nptimbalopez
Staff
Article Id 210093
Description

This article describes how to use RDP via VIP.

The end user connects via RDP to the external (WAN) IP address to reach an internal (LAN) host that listens on a customized RDP port.

The standard RDP port is 3389.

The customized RDP port on the internal host is 4865.

Scope

FortiGate
Solution

1) Configure the VIP for RDP.

External IP address (WAN IP): 10.47.3.70
Internal IP address (LAN IP): 10.154.3.73
External RDP port: 3389
Internal RDP port: 4865

Version 7.0.5 from CLI:

# config firewall vip
    edit "RDP_VIP"
        set id 0
        set uuid 5dea9a42-bc94-51ec-f537-f62f295c39ba
        set comment "RDP_VIP"
        set type static-nat
        set extip 10.47.3.70
        set nat44 enable
        set nat46 disable
        set mappedip "10.154.3.73"
        set extintf "any"
        set arp-reply enable
        set nat-source-vip disable
        set portforward enable
        set gratuitous-arp-interval 0
        set ssl-client-rekey-count 0
        set color 0
        set protocol tcp
        set extport 3389
        set mappedport 4865
        set portmapping-type 1-to-1
    next
end

From GUI (screenshot RDP_VIP.jpg):

2) Configure the firewall policy to allow RDP via VIP.

Source Interface: External/WAN (port1)
Destination Interface: Internal/LAN (port3)
Source Address: all
Destination Address: RDP_VIP
Action: Accept

Version 7.0.5 from CLI:

# config firewall policy
    edit 6
        set name "VIP_RDP"
        set uuid 9b63637c-bc94-51ec-a41f-8dd40c0681bf
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "RDP_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
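As an added example (not from the article or from Fortinet), the following parses the VIP and policy blocks above, constructed here as trimmed copies, and reports what the pair exposes; it also covers a static-nat VIP without port forwarding, which maps every port rather than one:

```python
# Added example, not from the Fortinet article: parse the VIP and policy blocks shown
# above (constructed copies trimmed to the relevant keys) and describe the port-forward.
VIP_CFG = """config firewall vip
    edit "RDP_VIP"
        set extip 10.47.3.70
        set mappedip "10.154.3.73"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 4865
    next
end
"""
POLICY_CFG = """config firewall policy
    edit 6
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "RDP_VIP"
        set service "ALL"
    next
end
"""
def parse_fortios(cfg):
    # Return {edit_name: {key: value}} for one FortiOS 'config ... end' block.
    entries, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip('"')
    return entries
def check_port_forward(vip_cfg, policy_cfg):
    """Pair each accept policy with the VIP it points at and describe what it exposes."""
    vips, findings = parse_fortios(vip_cfg), []
    for pid, pol in parse_fortios(policy_cfg).items():
        vip = vips.get(pol.get("dstaddr"))
        if vip is None or pol.get("action") != "accept":
            continue
        if vip.get("portforward") == "enable":   # one external port -> one internal port
            fwd = f'{vip["protocol"]} {vip["extip"]}:{vip["extport"]} -> {vip["mappedip"]}:{vip["mappedport"]}'
        else:                                    # static-nat without portforward maps every port 1:1
            fwd = f'all ports {vip["extip"]} -> {vip["mappedip"]}'
        findings.append({"policy": pid, "path": f'{pol["srcintf"]}->{pol["dstintf"]}',
                         "forward": fwd,   # srcaddr "all": any host on the source side reaches it
                         "open_to_any_source": pol.get("srcaddr") == "all"})
    return findings
```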

From GUI (screenshot FW Policy.jpg):

3) Change the RDP port from 3389 to 4865 in the Registry Editor on the internal LAN host.

Windows 10:

- Press Windows logo + R, then type regedit to open the Registry Editor.

- Navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

- Search for PortNumber, then select Edit -> Decimal.

- Enter the new port number (4865) and select 'OK'.

- Close the Registry Editor and restart the host.

Screenshot: RDP_4865.jpg

IMPORTANT:

- Enable RDP in Control Panel -> System & Security -> System and allow 'Remote Access'.

- If Windows Defender Firewall is enabled, create an inbound rule that allows TCP port 4865, the customized RDP port.

4) Test the RDP connection.

Open the Remote Desktop Connection (RDP) application, then enter the external (WAN) IP address and the username of the internal (LAN) host.

Screenshot: RDP.jpg

5) The debug flow output below shows a successful RDP connection.

# diag debug reset
# diag debug flow filter addr 10.47.3.70
# diag debug flow filter port 3389
# diag debug flow show fun enable
# diag debug flow show iprope enable
# diag debug console time enable
# diag debug flow trace start 100
# diag debug enable

To stop the trace:

# diag debug disable
# diag debug reset


Output:

2022-04-22 19:11:37 id=20085 trace_id=24 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.244.165:50447->10.47.3.70:3389) tun_id=0.0.0.0 from port1. flag [S], seq 530146839, ack 0, win 64240"
2022-04-22 19:11:37 id=20085 trace_id=24 func=init_ip_session_common line=6003 msg="allocate a new session-0663ec13, tun_id=0.0.0.0"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_dnat_check line=5306 msg="in-[port1], out-[]"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_dnat_tree_check line=830 msg="len=1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_dnat_policy line=5166 msg="checking gnum-100000 policy-1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=get_new_addr line=1227 msg="find DNAT: IP-10.154.3.73, port-4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_dnat_policy line=5261 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_dnat_check line=5318 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
2022-04-22 19:11:37 id=20085 trace_id=24 func=fw_pre_route_handler line=178 msg="VIP-10.154.3.73:4865, outdev-port1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3502 msg="DNAT 10.47.3.70:3389->10.154.3.73:4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.154.3.73 via port3"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_fwd_check line=788 msg="in-[port1], out-[port3], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=2"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-6, ret-matched, act-accept"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_user_identity_check line=1817 msg="ret-matched"
2022-04-22 19:11:37 id=20085 trace_id=24 func=get_new_addr line=1227 msg="find SNAT: IP-10.154.3.70(from IPPOOL), port-50447"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_policy line=2247 msg="policy-6 is matched, act-accept"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_fwd_check line=825 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-6"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_fwd_auth_check line=844 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-6"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_reverse_dnat_check line=1306 msg="in-[port1], out-[port3], skb_flags-020000c0, vid-1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_reverse_dnat_tree_check line=923 msg="len=0"
2022-04-22 19:11:37 id=20085 trace_id=24 func=fw_forward_handler line=874 msg="Allowed by Policy-6: SNAT"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3489 msg="SNAT 192.168.244.165->10.154.3.70:50447"
2022-04-22 19:11:37 id=20085 trace_id=25 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.244.165:50447->10.47.3.70:3389) tun_id=0.0.0.0 from port1. flag [.], seq 530146840, ack 784303826, win 1026"
2022-04-22 19:11:37 id=20085 trace_id=25 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-0663ec13, original direction"
2022-04-22 19:11:37 id=20085 trace_id=25 func=__ip_session_run_tuple line=3502 msg="DNAT 10.47.3.70:3389->10.154.3.73:4865"
2022-04-22 19:11:37 id=20085 trace_id=25 func=npu_handle_session44 line=1162 msg="Trying to offloading session from port1 to port3, skb.npu_flag=00000400 ses.state=04000204 ses.npu_state=0x00000100"
2022-04-22 19:11:37 id=20085 trace_id=25 func=fw_forward_dirty_handler line=410 msg="state=04000204, state2=00000001, npu_state=00000100"
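As an added example (not part of the article), the following parses debug flow output of the form shown above and checks that a session took the expected path: packet to the VIP address, DNAT to the mapped host and port, accept by the forward policy, route out of the LAN interface. SAMPLE_TRACE is a constructed copy of the article's trace trimmed to the decisive messages.

```python
# Added example, not from the Fortinet article: parse 'diag debug flow' output like the
# trace above and confirm the session took the expected VIP path. SAMPLE_TRACE is a
# constructed copy of the article's trace, trimmed to the decisive messages.
import re

SAMPLE_TRACE = """\
2022-04-22 19:11:37 id=20085 trace_id=24 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.244.165:50447->10.47.3.70:3389) tun_id=0.0.0.0 from port1. flag [S], seq 530146839, ack 0, win 64240"
2022-04-22 19:11:37 id=20085 trace_id=24 func=get_new_addr line=1227 msg="find DNAT: IP-10.154.3.73, port-4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3502 msg="DNAT 10.47.3.70:3389->10.154.3.73:4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.154.3.73 via port3"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_policy line=2247 msg="policy-6 is matched, act-accept"
2022-04-22 19:11:37 id=20085 trace_id=24 func=fw_forward_handler line=874 msg="Allowed by Policy-6: SNAT"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3489 msg="SNAT 192.168.244.165->10.154.3.70:50447"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*? msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r"proto=(\d+), (\S+)->(\S+)\) .* from (\S+)\. flag \[(.*?)\]")
NAT_RE = re.compile(r"\b(DNAT|SNAT) (\S+)->(\S+)")
POLICY_RE = re.compile(r"policy-(\d+) is matched, act-(\w+)")

def parse_trace(text):
    """Group the trace by trace_id and record packet, NAT, route and policy decisions."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["tid"], {"dnat": None, "snat": None, "policy": None})
        msg = m["msg"]
        if m["func"] == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            s.update(proto=int(p[1]), src=p[2], dst=p[3], in_if=p[4], flags=p[5])
        elif n := NAT_RE.search(msg):          # "DNAT a:b->c:d" / "SNAT a->c:d"
            s[n[1].lower()] = (n[2], n[3])
        elif msg.startswith("find a route") and (r := re.search(r"via (\S+)", msg)):
            s["out_if"] = r[1]
        elif q := POLICY_RE.search(msg):       # forward policy verdict
            s["policy"] = (int(q[1]), q[2])
    return sessions

def verify_vip_path(s, extip, extport, mappedip, mappedport, policy_id, out_if):
    """True when the packet to extip:extport was DNATed to mappedip:mappedport,
    accepted by policy_id and routed out of out_if."""
    return (s.get("dst") == f"{extip}:{extport}"
            and s.get("dnat") == (f"{extip}:{extport}", f"{mappedip}:{mappedport}")
            and s.get("policy") == (policy_id, "accept")
            and s.get("out_if") == out_if)
```

A mismatch in any field (for example a VIP still mapping to 3389 after the host was moved to 4865) makes verify_vip_path return False, which is the quickest way to spot a stale mappedport.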