How to Port Forward Service Ports (Webservers, RDP, OWA, FTP etc.) Product Version: Astaro Security Gateway Version 7

June 15th, 2009

Task:

Servers or systems behind the ASG must be accessible to internet connections. This requires the specific service ports to be opened and forwarded through the gateway. Common implementations are web servers (HTTP, HTTPS), FTP servers, Remote Desktop Protocol (RDP) and Outlook Web Access (OWA).

There are 4 common scenarios to set up:

Scenario 1 – Common port on public interface
Scenario 2 – New service port creation needed to forward
Scenario 3 – Additional public address
Scenario 4 – Additional public address and new service port

Steps:
For all scenarios it is recommended to first spend some time creating host definitions for web servers, email servers, FTP servers etc.
Example: Webserver host definition
Goto Definitions>>Networks
New Network Definition
Name: Webserver
Type: Host
Address: 10.200.200.10
Comment: My internal webserver IP

For all scenarios it is also possible to simply select the option for automatic packet filter rules to be applied if you do not wish to create the packet filter rule separately.

Scenario 1 – Common port on public interface
Example: Webserver on HTTP TCP port 80

1) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: Webserver
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTP
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Webserver
Destination Service: left blank
Click Save
Once created, click the traffic light from Red to Green

2) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTP
Destination: Webserver
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow http traffic to webserver
Click Save
Once created, click the traffic light from Red to Green

Scenario 2 – New service port creation needed to forward
Example: Remote Desktop Protocol (RDP) on TCP port 10040 public to Exchange Server on TCP port 3389
Normally Microsoft RDP uses the predefined service TCP 3389; however, the public port can be changed to a different port so that multiple servers behind the ASG can each be reached.

1) Create a new service definition
Goto Definitions>>Services
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

2) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)
Click Save
Once created, click the traffic light from Red to Green

3) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server
Click Save
Once created, click the traffic light from Red to Green

Scenario 3 – Additional public address
Example: Outlook Web Access TCP port 443 (HTTPS) on second address translated to Exchange server

1) Create Additional public address
Goto Network>>Interfaces
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address
Click Save

2) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: OWA Access
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTPS
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: left blank
Click Save
Once created, click the traffic light from Red to Green

3) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTPS
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow OWA HTTPS traffic to Exchange Server
Click Save
Once created, click the traffic light from Red to Green

Scenario 4 – Additional public address and new service port
Example: Remote Desktop Protocol (RDP) on TCP port 10040 on a second public address, translated to the Exchange server on Microsoft Remote Desktop Protocol (RDP) TCP port 3389

1) Create Additional public address
Goto Network>>Interfaces
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address
Click Save

2) Create a new service definition
Goto Definitions>>Services
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

3) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)
Click Save
Once created, click the traffic light from Red to Green

4) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server
Click Save
Once created, click the traffic light from Red to Green
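All four scenarios depend on the same ordering: the DNAT rule rewrites the destination first, and the packet filter then sees the translated packet, which is why every packet filter rule above names the internal host and the real service (RDP 3389) rather than the public address or the public port (10040). The following Python model is added here as an illustration and is not ASG code; the External interface address 150.0.0.254 and the Exchange server address 10.200.200.20 are assumed placeholders, while 10.200.200.10 and 150.0.0.1 come from the article.

```python
# Added illustration (not ASG code): a small model of DNAT-then-packet-filter
# evaluation for the four scenarios. The packet filter is matched against the
# packet *after* DNAT, so its rules must name the translated host and port.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dst: str    # destination address as the firewall sees it
    dport: int  # TCP destination port


# 10.200.200.10 and 150.0.0.1 are from the article; the other two addresses
# are constructed placeholders for this example.
EXTERNAL = "150.0.0.254"           # assumed primary address of the External interface
EXCHANGE_PUBLIC = "150.0.0.1"      # additional address from scenarios 3 and 4
WEBSERVER = "10.200.200.10"
EXCHANGE_SERVER = "10.200.200.20"  # assumed internal Exchange server address

# DNAT rules: (traffic destination, traffic port) -> (new destination, new port).
# A new port of None models "Destination Service: left blank" (port unchanged).
DNAT = {
    (EXTERNAL, 80): (WEBSERVER, None),                  # scenario 1
    (EXTERNAL, 10040): (EXCHANGE_SERVER, 3389),         # scenario 2
    (EXCHANGE_PUBLIC, 443): (EXCHANGE_SERVER, None),    # scenario 3
    (EXCHANGE_PUBLIC, 10040): (EXCHANGE_SERVER, 3389),  # scenario 4
}

# Packet filter "Allow" rules, matched against the packet after DNAT.
FILTER_ALLOW = {
    (WEBSERVER, 80),          # Allow HTTP traffic to webserver
    (EXCHANGE_SERVER, 3389),  # Allow RDP traffic to server
    (EXCHANGE_SERVER, 443),   # Allow OWA HTTPS traffic to Exchange server
}


def apply_dnat(pkt: Packet) -> Packet:
    """Rewrite destination address/port if a DNAT rule matches, else pass through."""
    rule = DNAT.get((pkt.dst, pkt.dport))
    if rule is None:
        return pkt
    new_dst, new_port = rule
    return Packet(pkt.src, new_dst, pkt.dport if new_port is None else new_port)


def evaluate(pkt: Packet, allow=frozenset(FILTER_ALLOW)):
    """Return (allowed, translated packet); anything not explicitly allowed is dropped."""
    translated = apply_dnat(pkt)
    return (translated.dst, translated.dport) in allow, translated
```

Passing a filter set that names the public address and port 10040 instead of the translated values shows the common mistake: the DNAT still happens, but the packet filter never matches and the connection is dropped.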

Yigal Behar
