I needed to temporarily give a vendor access to one of our servers over something like VNC or Remote Desktop (Terminal Services).
The problem was that I couldn't figure out how to set it up on our firewall, a Netscreen 10.
What I found was that for something like VNC or Terminal Services, where the client PC talks from a random (ephemeral) source port to a fixed port on the destination (3389 for Terminal Services, 5900 by default for VNC), I could not get what Netscreen calls a Virtual IP (VIP) to work. A VIP is a single external IP address on which you map specific services (ports) to specific internal IP addresses on another interface. For example, if you want a web site hosted on one internal server and an SMTP server on a different internal server to both be reachable through the same external IP address, you would use a VIP for that.
The problem I ran into is that each service mapped on a VIP seemed to need a specific source port (unless the service is one of the predefined ones such as SMTP or POP3). As noted above, VNC and Terminal Services don't work that way: the source port is whatever the client happens to pick, so the service definition has to accept any source port. (Strictly speaking every TCP client works that way, HTTP and SMTP included; the predefined services simply already allow source ports 0 to 65535.)
So I set up what Netscreen calls a Mapped IP (MIP); I think a SonicWall would call this one-to-one NAT. A Mapped IP maps one external IP address to one internal IP address for all ports and protocols. Only services on the internal server behind that IP can be reached, and only if a policy exists that allows the traffic.
In short, I first set up a service called Terminal Services with source ports 0 to 65535 (since the client's source port is not fixed) and destination port 3389. Then I set up a Mapped IP from a spare external IP to the server I wanted to give access to. Finally I set up a policy that allows the Terminal Services service in from the vendor's specific external IPs to the Mapped IP.
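Here is what those three steps look like on the ScreenOS command line. This is an added example, not configuration from the original post. It assumes ScreenOS 5.x syntax (the Netscreen 10 in the post may run an older release whose interface names and commands differ), that the outside interface is ethernet3 in the Untrust zone, and uses placeholder addresses: 203.0.113.10 for the spare public IP, 10.1.1.20 for the internal server and 198.51.100.7 for the vendor's fixed source address. Lines beginning with # are annotations, not CLI input. The commented lines at the end show the VIP form of the same mapping, which is the approach the comment below describes for a site with a single public IP.

```screenos
# 1. Custom service: any source port, destination TCP 3389 (RDP).
#    The client picks an ephemeral source port, so 0-65535 is the only
#    sensible source range.
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389

# 2. Address-book entry for the vendor's fixed public IP, so the policy
#    can be restricted to that one host rather than "Any".
set address "Untrust" "Vendor-RDP" 198.51.100.7 255.255.255.255

# 3. Mapped IP: spare public 203.0.113.10 <-> internal 10.1.1.20,
#    all ports and protocols (the policy does the filtering).
set interface ethernet3 mip 203.0.113.10 host 10.1.1.20 netmask 255.255.255.255 vr trust-vr

# 4. Policy: only the vendor, only RDP, only to the MIP, and logged.
#    The destination is the MIP object, not the private address.
set policy id 10 from "Untrust" to "Trust" "Vendor-RDP" "MIP(203.0.113.10)" "RDP" permit log

# 5. Explicit catch-all so everything else inbound is denied AND logged.
#    Policies are matched top-down, so this must sit after policy 10
#    (a policy set later is appended after the earlier ones).
set policy id 11 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log

save

# When the vendor is done, tear it down rather than leaving RDP exposed:
# unset policy id 10
# unset interface ethernet3 mip 203.0.113.10
# unset service "RDP"
# save

# VIP alternative (replaces step 3, not in addition to it) for a single
# public IP that other services also share: map only port 3389 of the
# VIP to the server, and reference VIP(...) instead of MIP(...) in the policy.
# set interface ethernet3 vip 203.0.113.10 3389 "RDP" 10.1.1.20
# set policy id 12 from "Untrust" to "Trust" "Vendor-RDP" "VIP(203.0.113.10)" "RDP" permit log
```

To check it, have the vendor connect to 203.0.113.10 on port 3389 from 198.51.100.7, and try the same connection from any other address: the first should succeed and appear as a policy 10 hit in `get log traffic`, the second should be dropped and logged under policy 11. Keep the source restricted to the vendor's address and remove the policy and MIP when the engagement ends; RDP reachable from "Any" on the Internet is a standing invitation to brute-force attempts.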
This took me quite a while to figure out, which is why I'm blogging it: so I have my own written notes to refer back to (finding this information on Google is difficult at best). I have a second reason, though: if someone knows a better way, I'd like to hear it.
BTW, I did try just telling the firewall to create a rule from a specific external IP address to a specific internal IP address over the Terminal Services service, but it would not let me. Inbound traffic from the outside is addressed to a public IP, so the policy's destination has to be the MIP or VIP object rather than the server's private address.
Also, there should normally be a final policy that denies and logs any other inbound traffic from the outside to any internal server, but I couldn't set that up either, and since my Netscreen is out of support I can't call Juniper to find out why. (A Netscreen drops unmatched inbound traffic even without such a policy; the point of adding one is that the drops get logged.)
That's OK, though, since it will most likely be replaced by a brand new firewall before the end of the year.
Hi Alex,
Looking for a solution for my Netscreen 25 on port forwarding 3389 - Remote Desktop Connection.
Your approach enlightened me because Juniper's knowledge base never mentions creating a custom service for RDC.
My approach is creating the RDC custom service first, then using a VIP, which solves my problem because I only have a single valid IP instead of multiple.
I can't seem to get the MIP to work as you described.
regards,
Kirby
Posted by: Kirby Chong | Monday, August 07, 2006 at 10:46 PM