
Remote Desktop using non-standard ports - issues

Good Day.

This problem just started (well, noticed it last week, but may have been going on longer).

With the Sophos VPN running from a remote PC, I could RDP to several internal servers and a workstation or two. On most, using a non-standard protocol port # (say 41265 vice 3389). Have all the protocols defined, rules, etc. all done. And it had been working fine for quite a while. The servers and PC's are configured to use the nonstandard port (not doing a port translation to 3389)

Now, when I try through the VPN, it will try and connect - after putting in the logon account and password info, then gives an error message that "an internal error has occurred". As a test, I put in an incorrect password and it immediately tells me "the logon attempt has failed" - just what I would expect. So, it is getting through the authentication stage.

If I am physically on-site, and try RDP from a workstation on the same network, using the same non-standard RDP protocol, it works. So looks like the issue is not with the rdp on the boxes.

There is one PC and one server that are set to use the standard 3389, and through the VPN, they work.

I've gone back over all the rules, and found nothing amiss. Hadn't changed anything.


Any ideas? PC's are Win 10. Mix of server versions.


John S.



  • Forgot to mention the firewall is an SG330, running the latest software.

  • Hey John,

    Do you learn anything from doing #1 in Rulz?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Got the same issue on SG135, UTM 9.5. No solution so far.

    Marco

  • Same here. Possible:

    - false positive caused by current Snort patterns (I assume this after reading your issue)

    - hacker attack wave that started some days ago, searching for a vulnerability in RDP servers

  • I was able to bypass the problem in the Microsoft RDP Client by disabling "Use RD Gateway" in Advanced Settings.

    Marco

  • I've been out of town, then got a cold. I saw some things in the logs. I'll copy them here. They didn't make any sense, but oh well.

  • Here is what the live monitoring shows when attempting:


    10.240.2.4 is the IP address assigned to my remote PC through the Sophos VPN client.

    The PC I'm trying to connect to is 192.168.1.200, using port 52000 as the RDP

    The firewall port is 192.168.1.3

    When I try and connect, I get a logon, and if I enter an incorrect password, it will say so. If I put in the correct password, I get the warnings about "do you recognize this PC", etc., then get "an internal error has occurred". If I'm on site, I can RDP from another workstation using the 52000 port with no problems. And, as I said, this has worked for years, until recently. The remote PC and the destination PC are both Win 10.


    TCP  10.240.2.4 : 15216 → 192.168.1.200 : 52000  [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc

    09:55:39 Default DROP TCP  192.168.1.3 : 3961 → 192.168.1.200 : 52000  [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc

    09:55:39 Default DROP TCP  192.168.1.3 : 3961 → 192.168.1.200 : 52000  [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc

    09:55:40 Default DROP TCP  192.168.1.3 : 3961 → 192.168.21.200 : 52000  [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc

    09:55:49 Packet filter rule #30 TCP  10.240.2.4 : 15220 → 192.168.1.200 : 52000  [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc


  • Check the IPS log, I have seen similar cases where it triggers a signature for non-standard RDP connections. 
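    One way to pick that pattern out of a Firewall Live Log capture like the one above, as an added illustration that is not from this thread or from Sophos: parse each flattened line and flag RSTs whose source is the firewall's own IP (192.168.1.3 here), arriving right after a VPN client's SYN to the same RDP target. The heuristic assumes that a reset sourced from the firewall toward an inside host is the trace of an inline IPS tearing down a session, which is what the IPS log would confirm.

```python
import re

# One flattened UTM Firewall Live Log entry; the timestamp and rule/action
# prefix are optional because the first entry in the capture above lacks them.
LINE_RE = re.compile(
    r'^(?:(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>.*?)\s+)?'
    r'(?P<proto>TCP|UDP)\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<sport>\d+)\s*→\s*'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<dport>\d+)\s+'
    r'\[(?P<flags>[A-Z ,]+)\]'
)

# Constructed sample, mirroring the entries posted in the thread.
SAMPLE_LOG = """
TCP  10.240.2.4 : 15216 → 192.168.1.200 : 52000  [SYN] len=52 ttl=127 tos=0x00
09:55:39 Default DROP TCP  192.168.1.3 : 3961 → 192.168.1.200 : 52000  [RST] len=40 ttl=64 tos=0x00
09:55:39 Default DROP TCP  192.168.1.3 : 3961 → 192.168.1.200 : 52000  [RST] len=40 ttl=64 tos=0x00
09:55:49 Packet filter rule #30 TCP  10.240.2.4 : 15220 → 192.168.1.200 : 52000  [SYN] len=52 ttl=127 tos=0x00
""".strip().splitlines()


def parse_line(line):
    """Return a dict of fields for one live-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['sport'], d['dport'] = int(d['sport']), int(d['dport'])
    return d


def find_firewall_resets(lines, firewall_ip):
    """Return (time, dst, dport) for every RST the firewall itself sends to a
    destination:port that a client previously tried to SYN to. Such resets are
    consistent with an inline IPS killing a matched session (heuristic, not a
    documented Sophos behaviour)."""
    syn_targets = set()
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = (e['dst'], e['dport'])
        if 'SYN' in e['flags'] and e['src'] != firewall_ip:
            syn_targets.add(key)
        elif 'RST' in e['flags'] and e['src'] == firewall_ip and key in syn_targets:
            hits.append((e['time'], e['dst'], e['dport']))
    return hits


if __name__ == '__main__':
    for t, dst, port in find_firewall_resets(SAMPLE_LOG, '192.168.1.3'):
        print(f"{t}: firewall reset toward {dst}:{port} - check the IPS log")
```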

  • John, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the lines corresponding to those above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have monitored my logs for a while now.

    It seems many people run public RDP servers on tcp/443 (to avoid restrictions in hotel and guest networks).

    This is noticed by attackers in China and Russia, and the well-known attack sources try to find RDP servers like this