Endpoint Protection

  • 1.  Allow RDP Firewall Rule

    Posted Mar 21, 2018 04:44 PM

    This issue has me confused. I've tried a lot of troubleshooting steps. I'm just trying to create a rule to allow all Remote Desktop traffic.

    At first I followed the Symantec guide to allow RDP, and targeted the MSTSC executable. This did not work, and showed the traffic was blocked. So, to test, I've created a rule to explicitly allow all traffic between my computer (202) and the test computer (162):

    I make both computers update Policy via Symantec Endpoint Troubleshoot, and still get:

    3/21/2018 2:29:24 PM Blocked 15 Incoming TCP 192.0.10.202 <Mac> 18007 192.0.10.162 <Mac> 3389 C:\Windows\System32\svchost.exe NETWORK SERVICE NT AUTHORITY Default 3 3/21/2018 2:29:13 PM 3/21/2018 2:29:22 PM Block all other IP traffic and log
     
    As seen there, the default "Block All other IP Traffic" rule takes priority. The only way I can get RDP to be successful is by disabling that rule, or disabling the Sym Firewall. Both are not acceptable solutions.


  • 2.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 04:51 PM

    It should be straightforward. I wrote about a somewhat similar situation a few years back:

    https://www.symantec.com/connect/articles/sep-121-firewall-how-block-rdp-while-allowing-only-specific-connections

    In your rule, under Host, you should only need to put the IP that you want to RDP to.



  • 3.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 05:19 PM

    Hi Brian, I really appreciate the reply. I followed your guide exactly, except at "Select Hosts" I chose "Only Computers Listed Below" and added our entire IP Range.
    It seems I am still not able to RDP after updating the Firewall policy on both machines. Traffic logs are same as above, RDP was blocked by the default Block All Other IP Traffic rule.

    Any ideas?



  • 4.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 05:23 PM

    And the newly created rule is at the top of the firewall stack?



  • 5.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 05:30 PM

    Oddly enough, yes. It's at the very top. I even ensured the "Last Connected" time was changing to make sure it's downloading the new policy. I know it's updating just fine, because if I disable that "Block All Other IP Traffic" rule, I can RDP just fine.

    Under "Host", I added the Remote IP of the computer which I am trying to RDP to.

    Network Service policy component is TCP and UDP, Local and Remote 3389. Direction is "Both".



  • 6.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 05:33 PM

    Out of curiosity, take out the mstsc executable and see what that yields.



  • 7.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 05:44 PM

    Unfortunately still being blocked by the same rule



  • 8.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 06:00 PM

    In fact if I remove the Hosts and make it "Any", it still won't connect. Yet my other rules function just fine. 

    Edit: I was slightly incorrect. If I disable the "Block All other IP Traffic and Log" rule, I still cannot RDP. However, 3389 is no longer blocked in the logs; the only traffic blocked that may be causing the RDP connection to fail is Remote Port 50800 and Local Port 1900 Incoming, blocked by the default rule "Block UPnP Discovery".



  • 9.  RE: Allow RDP Firewall Rule

    Posted Mar 21, 2018 07:02 PM

    The issue must be with specifying Service. If I remove 3389 from the rule, and simply allow all traffic between the two endpoints, I can RDP fine. As soon as I specify TCP Remote Port 3389, the rule no longer permits RDP. Yet the logs show Remote Port 3389 was blocked. Even if I specify Local and Remote TCP 3389 in the Service, it still will not connect unless it specifies "Any".
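    As an added illustration, not part of the thread or of Symantec's own tooling: a small Python model that parses the traffic-log line quoted in the first post and evaluates port-scoped rules against it, top-down with the default block-all rule last. It assumes the log fields after the direction are local host/MAC/port then remote host/MAC/port, that the rule name follows the last timestamp, and that a service naming both a local and a remote port requires both to match, which is why a "Local and Remote 3389" rule never matches a connection whose ephemeral side is port 18007.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Sample input: the traffic-log line quoted in the first post of this thread.
SAMPLE_LOG = ("3/21/2018 2:29:24 PM Blocked 15 Incoming TCP 192.0.10.202 <Mac> 18007 "
              "192.0.10.162 <Mac> 3389 C:\\Windows\\System32\\svchost.exe NETWORK SERVICE "
              "NT AUTHORITY Default 3 3/21/2018 2:29:13 PM 3/21/2018 2:29:22 PM "
              "Block all other IP traffic and log")

TIMESTAMP = r"\d+/\d+/\d+ \d+:\d+:\d+ [AP]M "
FIELDS = re.compile(TIMESTAMP + r"(?P<action>\w+) \d+ (?P<direction>\w+) (?P<proto>\w+) "
                    r"(?P<lip>\S+) <Mac> (?P<lport>\d+) (?P<rip>\S+) <Mac> (?P<rport>\d+) ")
BLOCK_ALL = "Block all other IP traffic and log"   # SEP's default catch-all rule

@dataclass(frozen=True)
class LogEntry:
    action: str
    direction: str
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rule: str   # rule that produced the entry

def parse_traffic_log(line: str) -> LogEntry:
    """Parse one log line of the quoted shape (assumed field order: local then remote)."""
    m = FIELDS.match(line)
    if not m:
        raise ValueError("unrecognised traffic-log line")
    rule = re.split(TIMESTAMP, line)[-1].strip()   # text after the last timestamp
    return LogEntry(m["action"], m["direction"], m["proto"], m["lip"], int(m["lport"]),
                    m["rip"], int(m["rport"]), rule)

def peer_view(e: LogEntry) -> LogEntry:
    """Constructed mirror: the same connection as the other host would log it."""
    return LogEntry(e.action, e.direction, e.proto, e.remote_ip, e.remote_port,
                    e.local_ip, e.local_port, e.rule)

@dataclass(frozen=True)
class PortRule:
    name: str
    proto: str
    local_port: Optional[int] = None    # None = any port
    remote_port: Optional[int] = None

    def matches(self, e: LogEntry) -> bool:
        # Assumption: every port the service names must match; unnamed ports match anything.
        return (self.proto == e.proto
                and (self.local_port is None or self.local_port == e.local_port)
                and (self.remote_port is None or self.remote_port == e.remote_port))

def deciding_rule(rules: Sequence[PortRule], e: LogEntry) -> str:
    """First-match, top-down evaluation; the default block-all rule sits at the bottom."""
    return next((r.name for r in rules if r.matches(e)), BLOCK_ALL)
```

Under these assumptions a single rule cannot serve both hosts: remote-port 3389 matches on the client side only, local-port 3389 on the server side only, so the policy needs both (or a service with the port on either side), and the log's own local/remote columns tell you which one a given host fell through.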