Usg40 and remote desktop

damianodec Posts: 42  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security

Scenario,

I have 3 PCs and a server in my LAN, and a USG40 firewall.

All PCs are in the domain on the server.

I followed this guide step by step, using 3399 as the secondary port and using PC MYPC with IP 192.168.1.100.

PC MYPC has Remote Desktop enabled and Windows Firewall disabled.

But nothing; I try inside the LAN from another PC using 192.168.1.100:3399, but nothing.

Any help?

Thank you

All Replies


  • Hello,

    if you want to connect from the Internet, you have to use your public IP.

    nico

  • damianodec
    damianodec Posts: 42  Freshman Member

    hi Nico,

    yes, I have !

  • lalaland
    lalaland Posts: 90  Ally Member

    @damianodec

    If you have 3 PCs in the LAN and you'd like to access RDP on the 3 PCs from the Internet, just follow the guide to configure NAT rules with port mapping and security policy rules.

    Ex: the default RDP port of the 3 PCs is 3389.

    pc1: 192.168.1.99

    pc2: 192.168.1.100

    pc3: 192.168.1.101

    Suppose the WAN IP of the USG40 is 59.1.1.100 and configure NAT port mapping for pc2 and pc3. pc1 still uses port 3389 without port mapping.

    pc1: 3389 -> 3389

    pc2: 3390 -> 3389

    pc3: 3391 -> 3389

    Security policy rule:

    From WAN to LAN, destination: pc1, pc2 and pc3, service: 3389, allow.

    To access the 3 PCs by RDP from the Internet:

    pc1: 59.1.1.100:3389

    pc2: 59.1.1.100:3390

    pc3: 59.1.1.100:3391

    To access the 3 PCs by RDP inside the LAN:

    pc1: 192.168.1.99:3389

    pc2: 192.168.1.100:3389

    pc3: 192.168.1.101:3389

  • damianodec
    damianodec Posts: 42  Freshman Member

    Thank you, I'll try it.

  • RickyC
    RickyC Posts: 7

    Why expose 3389 to the Internet? I would think you could create a rule to allow traffic from 3390 and 3391, and let translation take care of it, but it does not work without exposing 3389 to the Internet.

  • PeterUK
    PeterUK Posts: 2,651  Guru Member

    A safer way to allow 3389 is from a source FQDN like remoteRDP.no-ip.org: the connecting client runs DDNS, the USG updates the IP for remoteRDP.no-ip.org and allows RDP.

    Or you can NAT an external port like 3000 to internal 3389; then the client uses IP:3000 for RDP.
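The following is an added illustration, not code from this thread, from Zyxel, or from any USG firmware. It models the ordering that lalaland's configuration relies on and that RickyC ran into: the NAT port-mapping rule rewrites the destination first, and the security policy is then matched against the translated LAN address and port, so a WAN-to-LAN policy must name 3389 even though Internet clients connect to 3390 or 3391. It also models PeterUK's source-FQDN restriction with a DDNS lookup. That ordering is an assumption consistent with what the thread observes; the addresses, ports and hostname are the thread's constructed sample values, and 203.0.113.10 and 198.51.100.7 are constructed client addresses from the documentation ranges.

```python
"""Model of NAT-then-policy handling of inbound RDP on a USG-style firewall.

Added illustration, not product code. Assumption: port mapping rewrites the
destination before the security policy is evaluated. All addresses and the
DDNS hostname are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

WAN_IP = "59.1.1.100"      # constructed WAN address from the thread
LAN_PREFIX = "192.168.1."  # constructed LAN range from the thread

# Constructed DDNS answers; a real firewall resolves the FQDN periodically.
DDNS_TABLE: Dict[str, str] = {"remoteRDP.no-ip.org": "203.0.113.10"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    external_port: int  # port the Internet client connects to on the WAN IP
    internal_ip: str    # LAN host that receives the connection
    internal_port: int  # port on that host (3389 for RDP)


@dataclass(frozen=True)
class Policy:
    dst_ips: FrozenSet[str]         # matched after NAT, so LAN addresses
    dst_ports: FrozenSet[int]       # matched after NAT, so the internal port
    src_fqdn: Optional[str] = None  # None = any source; else must resolve to src_ip


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Packet:
    """Rewrite the destination of a packet that hits a port mapping on the WAN IP."""
    if pkt.dst_ip != WAN_IP:
        return pkt
    for r in rules:
        if r.external_port == pkt.dst_port:
            return Packet(pkt.src_ip, r.internal_ip, r.internal_port)
    return pkt  # no mapping: still addressed to the firewall itself


def policy_allows(pkt: Packet, policies: List[Policy]) -> bool:
    """WAN-to-LAN policy lookup on the post-NAT packet; default is deny."""
    if not pkt.dst_ip.startswith(LAN_PREFIX):
        return False  # not headed into the LAN zone
    for p in policies:
        if pkt.dst_ip not in p.dst_ips or pkt.dst_port not in p.dst_ports:
            continue
        if p.src_fqdn is not None and DDNS_TABLE.get(p.src_fqdn) != pkt.src_ip:
            continue
        return True
    return False


def handle_inbound(pkt: Packet, rules: List[NatRule], policies: List[Policy]) -> Tuple[Packet, bool]:
    """Full path for one inbound packet: NAT first, then security policy."""
    translated = apply_nat(pkt, rules)
    return translated, policy_allows(translated, policies)


# lalaland's mapping: pc1 unmapped on 3389, pc2 and pc3 behind 3390/3391.
NAT_RULES = [
    NatRule(3389, "192.168.1.99", 3389),
    NatRule(3390, "192.168.1.100", 3389),
    NatRule(3391, "192.168.1.101", 3389),
]
PCS = frozenset({"192.168.1.99", "192.168.1.100", "192.168.1.101"})

POLICY_3389 = [Policy(PCS, frozenset({3389}))]                    # as lalaland wrote it
POLICY_EXTERNAL = [Policy(PCS, frozenset({3390, 3391}))]          # RickyC's attempt
POLICY_FQDN = [Policy(PCS, frozenset({3389}), "remoteRDP.no-ip.org")]  # PeterUK's variant


def rdp_to_pc2(src_ip: str, policies: List[Policy]) -> bool:
    """Does a client at src_ip reach pc2 via 59.1.1.100:3390 under these policies?"""
    return handle_inbound(Packet(src_ip, WAN_IP, 3390), NAT_RULES, policies)[1]


if __name__ == "__main__":
    print("policy on 3390/3391 only:", rdp_to_pc2("198.51.100.7", POLICY_EXTERNAL))  # False
    print("policy on 3389:          ", rdp_to_pc2("198.51.100.7", POLICY_3389))     # True
    print("DDNS-tracked client:     ", rdp_to_pc2("203.0.113.10", POLICY_FQDN))     # True
    print("any other client:        ", rdp_to_pc2("198.51.100.7", POLICY_FQDN))     # False
```

The policy that names only the external ports never matches because, by the time it runs, the destination port is already 3389; that is the behaviour RickyC describes. The FQDN variant keeps the same 3389 service but only admits the address the DDNS name currently resolves to, which is what PeterUK proposes.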


Security Highlight