04-13-2009 06:58 AM
04-13-2009 07:13 AM
Yes why not. The overview steps mentioned by you are correct. Please don't forget that the remote host connecting using mstsc needs to specify the port (as it will not be the default 3389).
Regards
Farrukh
04-13-2009 10:00 AM
Has anyone actually done this? I've had no luck.
Initial RDP service: TCP Source 0-65535, Destination 3389-3389
Initial VIP service: VIP same as untrusted interface, Virtual Port 3389, Mapped to Initial RDP service, Mapped to Host A
Policy Untrust to Trust: Source Any, Destination VIP(untrust), Service Initial RDP service, Action Permit
set vip multi-port
2nd RDP service: TCP Source 3390-3390, Destination 3389-3389
2nd VIP service: VIP same as untrusted interface, Virtual Port 3390, Mapped to 2nd RDP service, Mapped to Host B
Policy Untrust to Trust: Source Any, Destination VIP(untrust), Service 2nd RDP service, Action Permit
Initial RDP connection works, 2nd doesn't.
04-13-2009 10:11 AM
Yes, it should work fine, you will need to make sure the VIP mapping is correct, that's all, e.g.:
set interface ethernet0/0 vip 172.24.28.139 + 1332 "RDP" 192.168.4.50
set interface ethernet0/0 vip 172.24.28.139 + 1330 "RDP" 192.168.4.220
From the above you can see that I am mapping ports 1332 and 1330 to the RDP service for clients 192.168.4.50 and 192.168.4.220 respectively.
I think you probably did not map the vip probably in your configuration. If you are using the WebUI, you need to:
Network > Interfaces > Edit > VIP/VIP Services
It should look something like this:
04-13-2009 11:02 AM
Ok, I see you only need one RDP custom service defined. I now have in my config:
set service "Remote Desktop 3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set interface untrust vip untrust 3389 "Remote Desktop 3389" 10.0.1.2 manual
set interface untrust vip untrust 3392 "Remote Desktop 3389" 10.0.1.1 manual
set policy id 2 from "Untrust" to "Trust" "Any" "VIP(untrust)" "Remote Desktop 3389" permit
RDP to untrustip works
RDP to untrustip:3392 doesn't
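
An added example, not part of the original post and not Juniper code: a small Python script that turns the "set service" and "set interface ... vip" lines quoted above into a table of which port on the VIP reaches which internal host, useful for auditing what a VIP configuration exposes to the untrust side. Assumptions: the host-side port is taken from the custom service's dst-port, and the function names are invented for this sketch.

```python
import shlex

# Constructed sample input: the four config lines quoted in the post above.
SAMPLE = """\
set service "Remote Desktop 3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set interface untrust vip untrust 3389 "Remote Desktop 3389" 10.0.1.2 manual
set interface untrust vip untrust 3392 "Remote Desktop 3389" 10.0.1.1 manual
set policy id 2 from "Untrust" to "Trust" "Any" "VIP(untrust)" "Remote Desktop 3389" permit
"""

def parse(config):
    """Return ({service: (lo, hi)}, [(vip, virtual_port, service, host)])."""
    services, vips = {}, []
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["set", "service"] and "dst-port" in tok:
            lo, hi = tok[tok.index("dst-port") + 1].split("-")
            services[tok[2]] = (int(lo), int(hi))
        elif tok[:2] == ["set", "interface"] and tok[3:4] == ["vip"]:
            # Drop the "+" that appends a port to an existing VIP.
            rest = [t for t in tok[4:] if t != "+"]
            if len(rest) >= 4:
                vips.append((rest[0], int(rest[1]), rest[2], rest[3]))
    return services, vips

def exposure_table(config):
    """One row per VIP entry: (vip, virtual_port, host, host_port)."""
    services, vips = parse(config)
    rows = []
    for vip, vport, service, host in vips:
        # Assumption: the host-side port is the service's dst-port; None when
        # the service is not defined in the supplied config (e.g. predefined).
        lo, hi = services.get(service, (None, None))
        rows.append((vip, vport, host, lo if lo == hi else None))
    return rows

def duplicate_virtual_ports(config):
    """(vip, virtual_port) pairs that appear more than once."""
    seen, dupes = set(), set()
    for vip, vport, _, _ in parse(config)[1]:
        (dupes if (vip, vport) in seen else seen).add((vip, vport))
    return sorted(dupes)

if __name__ == "__main__":
    for vip, vport, host, hport in exposure_table(SAMPLE):
        print(f"{vip}:{vport} -> {host}:{hport}")
```
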
04-13-2009 11:21 AM
Hmm, I think the Windows RDP will try on 3389 by default, did you check on that?
Or you can do in the RDP window:
X.X.X.X: Y (X is the IP, Y is the port)
04-13-2009 11:32 AM
Yes, that's what I meant when I typed in my last post:
RDP to untrustip works
RDP to untrustip:3392 doesn't
Launch Remote Desktop, Computer is untrustedIP (x.x.x.x) works
Launch Remote Desktop, Computer is untrustedIP:3392 (x.x.x.x:3392) doesn't work.
I am familiar with remote desktop. I was using RDP to 4 different Windows hosts with port forwarding on a broadband router. I am trying to replace the broadband router with a Netscreen 5GT with ScreenOS 5.4.0r12.
04-13-2009 01:01 PM
Can you run a quick debug flow basic?
set ff src-ip X.X.X.X
set ff dst-ip X.X.X.X (X is the PC you are trying to initiate the RDP from )
debug flow basic
--> try to rdp
--> fails
--> Press esc key
get db str (post this)
The debugs will tell us more why it's failing.
04-13-2009 01:24 PM
Here's the debug.
Thanks for taking the time to look at this.
04-13-2009 01:29 PM
Hi
I looked through but I did not see any packets on the 3392 port? Am I missing something?