Solved
Configure RDP through to Windows Server 2008 on Secure Computing SG560 Firewall

Posted on 2010-11-25
Medium Priority
855 Views
Last Modified: 2012-05-10
Hello,

I run a Secure Computing SG560 Firewall.
I am replacing our Windows Server 2003 Terminal Server with a 2008 Terminal Server.
Within our firewall rules, I have created a Definition and given the definition the name of the server plus the server's IP.
In Packet Filtering, I have created a rule, given it a descriptive name, set the action to Accept,
Type: forward
Incoming Interface: any
Outgoing Interface: any
Source Address: A defined IP address
Destination Address: The defined IP address of the terminal Server
Services: RDP

Upon trying to RDP in, I get the following message: This computer can't connect to the remote computer.

So I enabled logging; I can't even see the attempt in the log.

As some troubleshooting, I have changed the destination back to the old Terminal Server. Straight away, I get in and within the logging on the SG560 I can see the attempt.

Internally, I can RDP to the 2008 Server with no problem.
I read a KB stating to recreate the connection under Terminal Services Configuration, which I have done.

It has made no difference. I have tried a few different versions of RDP with the same problem when external, but it works fine internally.

Thanks

Question by:paulwoz
7 Comments
 
LVL 7

Expert Comment

by:tstritof
ID: 34215822
Hi,

Since, by your post, you don't have a problem with your internet-facing firewall nor with the ability of the new terminal server to accept RDP connections, you might have a problem with Windows Firewall on your new terminal server. Check the inbound rules and make sure that the IP address (or network) from which you connect externally isn't rejected by WF on TS.

Regards,
Tomislav
0
 

Author Comment

by:paulwoz
ID: 34215977
Oh Sorry, forgot to mention. Firewall is off with RDP as an exception.
I then disabled the firewall service with no joy also.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34216407
Are you using standard RDP port number (3389) for external access? What port is your firewall listening on for external RDP connections?

What do you mean when you say that you disabled the firewall service? Have you disabled the firewall in setup or stopped the service altogether?

Also - can you please confirm the following:

1) When accessing RDP externally, with absolutely nothing changed other than the destination IP on your external firewall, everything works fine when the destination IP in the forward rule points to the W2K3 server but stops working when the destination IP points to the W2K8 server.
2) In both cases the destination IPs are internal to your network and you can access your W2K8 server through RDP by that same IP when connected directly to your internal network.
3) You are not using any custom setup or records (like SRV records) in your public domain DNS to redirect RDP traffic to custom address/port.
4) Your firewall and your RDP client don't require that your terminal servers authenticate through certificates or some other way?

Regards,
Tomislav
0
 

Author Comment

by:paulwoz
ID: 34220062
Hi tstritof.

I am using 3389

I have done all of the above with the firewall. Firstly I turned it off via control panel.
Then stopped the firewall service
Then disabled the firewall Service.

Answering your questions:
Q1: Yes that is correct, works fine with W2K3, not 2K8 with only the dest IP changed.
Q2: I can definitely connect to it fine internally with the same IP as I set in the dest IP
Q3: No custom records from what I know and it definitely is listening on 3389. I confirmed via checking the registry.
Q4: Not at all.

Cheers

0
 
LVL 7

Accepted Solution

by:
tstritof earned 1000 total points
ID: 34222269
Hi,

I'm guessing this has to do with your internet firewall. However, the empty logs are a confusing element.

Another thing that confuses me a bit is the setup of what you call a "Definition". I interpret this term as a means of creating a group of internal resources serving some purpose and using that definition when specifying firewall rules. I don't see how this is used if you set your firewall rule simply by explicitly setting the IP address of the destination in the firewall rules. Could you please explain how you use this definition in the setup of the firewall rule?

Basically (and I'm guessing here) the rule you've set up only allows/disallows the traffic through firewall based on source/target IP address and TCP port used. However, firewall rules aren't normally used for routing so I believe there should be some other rule (usually called NAT forwarding) that tells your router that traffic on port 3389 coming from internet for public IP address must be routed to a certain internal IP address. I'm guessing again that you have such forwarding rule and that it still points to the W2K3 server. So basically, your traffic always routes to W2K3 server, only your firewall rule drops it when you change destination in it to allow only IP of W2K8 server.

Regards,
Tomislav
0
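To illustrate the explanation above (the packet filter only sees the destination after NAT forwarding has rewritten it, so a filter rule for the new server never matches and never logs while the forwarding rule still points at the old server), here is an added Python model. It is not from the thread or from the SG560; the addresses and rule names are constructed.

```python
# Added example (not from the thread or the SG560 vendor): a small model of an
# inbound packet passing first the NAT forwarding table and then the packet
# filter, reproducing the symptom in the question. All addresses are constructed.

PUBLIC_IP = "203.0.113.10"   # constructed: the firewall's internet-facing address
W2K3 = "192.168.1.20"        # constructed: old terminal server
W2K8 = "192.168.1.30"        # constructed: new terminal server
ADMIN_SRC = "198.51.100.5"   # constructed: the external source the filter rule allows
RDP = 3389

def apply_nat(packet, nat_rules):
    """Rewrite the destination of a packet that matches a NAT forwarding rule.
    nat_rules: list of (public_ip, port, internal_ip)."""
    for pub_ip, port, internal in nat_rules:
        if packet["dst"] == pub_ip and packet["dport"] == port:
            return {**packet, "dst": internal}
    return packet  # no forwarding rule: destination stays the public IP

def apply_filter(packet, filter_rules, log):
    """Accept if a forward rule matches (src, dst, dport); otherwise drop.
    Only a matching rule writes a log line, like 'enable logging' on that rule."""
    for name, src, dst, port in filter_rules:
        if packet["src"] == src and packet["dst"] == dst and packet["dport"] == port:
            log.append(f"{name}: accept {packet['src']} -> {packet['dst']}:{port}")
            return "accept"
    return "drop"  # default policy; nothing is logged, hence the empty log

def route_rdp(nat_target, filter_target):
    """Send one external RDP packet through NAT, then the filter.
    Returns (verdict, log_lines)."""
    log = []
    packet = {"src": ADMIN_SRC, "dst": PUBLIC_IP, "dport": RDP}
    packet = apply_nat(packet, [(PUBLIC_IP, RDP, nat_target)])
    verdict = apply_filter(packet, [("Allow-RDP-TS", ADMIN_SRC, filter_target, RDP)], log)
    return verdict, log

if __name__ == "__main__":
    # Before the fix: NAT forwarding still points at W2K3, filter rule changed to W2K8.
    print(route_rdp(W2K3, W2K8))  # ('drop', [])  -> no log entry at all
    # After the fix: NAT forwarding updated to W2K8 as well.
    print(route_rdp(W2K8, W2K8))  # ('accept', ['Allow-RDP-TS: accept ...'])
```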
 

Author Closing Comment

by:paulwoz
ID: 34224415
tstritof,

Thank you so much!

You were spot on, I was configuring via Packet Filtering and creating a "definition" to the server.

As soon as you mentioned NAT, I added it there and, lo and behold, it worked!

Thank you so much!
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34224914
:) Glad it worked.
0
