Terminal Services not working

Status
Not open for further replies.

belyache

IS-IT--Management
Apr 17, 2002
US
Hi:

I have an internal server running Terminal Services that I can't access after installing our PIX 506e.

I was able to allow access to SMTP, FTP, DNS (do I need to allow port 53?), WWW.

However, using the same access list as all of the rest above, Terminal Services still doesn't work. Here is the access-list for Terminal Services:

"access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx eq 3389"
"static (inside,outside) tcp interface 3389 servername 3389 netmask 255.255.255.255 0 0"

Does anyone have any ideas?

Thanks,

Glenn Belyea
belyache@yahoo.com
 
HI.

First of all, allowing TS access could be a security risk, but also are FTP and You should limit the exposure to minimum, and consider using VPN and/or limiting access to TS only from specific source addresses.

There is no need to allow access to your internal DNS server - you should disable this.

Use syslog messages to troubleshoot your problem, in addition to the Event Viewer on the server.

You should try different TS clients (like MSRDPCLI.EXE from the WinXP pro CDROM support folder that can run on any Win9x client).
You should try connecting the TS client directly to the outside interface to troubleshoot routing problems.
Can you use TS from the internal network?

Bye
Yizhar Hurwitz
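
The exposure this reply warns about (Terminal Services, FTP or DNS permitted from `any`) can be checked mechanically; the audit below is an added example, not part of the thread. The sample config and its 192.0.2.x / 198.51.100.x addresses are constructed, and the parser assumes only the simple `permit <proto> <src> <dst> eq <port>` form.

```python
# Added example: flag PIX ACL entries that permit sensitive services from "any".
# Ports named in the reply above: Terminal Services, DNS, FTP.
SENSITIVE = {3389: "Terminal Services", 53: "DNS", 21: "FTP"}
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80}

# Constructed sample config; addresses are documentation ranges, not from the thread.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 192.0.2.10 eq smtp
access-list outside_access_in permit tcp any host 192.0.2.10 eq www
access-list outside_access_in permit tcp any host 192.0.2.10 eq ftp
access-list outside_access_in permit udp any host 192.0.2.10 eq domain
access-list outside_access_in permit tcp any host 192.0.2.10 eq 3389
access-list outside_access_in permit tcp host 198.51.100.7 host 192.0.2.11 eq 3389
"""

def _take_addr(tokens, i):
    """Consume one address spec ("any", "host A", or "A mask") at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2

def audit_acl(config_text):
    """Return (acl, proto, destination, port, service) for each risky permit."""
    findings = []
    for line in config_text.splitlines():
        tokens = line.strip().strip('"').split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        if tokens[3] not in ("tcp", "udp"):
            continue
        try:
            src, i = _take_addr(tokens, 4)
            dst, i = _take_addr(tokens, i)
            if tokens[i] != "eq":
                continue
            port_tok = tokens[i + 1]
        except IndexError:
            continue  # line shorter than the simple form handled here
        port = PORT_NAMES.get(port_tok) or (int(port_tok) if port_tok.isdigit() else None)
        if src == "any" and port in SENSITIVE:
            findings.append((tokens[1], tokens[3], dst, port, SENSITIVE[port]))
    return findings

if __name__ == "__main__":
    for acl, proto, dst, port, service in audit_acl(SAMPLE_CONFIG):
        print(f"{acl}: {service} ({proto}/{port}) to {dst} is open to any source")
```

The last sample line, which names a single source host for port 3389, is the form the reply recommends and is not flagged.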
 
Thanks Yizhar,

I was able to gain access to the terminal server using the XP Remote Desktop Client. I wonder what the difference is?

Thanks for the DNS advice, I killed the access.

My future plans include gaining access to our servers using a VPN, which is why I bought the PIX. I am a little curious about VPN access. When a user connects via VPN, what does the user see? I have never used a VPN before. What client do you use?

Thanks

Glenn
 
HI.

About the Terminal Services problem, you can look at the server Event logs when the failed connections occur, then search the Internet for the error messages and event ID.

About VPN, there are several different solutions.
The recommended solution with pix is using the Cisco unity VPN client (current version 3.5.x) on the remote PC.
Ask your Cisco dealer for the VPN software.
Look at Cisco web site for info:

For VPN configuration on the pix, if you have PIX version 6.2x and PDM version 2.02 or newer, then you can use PDM for the VPN (and other) configuration options.
For older versions and also for the newest you can also use pixcript for VPN config:

What the VPN client will see and be able to access - this is up to you. I recommend that also for VPN clients you should allow only the minimal required services on only the needed server, and not to allow full LAN access unless you really need it.
Remember that VPN, no matter how strongly you secure it, is still another security risk and permitted access through your firewall. (But it is still much better than allowing unauthenticated and unsecure access to internal data).

Bye
Yizhar Hurwitz
 