Terminal Services and OWA on Port 443 question

david-allan
Level 1

Hi all,

I currently have a 2800 series router with firewall OS which NATs port 443 to my Exchange server (see below).

ip nat inside source static tcp (exchange IP) 443 interface FastEthernet 0/1 443

I would like to evaluate RDP (Terminal Services) for remote access on a Windows 2008 box; however, RDP now uses port 443, which means that when I connect through the router I get a certificate error, as the OWA certificate is returned from the Exchange box instead of the Terminal Services cert from the 2008 box.

I have port 443 open to any host on my external IP as below:

permit tcp any host (external IP) eq 443

Sorry if this is a bit simplistic; I don't often work on Cisco equipment.

David

5 Replies

Marcin Latosiewicz
Cisco Employee

David,

Not sure I understand.

RDP should be tcp/3389 (AFAIR).

Adding a rule:

---------

ip nat inside source static tcp (rdp_server) 3389 interface FastEthernet 0/1 3389

----------

And an ip access-list entry accordingly should make RDP work.


If for some reason the rdp_server hosts RDP on port 443 you can always "cheat" the system.
--------

ip nat inside source static tcp (rdp_server) 443 interface FastEthernet 0/1 3389

---------

More details appreciated

Marcin

Thanks for the reply Marcin

Windows 2008 Server now has a TS Gateway which uses port 443. I have used NAT and port 3389, which works fine, but this does not allow connection to the TS Gateway and therefore the SSL cert.

I have attached my current config, less the IP addresses etc. Would your workaround (ip nat inside source static tcp (rdp_server) 443 interface FastEthernet 0/1 3389) solve my problem? Just thought I would ask before I go and change the router config.

Many thanks David

Thought this picture might explain the new TS Gateway a bit better than me...

David,

Not sure if the RDP client is smart enough to do SSL/TLS on standard 3389 port.

I would say it's worth a shot.

Marcin

Hi Marcin,

Unfortunately that didn't work; I still get the certificate name mismatch, as the Exchange cert is presented instead of the TS Gateway cert.

(ip nat inside source static tcp (rdp_server) 443 interface FastEthernet 0/1 3389)

I think it's the NAT rule below which is screwing things up...

ip nat inside source static tcp (Exchange IP) 443 interface FastEthernet0/1 443

The above is only for OWA, I think; I may have to look at changing the port for this rather than a rule on the firewall.

Any other suggestions would be appreciated though as I would rather have one port open (443) than have to open another for the TS Gateway.

David
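The conflict David identifies is a property of static port forwarding: one outside interface/port pair can be handed to only one inside host:port, so OWA and the TS Gateway cannot both sit behind TCP/443 on the same external address. As an added example (not from the thread or from Cisco), here is a small Python lint over IOS lines of the form `ip nat inside source static tcp <inside-ip> <inside-port> interface <outside-if> <outside-port>` that flags outside ports claimed by more than one inside target; the sample config is constructed with RFC 5737 placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the thread's router config (RFC 5737 addresses,
# not real hosts): OWA on the Exchange box and TS Gateway on the 2008 box both
# want TCP/443 on the single outside interface, and the 443 -> 3389 workaround
# collides with the existing 3389 -> 3389 forward.
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.0.2.10 443 interface FastEthernet 0/1 443
ip nat inside source static tcp 192.0.2.20 3389 interface FastEthernet 0/1 3389
ip nat inside source static tcp 192.0.2.20 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.0.2.20 443 interface FastEthernet0/1 3389
"""

# Port-forward form of the IOS command:
#   ip nat inside source static {tcp|udp} <inside-ip> <inside-port> interface <outside-if> <outside-port>
NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (.+?) (\d+)$"
)


def parse_static_nat(config):
    """Return (proto, inside_ip, inside_port, outside_if, outside_port) tuples."""
    entries = []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse the double spaces seen in the thread
        m = NAT_RE.match(line)
        if m:
            proto, in_ip, in_port, out_if, out_port = m.groups()
            # "FastEthernet 0/1" and "FastEthernet0/1" name the same interface
            entries.append((proto, in_ip, int(in_port), out_if.replace(" ", ""), int(out_port)))
    return entries


def find_conflicts(entries):
    """Map each (proto, outside_if, outside_port) claimed by more than one distinct
    inside host:port to the sorted list of competing inside targets. A static port
    forward is one-to-one, so only one inside service can own an outside port."""
    claims = defaultdict(set)
    for proto, in_ip, in_port, out_if, out_port in entries:
        claims[(proto, out_if, out_port)].add((in_ip, in_port))
    return {key: sorted(targets) for key, targets in claims.items() if len(targets) > 1}


if __name__ == "__main__":
    for (proto, out_if, out_port), targets in find_conflicts(parse_static_nat(SAMPLE_CONFIG)).items():
        print(f"{proto}/{out_port} on {out_if} is claimed by: {targets}")
```

Running the lint on the sample reports both collisions, which is the check worth doing before changing the router config: the only way to keep a single open port is to move one of the two HTTPS services to a different outside port.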
