Advisory: Sophos Endpoint - "Your connection isn't private." We're aware of a certificate issue and are actively working to resolve it. Please see: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Desktop using non-standard ports - issues

Good Day.

This problem just started (well, noticed it last week, but may have been going on longer).

With the Sophos VPN running from a remote PC, I could RDP to several internal servers and a workstation or two. On most, using a non-standard protocol port # (say 41265 vice 3389). Have all the protocols defined, rules, etc. all done. And it had been working fine for quite a while. The servers and PC's are configured to use the nonstandard port (not doing a port translation to 3389)

Now, when I try through the VPN, it will try and connect - after putting in the logon account and password info, then gives an error message that "an internal error has occurred". As a test, I put in an incorrect password and it immediately tells me "the logon attempt has failed" - just what I would expect. So, it is getting through the authentication stage.

If I am physically on-site, and try RDP from a workstation on the same network, using the same non-standard RDP protocol, it works. So looks like the issue is not with the rdp on the boxes.

There is one PC and one server that are set to use the standard 3389, and through the VPN, they work.

I've gone back over all the rules, and found nothing amiss. Hadn't changed anything.

 

Any ideas? PC's are Win 10. Mix of server versions.

 

John S.



This thread was automatically locked due to age.
Parents
  • Hey John,

    Do you learn anything from doing #1 in Rulz?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is what the live monitoring shows when attempting:

     

    10.240.2.4 is the IP address assigned to my remote PC through the Sophos VPN client.

    The PC I'm trying to connect to is 192.168.1.200, using port 52000 as the RDP

    The firewall port is 192.168.1.3

    When I try and connect, I got a logon, and if I enter an incorrect password, it will say so. If I put in the correct password, get the warnings about do you recognize this PC, etc. etc.,, then get "an internal error has occurred". If I'm on site, I can RDP from another workstation using the 52000 port with no problems. And, as I said, this has worked for years, until recently. The remote PC and the destination PC are both Win 10.

     

    TCP  
    10.240.2.4 : 15216
     →
    192.168.1.200 : 52000
      
    [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

     

    09:55:39 Default DROP TCP  
    192.168.1.3 : 3961
     →
    192.168.1.200 : 52000
      
    [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

     

    09:55:39 Default DROP TCP  
    192.168.1.3 : 3961
     →
    192.168.1.200 : 52000
      
    [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

     

    09:55:40 Default DROP TCP  
    192.168.1.3 : 3961
     →
    192.168.21.200 : 52000
      
    [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

    09:55:49 Packet filter rule #30 TCP  
    10.240.2.4 : 15220
     →
    192.168.1.200 : 52000
      
    [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

Reply
  • Here is what the live monitoring shows when attempting:

     

    10.240.2.4 is the IP address assigned to my remote PC through the Sophos VPN client.

    The PC I'm trying to connect to is 192.168.1.200, using port 52000 as the RDP

    The firewall port is 192.168.1.3

    When I try and connect, I got a logon, and if I enter an incorrect password, it will say so. If I put in the correct password, get the warnings about do you recognize this PC, etc. etc.,, then get "an internal error has occurred". If I'm on site, I can RDP from another workstation using the 52000 port with no problems. And, as I said, this has worked for years, until recently. The remote PC and the destination PC are both Win 10.

     

    TCP  
    10.240.2.4 : 15216
     →
    192.168.1.200 : 52000
      
    [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

     

    09:55:39 Default DROP TCP  
    192.168.1.3 : 3961
     →
    192.168.1.200 : 52000
      
    [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

     

    09:55:39 Default DROP TCP  
    192.168.1.3 : 3961
     →
    192.168.1.200 : 52000
      
    [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

     

    09:55:40 Default DROP TCP  
    192.168.1.3 : 3961
     →
    192.168.21.200 : 52000
      
    [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

    09:55:49 Packet filter rule #30 TCP  
    10.240.2.4 : 15220
     →
    192.168.1.200 : 52000
      
    [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
     

Children
  • Check the IPS log, I have seen similar cases where it triggers a signature for non-standard RDP connections. 

  • John, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the lines corresponding to those above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks all. It was the Intrusion Prevention. I put in an exception to skip Intrusion Prevention for all requests going to the internal PC's IP address and using the non-standard RDP tcp port.

    Just tried through the VPN and kicked right in.