Endpoint Protection

Hello Community,

We are using SEP version 12.1.6 (RU6, MP3) and have some trouble with the firewall on our clients, especially with RDP connections.

With enabled firewall the connections will be randomely disconnected. I followed an article in the Symantec knowledge base to create an application rule for mstsc.exe to prevent the firewall from doing this and also enabled keep-alive on all our Windows Server.

There are days which are better and then there are days when the disconnects happen every 5-10 minutes. It's strange!

I am not really sure if the order of the rules is the problem. I have changed some rules today and created new entries, but the problem exists.

On the server is no firewall enabled at the moment, it's only installed on clients which want to access.

I have attached a picture where you can see the rules.

Do you find any configuration mistake?

If RDP was blocked by SEP, it would always be blocked, it wouldn't disconnect/re-connect.

Is there anything showing in your traffic log? Does it work fine with SEP firewall disabled?

You could try testing it following the guideline here:

Troubleshoot blocked network traffic due to the Endpoint Protection firewall

Yes, you are right and this is the point which is so confusing.

With firewall disabled it is fine. I have created exactly this rule and I'm looking at the moment if I can see anything.

The rule order you can see on my screenshot is ok?
 

Yea looked good.

OK.

To allow TCP / UDP all inbound and outbound, is it better to use service "IP" which protocol no 6 and 17 or just create two services in the rule, UDP and TCP in / out?

Depends on how you want to manage the rule. It's easier to manage only one rule but it's better security overall to to keep separate.

OK, thanks!

Today I'm struggling again...

UDP 3389 Remote is blocked, but I have a rule which allow it. It is very strange!

And this is causing the RDP disconnections because the keep-alive packet is not reaching the client.

Please have a look on my attachments.

Do you have any idea?

No idea? I have also the feeling it is a problem with the Terminal Server itself. On other machines we are working with RDP (no proper Terminal Server) there are no problems. It is strange!

Fact is, if I allow all inbound / outbound it's working, if I apply the rules above it's disconnecting from time to time.

For your new rule allowing inbound UDP from remote port 3389, does this work if you remove the restriction to mstsc alone and match it to any application?

Does the block entry in your firewall log actually name an application?

I also changed a setting on the Terminal Servers and now we test it today and on Monday and then we will see.

I have the feeling it's the Terminal Server and not the firewall which cause that problem.

If it is not working I will allow the suggested 3389 inbound for UDP on any applications to see what happens.

I'll let you know, thanks for your help!

Hello,

I would like to give some feedback. The "problem" was a setting on the Terminal Servers - it's all working well now.

Thanks for every help!