vernaldrich (asker) asked:
WAN PAT RDP

I have a network of 15 Windows machines that currently have RDP port forwarded through a MikroTik RouterOS using dst-nat (destination NAT) rules that forward port 3389 to each workstation, using the syntax WAN IP:"unique port number" in the Remote Desktop Connection dialog. E.g., 215.93.43.43:60001 lands the RDP protocol on one local workstation, 215.93.43.43:60002 lands the RDP protocol on another, etc.
I thought it would be straightforward to implement this on a Cisco RV260, but am not seeing a way to tie the RDP service (port 3389) into port forwarding rules associated with dynamic port numbers that are then forwarded.
Thank you for your help.
Tags: Windows OS, Cisco, Networking, Desktops
Kimputer

https://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/RV260/Admin_Guide/b_RV260x_AG.pdf 

Go to the PDF page 89 (printed as page 81). Firewall > Port Forwarding
It's EXACTLY the same principle. External service (you need to add 15 custom ones, starting with 60001, all the way up to 60015). Internal service is RDP (or port 3389). The rest should be quite obvious.
kevinhsieh

Note that it is not safe to port forward RDP. RDP really needs to be protected by VPN or RDP Gateway. RDP is a major ransomware vector.

If you insist on opening naked RDP to the world, be sure that the built-in administrator account is disabled or has a long random password. Make sure machines are automatically patching. Make sure that account lockout policies are enabled. Be sure all accounts have long, strong passwords.
Kimputer

Truedat, but if possible, just have each machine available to a small whitelist of allowed IP numbers. You're already in the Firewall section anyway :)
vernaldrich (asker)

I examined this prior to posting, and don't see it working. It doesn't provide for interpreting the syntax 215.93.43.43:60001. The GUI doesn't allow using colons, so where is 60001 interpreted as 3389?

Although I can label the custom Service rule as 60001, and assign any port as the port start and another as the port end, the issue is to allow external devices to be able to enter the same WAN IP with a colon and distinct port number that then routes RDP (port 3389) to a specific internal workstation.

If you think it will work, please provide executable steps. Thank you.
vernaldrich (asker)

VPN implementation is the next step (within a few weeks). All the steps mentioned by Kevinhsieh are in play. Thanks for the input Kevin. What am I missing on the ability to associate the dynamic port number tacked onto the external IP with routing a specific protocol (port 3389) to a specific internal address?
arnold

Have not accessed RV or the Cisco small business models.
It used to be that the WAN port on the external is the same port on the internal to which it is forwarding.

You could alter the port on which each workstation listens to match the WAN port you are setting.

Note, you would need to change this when the VPN functionality is set up.
kevinhsieh
Sorry, I don't have access to any SMB Cisco gear. All my experience is with their enterprise kit.
ASKER CERTIFIED SOLUTION
Kimputer

vernaldrich (asker)
Wow. Thank you for your explanation, Kimputer. My mind wasn't wrapped around the OSI model.

Now I must thank you for your indulgence as I reveal my (prior?) ignorance and attempt to solidify my understanding with 2 questions:

1) If 215.93.43.43:60001 is entered in the RDC dialog, will the application/session data be encapsulated and routed on port 60001 rather than 3389?
2) Would that mean that the RDP would not be recognized as RDP until it is PAT'd back onto port 3389 and received on that port by the endpoint?

Thanks again. Whatever the maximum reward is on Experts Exchange, you've earned it!
arnold

Have not seen the interface for the RV router you are using.
Commonly they had a rule of the form:
WAN port    local IP       local port
60001       192.168.0.3    3389
The formatting of this rule might differ.

In an SMB, retail-type router, the WAN IP is implied.
Kimputer

When using 215.93.43.43:60001 in your RDP window, the Cisco RV will accept it, as your rule states 60001 should go to internal IP nr xxx (which you've input in one of the FIFTEEN rules), to port 3389. If your rule doesn't exist, nothing will happen with the RDP connection.
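To make the point of the two questions above concrete, here is an added model of the PAT table the router is keeping (example code written for this page, not from the thread or from Cisco/MikroTik). The router never inspects the RDP payload: it matches the (WAN IP, external TCP port) pair of an inbound SYN against a rule table and rewrites the destination to (internal host, 3389), so the workstation only ever sees port 3389. The block also renders the same table as MikroTik RouterOS dst-nat commands restricted to a source address list, which is how Kimputer's "small whitelist of allowed IPs" would be applied to the setup described in the question. The internal host addresses, the client network 203.0.113.0/24 and the address-list name `rdp_allowed` are constructed assumptions; 215.93.43.43 and ports 60001 onward come from the question.

```python
"""PAT-table model for per-port RDP forwarding (added example, not from the thread).

Matching is on (WAN IP, external port) only; the payload is irrelevant to the
router.  translate() returns the rewritten destination or None when the router
would drop the packet (no rule, or source not on the allow list).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, int]                  # (internal IP, internal port)
PatTable = Dict[Tuple[str, int], Rule]  # (WAN IP, external port) -> Rule

WAN_IP = "215.93.43.43"   # WAN address from the question
RDP_PORT = 3389
FIRST_EXT_PORT = 60001

# Constructed internal addresses for the 15 workstations (assumption).
WORKSTATIONS = [f"192.168.0.{11 + i}" for i in range(15)]

# Constructed allow list of remote client networks; 203.0.113.0/24 is
# documentation space standing in for the real office/VPN range (assumption).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def build_pat_table(wan_ip: str, hosts: List[str],
                    first_port: int = FIRST_EXT_PORT,
                    internal_port: int = RDP_PORT) -> PatTable:
    """One rule per host: external port first_port+i -> (host, internal_port)."""
    table: PatTable = {}
    for i, host in enumerate(hosts):
        ext_port = first_port + i
        if not 1 <= ext_port <= 65535:
            raise ValueError(f"external port {ext_port} out of range")
        ipaddress.ip_address(host)  # reject malformed internal addresses early
        table[(wan_ip, ext_port)] = (host, internal_port)
    return table


def translate(table: PatTable, allowed, src_ip: str,
              dst_ip: str, dst_port: int) -> Optional[Rule]:
    """Resolve an inbound TCP SYN to its rewritten (internal IP, port).

    Returns None when the source is outside the allow list or no rule matches
    the (WAN IP, external port) pair; either way the RDP client gets nothing.
    """
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in allowed):
        return None
    return table.get((dst_ip, dst_port))


def routeros_commands(table: PatTable, list_name: str = "rdp_allowed") -> List[str]:
    """Render the table as RouterOS '/ip firewall nat' dst-nat rules.

    The src-address-list restriction assumes an address list named list_name
    already exists on the router (assumption, not from the thread).
    """
    cmds = []
    for (wan_ip, ext_port), (host, int_port) in sorted(table.items()):
        cmds.append(
            "/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp "
            f"dst-address={wan_ip} dst-port={ext_port} "
            f"to-addresses={host} to-ports={int_port} "
            f"src-address-list={list_name} comment=\"RDP to {host}\""
        )
    return cmds


if __name__ == "__main__":
    pat = build_pat_table(WAN_IP, WORKSTATIONS)
    # Allow-listed client typing 215.93.43.43:60001 in the RDC dialog.
    print(translate(pat, ALLOWED_SOURCES, "203.0.113.7", WAN_IP, 60001))
    # Same external port from an address not on the list: dropped.
    print(translate(pat, ALLOWED_SOURCES, "198.51.100.9", WAN_IP, 60001))
    for cmd in routeros_commands(pat)[:2]:
        print(cmd)
```

The RV260 GUI expresses the same table as one port-forwarding rule per row (external service on 60001..60015, internal service RDP/3389), so the model above is the shared logic behind both the MikroTik and the Cisco configurations.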


vernaldrich (asker)

Right. I was over-complicating things, conflating the need for data payload recognition (port 3389), which doesn't need to happen until the endpoint, with routing/transporting that payload.

Thanks again for your patience.