
Author Topic: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc  (Read 14102 times)

blm225

  • Level 1 Member
  • Posts: 5

I am having big problems getting the firewall to work with Remote Desktop Gateway (2008 R2 Enterprise). I do not use a DMZ nor do I want to expose any Windows Server to the DMZ.
I also cannot get my bizhubs to relay SMTP with port 25 outbound for a scan to PDF email function.
iPhones, iPads, and iTunes are unable to download and update Apps unless I allow the All TCP/UDP service on the Allow_Standard rule.
I am using the following rules:
http-outbound-av-wcf ALG with the default http-outbound-av-wcf service port 80
allow_dns rule with dns-all service port 53
allow_https with the https service (no ALG) port 443
allow_smtp with the smtp_inbound_av service port 25
allow_pop3 with the pop3_inbound_av service port 110
I am using OSPF routing. I have internet access to most sites. Outbound SSL/TLS seems to work and we are using Microsoft BPOS hosted Exchange that communicates with RPC over HTTP successfully. DNS works and the DFL can access and obtain updates to AV and IDP.

There does not appear to be any rules that are specific for outbound or inbound services that I can set explicitly. The documentation states that opening a port in a rule allows for inbound and outbound traffic.

The rule-based access control in NetDefend is much more difficult to configure than Cisco IOS, but we are a D-Link shop with a large number of layer 2 & 3 switches.

So what is the deal? I can't seem to get these critical services configured properly. Help is needed here.
Thanks

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #1 on: September 15, 2011, 07:41:04 PM »

Show your rules as a screenshot.
What DNS server do you use on the clients?
Can you ping from a client to the internet by DNS name? By IP?
BR, Alexandr Danilov

blm225

  • Level 1 Member
  • Posts: 5
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #2 on: September 16, 2011, 01:42:04 PM »

I am using an internal AD DNS and forward to the NetDefend and WAN DNS.
I can ping IP addresses and resolve names.

For remote desktops, even using a static IP does not connect from the gateway.


| # | Name | Action | Source interface | Source network | Destination interface | Destination network | Service |
|---|------|--------|------------------|----------------|-----------------------|---------------------|---------|
| 1 | drop_smb-all | Drop | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | smb-all (destination ports 135-139, 445) |
| 2 | allow_ping-outbound | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | ping-outbound |
| 3 | allow_ftp-passthrough_av | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | ftp-passthrough-av (destination port 21) |
| 4 | allow_standard | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | all_tcpudp (destination ports 0-65535) |
| 5 | Allow_DNS | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | dns-all (destination port 53) |
| 6 | Allow_SSL | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | https (destination ports 443, 587) |
| 7 | allow_smtp | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | smtp-inbound-av (destination ports 25, 33333) |
| 8 | Allow_pop3 | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | pop3-inbound-av (destination port 110) |
« Last Edit: September 16, 2011, 01:59:51 PM by blm225 »

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #3 on: September 16, 2011, 09:45:47 PM »

Following your rules, all TCP/UDP/ICMP traffic is allowed outbound.
Also, rules 5-8 are not working because of rule 4 (all_tcpudp).

So, you are trying to connect from the LAN behind the DFL to RDP where? The internet?
BR, Alexandr Danilov

blm225

  • Level 1 Member
  • Posts: 5
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #4 on: September 17, 2011, 08:26:57 PM »

I reset rule 4 to:
4 | allow_standard | NAT | lan | lannet (192.168.0.0/24) | wan1 | all-nets (0.0.0.0/0) | http-outbound-av-wcf (destination ports 80, 2086; 2086 is for one of my users to access a web console)

I opened up the wan to allow for iPad updates to pass through. I have since closed the Allow_Standard to above.

For Windows Server 2008 R2, the Remote Desktop Gateway is supposed to only use port 443 for RDP communications with an internet-based client. With an old-style internet router (Netgear FVS124G), an allow TCP/UDP rule to send to the server by IP from the destination WAN IP worked without issues.

Here I am not using UDP, but from what I understand it is not used in this situation.

I have tried a port mapping rule to no avail. Below is just one of the configurations.

1 | Allow_rdp_1 | SAT | any | all-nets (0.0.0.0/0) | core | wan_ip_1 (209.33.76.80) | SSL_TLS (destination port 443)

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #5 on: September 17, 2011, 08:49:48 PM »

I don't understand: what's your traffic direction? Inbound (WAN>LAN) or outbound (LAN>WAN)?

Regarding the SAT rule, after it you need to make a similar Allow/NAT rule (same source/destination/service).
BR, Alexandr Danilov

blm225

  • Level 1 Member
  • Posts: 5
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #6 on: September 17, 2011, 10:45:41 PM »

For RD Gateway, the traffic is going to be inbound from the WAN to the RD Gateway server using port 443. The traffic is secured using the SSL certificate, so AV and WCF do not work here.
An Allow rule to the WAN gets blocked because of internal private IP traffic leaking out on the internet. (I actually did a Spiceworks scan of 172.26.x.x and was able to look at a lot of internal networks because of bad firewall configurations.)

For the iPads and iPhones connecting to the AppStore I believe the issue lies in secure traffic (port 443) since it works when I use the all_tcpudp service.

I don't understand why the SMTP send does not work since it is using port 25 and as long as my authentication is using the same domain from sender to recipient, the email goes through. I may have to use some SAT rules for the Multifunction-printers as well (we use Konica Bizhubs scan and send function).

Part of my problems seems to be understanding what the rule-based system is actually doing. When there are clear outcome-based examples such as:
Rule XXX SAT or NAT
From interface x net x to interface y net y using service Z with route x net to ip y will result in traffic flow where service Z uses source port(s) k and destination port(s) j

Don't even get me started on setting up IPsec VPN tunnels, since one of the examples shut down all internet traffic when I configured it (I have since removed that configuration).

I know that AV and WCF are blocking some traffic on port 80, and I do use AV on port 25 SMTP and POP3 port 110, but I am not blocking external web-based email, music downloads, or anything else reasonable. Even when I turn off the ALGs I am not getting through on the iTunes downloads. I removed blocked file extensions also.

Basically in a nutshell:
RD Gateway <- WAN works with old firewall router with rule for port 443 TCP/UDP
SMTP outbound port 25 -> WAN works with old firewall no rules necessary
iTunes AppStore <-> allows authentication on NetDefend but not secure download of apps or updates. Works (of course) with old firewall, no rule necessary.

Thanks for your replies.
« Last Edit: September 17, 2011, 10:47:27 PM by blm225 »

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #7 on: September 18, 2011, 07:25:42 PM »

To publish some port (get inbound traffic), you need to make a rule chain:
  SAT    wan/all-nets  core/wan_ip  yourservice   (SAT: new destination = yourprivatehost)
  Allow  wan/all-nets  core/wan_ip  yourservice

If you need to publish the HTTP, HTTPS, SSH or SNMP ports (used by the DFL itself), first you need to change them on the DFL. For example, for HTTP/HTTPS go to System > Remote management > Advanced settings.
BR, Alexandr Danilov
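The two points that decide this thread, top-down first match (Reply #3: rule 4 all_tcpudp shadows rules 5-8) and the SAT + Allow pair needed to publish a port (Reply #7), as an added example that is not part of the thread or of D-Link's software. It is a simplified Python model of the posted rule set, with constructed placeholder addresses for the WAN IP and the RD Gateway host; the probe and SAT semantics are the author's simplification, not NetDefendOS code.

```python
# Added example (not from the thread or from D-Link): first-match model of a NetDefendOS-style rule set.
from ipaddress import ip_address, ip_network

def rule(name, action, src_if, src_net, dst_if, dst_net, protos, ports, new_dst=None):
    # ports: inclusive (low, high) ranges, () for ICMP; new_dst: SAT translation target
    return dict(locals())

def matches(r, pkt):
    ok_if = r["src_if"] in ("any", pkt["src_if"]) and r["dst_if"] in ("any", pkt["dst_if"])
    ok_net = (ip_address(pkt["src"]) in ip_network(r["src_net"])
              and ip_address(pkt["dst"]) in ip_network(r["dst_net"]))
    ok_port = pkt["proto"] == "icmp" or any(lo <= pkt["dport"] <= hi for lo, hi in r["ports"])
    return ok_if and ok_net and pkt["proto"] in r["protos"] and ok_port

def evaluate(rules, pkt):
    """Top-down first match; a SAT hit only records its translation, the first non-SAT hit decides."""
    new_dst = None
    for r in (r for r in rules if matches(r, pkt)):
        if r["action"] != "SAT":
            return r["name"], r["action"], new_dst
        new_dst = r["new_dst"]
    return None, "Drop", new_dst  # nothing matched: the implicit default drop

def probe_for(r):
    # a constructed packet that ought to hit r: first address of each net, first port of the service
    return dict(src_if=r["src_if"], src=str(ip_network(r["src_net"]).network_address),
                dst_if=r["dst_if"], dst=str(ip_network(r["dst_net"]).network_address),
                proto=r["protos"][0], dport=r["ports"][0][0] if r["ports"] else 0)

def shadowed(rules):
    """Non-SAT rules that even their own probe never reaches because an earlier rule wins."""
    return [r["name"] for r in rules
            if r["action"] != "SAT" and evaluate(rules, probe_for(r))[0] != r["name"]]

TCP, TCPUDP, ICMP = ("tcp",), ("tcp", "udp"), ("icmp",)
LAN_OUT = ("lan", "192.168.0.0/24", "wan1", "0.0.0.0/0")
POSTED_RULES = [  # blm225's outbound rules from Reply #2, in the order posted
    rule("drop_smb-all", "Drop", *LAN_OUT, TCPUDP, ((135, 139), (445, 445))),
    rule("allow_ping-outbound", "NAT", *LAN_OUT, ICMP, ()),
    rule("allow_ftp-passthrough_av", "NAT", *LAN_OUT, TCP, ((21, 21),)),
    rule("allow_standard", "NAT", *LAN_OUT, TCPUDP, ((0, 65535),)),
    rule("Allow_DNS", "NAT", *LAN_OUT, TCPUDP, ((53, 53),)),
    rule("Allow_SSL", "NAT", *LAN_OUT, TCP, ((443, 443), (587, 587))),
    rule("allow_smtp", "NAT", *LAN_OUT, TCP, ((25, 25), (33333, 33333))),
    rule("Allow_pop3", "NAT", *LAN_OUT, TCP, ((110, 110),)),
]
PUBLISH_RDG = [  # Reply #7's SAT + Allow pair for TCP/443; WAN IP and RDG host are constructed placeholders
    rule("sat_rdg", "SAT", "wan1", "0.0.0.0/0", "core", "198.51.100.1/32", TCP, ((443, 443),), "192.168.0.10"),
    rule("allow_rdg", "Allow", "wan1", "0.0.0.0/0", "core", "198.51.100.1/32", TCP, ((443, 443),)),
]
```

Running `shadowed(POSTED_RULES)` names rules 5-8, and replacing rule 4 with the narrowed http-outbound-av-wcf rule from Reply #4 makes the list empty; `evaluate(PUBLISH_RDG[:1], ...)` shows that the SAT rule alone still drops the inbound 443 packet.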

blm225

  • Level 1 Member
  • Posts: 5
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #8 on: September 19, 2011, 05:00:45 PM »

OK. Let me see if I can get this correct.
One port mapping rule:
Allow_rdp_1 | SAT | wan1 | all-nets (0.0.0.0/0) | core | wan_ip | SSL_TLS (destination port 443)
This part I don't quite get (SAT: new destination = yourprivatehost) unless you are referring to above.
Next rule:
Allow_WAN_RDG | Allow | wan1 | all-nets (0.0.0.0/0) | core | wan_ip | SSL_TLS (destination port 443)

Now if you mean I need a SAT rule from the LAN private host (RD Gateway) to core, I am not sure what you are doing exactly. That is where things are a bit confusing as far as how the rule logic determines the traffic flow.

My remote management works fine over the lan and I can backdoor VPN into the old firewall to directly connect to a server if necessary to access the network. I only use HTTPS and SSH for remote management.


danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-860E configuration problems, SMTP outbound, Remote Desktop Gateway, etc
« Reply #9 on: September 19, 2011, 07:39:38 PM »

Change the HTTPS management port in System > Remote management > Advanced settings.
Then your HTTPS SAT+Allow will work.
BR, Alexandr Danilov