topic Re: Terminal Services and OWA on Port 443 question in Network Security

Terminal Services and OWA on Port 443 question

david-allan — Mon, 11 Mar 2019 17:50:18 GMT

Hi all,

I currently have a 2800 series router with firewall OS which NATs port 443 to my Exchange server (see below).

ip nat inside source static tcp (exchange IP) 443 interface FastEthernet 0/1 443

I would like to evaluate RDP (Terminal Services) for remote access on a Windows 2008 Box however RDP now uses port 443 which means when I connect through the router I get a certificate error as the OWA certificate is returned from the exchange box instead of the terminal services cert from the 2008 box.

I have port 443 open to any host on my external IP as below:

permit tcp any host (external IP) eq 443

Sorry if this is a bit simplistic I don't often work on Cisco equipment..

David

Re: Terminal Services and OWA on Port 443 question

Marcin Latosiewicz — Tue, 25 May 2010 12:12:07 GMT

David,

Not sure I understand.

RDP should be tcp/3389 (AFAIR).

Adding a rule:

---------

ip nat inside source static tcp (rdp_server) 3389 interface FastEthernet 0/1 3389

----------

And an ip access-list entry accordingly should make RDP work.

If for some reason the rdp_server hosts RDP on port 443 you can always "cheat" the system.
--------

ip nat inside source static tcp (rdp_server) 443 interface FastEthernet 0/1 3389

---------

More details appreciated

Marcin

Re: Terminal Services and OWA on Port 443 question

david-allan — Tue, 25 May 2010 13:18:29 GMT

Thanks for the reply Marcin

Windows 2008 Server now has a TS Gateway which uses port 443, I have used NAT and port 3389 which works fine but this does not allow connection to TS Gateway and therefore the SSL cert.

I have attached my current config, less the IP addresses etc. Would you work around (ip nat inside source static tcp (rdp_server) 443 interface FastEthernet 0/1 3389) solve my problem? Just thought I would ask before I go and change the router config.

Many thanks David

Re: Terminal Services and OWA on Port 443 question

david-allan — Tue, 25 May 2010 13:39:49 GMT

Thought this picture might explain the new TS Gateway a bit better then me...

Re: Terminal Services and OWA on Port 443 question

Marcin Latosiewicz — Tue, 25 May 2010 14:13:04 GMT

David,

Not sure if the RDP client is smart enough to do SSL/TLS on standard 3389 port.

I would say it's worth a shot.

Marcin

Re: Terminal Services and OWA on Port 443 question

david-allan — Wed, 26 May 2010 07:50:54 GMT

Hi Marcin,

Unfortunately that didn't work, I still get the certificate name mismatch as the exchange cert is presented instead of the TS Gateway Cert.

(ip nat inside source static tcp +(rdp_server)+ 443 interface FastEthernet 0/1 3389)

I think it's the NAT rule below which is screwing things up..

ip nat inside source static tcp (Exchange IP) 443 interface FastEthernet0/1 443

The above is only for OWA I think, I may have to look at changing the port for this rather than a rule on the firewall.

Any other suggestions would be appreciated though as I would rather have one port open (443) than have to open another for the TS Gateway.

David