https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18341#M13373 <HTML><HEAD></HEAD><BODY><P><EM>Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a networked computer. Clients exist for most versions of Windows (including handheld versions), Linux/Unix, Mac OS X and other modern operating systems. The server listens by default on TCP port 3389. Microsoft refers to the official RDP server software as Terminal Services or Remote Desktop Services. The official client software is referred to as either Remote Desktop Connection (RDC) or Terminal Services Client (TSC). Mac OS X's client is called Apple Remote Desktop (ARD).</EM></P><P></P><P>I found this for the description for MS-RDP but I can't figure out if thats what I use to classify ARD or not. The ports don't look correct and currently I don't have a way to test the traffic. Any ideas?</P><P></P><P>Thanks,</P></BODY></HTML> Thu, 29 Dec 2011 23:17:42 GMT rob.burgoyne 2011-12-29T23:17:42Z https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18341#M13373 <HTML><HEAD></HEAD><BODY><P><EM>Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a networked computer. Clients exist for most versions of Windows (including handheld versions), Linux/Unix, Mac OS X and other modern operating systems. The server listens by default on TCP port 3389. Microsoft refers to the official RDP server software as Terminal Services or Remote Desktop Services. The official client software is referred to as either Remote Desktop Connection (RDC) or Terminal Services Client (TSC). Mac OS X's client is called Apple Remote Desktop (ARD).</EM></P><P></P><P>I found this for the description for MS-RDP but I can't figure out if thats what I use to classify ARD or not. The ports don't look correct and currently I don't have a way to test the traffic. Any ideas?</P><P></P><P>Thanks,</P></BODY></HTML> Thu, 29 Dec 2011 23:17:42 GMT https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18341#M13373 rob.burgoyne 2011-12-29T23:17:42Z https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18342#M13374 <HTML><HEAD></HEAD><BODY><P>Can you perform a packet capture using Wireshark on this data?</P><P></P><P>Have you contacted technical support at Apple for more information about ARD?</P><P></P><P>Best Regards,</P><P>Jared</P></BODY></HTML> Fri, 30 Dec 2011 01:31:18 GMT https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18342#M13374 jdavis 2011-12-30T01:31:18Z https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18343#M13375 <HTML><HEAD></HEAD><BODY><P>Apple remote desktop seems like a pretty widely used application. I really hope palo alto has this in their app-id database... </P></BODY></HTML> Fri, 30 Dec 2011 01:49:03 GMT https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18343#M13375 rob.burgoyne 2011-12-30T01:49:03Z https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18344#M13376 <HTML><HEAD></HEAD><BODY><P>You can check whether there is an Application ID signature for a particular application in the Palo Alto Networks Applipedia (<A href="http://apps.paloaltonetworks.com/applipedia//">http://apps.paloaltonetworks.com/applipedia//</A>).</P><P></P><P>You can submit a request to have an Application ID signature developed at this URL:&nbsp; <A class="active_link" href="http://www.paloaltonetworks.com/researchcenter/submit-an-application/">http://www.paloaltonetworks.com/researchcenter/submit-an-application/</A></P><P></P><P>It appears that ARD falls under the "ms-rdp" application according to Applipedia.&nbsp; If ARD is not being identified by a security policy that has the "ms-rdp" application I recommend the following:</P><OL><LI>Perform a packet capture to obtain the Layer-4 port(s) used by ARD.</LI><LI>Contact Apple technical support to obtain further information about the protocol.</LI><LI>Open a technical support case with Palo Alto Networks.&nbsp; Provide the information gathered in steps 1 and 2.&nbsp; They can help you determine whether ARD is being identified as "ms-rdp" or not.&nbsp; A bug can be opened requesting that application signature that includes ARD be updated for inclusion in an upcoming "Apps &amp; Threats" content release.</LI></OL><P></P><P>Best Regards,</P><P>Jared</P></BODY></HTML> Fri, 30 Dec 2011 02:29:13 GMT https://live.paloaltonetworks.com/t5/general-topics/classify-ard/m-p/18344#M13376 jdavis 2011-12-30T02:29:13Z