Screen OS

  • 1.  RDP connection over non standard port SSG5

    Posted 12-18-2013 11:36

    First off I'm a newbie at this so take it easy on me :).

     

    I'm running an SSG5 with ScreenOS 6.3.0r15a.0 (Firewall+VPN) hardware version 710(0).

    I've been trying to get my remote desktop to connect using a different port other than 3389 but I cannot get it to work! When I use port 3389 I can connect fine.

     

    Here are my config settings for the recent steps I've taken:

     

    set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
    set service "RDP" + udp src-port 0-65535 dst-port 3389-3389
    set interface ethernet0/0 vip interface-ip < port number other than 3389 > "RDP" ##.##.##.##
    set policy id 6 name "FTP-RDP" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "FTP" permit
    set service "RDP"

     

    I've trolled the internet for the past couple of days looking for answers and it seems this is the correct setup .. but nothing? Any help with this would be greatly appreciated.

     

    Thanks,

     

    Ron



  • 2.  RE: RDP connection over non standard port SSG5

     
    Posted 12-18-2013 12:54

    Hi 

     

    First, RDP uses the TCP protocol, so you can delete UDP from your service definition.

     

    Second, your security policy is permitting FTP, not RDP, so you need to replace it or add a new policy that allows RDP, the same as you did for FTP.

     

    Regards

     



  • 3.  RE: RDP connection over non standard port SSG5

    Posted 12-18-2013 13:18

    Thanks for the reply Red1! I have one policy that is tied to two services (FTP & RDP) permitting both. Should I create a separate policy for RDP? I'll remove the UDP from the service.

     

    Ok .. I added another policy for RDP and still nothing on ports other than 3389 through VIP 😞 . I must be missing something obvious.

     

    My goal in the end is to be able to type myserver.com:##### in RD and connect.

     

     

    Ron



  • 4.  RE: RDP connection over non standard port SSG5

     
    Posted 12-18-2013 13:28

    Hi 

    Did you remove the UDP from the service?

     

    Could you please post your config again so we can see how it looks?

     

    Regards



  • 5.  RE: RDP connection over non standard port SSG5

    Posted 12-18-2013 13:40

    Red1,

     

    Here is the config. Thanks for your help.

     

    set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 

    set interface ethernet0/0 vip interface-ip 3389 "RDP" 10.0.10.112  <-works

    exit
    set policy id 7 name "RDP" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "RDP" permit log
    set policy id 7
    exit



  • 6.  RE: RDP connection over non standard port SSG5
    Best Answer

     
    Posted 12-18-2013 14:00

    Just to check, replace the service RDP with Any in the security policy:

     

    set policy id 7 name "RDP" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "Any" permit log 

     

    You need to monitor the policy log to see whether the policy is matching traffic or not, using the below command:

     

    get log traffic policy 7

     

    Regards



  • 7.  RE: RDP connection over non standard port SSG5

     
    Posted 12-19-2013 04:34

    Hi,

     

    set interface ethernet0/0 vip interface-ip 3389 "RDP" 10.0.10.112  <-works >>>>>>>>>> So, it works when using the default 3389 port?

     

    If not, then I would suggest you try to get it working on 3389 before going to a different port.

     

    A few more checks:

     

    1. Confirm the custom port is not one of the ports the FW uses for management (80, 443, etc.).

    2. The VIP policy is at the top of the policy list.

    3. Check the policy logs to see if there is any activity.

    4. If you see one-directional traffic in the policy logs and no response from the server, try enabling source NAT with the I/F IP on the policy.

    5. No blocking of the custom port between the client machine and the FW.



  • 8.  RE: RDP connection over non standard port SSG5

    Posted 12-19-2013 05:23

    @ Red1

    Your suggestion on setting the service to ANY on the RDP policy fixed the port forwarding issue 🙂

     

    set policy id 7 name "RDP" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)"

     

    @Gokul

    I have gotten this to work using the default port (3389).

     

    Could either of you explain why this is now working when the service is set to ANY rather than RDP?

     

    Thanks,

     

    Ron
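    The thread's fix widens the VIP policy's service to Any, and Gokul's checklist asks for the custom port to be kept off the firewall's management ports. The audit below is an added example, not code from this thread or from Juniper: it parses the `set service` / `set interface ... vip` / `set policy` lines shown above and reports a VIP policy whose service port range does not cover the port the VIP listens on (the shape of the configuration that failed here), a VIP policy using service Any (least-privilege finding), and a VIP port that collides with a management port. The sample config, the VIP port 5555 and the management-port set are constructed; the thread only names 80 and 443.

```python
import re

# Constructed sample modelled on the thread's config; port 5555 and the
# "RDP-any" policy are made up for illustration, not the poster's real config.
SAMPLE_CONFIG = """
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set interface ethernet0/0 vip interface-ip 5555 "RDP" 10.0.10.112
set policy id 7 name "RDP" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "RDP" permit log
set policy id 8 name "RDP-any" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "Any" permit log
"""

# Ports the thread names as used by the firewall itself for management (assumed set).
MGMT_PORTS = {80, 443}

SERVICE_RE = re.compile(r'set service "([^"]+)" protocol (\w+) src-port \S+ dst-port (\d+)-(\d+)')
VIP_RE = re.compile(r'set interface (\S+) vip interface-ip (\d+) "([^"]+)" (\S+)')
POLICY_RE = re.compile(r'set policy id (\d+) .* from "([^"]+)" to "([^"]+)" "([^"]+)" '
                       r'"VIP\(([^)]+)\)" "([^"]+)" (\w+)')

def parse(config):
    """Extract services (proto, lo, hi), VIP entries and VIP-destination policies."""
    services, vips, policies = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            services[m[1]] = (m[2], int(m[3]), int(m[4]))
        elif m := VIP_RE.match(line):
            vips.append((m[1], int(m[2]), m[3], m[4]))   # iface, ext port, service, host
        elif m := POLICY_RE.match(line):
            policies.append((int(m[1]), m[5], m[6], m[7]))  # id, vip iface, service, action
    return services, vips, policies

def audit(config):
    """Return (policy_id, finding) pairs for permit policies that target a VIP."""
    services, vips, policies = parse(config)
    findings = []
    for pid, iface, svc, action in policies:
        if action != "permit":
            continue
        for vip_iface, ext_port, vip_svc, host in vips:
            if vip_iface != iface:
                continue
            if ext_port in MGMT_PORTS:
                findings.append((pid, f"VIP port {ext_port} collides with a firewall management port"))
            if svc == "Any":
                findings.append((pid, f"service Any permits every port to VIP {iface}; scope it to the VIP for {host}"))
            elif svc in services:
                lo, hi = services[svc][1:]
                if not lo <= ext_port <= hi:
                    findings.append((pid, f"service {svc} ({lo}-{hi}) does not cover VIP port {ext_port}"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` against your own `get config` output to list the policies worth revisiting before settling on service Any.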



  • 9.  RE: RDP connection over non standard port SSG5

     
    Posted 12-19-2013 05:39

    Good to know that. You can check using the policy log to make sure that the policy is matching traffic; you can also enable debug on your SRX and see what happens to the received packets with destination port TCP 3389.

     

    Please check this link:

     

    http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Troubleshooting-Tips-Debug-commands/td-p/6203

     

    Let me know if you need help on debugging.

     

    Regards

    Red1



  • 10.  RE: RDP connection over non standard port SSG5

    Posted 12-19-2013 06:09

    Thanks for your help Red1. Seems all is working right now.



  • 11.  RE: RDP connection over non standard port SSG5

     
    Posted 12-19-2013 06:58

    You are welcome. Could you flag this as the accepted solution?

    Thanks