Solved

Blocking Microsoft remote desktop connection via Juniper firewall

Posted on 2010-09-07
6
1,408 Views
Last Modified: 2013-11-16
We have a Windows web server running IIS behind a Juniper firewall. We would like to block admins from using Microsoft Remote Desktop Connection to this server from outside. Is it possible to do the blocking with the Juniper firewall? We only permit admins to use Remote Desktop from inside the company, not from outside.
Thanks
Question by:alex-2010
6 Comments
 
LVL 1

Accepted Solution

by:
microworx earned 250 total points
ID: 33623264
Just block port 3389 on the firewall, or remove the existing rule (it's probably an added rule if access is there; normally it's blocked by default). This will block anyone from outside, but not change access from the internal network.
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33626878
Go to Policy - check the rules from Untrust to Trust for the service RDP (3389). If you find one, disable it.

You also have the possibility to create a deny rule:
1. Define the service RDP if it is not yet created:
Go to Policy - Policy Elements - Services - Custom
Create a new service:
RDP      TCP src port: 1024-65535, dst port: 3389-3389

2. In the Policy select From: Untrust - To: Trust and click: New
Source Address – ANY
Destination Address – IP of the server
Service: RDP
Action: Deny
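The same deny rule as the GUI steps above, expressed on the ScreenOS CLI. This is an added example, not part of the original answer; the zone names, the address object name "webserver" and the address 10.0.0.5 are assumptions, and policies are evaluated top-down, so the deny is placed at the top so that a broader permit rule lower in the list cannot match first.

```screenos
# Custom service object matching the GUI definition (assumed name "RDP").
set service "RDP" protocol tcp src-port 1024-65535 dst-port 3389-3389

# Address object for the IIS server in the Trust zone (assumed address 10.0.0.5).
set address "Trust" "webserver" 10.0.0.5 255.255.255.255

# Deny RDP from the Untrust zone to the server, logged, placed above other Untrust->Trust policies.
set policy top from "Untrust" to "Trust" "Any" "webserver" "RDP" deny log

# Review the resulting policy list and persist the configuration.
get policy from "Untrust" to "Trust"
save
```

Since the rule is scoped to the Untrust to Trust direction, Trust to Trust RDP sessions from the internal LAN are unaffected; the log keyword makes blocked attempts visible in the event log for monitoring.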
 

Author Comment

by:alex-2010
ID: 33672930
If I block 3389, admins can use Microsoft Remote Desktop Connection via HTTP, can't they?
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33673331
If you make a rule for the outside area, this will not affect internal connections. Do not block RDP from the inside LAN.
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33673354
Juniper works with the "zone", not the "interface". Block the traffic for the zone with the interface connected to the internet. Permit the traffic for the zone with the interface connected to the local LAN.
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 33741061
You can do one thing: create a host for the preferred IP and make a dedicated rule for the same. If possible, allow all ports except NetBIOS.