Screen OS

I have RDP working on the standard port of 3389 to a single host from untrust to trust.  Is it possible to RDP to more than one host with port forwarding, untrust tcp port 3390 to trust tcp port 3389 for host B, untrust tcp port 3391 to trust tcp port 3389 for host C, etc?

Yes why not. The overview steps mentioned by you are correct. Please don't forget that the remote host connecting using mstsc needs to specify the port (as it will not be the default 3389).

 

Regards

 

Farrukh

Has anyone actually done this?  I've had no luck.

 

Initial RDP service:          TCP Source 0-65535, Destination 3389-3389

Initial VIP service:             VIP same as untrusted interface, Virtual Port 3389, Mapped to Intial RDP service, Mapped to Host A

Policy Untrust to Trust:    Source Any, Destination VIP(untrust), Service Inital RDP service, Action Permit

set vip multi-port

 

2nd RDP service:            TCP Source 3390-3390, Destination 3389-3389

2nd VIP serivce:               VIP same as untrusted interface, Virtual Port 3390, Mapped to 2nd RDP service, Mapped to Host B

Policy Untrust to Trust:    Source Any, Destination VIP(untrust), Service 2nd RDP service, Action Permit

 

Intial RDP connection works, 2nd doesn't

Yes, it should work fine, you will need to make sure the VIP mapping is correct thats all eg:

 

set interface ethernet0/0 vip 172.24.28.139 + 1332 "RDP" 192.168.4.50

set interface ethernet0/0 vip 172.24.28.139 + 1330 "RDP" 192.168.4.220

 

From the above you can see that I am mapping ports 1332 and 1330 to the RDP service for clients 192.168.4.50 and 192.168.4.220 respectively.

 

I think you probably did not map the vip probably in your configuration. If you are using the WebUI, you need to:

Network > Interfaces > Edit > VIP/VIP Services

 

It should look something like this:

 

Ok, I see you only need one RDP custom service defined.  I now have in my config:

 

set service "Remote Desktop 3389" protocol tcp src-port 0-65535 dst-port 3389-3389 

 

set interface untrust vip untrust 3389 "Remote Desktop 3389" 10.0.1.2 manual
set interface untrust vip untrust 3392 "Remote Desktop 3389" 10.0.1.1 manual

 

set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "Remote Desktop 3389" permit

 

 

 

RDP to untrustip works

RDP to untrustip:3392 doesn't

Hmm, I think the windows RDP will try on 3389 by deafult did you check on that?

 

Or you can do  in the RDP windowL

X.X.X.X: Y (X is the IP, Y is the port)

Yes, that's what I meant when I typed in my last post:

 

RDP to untrustip works

RDP to untrustip:3392 doesn't

 

Launch Remote Desktop, Computer is untrustedIP (x.x.x.x) works

Launch Remote Desktop, Computer is untrustedIP:3392 (x.x.x.x:3392) doesn't work.

 

I am familiar with remote desktop.  I was using RDP to 4 different Windows hosts with port forwarding on a broadband router.  I am trying to replace the broadband router with a Netscreen 5GT with ScreenOS 5.4.0r12..

Can you run a quick debug flow basic?

 

set ff src-ip X.X.X.X

set ff dst-ip X.X.X.X (X is the PC you are trying to initiate the RDP from )

 

debug flow basic

--> try to rdp

--> fails

--> Press esc key

get db str (post this)

 

the debugs will tell us more why its failing

Here's the debug.

 

Thanks for taking the time to look at this.

Hi

 

I looked through but I did not see any packets on the 3392 port ? Am I missing something?

 

I think I will contact Juniper support directly.  Thanks for your help

Ok, got it working with help from Juniper support

 

set service "RDP 3389" protocol tcp src-port 0-65535 dst-port 3389-3389

set service "RDP 3392" protocol tcp src-port 0-65535 dst-port 3392-3392

 

set vip multi-port

 

set interface untrust vip untrust 3389 "RDP 3389" Host A manual

set interface untrust vip untrust 3392 "RDP 3389" Host B manual

 

set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "RDP 3389" permit

set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "RDP 3392" permit