
RDP from external network

I have tried DNAT to allow RDP access to the internal network via the XG 210, to no avail.

I was going to use the business application template for a non-HTTP policy to get remote access with port forwarding, but it is no longer listed in the templates.

Very frustrating when you follow the articles but they are either out of date or don't work as stated.

 

I need to get RDP remote access to the internal server via the XG 210 working first, so that I can then set up a site-to-site IPsec VPN or SSL VPN via two remote sites with XGs.

 

Need help

Thanks

 



This thread was automatically locked due to age.
  • Nigel,

    Can you share the dnat you have created?

    Make sure windows firewall is allowing the rdp traffic too.

    Thanks

  • Hi Luk

    The remote sites were connecting to the server via RDP with no probs until I added the XG into the equation.

    The server has a static IP and receives RDP traffic on port 10000.

    Here is the link I followed: https://community.sophos.com/kb/en-us/122976

    • Source Zones: WAN
    • Allowed Client Networks: Any
    • Destination Host/Network: WAN Interface    192.168.3.3
    • Forward Type: Select the port, port range or port list that need to be forward from the WAN to the internal server    10000
    • Protected Servers: Select or create an existing host entry for the server     Server_IP (172.16.30.10)
    • Protected Zone: Select the Zone in which the host resides (LAN or DMZ)    LAN
    • Change Destination Port(s): Only check this if you wish to change ports like redirecting port 80 to port 9000   Not Applicable
    • Rewrite source address (Masquerading): Check    Enabled
    • Optional
    • Create Reflexive Rule: Check if the server will be initiating outgoing connections.

     

    I was going to use this KB, https://community.sophos.com/kb/en-us/123070, but the non-HTTP-based template is no longer listed.

    So is the DNAT rule the closest thing to the non-HTTP-based template?

    Thanks

    Nigel

  • Nigel,

    Since your XG is behind another NAT device, make sure that device is forwarding port 10000 to the XG WAN interface.

    Regards

  • Hi Luk

    I tested port 10000 forwarded to the WAN interface; no RDP access.

    Confirmed tonight that the traffic is not passing through the modem to the XG.

    No log activity.

    It points to the modem.

    Even after disabling its firewall settings, still no traffic passing through.

    I will try a basic modem and let you know.

    Thanks

     

    Nigel

  • Hi Nigel,

    You need to forward the RDP traffic on port 3389: if the incoming port is configured as 1000, then change the Destination Port to 3389 (the default RDP port). Make sure the modem forwards the incoming traffic to the firewall's interface. Take a packet capture on port 1000 and verify whether the XG receives the traffic on the configured port. Refer to the KBA here to do a packet capture.

    If you don't see any traffic on the configured port, then you need to check the modem configuration.

    Thanks

  • Hi Nigel, 

    You may need to check the issue by following the steps below.

    Step 1: Check the port you wish to use to connect via RDP to your internal server. By default, if you did not specify the port, it would use TCP 3389.

    Note: 3389 is the default RDP port. I would advise you to use a custom port (to improve security), e.g. as per the snapshot, I have used port 8763 to connect to the internal server, and it is DNATed to port 3389 as per the configuration of the Business policy.

    Step 2: Check the firewall rule; it would need a DNAT rule / Business Application Rule.

    If configured properly:

    Step 3: Check in System > Diagnostics > Packet Capture, then Configure > BPF String: port 3389 or port 8763

    You should see the incoming traffic and the outgoing traffic. If there is no incoming traffic, then you may need to check your ISP or your gateway (if there is any).

    Command on the console: tcpdump 'port 3389 or port 8763'

    This would give an idea of what may be causing the issue.
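The replies above boil down to one troubleshooting sequence: does the SYN reach the WAN interface on the public port, does the XG translate it to the server's RDP port, and does the server answer? The script below is an added example, not part of this thread or of Sophos' own tooling. It reads tcpdump-style lines (as produced by the console `tcpdump` command or the exported Packet Capture) and reports which of those three stages is missing, using the addresses posted in the thread (WAN interface 192.168.3.3, public port 10000, server 172.16.30.10, RDP port 3389). The client address 203.0.113.5 and the XG LAN address 172.16.30.1 (the source after "Rewrite source address (Masquerading)") are assumptions, and the capture lines are constructed, not real captures.

```python
"""Locate where inbound RDP port forwarding through an XG breaks, from tcpdump lines.

Added example; the addresses below come from the thread except where marked as
assumptions, and the sample captures are constructed.
"""
import re

WAN_IP = "192.168.3.3"        # XG WAN interface (from the thread)
PUBLIC_PORT = 10000           # port the remote sites connect to (from the thread)
SERVER_IP = "172.16.30.10"    # protected server (from the thread)
RDP_PORT = 3389               # default RDP listener on the server
CLIENT_IP = "203.0.113.5"     # assumption: a remote site's public address
XG_LAN_IP = "172.16.30.1"     # assumption: source seen by the server when masquerading is on

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

ADVICE = {
    "no_inbound": "No SYN reached the WAN interface on the public port: check the modem/ISP forwarding.",
    "no_dnat": "SYN arrived but was never sent to the server on 3389: check the DNAT rule and its destination port.",
    "no_server_reply": "SYN was forwarded but no SYN-ACK came back: check the Windows firewall and the RDP listener.",
    "ok": "Three-way handshake seen on both legs; forwarding works.",
}


def parse(line):
    """Return the 5-tuple-ish fields of one tcpdump line, or None for non-TCP/noise lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4)), "flags": m.group(5)}


def is_syn(flags):
    """tcpdump prints a bare SYN as [S] and a SYN-ACK as [S.]."""
    return "S" in flags and "." not in flags


def is_syn_ack(flags):
    return "S" in flags and "." in flags


def diagnose(lines):
    """Classify a capture by the furthest stage the inbound RDP connection reached."""
    inbound = translated = replied = False
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["dst"] == WAN_IP and p["dport"] == PUBLIC_PORT and is_syn(p["flags"]):
            inbound = True                       # stage 1: modem forwarded it to the XG
        elif p["dst"] == SERVER_IP and p["dport"] == RDP_PORT and is_syn(p["flags"]):
            translated = True                    # stage 2: DNAT rewrote dst to server:3389
        elif p["src"] == SERVER_IP and p["sport"] == RDP_PORT and is_syn_ack(p["flags"]):
            replied = True                       # stage 3: server accepted the connection
    if not inbound:
        return "no_inbound"
    if not translated:
        return "no_dnat"
    if not replied:
        return "no_server_reply"
    return "ok"


# Constructed sample captures for the four outcomes (timestamps/seq numbers are illustrative).
SYN_IN = f"12:00:01.000001 IP {CLIENT_IP}.51234 > {WAN_IP}.{PUBLIC_PORT}: Flags [S], seq 1, win 64240, length 0"
SYN_FWD = f"12:00:01.000050 IP {XG_LAN_IP}.51234 > {SERVER_IP}.{RDP_PORT}: Flags [S], seq 1, win 64240, length 0"
SYNACK_BACK = f"12:00:01.000300 IP {SERVER_IP}.{RDP_PORT} > {XG_LAN_IP}.51234: Flags [S.], seq 9, ack 2, length 0"
SYNACK_OUT = f"12:00:01.000350 IP {WAN_IP}.{PUBLIC_PORT} > {CLIENT_IP}.51234: Flags [S.], seq 9, ack 2, length 0"

CAPTURE_OK = [SYN_IN, SYN_FWD, SYNACK_BACK, SYNACK_OUT]
CAPTURE_NO_INBOUND = ["12:00:05.000000 IP 172.16.30.10.49152 > 172.16.30.1.53: UDP, length 40"]  # only unrelated traffic
CAPTURE_NO_DNAT = [SYN_IN, SYN_IN]                 # retransmitted SYNs, nothing goes to the server
CAPTURE_NO_REPLY = [SYN_IN, SYN_FWD, SYN_IN, SYN_FWD]

if __name__ == "__main__":
    for name, cap in [("ok", CAPTURE_OK), ("no inbound", CAPTURE_NO_INBOUND),
                      ("no dnat", CAPTURE_NO_DNAT), ("no reply", CAPTURE_NO_REPLY)]:
        verdict = diagnose(cap)
        print(f"{name:10s} -> {verdict}: {ADVICE[verdict]}")
```

Run it against a real capture by piping `tcpdump -n 'port 10000 or port 3389'` output into `diagnose(sys.stdin)`; the `-n` matters so addresses are not resolved to names, which the regex does not expect. The "no_inbound" verdict is exactly the situation Nigel describes ("no log activity"): the problem is upstream of the XG, so no DNAT change on the XG can fix it.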

     

     

  • Hi Sachingurung

    Thanks for your reply.

    Will be re-testing with your info.

    Nigel

  • Hi Aditya

    Thanks for your reply.

    Will be re-testing with your info.

    Nigel