ScreenOS Firewalls (NOT SRX)
Contributor
FXRguy
Posts: 10
Registered: ‎08-15-2008

RDP Policy

Could someone please help. I am trying to set up access for remote desktop to a machine on my network. I need to be able to "remote" into the machine from home by using Windows Remote Desktop. It seems I did not set up my 5GT correctly, since I cannot gain access. When I am onsite RDP works fine. PLEASE HELP. I have a NetScreen 5GT with firmware 5.4.0r10.0.
Trusted Contributor
Munpe_Q
Posts: 192
Registered: ‎10-02-2008

Re: RDP Policy

Post a sanitized and applicable portion of your config.

-=Q
Contributor
FXRguy
Posts: 10
Registered: ‎08-15-2008

Re: RDP Policy

Source Address > Any

Destination Address > 192.168.X.X  (computer I want the RDP to redirect to)

Service > RDP

Application > none

Action > permit

Tunnel > VPN > none

Tunnel > L2TP > none

Is this all you need?  Thank You for your help

Contributor
AndyT
Posts: 52
Registered: ‎11-21-2008

Re: RDP Policy

If I understand this correctly, you have a NetScreen with two zones, trust and untrust? Trust is your local LAN, and untrust is connected to the internet? And you want to be able to access a PC on your local LAN from home? If this is the case, then you need to sort out address translation and a policy. In terms of address translation you have two options: either a MIP or a VIP. Then you need a policy from untrust -> trust which permits the required source address to the destination translated address for RDP. Then, from home, you need to connect to the translated address you have set up at the office. If you only need to connect from home, then I would recommend restricting the policy to the public IP address of your home connection if it is static... or if it is dynamic, then I would recommend setting up something like DynDNS.
Contributor
FXRguy
Posts: 10
Registered: ‎08-15-2008

Re: RDP Policy

Andyt,

It looks like I don't have the first part complete. Could you please help me out with how to set up the MIP or VIP?

Thanks in advance

Contributor
AndyT
Posts: 52
Registered: ‎11-21-2008

Re: RDP Policy

Sure.

If you only have a single public address, the one assigned to your untrust interface, then I would probably recommend the use of a VIP for address translation. This will allow you to do multiple translations using your one IP address to multiple internal addresses based upon destination port number.

I'm using an NS50 running 5.4.0r10 code to go through this, but the steps should be similar on your kit... From the WebUI...

Create the internal host as an object:

objects | addresses | list | untrust > new | address name : [insert hostname here] | ip address/netmask : [insert ip/snm here] > ok

Create your external source address as an object:

objects | addresses | list | trust > new | address name : [insert hostname here] | ip address/netmask : [insert ip/snm here] > ok

Add RDP as a custom service:

objects | services | custom > new | service name : [rdp] | transport protocol : [tcp] | source port : [1 - 65535] | dest port : [3389] > ok

Create your VIP pointing incoming RDP requests on the public IP address to the internal host:

network | interfaces | untrust | vip | add/modify vip entry | same as untrust interface ip address > add

new vip service | virtual ip : [leave as public ip address auto-populated] | virtual port : [3389] | map to service : [rdp] | map to ip : [insert internal host ip here] > ok

Create the policy to permit the inbound connections:

policies | from : [untrust] | to : [trust] > new | source : [external source] | dest : [vip(ethernet3)] | service : [rdp] | action : [permit] > ok

And that should get you up and running... just point the RDP client running on your home PC at the public IP address of your office...

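The same VIP-plus-policy setup expressed as ScreenOS CLI commands, added here as an illustration; it is not taken from the thread or from Juniper documentation. Assumptions: the 5GT's untrust interface is named `untrust` (the NS50 in the post above shows `ethernet3`), the internal RDP host is 192.168.1.50, the home connection has the static public address 203.0.113.10, the custom service is called `rdp` and the policy gets ID 10; both IPs are documentation ranges, not real hosts. Lines beginning with `#` are annotations for the reader, not CLI input (ScreenOS has no comment syntax). The address objects are placed in the zone where each host actually sits: the RDP host in trust, the home PC in untrust. The commented-out policy shows what the original "Source Address > Any" policy amounts to once the VIP is in place: every host on the internet can reach the RDP listener, which is exactly the exposure the restricted policy below it removes.

```text
# Address objects, each in the zone where the host lives
set address trust "rdp-host" 192.168.1.50 255.255.255.255
set address untrust "home-pc" 203.0.113.10 255.255.255.255

# Custom service: TCP, any source port, destination port 3389
set service "rdp" protocol tcp src-port 0-65535 dst-port 3389-3389

# VIP on the untrust interface address: <public ip>:3389 -> 192.168.1.50:3389
set interface untrust vip interface-ip 3389 "rdp" 192.168.1.50

# Weak form (what "Source Address > Any" means): anyone on the internet may connect
# set policy id 10 from untrust to trust "Any" "VIP(untrust)" "rdp" permit log

# Restricted form: only the home address may reach the VIP, and hits are logged
set policy id 10 from untrust to trust "home-pc" "VIP(untrust)" "rdp" permit log

save

# Verify the policy is installed and watch its counters while you test from home
get policy id 10
```

If the home address is dynamic, as AndyT notes, the `home-pc` object has to track it (DynDNS or a periodic update); otherwise the next lease change locks you out and the temptation is to fall back to `Any`, which should be resisted. Keep `log` on the policy so attempts from unexpected sources show up in the event log.
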
Contributor
FXRguy
Posts: 10
Registered: ‎08-15-2008

Re: RDP Policy

Thank you... I got it!

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.