ScreenOS Firewalls (NOT SRX)

RDP Policy

‎11-19-2008 07:00 PM
Could someone please help. I am trying to set access for remote desktop to a machine on my network. I need to be able to "remote" into the machine from home by using Windows Remote Desktop. It seems I did not set up my 5gt correctly since I cannot gain access. When I am onsite RDP works fine. PLEASE HELP. I have a netscreen 5gt with firmware 5.4.0r10.0
6 REPLIES
Re: RDP Policy

‎11-19-2008 10:58 PM

Post a sanitized and applicable portion of your config.

 

 

-=Q

Re: RDP Policy

‎11-20-2008 05:22 AM

 

Source Address > Any

Destination Address > 192.168.X.X  (Computer I want the RDP to redirect to)

Service > RDP

Application > none

Action > permit

Tunnel > VPN > none

            >L2TP >None

 

Is this all you need?  Thank You for your help

Re: RDP Policy

‎11-21-2008 03:42 AM
if i understand this correctly you have a netscreen with two zones - trust and untrust? trust is your local lan, and untrust is connected to the internet? and you want to be able to access a pc on your local lan from home? if this is the case then you need to sort out address translation and a policy. in terms of address translations you have two options - either a mip or a vip. then you need a policy from untrust -> trust which permits the required source address to the destination translated address for rdp.  then, from home you need to connect to the translated address you have setup at the office.  if you only need to connect from home then i would recommend restricting the policy to the public ip address of your home connection if it is static...or if it is dynamic then i would recommend setting up something like dyndns.
Message Edited by AndyT on 11-21-2008 03:47 AM
Re: RDP Policy

‎11-21-2008 05:24 AM

Andyt,

It looks like I don't have the first part complete.  Could you please help me out with how to set up the mip or vip.

 

Thanks in advance

Re: RDP Policy

‎11-21-2008 06:17 AM

sure.

 

if you only have a single public address, the one assigned to your untrust interface, then i would probably recommend the use of a vip for address translation.  this will allow you to do multiple translations using your one ip address to multiple internal addresses based upon destination port number.

 

i'm using an ns50 running 5.4.0r10 code to go through this, but the steps should be similar on your kit...   from the webui...

 

create the internal host as an object:

 

objects | addresses | list | untrust > new | address name : [insert hostname here] | ip address/netmask : [insert ip/snm here] > ok 

 

create your external source address as an object: 

 

objects | addresses | list | trust > new | address name : [insert hostname here] | ip address/netmask : [insert ip/snm here] > ok 

 

add rdp as a custom service: 

 

objects | services | custom > new | service name: [rdp] | transport protocol : [tcp] | source port : [1 - 65535] | dest port : [3389] > ok 

 

create your vip pointing incoming rdp requests to the public ip address to the internal host: 

 

network | interfaces | untrust | vip | add/modify vip entry | same as untrusted interface ip address > add

 

new vip service | virtual ip : [leave as public ip address auto-populated] | virtual port : [3389] | map to service : [rdp] | map to ip: [insert internal host ip here] > ok

 

create the policy to permit the inbound connections:

 

policies | from : [untrust] | to : [trust] > new | source : [external source] | dest : [vip(ethernet3)] | service : [rdp] | action : [permit] > ok

 

and that should get you up and running...just point the rdp client running on your home pc at the public ip address of your office... 
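
The advice earlier in the thread to restrict the inbound policy to the home connection's public address can be checked against a saved config. The following is an added example, not part of the thread and not Juniper code: it flags Untrust-to-Trust permit policies that allow a TCP 3389 service from source "Any". The `set service` / `set policy id` line layout, the names and the policy ids in the sample are constructed assumptions, and only custom services defined in the config are recognized.

```python
import shlex

RDP_PORT = 3389

# Constructed sample in the style of a saved ScreenOS config; names and
# policy ids are placeholders, not taken from the thread.
SAMPLE_CONFIG = '''
set service "rdp" protocol tcp src-port 1-65535 dst-port 3389-3389
set service "web-alt" protocol tcp src-port 1-65535 dst-port 8080-8081
set policy id 1 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "rdp" permit
set policy id 2 from "Untrust" to "Trust"  "home-pc" "VIP(ethernet3)" "rdp" permit log
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "web-alt" permit
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
'''

def rdp_services(lines):
    """Names of custom TCP services whose dst-port range includes 3389."""
    names = set()
    for line in lines:
        tok = shlex.split(line)
        if tok[:2] == ["set", "service"] and "dst-port" in tok and "tcp" in tok:
            lo, _, hi = tok[tok.index("dst-port") + 1].partition("-")
            if int(lo) <= RDP_PORT <= int(hi or lo):
                names.add(tok[2].lower())
    return names

def open_rdp_policies(config):
    """Policy ids permitting RDP from Untrust to Trust with source Any."""
    lines = [l for l in config.splitlines() if l.strip()]
    services = rdp_services(lines)
    hits = []
    for line in lines:
        tok = shlex.split(line)
        # Assumed layout: set policy id N from ZONE to ZONE SRC DST SERVICE ACTION ...
        if tok[:3] != ["set", "policy", "id"] or len(tok) < 12:
            continue
        pid, src_zone, dst_zone = tok[3], tok[5], tok[7]
        src, service, action = tok[8], tok[10], tok[11]
        if ((src_zone, dst_zone) == ("Untrust", "Trust") and action == "permit"
                and src.lower() == "any" and service.lower() in services):
            hits.append(int(pid))
    return hits

if __name__ == "__main__":
    print("Policies exposing RDP to any source:", open_rdp_policies(SAMPLE_CONFIG))
```

A policy id in the result is one where the source should be narrowed to a specific address object, as the reply above recommends for a static home address.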

 

Re: RDP Policy

‎11-21-2008 07:34 AM

Thank you... I got it!