RDP not happening
-
I have WAN connections from 3 different ISPs.
- ISP 'A'
- ISP 'B'
- ISP 'C'.
They all terminate at a pfSense box which works as failover.
The desktops on the LAN segment need to access a Windows Server at a client location using RDP on port 1010. (Well, they are doing port forwarding at the client location. I know, very bad idea... but that's beyond my control.)
My concern is that the RDP is randomly not happening at times. After 4 days of breaking my head I discovered that whenever the RDP packets go through ISP 'A', the Windows Server is not accessible.
So I added a firewall rule which passes the packets through ISP 'B' or ISP 'C' if the destination is the Windows Server's static IP. Well, that solves the issue. But I am not able to understand why it is not working through ISP 'A'.
To my surprise, Client's ISP is also ISP 'A'.
I am not able to understand whether it is the ISP that is to blame or a misconfiguration at the client end.
I know it is not exactly a pfSense issue, but this forum has always come to my rescue.
Any pointers will be helpful.
Regards,
Ashima -
Urgent Update...
Our ISP is saying that the static IP given by them to us has got blacklisted. This morning they provided us a new static IP. After working for two hours, RDP is again not happening.
I doubt it is to do with the IP getting blacklisted. I checked at mxtoolbox.com: the IP is showing as blacklisted on the website by Barracuda. Rest all is green.
Can anyone help? It is getting critical as the work is getting stuck. Thanks
Ashima -
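The blacklist check described above can be scripted so that the WAN address of each ISP link is re-checked the moment RDP stops working, instead of waiting for a web lookup. The Python script below is an added example, not code from this thread or from pfSense. It builds the reversed-octet DNSBL query names itself and queries two public zones; b.barracudacentral.org and zen.spamhaus.org are real zones, but choosing them here, and relying on the RFC 5782 convention that 127.0.0.2 is always listed as a test address, are assumptions for the example. The resolver is injectable so the logic can be exercised offline with constructed answers.

```python
"""Check an IPv4 WAN address against DNS-based blocklists (DNSBLs).

Added example, not from the forum thread. The zones in DNSBL_ZONES are
real public zones, but their selection here is an assumption for the
example; return-code meanings differ per operator, so the script reports
the raw code rather than interpreting it.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Optional

# Zones to query (assumption for this example; add or remove as needed).
DNSBL_ZONES = ("b.barracudacentral.org", "zen.spamhaus.org")

# Address that RFC 5782 says every DNSBL should list, for testing lookups.
DNSBL_TEST_ADDRESS = "127.0.0.2"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name for an IPv4 address.

    A lookup for 203.0.113.9 in zone Z asks for the A record of
    9.113.0.203.Z. An answer inside 127.0.0.0/8 means "listed";
    NXDOMAIN (no address at all) means "not listed".
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer: Optional[str]) -> str:
    """Turn a DNSBL A-record answer (or None for NXDOMAIN) into a verdict."""
    if answer is None:
        return "not listed"
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # Real DNSBL verdicts are always in 127/8. Anything else usually means
        # the recursive resolver rewrites NXDOMAIN (common on ISP resolvers),
        # so the result cannot be trusted either way.
        return f"unexpected answer {answer}; resolver may be rewriting NXDOMAIN"
    return f"listed (return code {answer})"


def lookup(ip: str, zone: str,
           resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Query one zone. 'resolve' is injectable so the logic can run offline."""
    qname = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(qname)
    except OSError as exc:
        # socket.gaierror is an OSError. EAI_AGAIN is a temporary resolver
        # failure, not an NXDOMAIN, and must not be reported as "clean".
        if isinstance(exc, socket.gaierror) and \
                exc.errno == getattr(socket, "EAI_AGAIN", None):
            return "lookup failed (temporary DNS error); do not treat as clean"
        answer = None
    return interpret_answer(answer)


def check_all(ip: str, zones=DNSBL_ZONES,
              resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Query every zone for one address and return {zone: verdict}."""
    return {zone: lookup(ip, zone, resolve) for zone in zones}


if __name__ == "__main__":
    # Usage: python dnsbl_check.py <WAN address>. Without an argument the
    # RFC 5782 test address is used, which should come back as listed if
    # lookups are working at all.
    target = sys.argv[1] if len(sys.argv) > 1 else DNSBL_TEST_ADDRESS
    for zone, verdict in check_all(target).items():
        print(f"{target} in {zone}: {verdict}")
```

Run it once with no argument first: if 127.0.0.2 does not come back as listed, the resolver in use is not returning DNSBL answers and any "not listed" result for the real WAN address is meaningless.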
You're using a port which is used by the malware DolyTrojan. Change the port to the default and test again.
Be happy to have an ISP that blocks malware traffic. Since it is working for a couple of hours, I'm pretty sure that your ISP A is blocking traffic in order to prevent malware traffic.
-
Thanks Bahsig for replying.
The server is at the client location. Our branches access it using RDP. We don't have much say in configuring the server at the client location.
Btw, wiki says 1010 is the unofficial port assigned to ThinLinc.
Also, it's not that the RDP is sometimes working and sometimes not. It is working through certain ISPs from one particular branch and through another ISP at some other location.
I'll google more about DolyTrojan.
Any other suggestions?
Regards,
Ashima -
Use a VPN for the RDP traffic. You should be doing that anyway, but it will also hide the port in use, so it should prevent this.
Of course, if you can't change the port you probably also can't set up a VPN.
Steve
-
Thanks @stephenw10.
A few queries:
- Is it possible to do VPN even when the IP is blacklisted on either side (client as well as our side)?
- Can we run an IPsec server on the pfSense firewall (we have a pfSense firewall already running as an OpenVPN server) and make the client connect through an IPsec client? Basically the client wants to install any commercial firewall (Fortinet or Sophos).
We don't have much say on the client side.
Any pointers, please help.
Regards,
Ashima -
-
Hi,
1 => Your (LAN) clients (the servers) could run their own VPN server on these servers; they will use this VPN server to access their RDP (on the same server) after the VPN connection. VPN clients wouldn't blacklist their own IPs on one or both sides ;)
You will have to NAT a port for every incoming VPN connection; no more need to NAT RDP access (one should never use RDP over the net without VPN or IPsec). VPN, IPsec, whatever.
any commercial firewall (Fortinet or Sophos)
Same thing: clients can do what they want with their servers. Not a problem or issue for you.
-
Yes, it depends where the blacklist filtering is happening, but it's probably at the client firewall. They might be able to just whitelist your IP.
But running RDP over a VPN of some sort is definitely what you should be doing there.
Steve
-
Yes, I agree RDP over VPN is the safest solution. That's how all our branches are connected to HO. But this particular client is refusing to put up a firewall, especially pfSense (all bad politics). He has done port forwarding for RDP at port 1010. Also he has enabled WAN-side pinging of his router.
The blacklisting is happening at the ISP level. Our WAN IP and the client's IP keep reappearing on the blacklist.
Let's wait and watch till the server gets hacked and he understands the importance of a firewall.
Thank you all for the suggestion.
-
I guess that will do it but....
Can he not just change the port he's forwarding from?
Steve
-
How will changing the port help? Right now he is using 1010 for RDP. Can you suggest which port he should use?
To my surprise his router's login page is accessible from the WAN side at port 80 and 443. He is using Huawei HG630 modem.
Thanks
Ashima -
@ashima said in RDP not happening:
To my surprise his router's login page is accessible from the WAN side at port 80 and 443. He is using Huawei HG630 modem.
Can you suggest which port should he use?
Seeing it that way, I suggest port "3389".
This probably triggers your ISP: "blocked because no reasonable network setup permits RDP access".
When this happens you could change your client's ideas about the subject. -
Port 1010, which they are using now, is commonly used by malware, as discussed above. It's probably that triggering whatever is adding it to the blacklist.
They can forward from any port, so just choose some higher, unknown port.
If his router is open to the internet he has bigger problems! But it might be because you are coming from a known subnet he has opened rules for.
Steve