Setting up Admin and Remote Login for Vendor

Posted on 2013-10-22
Last Modified: 2013-11-07
How do I set up an admin account for my ShoreTel phone vendor? He needs access to a dedicated server called PHONEX.

Would he RDP into my terminal server, then launch another RDP on the terminal server to get to PHONEX?

What type of credentials does he need? He has to be able to install software and make changes to the local server.

The software may need access to Active Directory as well. Last I checked there was something in DNS about ShoreTel.
Question by:MEATBALLHERO
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39591435
If he needs to install software and make changes then he will probably need local admin rights only on that one server.  He should not need elevated rights on any other box.

For AD he probably just needs to be able to connect and read info out of AD which all users have by default (read access by default).

Thanks

Mike
 
LVL 22

Expert Comment

by:mcsween
ID: 39591442
1. I would create a firewall rule to NAT 3389 on an external IP to the internal IP of the PHONEX server.  This procedure is different on every firewall.  If you have limited public IPs you may want to do port translation as well (external port 9999 or something to internal port 3389).  If you tell me what type of firewall you have I can try to help with this rule if I'm familiar with that vendor/model.

2. I would have him RDP directly into the server.

3. He will need Administrator on the local machine if he needs to install software.  If he is modifying DNS records in Active Directory his user account will need to be a member of the "DNSAdmins" AD group.  He will also need the DNS management console installed on the server so he can access DNS.
 

Author Comment

by:MEATBALLHERO
ID: 39591476
I have a SonicWALL TZ210. I have 3 IP addresses available from Comcast. One is used for port forwarding for my TERMINAL SERVER for my sales people.

On my paperwork from Comcast it says I have 3 static IP addresses I should say.

Does this mean I need another router? Or do the 3 come in on the same WAN?
 
LVL 22

Accepted Solution

by:mcsween earned 2000 total points
ID: 39591519
SonicWALL is easy to do port translation; just use your main IP.  Replace IP addresses with yours in your environment.

Public IP - 8.8.8.8
Private IP of PHONEX - 192.168.1.10
Public Port - 9999 (this can be anything not in use)
Private Port - 3389 (This is default RDP port)

1. Create address object called PHONEX in the LAN zone as a host with ip 192.168.1.10
2. Create Service object "Phonex-WAN-RDP" with TCP port 9999
3. Create NAT Rule that looks like the screenshot. (This assumes X1 is your WAN port)
4. Create Firewall rule that looks like the screenshot (also assumes X1 is WAN port)
5. Ensure port TCP 3389 is open on the Server's firewall.
6. Give the vendor the address 8.8.8.8:9999 to use in their RDP client.  Of course, replace 8.8.8.8 with your actual public IP.
NAT.PNG
Firewall.PNG
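
An added example, not part of the original thread: a PowerShell sketch for the server-side part of the answers above (local admin rights on PHONEX only, and step 5, opening TCP 3389 on the server's firewall), with the RDP rule limited to the vendor's source address. The account name, the vendor IP (a documentation-range placeholder) and the 14-day expiry are assumptions, as is the NAT rule leaving the original source IP untranslated so that Windows Firewall sees the vendor's real address.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell 5.1+ session on PHONEX.
# Assumed values: account name, vendor source IP (documentation range), expiry window.
$VendorUser   = 'shoretel-vendor'        # hypothetical account name
$VendorSrcIp  = '203.0.113.25'           # placeholder: replace with the vendor's public IP
$ExpiresAfter = (Get-Date).AddDays(14)   # assumed length of the engagement

# 1. Local account that exists on this server only, with an expiry date.
#    (A local account cannot query AD; if the software needs AD read access,
#    skip this step and pass a DOMAIN\user name to Add-LocalGroupMember instead.)
if (-not (Get-LocalUser -Name $VendorUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $VendorUser"
    New-LocalUser -Name $VendorUser -Password $pw -AccountExpires $ExpiresAfter `
        -Description 'ShoreTel vendor, PHONEX only' | Out-Null
}

# 2. Local Administrators on PHONEX, so the vendor can install software here and nowhere else.
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $VendorUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $VendorUser
}

# 3. Inbound RDP rule on the server's firewall, limited to the vendor's address.
$ruleName = 'RDP from ShoreTel vendor'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $VendorSrcIp -Profile Any | Out-Null
}

# 4. Allow rules are additive: an enabled built-in "Remote Desktop" rule with no
#    address restriction would still admit any source. List them for review.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Profile, Action

# 5. Confirm the result.
Get-LocalUser -Name $VendorUser | Select-Object Name, Enabled, AccountExpires
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The same source-address restriction can be applied on the SonicWALL access rule; the `New-LocalUser` cmdlets require Windows PowerShell 5.1 or later.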