
Remote Desktop using non-standard ports - issues

Good Day.

This problem just started (well, noticed it last week, but may have been going on longer).

With the Sophos VPN running from a remote PC, I could RDP to several internal servers and a workstation or two. On most, using a non-standard protocol port # (say 41265 vice 3389). Have all the protocols defined, rules, etc. all done. And it had been working fine for quite a while. The servers and PCs are configured to use the nonstandard port (not doing a port translation to 3389).

Now, when I try through the VPN, it will try and connect - after putting in the logon account and password info, then gives an error message that "an internal error has occurred". As a test, I put in an incorrect password and it immediately tells me "the logon attempt has failed" - just what I would expect. So, it is getting through the authentication stage.

If I am physically on-site, and try RDP from a workstation on the same network, using the same non-standard RDP protocol, it works. So it looks like the issue is not with the RDP on the boxes.

There is one PC and one server that are set to use the standard 3389, and through the VPN, they work.

I've gone back over all the rules, and found nothing amiss. Hadn't changed anything.

 

Any ideas? PCs are Win 10. Mix of server versions.

 

John S.



  • I tried again today, after updating to version 9.601-5 last night.

    The IPS log shows something interesting.

    The firewall log doesn't seem to show anything different than live log.

     

     

    10.240.2.4 is the IP address assigned to my remote PC through the Sophos VPN client.

    The PC I'm trying to connect to is 192.168.1.200, using port 52000 as the RDP

    The firewall port is 192.168.1.3
     Firewall external IP is 86.5.5.10

    (the IPs have been changed to protect the innocent)

        IPS Log

    2019:03:08-08:59:31 86.5.5.10 snort[5362]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="10.240.2.4" dstip="192.168.1.200" proto="6" srcport="16360" dstport="52000" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"


         Firewall Log

    08:59:22 Packet filter rule #30 TCP 10.240.2.4 : 16356 → 192.168.1.200 : 52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:22 Default DROP TCP 192.168.1.3 : 15220 → 192.168.1.200 : 52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:22 Default DROP TCP 192.168.1.3 : 15220 → 192.168.1.200 : 52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:22 Default DROP TCP 192.168.1.3 : 15220 → 192.168.1.200 : 52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:23 Default DROP TCP 192.168.1.3 : 15220 → 192.168.1.200 : 52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:26 Default DROP TCP 192.168.1.3 : 15220 → 192.168.1.200 : 52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:30 Default DROP TCP 192.168.1.3 : 15220 → 192.168.1.200 : 52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:31 Packet filter rule #30 TCP 10.240.2.4 : 16360 → 192.168.1.200 : 52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
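
The two logs in the post can be lined up by TCP 4-tuple to see which component acted on the RDP session. The following is an added example, not part of the original post and not Sophos code: it parses the `key="value"` IPS line and a subset of the firewall entries quoted above (joined one per line, an assumption about the export format) and reports firewall entries that share a flow with an IPS drop. Function names are hypothetical.

```python
import re

# Sample lines copied from the post above; firewall live-log entries are
# joined onto one line each (an assumption made for this example).
IPS_LOG = '2019:03:08-08:59:31 86.5.5.10 snort[5362]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="10.240.2.4" dstip="192.168.1.200" proto="6" srcport="16360" dstport="52000" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"'
FW_LOG = """\
08:59:22 Packet filter rule #30 TCP 10.240.2.4 : 16356 → 192.168.1.200 : 52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
08:59:22 Default DROP TCP 192.168.1.3 : 15220 → 192.168.1.200 : 52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
08:59:31 Packet filter rule #30 TCP 10.240.2.4 : 16360 → 192.168.1.200 : 52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
"""

KV = re.compile(r'(\w+)="([^"]*)"')
FW = re.compile(
    r'(?P<time>\d\d:\d\d:\d\d) (?P<rule>.+?) TCP\s+'
    r'(?P<src>[\d.]+) : (?P<sport>\d+)\s+→\s+'
    r'(?P<dst>[\d.]+) : (?P<dport>\d+)\s+\[(?P<flags>\w+)\]')

def parse_ips(line):
    """Return the key="value" fields of an IPS log line plus its time of day."""
    fields = dict(KV.findall(line))
    fields["time"] = line.split()[0].split("-")[-1]  # 2019:03:08-08:59:31 -> 08:59:31
    return fields

def parse_fw(text):
    """Return one dict per firewall entry that matches the expected layout."""
    return [m.groupdict() for m in map(FW.search, text.splitlines()) if m]

def correlate(ips_line, fw_text):
    """List firewall entries whose 4-tuple matches a flow the IPS dropped."""
    alert = parse_ips(ips_line)
    if alert.get("action") != "drop":
        return []
    flow = (alert["srcip"], alert["srcport"], alert["dstip"], alert["dstport"])
    return [
        {"time": e["time"], "fw_rule": e["rule"], "flags": e["flags"],
         "sid": alert["sid"], "reason": alert["reason"]}
        for e in parse_fw(fw_text)
        if (e["src"], e["sport"], e["dst"], e["dport"]) == flow
    ]

if __name__ == "__main__":
    for hit in correlate(IPS_LOG, FW_LOG):
        print(hit)
```

On these lines the only match is the 08:59:31 SYN from source port 16360, which matched packet filter rule #30 and belongs to the same flow the IPS logged with `action="drop"` under sid 49040.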
