Michael Medney asked:
Sonicwall TZ200 Set up port 3389 for exclusive access

I need to give my software vendor the ability to access our Windows 2003 Small Business Server so that he can work on his program. He had been getting access through Terminal Services, but so did a friggin hacker using a brute force type of attack to try and log in.

I removed Terminal Services from our Sonicwall TZ200 and no more hackers, but no access for the software vendor. I know using something like Teamviewer would allow him to work on his software, but he says that he won't be able to do everything he needs to do that way. I don't see what the problem would be - other than the fact that I think he wants to work at night when nobody would be in our office to give him access.

My question: Is there a way that the TZ200 can be set up to give the vendor and only the vendor access to terminal services through port 3389, or would I need to set up something like a VPN with them? We are a small company with only one office, so we have not needed to set up any inter-office connections before and I don't see a need to do so in the future.

Thanks in advance for any assistance,

Mike
Blue Street Tech

Hi mmed810132,

It's a best practice to set up a VPN, especially since you have already been compromised. Opening port 3389 is not advisable, since having it open is targeted and pretty simple to exploit.

Once you set up the VPN you can lock down his access to specific IP-based resources, and managing this for other vendors will be easier and more secure.

Let me know if you need step by step instructions and I can provide that if need be.
systems_Quixote

Vendors will typically have static ip addresses for the offices they work out of. Filter down the RDP (Terminal Server) access to only his IP, hackers will not see that port open. Port will only be available for your vendor, no VPN needed.

This is the way we have vendors connect in and it passes PCI compliance scans.
Michael Medney (asker)

Hi diverseit,

Thanks for the reply. Please excuse my newbie-type questions, but I want to make sure I am understanding what we're doing so that I don't screw anything up.

By saying "lock down his access to a specific IP based resource", do you mean we are setting his IP address as the only one able to access our server via this VPN tunnel? How would this be used by other vendors (although as of now, I would probably be the only one who might use it)?

If you wouldn't mind, step-by-step instructions would be great. That is how I find I learn best.

Again, thanks for your reply,

Mike
Hi Mike,

No question is a bad question here on EE!

I will reply when I get in front of a computer...I'm on a mobile right now.
ASKER CERTIFIED SOLUTION
Blue Street Tech

Here is what I would do:

Create Address Object for your Internal Server:
Go to Network > Address Objects > Add under Address Objects
Server Name, LAN, HOST, (IP Address_Internal IP address of the Server)

Create an address object for your vendor's public IP address. You can find out what his IP address is by having him go to www.whatismyip.com
Go to Network > Address Objects > Add under Address Objects
Vendor Name, WAN, HOST, (IP Address_Public IP address from www.whatismyip.com)
Create as many of these as you need for each vendor that needs to access your TS.

If you want to add multiple public IP addresses (or multiple vendors) for any one server, go to Network > Address Objects > Add under Address Groups > Add Group
Here you will create a name for the group and then select all the public IPs (Vendors) you want to assign to that server.

Lastly create address objects for your WAN IPs assigned to you by your ISP the same way.
Name: (IP ADDRESS just for easy identification), WAN, Host, WAN IP.

Then create your NAT policy to re-direct traffic to that internal server you created on the first Address group.
Go to Network > NAT Policies > Add > For Source use (ANY + Original), for Destination (SELECT YOUR ADDRESS OBJECT for your Public IP; the public IP you are giving your vendor so he can Terminal Server into you + Translated: the address group for the internal server they are to manage), for Service use ANY + Original, Inbound Interface use X1, Outbound use ANY.
The reason you do not need to be specific on the services or vendor IP here is because the firewall rule is the one that will be processed before the NAT rule on the firewall. So no need to get crazy on specifying ports or IPs here.

Then go and create your firewall rule that allows port 3389 from WAN to LAN. Here you will use the vendor's public IP under SOURCE, DESTINATION will be your public IP you are giving your vendor to access your server, SERVICE will be only for port 3389, ACTION is to allow.

This configuration here is safe enough for PCI compliance.
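The following is an added illustration, not part of the answer above, SonicOS code, or an exported TZ200 configuration: a small Python model of the address objects, address group, NAT policy and WAN > LAN access rule the steps describe, with the rule evaluated before the NAT policy as the answer states. All addresses are constructed documentation-range values, not the asker's. It also shows the case raised later in the thread: the same vendor connecting from a different (dynamic) public IP is dropped just like a brute-force attempt from an unknown host.

```python
"""Model of the source-restricted RDP rule described in the accepted answer.

Added example: a plain-Python simulation of the SonicWall objects from the post,
not SonicOS code. Addresses are constructed RFC 5737 documentation values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Address Objects (Network > Address Objects), constructed sample values ---
ADDRESS_OBJECTS = {
    "SBS-Server": ("LAN", ipaddress.ip_network("192.168.1.10/32")),  # internal TS host
    "Vendor-A":   ("WAN", ipaddress.ip_network("203.0.113.25/32")),  # vendor's static public IP
    "Vendor-B":   ("WAN", ipaddress.ip_network("198.51.100.7/32")),  # a second vendor
    "WAN-IP":     ("WAN", ipaddress.ip_network("192.0.2.40/32")),    # our ISP-assigned public IP
}

# --- Address Group (Network > Address Objects > Address Groups) ---
ADDRESS_GROUPS = {"Vendors": ["Vendor-A", "Vendor-B"]}

# --- Service objects: RDP / Terminal Services, and the catch-all ANY ---
SERVICES = {"RDP": ("tcp", 3389), "ANY": None}

# --- NAT policy (Network > NAT Policies): ANY source, WAN-IP -> SBS-Server, service ANY ---
NAT_POLICY = {"inbound_iface": "X1", "original_dst": "WAN-IP", "translated_dst": "SBS-Server"}

# --- Access rules WAN > LAN, first match wins; implicit deny at the end ---
ACCESS_RULES = [
    {"name": "Vendor RDP", "src": "Vendors", "dst": "WAN-IP", "service": "RDP", "action": "allow"},
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    inbound_iface: str = "X1"


def _addresses(name: str) -> List[ipaddress.IPv4Network]:
    """Expand an address object or address group name into a list of networks."""
    if name == "ANY":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in ADDRESS_GROUPS:
        return [net for member in ADDRESS_GROUPS[name] for net in _addresses(member)]
    return [ADDRESS_OBJECTS[name][1]]


def _matches_address(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _addresses(name))


def _matches_service(pkt: Packet, name: str) -> bool:
    svc = SERVICES[name]
    return svc is None or (pkt.proto, pkt.dport) == svc


def evaluate(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (decision, destination the packet is forwarded to).

    As the answer describes, the access rule is checked first, so the NAT
    policy can stay broad (ANY source / ANY service): the rule alone decides
    who reaches port 3389, and everything else never gets translated at all.
    """
    for rule in ACCESS_RULES:
        if (_matches_address(pkt.src, rule["src"])
                and _matches_address(pkt.dst, rule["dst"])
                and _matches_service(pkt, rule["service"])):
            if rule["action"] != "allow":
                return ("deny", None)
            break
    else:
        return ("deny", None)  # implicit WAN > LAN deny

    # Only now apply the inbound NAT: public WAN-IP -> internal server.
    if (pkt.inbound_iface == NAT_POLICY["inbound_iface"]
            and _matches_address(pkt.dst, NAT_POLICY["original_dst"])):
        internal = ADDRESS_OBJECTS[NAT_POLICY["translated_dst"]][1]
        return ("allow", str(internal.network_address))
    return ("allow", pkt.dst)


if __name__ == "__main__":
    samples = {
        "vendor A from its static IP":   Packet("203.0.113.25", "192.0.2.40", "tcp", 3389),
        "vendor B from its static IP":   Packet("198.51.100.7", "192.0.2.40", "tcp", 3389),
        "brute-force from unknown host": Packet("198.51.100.200", "192.0.2.40", "tcp", 3389),
        "vendor A from a dynamic IP":    Packet("203.0.113.99", "192.0.2.40", "tcp", 3389),
        "vendor A to a non-RDP port":    Packet("203.0.113.25", "192.0.2.40", "tcp", 22),
    }
    for label, pkt in samples.items():
        print(f"{label:32s} -> {evaluate(pkt)}")
```

The model makes the trade-off in the thread concrete: the rule is as tight as the vendor's address list, so a vendor on a dynamic address or working from several locations needs an updated address object (or a VPN) before they get in, while every other source, the brute-force host included, never matches the rule and is not even translated to the server.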
Thanks for the info. Yes, it makes sense, especially not opening up port 3389 at all.

I will be back in the office tomorrow and will then attempt this setup. I will post back and let you know what happened.

Thanks for the KB links - I know I will be searching and printing through their knowledge bases!
Sounds good. I'll be here!
It looks like I won't be able to get to this until tomorrow - there are problems at the vendors end and I won't be able to get to the person who handles these things until then.

I have, however, set up my side with your help. Hopefully by this time tomorrow I'll be all set up. Thanks for your assistance and patience.
My pleasure. Just let me know when you're ready and we'll get'r done!
Any update on this?
Sorry for the delay - I've been dealing with hardware failures on both servers as well as battery backup failures and workstation problems.

I have scheduled a 10AM session tomorrow with my vendor to hopefully get this done.
ooo ouch! Hope everything gets settled for you. I'll be here when you're ready!
This is Small Business Server, so why isn't your vendor just using Remote Web Workplace? It doesn't have the same vulnerabilities as a direct port translate, because it wraps the connection through RPC over HTTP.

HTH

Gary
You listed this question in the SBS zone...are you using SBS and if so, what version?
@CrisHanna_MVP - mmed810132 is using Windows 2003 Small Business Server.
Step-by-step instructions are the best for us newbies!
I'm glad I could help. Thanks for the points!
mmed810132,

I'm curious why you selected comment http:#a39458678 as an answer too when you said,
Yes, it makes sense, especially not opening up port 3389 at all.
That comment recommends opening port 3389, which is a vulnerability. It also assumes the vendor has a static Public IP. If the vendor uses a dynamic Public IP and/or the vendor works from multiple locations that solution will not only leave you compromised but it will fail to provide the vendor access.

Thoughts?
@diverseit,

There is a very real explanation for why I recommended it - I was at work, being stopped every 10 seconds (or so it seemed), so when I was selecting the answer, I thought I was selecting your answer. I saw the step-by-step list and clicked that answer thinking it was your answer. Because I was in such a hurry, I did not realize I had already selected your answer and I did not check myself before I responded.

Closing off port 3389 has stopped the brute force attempts and I have not had any problems since closing it. It was the best and easiest thing to do.

So the short version of my answer - I did it because I was a D.E.U. (Dumb End User).

Nobody to blame but myself!
Ok - no problem! Thanks for getting back to me on this.

With your explanation, I am going to remove comment http:#a39458678 as part of your solution so other EE users in the future don't get confused.

Thanks.
No problem - sorry I screwed up in the first place!