Firewall to block external remote desktop connections

    Question

  • Hi,
    I'm having a few problems with the firewall on Server 2008. I'm trying to set up a rule to allow all internal RDP connections (port 3389) but want to block any connections on this port from outside the network. Basically it was opened to allow a couple of users to access from home; however, they have static IPs, so a bypass list would also need to be present.

    I have tried setting a rule for this already but managed to block all connections to the server, which kinda screwed me over because I had to go and turn it off on the server itself.

    Cheers
    Thursday, November 19, 2009 4:54 PM

Answers

  • Hello,

    Thank you for your post here.

    From the description, you want to allow RDP connections (port 3389) from the internal network but block them from outside the network.

    To allow RDP connections from specific IP addresses, you may set the scope in the Remote Desktop (TCP-In) rule to allow only the specific IP addresses or the internal IP network. Moreover, if you want to prevent RDP connections from the Internet (outside the network), please understand that no incoming connection will be redirected if you haven't configured NAT forwarding on the router.

    If you have any questions or concerns, please do not hesitate to let me know.

    Friday, November 20, 2009 10:42 AM
    Moderator
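One way to apply the moderator's suggestion (narrow the built-in rule's scope to the local subnet plus the home users' static addresses) while guarding against the lock-out the original poster ran into. This is an added example, not from the thread or from Microsoft; the two 203.0.113.x addresses are placeholders, and since Server 2008 has no NetSecurity cmdlets, PowerShell here only drives netsh advfirewall.

```powershell
# Added example; not from the thread. Run in an elevated PowerShell on the
# Server 2008 host. Assumptions: the home users' static IPs are the two
# placeholder addresses below (TEST-NET-3 range, replace with the real ones).
$RuleName  = 'Remote Desktop (TCP-In)'           # built-in inbound RDP rule
$HomeUsers = @('203.0.113.10', '203.0.113.11')   # placeholder static IPs
$Scope     = (@('LocalSubnet') + $HomeUsers) -join ','

# 1. Safety net first: schedule a rollback that re-opens the rule to any
#    remote address 15 minutes from now. If the new scope cuts off the
#    session you are working from, the server undoes it by itself.
#    (If the 15 minutes cross midnight, the task fires the next day.)
$rollbackFile = "$env:SystemRoot\Temp\rdp-scope-rollback.cmd"
$rollbackCmd  = "netsh advfirewall firewall set rule name=""$RuleName"" new remoteip=any"
Set-Content -Path $rollbackFile -Value $rollbackCmd -Encoding ASCII
$when = (Get-Date).AddMinutes(15).ToString('HH:mm')
schtasks /Create /F /TN RdpScopeRollback /TR $rollbackFile /SC ONCE /ST $when /RU SYSTEM | Out-Null

# 2. Restrict the remote-address scope of the existing allow rule rather than
#    adding a separate block rule: in Windows Firewall with Advanced Security an
#    explicit block rule takes precedence over an allow rule, so a broad block
#    on 3389 shuts out internal clients too.
netsh advfirewall firewall set rule name="$RuleName" new remoteip=$Scope

# 3. Verify what the firewall actually holds for the rule.
netsh advfirewall firewall show rule name="$RuleName" |
    Select-String -Pattern 'Enabled', 'Action', 'RemoteIP'

# 4. Once an internal client and one of the home users have confirmed they can
#    still connect, cancel the rollback so the restricted scope stays in place:
#    schtasks /Delete /F /TN RdpScopeRollback
```

The scope only filters by source address; the router's NAT forward for 3389 still decides whether Internet traffic reaches the server at all, as the answer above notes.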

All replies

  • Hi,

    You should not allow anybody connections on port 3389 from "outside the network", which means from the Internet, I guess?

    Suggestion:

    Set up a VPN server, so the users have to log in to your network and then they can connect to your server running RDP.

    http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html

    Because in this scenario you don't have to manage IP lists, and it is much (!) safer than an open 3389.
    Friday, November 20, 2009 1:58 AM