We like to Block admins  from using Microsoft remote desktop connection to this server from outside. Is it possible to make the blocking by Juniper firewall? we only permit admins to use the remote desktop from inside the company not from outside.
thanks
0
Comment
Question by:alex-2010
6 Comments
 
LVL 1

Accepted Solution

by:
microworx earned 250 total points
ID: 33623264
Just block port 3389 on the firewall or remove the existing rule (it's probably an added rule if access is there, normally it's blocked by default).  This will block anyone from outside, but not change access from the internal network.
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33626878
Go to Policy - Check the rules From Untrust to Trust for Service RDP (3389). If you find it disable.

You also you are the possibility to create a deny rule:
1. Define the service RDP if it is not yet created:
Go to Policy - Policy Elements - Services - Custom
Create a new service:
RDP      TCP src port: 1024-65535, dst port: 3389-3389

2. In the Policy select From: Untrust - To: Trust and click: New
Source Address – ANY
Destination Adress – ip of the server
Service: RDP
Action: Deny
0
 

Author Comment

by:alex-2010
ID: 33672930
if i block 3389, admins can use Microsoft remote desktop connection via http can't they?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Expert Comment

by:sibisteanu
ID: 33673331
If you make a rule for the outside area this will not affect internal connection. Do not block RDP from the inside lan.
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33673354
Juniper work with the “zone” not the “interface”. Block the traffic for the zone with the interface connected to the internet. Permit the traffic for the zone with the interface connected to local lan.
0
 
LVL 11

Expert Comment

by:diprajbasu
ID: 33741061
you can do one thing create a host.. for the preferred ip and make a dedicated rule for the same.. if possible allow all port except netbios
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now