Netgate Discussion Forum

RDP/RemoteApp via FQDN only!

  • entr0py
    last edited by Jan 12, 2018, 9:52 PM

    I'm hoping to find a way to restrict RDP/RemoteApp access via WAN IP and only allow connections using FQDN. In other words, when connecting remotely via "any.domain.com:port" an RDP/RemoteApp connection would be established, but RDP/RemoteApp connections using "WAN IP (x.xx.x.xx):port" would get blocked. Is this at all possible and what is the best way to accomplish this?

    • Grimson Banned
      last edited by Jan 12, 2018, 11:45 PM

      @entr0py:

      Is this at all possible…

      Nope, all connections use the IP to connect, whether they resolve it via DNS or use it directly is not known by the firewall.

      You really should learn the basics of networking first.

      • keyser Rebel Alliance
        last edited by Jan 13, 2018, 9:55 AM

        You can’t do that with RDP directly.
        But if you install “Remote Desktop Gateway Services” on a Windows Server, that will provide RDP access tunneled through HTTPS.
        When going through HTTPS you can do exactly what you are looking for with e.g. HAProxy as a reverse proxy on pfSense. There you can do an ACL that only allows connections over HTTPS with the proper URL entered by the client.

        Love the no fuss of using the official appliances :-)

        • Harvy66
          last edited by Jan 13, 2018, 6:01 PM

          An analogy would be "I want people to get to my house using a map and not just driving from memory". The only way to do this is to directly control the client, nothing you can know when someone shows up at your house.

          • Mats
            last edited by Jan 13, 2018, 7:52 PM

            @keyser:

            You can’t do that with RDP directly.
            But if you install “Remote Desktop Gateway Services” on a Windows Server, that will provide RDP access tunneled through HTTPS.
            When going through HTTPS you can do exactly what you are looking for with e.g. HAProxy as a reverse proxy on pfSense. There you can do an ACL that only allows connections over HTTPS with the proper URL entered by the client.

            This works - I have it running on my home fw.

            1 Reply Last reply Reply Quote 0
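
A sketch of the hostname ACL keyser describes, written as raw haproxy.cfg syntax. This is an added example, not configuration posted by anyone in the thread. The pfSense HAProxy package builds the equivalent through its GUI. Port 443, the backend address 192.0.2.10 and the certificate and CA file paths are assumptions; any.domain.com is the placeholder name from the first post.

```haproxy
# Added example: RD Gateway published through HAProxy, reachable by FQDN only.
# All names, addresses and paths below are placeholders (assumptions).

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # RD Gateway sessions are long-lived; allow upgraded connections to stay open.
    timeout tunnel  1h

frontend rdgw_https
    # strict-sni: abort the TLS handshake unless the ClientHello carries an SNI
    # name that matches a loaded certificate. A client that dials the bare
    # WAN IP sends no SNI, so it is dropped before any HTTP is exchanged.
    bind :443 ssl crt /etc/haproxy/certs/any.domain.com.pem strict-sni

    # Second check at the HTTP layer: the Host header must be the published
    # name (with or without the explicit port). Anything else gets a 403.
    acl host_rdgw hdr(host) -i any.domain.com any.domain.com:443
    http-request deny deny_status 403 unless host_rdgw

    default_backend rdgw

backend rdgw
    # Re-encrypt to the Remote Desktop Gateway server and verify its certificate
    # against the internal CA instead of trusting it blindly.
    server rdgw1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem
```

This filters clients that connect to the IP address without knowing the name; it is not authentication, since any client that learns the hostname can send it. Access control still rests on the RD Gateway's own authentication and policies.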