Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sydney1323
New Contributor II

Issues with Firewall Policies for RDP Access

Dear Team 

 

Im having issues with RDP Firewall Policies and accessing the Web Gui of Fortigate. This is my WAN to LAN network from the Host Machine to Guest. Im accessing the Firewall from the Host Machine (DMZ network).
I have created a Firewall policy for my Windows RDP Server as follows :

      

 

 

 

  From: WAN(192.168.2.47)   To: LAN(10.10.10.1)
   
   Source: All              Destination: RDP Server Virtual IP
                                         External Network: 0.0.0.0 mapped to 10.10.10.22
                                                                         (Windows Server)                        
                                         External Port: 3389 MappedtoPort: 3389
              SERVICE: RDP
              NAT : ENABLED
              AV: default SSL: deep-inspection

 

 

 

        The Issue with it is once i enable the policy and Remote access to the Server, I loose access to the Firewall at 192.168.2.47 (external Ip). It just wont open. Though in the Windows Server Virtual Machine i can access the firewall at 10.10.10.1

 

Any solutions on the same and what could be the possible reasons for the situation ..... 

 

Regards.....

1 Solution
dbu
Staff
Staff

Hi @Sydney1323 ,
It should look like this where mapped from is the external public IP. In my case is the WAN interface IP

 

vipp.PNG

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

7 REPLIES 7
dbhavsar
Staff
Staff

Hi @Sydney1323 ,

 

- Because the VIP you created is for any IP [0.0.0.0], can you bind the specific IP to your internal IP. i.e., 1.1.1.1:3389 -> DNAT -> 192.168.1.1:3389

DNB
Sydney1323
New Contributor II

Hi 

My RDP Server is 10.10.10.22 which is the virtual ip 10.10.10.22 and not 0.0.0.0

 

kubank1
New Contributor

It does tunnelling but it is not demanding. 4 CPUs and 8Go RAM will work for 500 users. I strongly suggest not having too many roles because of port issues https://mobdro.bio/ .

dbu
Staff
Staff

Hi @Sydney1323 ,
It should look like this where mapped from is the external public IP. In my case is the WAN interface IP

 

vipp.PNG

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Sydney1323
New Contributor II

Hi 

This worked for me. i missed on the port forwarding part and of mapping port 443. what also has worked for me is adding Addresses rather than a Virtual IP ..

 

Regards ... 

hbac
Staff
Staff

Hi @Sydney1323,

 

Which port are you using for GUI access? You can collect debug flow by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards, 

abelio
SuperUser
SuperUser

Hi Sydney1323,

Just a off topic comment: besides the technical part related to FTG config,  already answered here in the forum, let me say that to publish RDP services to the whole internet is a really bad bad idea nowadays, in terms of cybersecurity.

RDP is a widely used vector for external threats.
The core of Fortinet products is security, but there's no defense against bad or not recommended deployments.

Your Fortigate provides VPN access, ZTNA, and even SASE to enable secure access to your internal

network resources.
(VPN SSL is really straightforward, you don't need open RDP ports to the whole internet)

regards




/ Abel

regards / Abel
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors