Meraki

Community

L3 Rule for RDP Gateway

Solved
BradHarrison
Conversationalist
‎Nov 22 2023 12:20 PM
‎Nov 22 2023 12:20 PM

L3 Rule for RDP Gateway

Hi, I am having trouble setting up a rule and wanted to see if I could get some help from the community. I setup an RDP Gateway and I want to restrict all traffic over port 3389 so that it has to come from the RDP Gateway. I've set the rule up a few different ways, but none of them look correct. Can anyone help me with what should be the Source and Destination? I've added a screenshot below of how I think the rule should be setup. Im kind of new to Meraki so any help would be greatly appreciated. 

 

BradHarrison_1-1700684292834.png

 

Labels:
0 Kudos
1 Accepted Solution
BradHarrison
Conversationalist
‎Nov 24 2023 6:56 AM
‎Nov 24 2023 6:56 AM

I understand that you are looking to configure a firewall rule to restrict traffic passing through port 3389 to a specific device. In this case, you would need to configure 2 firewall rules; 1 to allow the specific client via IP address (assuming the client has a static IP configured) to port 3389 using TCP and another to deny all traffic to port 3389.
Firewall rules are processed in a top-down manner, which means you would need to order the rules to allow the traffic from the specific IP to port 3389 first, followed by a deny all traffic to port 3389.

View solution in original post

0 Kudos
8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 22 2023 12:37 PM
‎Nov 22 2023 12:37 PM

Let me get this straight, you can only access other machines via RDP through your RDP gateway, would that be it?

If yes, the source will be your RDP gateway, set the source port to any and the destination will be the IP of the machines that must access and the destination port will be 3389.

This is the logic of any firewall, regardless of vendor.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
BradHarrison
Conversationalist
‎Nov 22 2023 12:43 PM
‎Nov 22 2023 12:43 PM

Thanks for the reply. You are correct in saying that all RDP traffic must go through the RDP Gateway. This requires a certificate to be installed on any machine that you want to RDP from, as well as AD permissions for the user. We do this so that we can control who is able to RDP. I will do some testing over the weekend to see if this works. Again, thanks for the quick reply. 

0 Kudos
In response to BradHarrison
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 22 2023 12:56 PM
‎Nov 22 2023 12:56 PM

I also believe you need a rule allowing target users' machines to access the RDP gateway server.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
JJRiebeling
Meraki Employee
Meraki Employee
‎Nov 22 2023 12:43 PM
‎Nov 22 2023 12:43 PM

Could you share the dashboard network link? What is the IP of the RDP gateway?

0 Kudos
Fletch
Meraki Employee
Meraki Employee
‎Nov 22 2023 10:14 PM
‎Nov 22 2023 10:14 PM

I think your issue here is setting the source port to 3389. Your RDP Gateway will pick an ephemeral high-port for its source port.

In response to Fletch
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 23 2023 11:42 AM
‎Nov 23 2023 11:42 AM

+1 to @Fletch .  The source has to be any, and the destination has to be tcp/3389 AND udp/3389.

 

This would only apply if you have the RDP gateway inside of the MX on one VLAN, and it needs to connect to an RDP server on another VLAN (so the actual RDP traffic is flowing through MX VLAN interfaces).

 

Also note there is a setting that in the Server Management console tells the RDP client not to use the gateway for local traffic.  You'll have to make sure you have that turned off so it always uses the gateway.

0 Kudos
BradHarrison
Conversationalist
‎Nov 24 2023 6:56 AM
‎Nov 24 2023 6:56 AM

I understand that you are looking to configure a firewall rule to restrict traffic passing through port 3389 to a specific device. In this case, you would need to configure 2 firewall rules; 1 to allow the specific client via IP address (assuming the client has a static IP configured) to port 3389 using TCP and another to deny all traffic to port 3389.
Firewall rules are processed in a top-down manner, which means you would need to order the rules to allow the traffic from the specific IP to port 3389 first, followed by a deny all traffic to port 3389.

0 Kudos
In response to BradHarrison
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 24 2023 7:01 AM
‎Nov 24 2023 7:01 AM

Yes, like any other firewall. 😊

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.