Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Friday, March 22, 2013

Remote Desktop Services Server behind a firewall 
The Remote Desktop Gateway (RD Gateway) role is used in a Remote Desktop Services infrastructure as the entry point from outside: it is the server that accepts connections from the Internet and forwards them to the internal network.
Obviously, since this server is exposed to the Internet, it should sit in a segregated zone such as a DMZ.
Ports used from the Internet to Remote Desktop Gateway (RD Gateway)
HTTPS (RPC over HTTPS): TCP 443 (destination: RD Gateway; as the forum thread below explains, this port could not be changed before Windows Server 2012)
Ports used from Remote Desktop Gateway (RD Gateway) to the internal network
For authentication
Kerberos: TCP 88 (destination: Domain Controllers)
RPC Endpoint Mapper: TCP 135 (destination: Domain Controllers)
RPC dynamic port (see KB
For authorization
LDAP: TCP 389, UDP 389 (destination: Domain Controllers)
DNS resolution
DNS: TCP 53, UDP 53 (destination: DNS server)
RDP traffic
RDP: TCP 3389 (destination: RDS servers)
Certificate revocation traffic
LDAP: TCP 389, UDP 389; HTTP: TCP 80; FTP: TCP 21 (destination: Domain Controllers / internal CA, depending on where the certificates' CRL distribution points are published)
RADIUS traffic (only if NPS is used)
RADIUS authentication: UDP 1812 (destination: RADIUS server)
RADIUS accounting: UDP 1813 (destination: accounting server)
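As an added example (not part of the original post), the following PowerShell script probes the internal flows listed above from the RD Gateway itself, which is the quickest way to find out which of them the DMZ firewall is actually blocking. The hostnames dc01, rdsh01 and nps01 under corp.example are placeholders; Test-NetConnection only performs a TCP handshake, so the UDP entries are reported as "manual" (verify them with a packet capture on the target), and the cmdlets used require Windows Server 2012 or later.

```powershell
# Added example, not from the original post. Run on the RD Gateway server.
# All hostnames below are placeholders: replace them with your own.
$dc   = 'dc01.corp.example'      # assumed: domain controller (Kerberos, RPC, LDAP, CRL)
$dns  = 'dc01.corp.example'      # assumed: DNS server (often the same DC)
$rdsh = 'rdsh01.corp.example'    # assumed: RD Session Host the gateway forwards RDP to
$nps  = 'nps01.corp.example'     # assumed: NPS/RADIUS server (only if NPS is used)

# The flows from the post. Each one is a distinct firewall rule the DMZ boundary must allow.
$flows = @(
    @{ Purpose = 'Kerberos authentication';     Host = $dc;   Proto = 'TCP'; Port = 88   },
    @{ Purpose = 'RPC endpoint mapper';         Host = $dc;   Proto = 'TCP'; Port = 135  },
    @{ Purpose = 'LDAP authorization';          Host = $dc;   Proto = 'TCP'; Port = 389  },
    @{ Purpose = 'LDAP authorization';          Host = $dc;   Proto = 'UDP'; Port = 389  },
    @{ Purpose = 'DNS resolution';              Host = $dns;  Proto = 'TCP'; Port = 53   },
    @{ Purpose = 'DNS resolution';              Host = $dns;  Proto = 'UDP'; Port = 53   },
    @{ Purpose = 'RDP to session host';         Host = $rdsh; Proto = 'TCP'; Port = 3389 },
    @{ Purpose = 'CRL download over HTTP';      Host = $dc;   Proto = 'TCP'; Port = 80   },
    @{ Purpose = 'RADIUS authentication (NPS)'; Host = $nps;  Proto = 'UDP'; Port = 1812 },
    @{ Purpose = 'RADIUS accounting (NPS)';     Host = $nps;  Proto = 'UDP'; Port = 1813 }
)

# Probe every TCP flow with a real handshake; UDP cannot be verified this way,
# so those rows are flagged for manual verification instead of being guessed at.
$results = foreach ($f in $flows) {
    $status = 'manual'
    if ($f.Proto -eq 'TCP') {
        $tnc = Test-NetConnection -ComputerName $f.Host -Port $f.Port -WarningAction SilentlyContinue
        $status = if ($tnc.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    }
    [pscustomobject]@{
        Purpose = $f.Purpose
        Target  = '{0}:{1}/{2}' -f $f.Host, $f.Port, $f.Proto
        Status  = $status
    }
}
$results | Format-Table -AutoSize

# TCP 135 only reaching the endpoint mapper is not enough: the DC then hands the
# gateway a port from its dynamic RPC range, which the firewall must also allow.
# Once you know a dynamic port the DC uses, test it the same way, e.g.:
#   Test-NetConnection -ComputerName $dc -Port 49155

# DNS is checked end to end (a query through the named server) rather than by socket alone.
try {
    Resolve-DnsName -Name $rdsh -Server $dns -ErrorAction Stop | Out-Null
    'DNS resolution via {0}: OK' -f $dns
}
catch {
    'DNS resolution via {0}: FAILED ({1})' -f $dns, $_.Exception.Message
}

# Finally confirm the gateway is listening on the inbound HTTPS port the Internet side uses.
Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

A row that reports BLOCKED on TCP 88 or 389 shows up to users as a gateway that accepts the TLS session but then fails authentication or authorization; a BLOCKED 3389 to the session host produces a connection that authenticates at the gateway and then times out. Running this after every firewall change is cheaper than reproducing those symptoms from a client on the Internet.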

See the article by Jason Jones for information regarding required ports for a domain member:
In addition to what is mentioned in the article, you will need to open destination port TCP 3389 from your LAN to your test lab if you want LAN users to be able to use Remote Desktop to connect to your RDSH server. Additionally, if your RD Licensing is on your LAN you will need to open many more ports, because RDSH uses RPC to connect to the RDL server.
Change the SSL port for Remote Desktop Gateway
Can you please let us know clearly why port 443 cannot be used for the Gateway service? Can your external firewall have destination-IP-based rules to forward the traffic to port 443?
No, I can't, because the public port of the firewall has a built-in VPN that runs on SSL and takes up 443. What is the rationale for not allowing this to configure a port? You could have an internal website on which you run SSL, or any number of other reasons.
The firewall is a Netgear that is running its SSL VPN.
If you try to set up a rule to forward port 443, you get an error stating you'll have to disable the feature.
I know the firewall won't forward it the way it is, and I'm not changing it for now.
The question is why make something like this where you can't configure the port it uses. Chances are, 443 is going to be used for something else in most environments.
Also, what's the use of RD Web Access if you can access Remote Desktops from the web? I've read about RD Virtualization, which sounds like it has a place, but not being able to use RD Web Access to connect to internal RDs via the web just doesn't make sense. MS already has the technology. Again, look at SBS, which does this nicely.
Assuming everybody can use a specific port, and trying to force them to use it or else, is a terrible design flaw for products that otherwise look to have a lot of promise.
You cannot change the RD Gateway server's port, and you cannot change the port the RD client attempts to connect to the gateway on.
You can accomplish your goal by adding an additional public IP to your firewall's external interface and then forwarding port 443 from that to your RD Gateway.
This depends on the capabilities of your firewall. The key thing I mentioned is adding a second public IP address to the external interface. Once you have done that, you can tell the firewall to have the SSL VPN on the first public IP address, whereas the second public IP address is directed to your RD Gateway.
The type of need you are describing is one of the primary reasons for obtaining multiple public IP addresses from your ISP.
It is not uncommon to have a firewall with many public IP addresses, each one listening on the same port but forwarding to different internal machines. Port 443 is a common example of this; for example, you may have one address that is dedicated to your Exchange server (OWA port 443, SMTP port 25, etc.), another for a secure Extranet on port 443, while still another is for a separate division of the company.
I agree it would be nice to have the ability to change the RD Gateway port; however, at the present time you cannot change it. The solution I have provided will work well (I have this type of config in my own office) if you have a second public IP available *and* your firewall supports multiple public IPs fully. Most business-class firewalls support this without problem.
Keep in mind I am not a Microsoft employee, and they did not get my approval on the RD Gateway feature list.
I am pretty sure (not 100%) that all Netgear routers do *not* support the feature you need. :-( A couple of years ago I did research trying to find a low-cost firewall/router that had proper support for multiple IPs as well as port forwarding based on same, and found that all of them did not. When I say low-cost I mean units like Linksys, Netgear, D-Link, etc. with prices less than $250, many less than $100.
What I have done in your situation is simply purchase a second firewall/router, for example a Linksys or similar that sells for less than $60. I plugged the connection from the ISP's device into a small switch, and then plugged the WAN port of each firewall into the switch as well. This allowed me to have multiple public IP addresses with different port forwarding rules without purchasing a more expensive firewall/router.
Again, I agree with you on the ability to configure the port. I have used this many times (with RDP) as a way to support multiple RD hosts behind a single IP address.
As an FYI: after working with our data provider, I have a second IP address, but the router binds the VPN via SSL on both ports, so as long as it's being used you can't forward port 443 to anything else without turning it off. So it brings me back to my points. 1) With a software solution like this, it doesn't make sense not to allow a user to configure the port. 2) Remote Desktop Web Access: what's the point of this if you can access computers via Remote Desktop via the web? Users can't remember machine names anyway, so you'd be creating RDP connectoids for them to put on their desktop or somewhere anyway, so this seems about useless the way it is.
Windows Server 8 will support changing the port of the RD Gateway. More info:
A list of appropriate references is provided below for further bedtime reading :)
Active Directory focused:
How to configure a firewall for domains and trusts
Active Directory in Networks Segmented by Firewalls
Active Directory Replication over Firewalls
Domain and Forest Trust Tools and Settings
Service overview and network port requirements for the Windows Server system
Restricting Active Directory replication traffic and client RPC traffic to a specific port
Windows 2000 Resource Kit Tool: Rpccfg.exe (RPC Configuration Tool)
ISA Server focused:
Segmenting Networks with ISA 2004 – Filtering access to Domain Controllers
Allowing Intradomain Communications through the ISA Firewall (2004)
Using ISA Server 2006 to Protect Active Directory One-Way Forest Trusts
So, not exactly ground-breaking information, but hopefully handy for those looking for a concise list of Active Directory related protocols (with associated references) when defining ISA Server firewall policies.
