RE: Internal access to remote external TS?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>,"[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 30 Nov 2004 12:08:24 -0800

Two problems:
1 - This only works for ISA 2004; ISA 2000 cannot perform port translation for 
server publishing.
2 - This is the same thing as I decried before as "security by obscurity"; it's 
a fool's errand.

Tiago was correct; use the highest encryption level on the TS configuration 
(not "FIPS Compliant").

________________________________

From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Tue 11/30/2004 5:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?



http://www.ISAserver.org

Krisna,

I was not talking about changing RDP's port internally like that link
suggests you do not do; I am suggesting you change it externally on your
ISA machine. When it comes in, ISA will still talk to your RDP box on
3389. ;)

Andrew


-----Original Message-----
From: Krisna Keo [mailto:krisnak@xxxxxxxxxxxxxxx]
Sent: Tuesday, November 30, 2004 3:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?

Thank you very much, Andrew, for alerting me to the hot point.
Changing the RDP port is one of the highest-risk things, and Microsoft
does not recommend changing it either unless necessary.
http://support.microsoft.com/kb/187623/EN-US/

Could you let me know whether the RDP port can be usefully changed by most people?

I followed the link to configure my server
http://support.microsoft.com/default.aspx?scid=kb;en-us;294720

Jim, could you please elaborate on "set the encryption to
"ungodly high" and leave it there"? I'm not a native English
speaker.
(Sorry)

Regards,
Krisna

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, November 30, 2004 1:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?

"Security by obscurity".

This isn't worth your time, as any script kiddie worth his (her) salt can
easily find listening ports with some readily-available tools.
Once they have those, they can hit them with some standard
"banner-chasing" toys that'll ferret out your RDP service in no time.
Rather than wasting your time in useless pursuits, set the encryption to
"ungodly high" and leave it there.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!



-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, November 29, 2004 8:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?


I would suggest that you do not use port 3389 as your external port.
3389 is the first thing hackers look for when port hunting because TS is
easy to hack. When you select RDP (Term Services) Server, click on ports
and then enable the firewall port publish and give it a value of 33000
or higher. This way, when you RDP in from the internet into your box(es),
you just need to put a :33000 or whatever the port number is and you're
in. :-)



Andrew





________________________________

From: Krisna Keo [mailto:krisnak@xxxxxxxxxxxxxxx]
Sent: Monday, November 29, 2004 8:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?




Hi Rajia,

Protocol rule:

Allow Terminal Services - OUT
        Description :
        Enabled : True
        Action taken with requests : Allow
        Rule applies to : Selected Protocols
        Protocols : RDP (Terminal Services)
        Rule Applies to : Any Request

Protocol Definition:

RDP (Terminal Services)
        Description : Remote Desktop Protocol (Terminal Services)
        Initial Connection Port Number : 3389
        Initial Protocol Type : TCP
        Initial Direction : Outbound

Hope this helps

Krisna

-----Original Message-----
From: Raji Arulambalam [mailto:RajiA@xxxxxxxxxxxxxx]
Sent: Tuesday, November 30, 2004 8:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Internal access to remote external TS?

Hi

Using ISA Server 2000, what's required to allow an internal client to
access a remote Terminal Services server?

The client has a FW client.

Thanks

RajiA



