Terminal Services and OWA on Port 443 question

Unanswered Question
May 25th, 2010

Hi all,


I currently have a 2800 series router with firewall OS which NATs port 443 to my Exchange server (see below).


ip nat inside source static tcp (exchange IP) 443 interface FastEthernet 0/1 443


I would like to evaluate RDP (Terminal Services) for remote access on a Windows 2008 box; however, RDP now uses port 443, which means when I connect through the router I get a certificate error, as the OWA certificate is returned from the Exchange box instead of the Terminal Services cert from the 2008 box.


I have port 443 open to any host on my external IP as below:


permit tcp any host (external IP) eq 443


Sorry if this is a bit simplistic, I don't often work on Cisco equipment.


David

Marcin Latosiewicz Tue, 05/25/2010 - 05:12

David,


Not sure I understand.


RDP should be tcp/3389 (AFAIR).


Adding a rule:

---------

ip nat inside source static tcp (rdp_server) 3389  interface FastEthernet 0/1 3389

----------

And an ip access-list entry accordingly should make RDP work.



If for some reason the rdp_server hosts RDP on port 443 you can always "cheat" the system.
--------

ip nat inside source static tcp (rdp_server) 443  interface FastEthernet 0/1 3389

---------


More details appreciated


Marcin

david-allan Tue, 05/25/2010 - 06:18

Thanks for the reply Marcin


Windows 2008 Server now has a TS Gateway which uses port 443. I have used NAT and port 3389, which works fine, but this does not allow connection to the TS Gateway and therefore the SSL cert.


I have attached my current config, less the IP addresses etc. Would your workaround (ip nat inside source static tcp (rdp_server) 443 interface FastEthernet 0/1 3389) solve my problem? Just thought I would ask before I go and change the router config.


Many thanks David

Marcin Latosiewicz Tue, 05/25/2010 - 07:13

David,


Not sure if the RDP client is smart enough to do SSL/TLS on standard 3389 port.

I would say it's worth a shot.


Marcin

david-allan Wed, 05/26/2010 - 00:50

Hi Marcin,


Unfortunately that didn't work; I still get the certificate name mismatch, as the Exchange cert is presented instead of the TS Gateway cert.


(ip nat inside source static tcp (rdp_server) 443 interface FastEthernet 0/1 3389)


I think it's the NAT rule below which is screwing things up.


ip nat inside source static tcp (Exchange IP) 443 interface FastEthernet0/1 443


The above is only for OWA I think, I may have to look at changing the port for this rather than a rule on the firewall.


Any other suggestions would be appreciated though as I would rather have one port open (443) than have to open another for the TS Gateway.


David
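As an added illustration (not code from the thread or from Cisco), here is a small Python model of the IOS static PAT lines quoted above: it parses the rules, resolves which inside host receives an inbound connection on a given external port, and flags two rules that claim the same external port. The 10.0.0.x addresses are constructed placeholders; run against the two rules discussed here it shows why a TS Gateway client dialling external 443 still lands on the Exchange box even with the 3389-to-443 mapping in place.

```python
import re
from typing import Dict, List, Optional, Tuple

# IOS static PAT form quoted in the thread (the interface name may carry a space):
#   ip nat inside source static tcp <inside_ip> <inside_port> interface <ifname> <outside_port>
RULE_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp)\s+"
    r"(?P<inside_ip>\S+)\s+(?P<inside_port>\d+)\s+"
    r"interface\s+(?P<ifname>[A-Za-z]+\s?[\d/]+)\s+(?P<outside_port>\d+)\s*$"
)

# Constructed sample config; the 10.0.0.x addresses are placeholders, not from the thread.
# Line 1 is the OWA rule, line 2 the "cheat" mapping suggested for the TS Gateway.
SAMPLE_CONFIG = """
ip nat inside source static tcp 10.0.0.10 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.0.0.20 443  interface FastEthernet 0/1 3389
"""

def parse_static_nat(config: str) -> List[dict]:
    """Parse static PAT lines into dicts; lines that are not such rules are ignored."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        rule["ifname"] = rule["ifname"].replace(" ", "")  # normalise "FastEthernet 0/1"
        rule["inside_port"] = int(rule["inside_port"])
        rule["outside_port"] = int(rule["outside_port"])
        rules.append(rule)
    return rules

def resolve_inbound(rules: List[dict], ifname: str, proto: str, outside_port: int) -> Optional[Tuple[str, int]]:
    """Inside host:port that receives a connection arriving on ifname:outside_port."""
    key = (proto, ifname.replace(" ", ""), outside_port)
    for r in rules:
        if (r["proto"], r["ifname"], r["outside_port"]) == key:
            return (r["inside_ip"], r["inside_port"])
    return None  # no translation: the router itself answers, or the ACL drops it

def find_conflicts(rules: List[dict]) -> Dict[Tuple[str, str, int], List[str]]:
    """Outside (proto, ifname, port) tuples that more than one inside host claims."""
    claims: Dict[Tuple[str, str, int], List[str]] = {}
    for r in rules:
        claims.setdefault((r["proto"], r["ifname"], r["outside_port"]), []).append(r["inside_ip"])
    return {k: v for k, v in claims.items() if len(v) > 1}
```

Adding a second rule for external 443 pointing at the TS Gateway makes `find_conflicts` report the collision, which is the situation David hits: only one inside host can own external 443 on that interface.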
