Sydney1323
New Contributor II

Issues with Firewall Policies for RDP Access

Dear Team,

I'm having issues with RDP firewall policies and accessing the web GUI of the FortiGate. This is my WAN to LAN network from the host machine to the guest. I'm accessing the firewall from the host machine (DMZ network).
I have created a firewall policy for my Windows RDP server as follows:

    From: WAN (192.168.2.47)    To: LAN (10.10.10.1)
    Source: All                 Destination: RDP Server Virtual IP
                                External Network: 0.0.0.0 mapped to 10.10.10.22 (Windows Server)
                                External Port: 3389 mapped to port: 3389
    Service: RDP
    NAT: Enabled
    AV: default    SSL: deep-inspection

The issue with it is that once I enable the policy and remote access to the server, I lose access to the firewall at 192.168.2.47 (external IP). It just won't open. Though in the Windows Server virtual machine I can access the firewall at 10.10.10.1.

Any solutions on the same, and what could be the possible reasons for the situation?

Regards.

dbhavsar
Staff

Hi @Sydney1323 ,

- Because the VIP you created is for any IP [0.0.0.0], can you bind the specific IP to your internal IP, i.e., 1.1.1.1:3389 -> DNAT -> 192.168.1.1:3389?

DNB
Sydney1323
New Contributor II

Hi,

My RDP server is 10.10.10.22, which is the virtual IP 10.10.10.22 and not 0.0.0.0.

kubank1
New Contributor

It does tunnelling but it is not demanding. 4 CPUs and 8Go RAM will work for 500 users. I strongly suggest not having too many roles because of port issues https://mobdro.bio/ .

dbu
Staff

Hi @Sydney1323 ,
It should look like this, where "mapped from" is the external public IP. In my case it is the WAN interface IP.

[attached image: vipp.PNG]

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Sydney1323
New Contributor II

Hi,

This worked for me. I missed the port forwarding part and the mapping of port 443. What also has worked for me is adding Addresses rather than a Virtual IP.

Regards...
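As an added example, not part of this thread and not Fortinet's own documentation: the FortiOS CLI equivalent of the fix the replies describe, with the VIP bound to the WAN interface IP 192.168.2.47 and port forwarding limited to 3389, a source-address restriction on the policy instead of "Source: All", a trusthost on the admin account so the web GUI stays reachable from the management host, and the debug-flow commands hbac points to for checking what the GUI traffic actually hits. The interface names "wan1" and "internal", the admin host 192.168.2.10 and all object names are assumptions; substitute your own.

```fortios
# Added example, not from the thread. Interface names, the admin host
# 192.168.2.10 and object names are assumptions for illustration.

# For contrast, the shape of the VIP from the original post: extip 0.0.0.0
# with port forwarding left off. Per the replies, such a VIP claims every
# port arriving on the WAN interface, so HTTPS to 192.168.2.47 is DNATed
# to 10.10.10.22 and the web GUI stops answering. Do not apply this part.
#config firewall vip
#    edit "RDP-Server-VIP"
#        set extip 0.0.0.0
#        set extintf "wan1"
#        set mappedip "10.10.10.22"
#    next
#end

# Corrected VIP: bound to the WAN interface IP, forwarding only TCP 3389.
config firewall vip
    edit "RDP-Server-VIP"
        set extip 192.168.2.47
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.10.22"
        set extport 3389
        set mappedport 3389
    next
end

# Address object for the one host that needs RDP (assumed 192.168.2.10),
# used instead of "Source: All" so the forward is not reachable from anywhere.
config firewall address
    edit "RDP-Admin-Host"
        set subnet 192.168.2.10 255.255.255.255
    next
end

# Policy: WAN to LAN, admin host only, destination is the VIP object.
config firewall policy
    edit 0
        set name "WAN-to-RDP-Server"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "RDP-Admin-Host"
        set dstaddr "RDP-Server-VIP"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end

# Management access: restrict the admin account to the management host,
# so GUI logins on 192.168.2.47 are only accepted from 192.168.2.10.
config system admin
    edit "admin"
        set trusthost1 192.168.2.10 255.255.255.255
    next
end

# Verification (hbac's suggestion): trace what happens to HTTPS traffic
# aimed at the WAN IP. If the GUI is being hijacked, the trace shows the
# VIP DNAT instead of local delivery to the FortiGate.
diagnose debug flow filter addr 192.168.2.47
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... reproduce the GUI connection, then:
diagnose debug disable
diagnose debug flow filter clear
```

The commented-out VIP is only there to show what the original post's object looked like; applying just the corrected VIP, the address object, the policy and the trusthost line is enough. If the WAN interface carries a different IP, or the GUI listens on a non-default port, adjust extip and the debug-flow port filter to match.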

hbac
Staff

Hi @Sydney1323,

Which port are you using for GUI access? You can collect a debug flow by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Regards,

abelio
SuperUser

Hi Sydney1323,

Just an off-topic comment: besides the technical part related to the FTG config, already answered here in the forum, let me say that publishing RDP services to the whole internet is a really bad, bad idea nowadays in terms of cybersecurity.

RDP is a widely used vector for external threats.
The core of Fortinet products is security, but there's no defense against bad or not recommended deployments.

Your FortiGate provides VPN access, ZTNA, and even SASE to enable secure access to your internal network resources.
(SSL VPN is really straightforward; you don't need to open RDP ports to the whole internet.)

regards / Abel