Hi, I am having trouble setting up a rule and wanted to see if I could get some help from the community. I set up an RDP Gateway and I want to restrict all traffic over port 3389 so that it has to come from the RDP Gateway. I've set the rule up a few different ways, but none of them look correct. Can anyone help me with what the Source and Destination should be? I've added a screenshot below of how I think the rule should be set up. I'm kind of new to Meraki, so any help would be greatly appreciated.
I understand that you are looking to configure a firewall rule to restrict traffic passing through port 3389 to a specific device. In this case, you would need to configure two firewall rules: one to allow the specific client via IP address (assuming the client has a static IP configured) to port 3389 using TCP, and another to deny all traffic to port 3389.
Firewall rules are processed in a top-down manner, which means you would need to order the rules to allow the traffic from the specific IP to port 3389 first, followed by a deny all traffic to port 3389.
Let me get this straight, you can only access other machines via RDP through your RDP gateway, would that be it?
If yes, the source will be your RDP gateway, the source port will be any, the destination will be the IP of the machines that must be accessed, and the destination port will be 3389.
This is the logic of any firewall, regardless of vendor.
Thanks for the reply. You are correct in saying that all RDP traffic must go through the RDP Gateway. This requires a certificate to be installed on any machine that you want to RDP from, as well as AD permissions for the user. We do this so that we can control who is able to RDP. I will do some testing over the weekend to see if this works. Again, thanks for the quick reply.
I also believe you need a rule allowing target users' machines to access the RDP gateway server.
Could you share the dashboard network link? What is the IP of the RDP gateway?
I think your issue here is setting the source port to 3389. Your RDP Gateway will pick an ephemeral high-port for its source port.
+1 to @Fletch. The source port has to be any, and the destination has to be tcp/3389 AND udp/3389.
This would only apply if you have the RDP gateway inside of the MX on one VLAN, and it needs to connect to an RDP server on another VLAN (so the actual RDP traffic is flowing through MX VLAN interfaces).
Also note there is a setting in the Server Management console that tells the RDP client not to use the gateway for local traffic. You'll have to make sure you have that turned off so it always uses the gateway.
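The thread's rule logic (allow from the gateway with any source port first, then deny everything else to 3389, evaluated top-down) can be checked before touching the dashboard. The following is an added example, not Meraki code or anything posted in the thread: a small first-match evaluator over a rule list laid out like the dashboard's L3 rules (the field names policy/protocol/srcCidr/srcPort/destCidr/destPort, the gateway address 10.0.10.5 and the server VLAN 10.0.20.0/24 are all assumptions constructed for illustration). It also shows the two mistakes raised above: setting the source port to 3389, and putting the deny above the allow.

```python
"""Top-down (first-match) model of the RDP-gateway L3 rule set.

Added example, not Meraki's code. The rule layout mirrors the dashboard's
L3 firewall rule fields as an assumption; all addresses are constructed.
"""
import copy
import ipaddress

GATEWAY_IP = "10.0.10.5"       # constructed: static address of the RDP Gateway
RDP_SERVERS = "10.0.20.0/24"   # constructed: VLAN holding the machines reached over RDP

# Ordered as the thread recommends: allow from the gateway first, then deny the rest.
# srcPort is "any" because the gateway picks an ephemeral high port for each session.
RULES = [
    {"comment": "RDP from gateway (TCP)", "policy": "allow", "protocol": "tcp",
     "srcCidr": f"{GATEWAY_IP}/32", "srcPort": "any",
     "destCidr": RDP_SERVERS, "destPort": "3389"},
    {"comment": "RDP from gateway (UDP)", "policy": "allow", "protocol": "udp",
     "srcCidr": f"{GATEWAY_IP}/32", "srcPort": "any",
     "destCidr": RDP_SERVERS, "destPort": "3389"},
    {"comment": "Block all other RDP", "policy": "deny", "protocol": "any",
     "srcCidr": "any", "srcPort": "any", "destCidr": "any", "destPort": "3389"},
    {"comment": "Default rule", "policy": "allow", "protocol": "any",
     "srcCidr": "any", "srcPort": "any", "destCidr": "any", "destPort": "any"},
]


def _cidr_match(spec, ip):
    """True if spec is 'any' or the address falls inside the CIDR."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    """True if spec is 'any' or the port is in a comma-separated list of ports/ranges."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (policy, comment) of the first rule that matches the flow, top-down.

    Falls through to an implicit allow when nothing matches, as the dashboard's
    trailing default rule does.
    """
    for r in rules:
        if r["protocol"] not in ("any", proto):
            continue
        if not (_cidr_match(r["srcCidr"], src_ip) and _port_match(r["srcPort"], src_port)):
            continue
        if not (_cidr_match(r["destCidr"], dst_ip) and _port_match(r["destPort"], dst_port)):
            continue
        return r["policy"], r["comment"]
    return "allow", "implicit default"


def misconfigured_rules():
    """The mistake from the thread: allow rules keyed on source port 3389.

    The gateway never sends from 3389, so its sessions skip the allow rules
    and hit the deny.
    """
    bad = copy.deepcopy(RULES)
    for r in bad[:2]:
        r["srcPort"] = "3389"
    return bad


def reversed_rules():
    """The other mistake: the deny placed above the gateway allow rules."""
    return [RULES[2]] + RULES[:2] + [RULES[3]]


if __name__ == "__main__":
    # Flows are (proto, src_ip, src_port, dst_ip, dst_port); ports are constructed.
    flows = [
        ("tcp", GATEWAY_IP, 51234, "10.0.20.7", 3389),   # gateway, ephemeral source port
        ("udp", GATEWAY_IP, 51235, "10.0.20.7", 3389),   # gateway, UDP transport
        ("tcp", "10.0.30.44", 51236, "10.0.20.7", 3389), # workstation bypassing the gateway
        ("tcp", "10.0.30.44", 51237, "10.0.20.7", 443),  # unrelated traffic, untouched
    ]
    for name, rules in (("correct", RULES), ("srcPort=3389", misconfigured_rules()),
                        ("deny first", reversed_rules())):
        for f in flows:
            print(name, f, "->", evaluate(rules, *f))
```

The evaluator is vendor-neutral, which is the point made in the thread: only the ordering and the any-source-port detail matter, and both can be exercised against sample flows before the rule set is pushed live.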
Yes, like any other firewall. 😊