Remote Desktop and IPSec in the DMZ.

mharding — Wed, 17 Feb 2010 16:12:38 GMT

This is something we had enabled when we were using a Symantec SGS firewall, but had to disable it when we went to the PA-2050. I haven't had much time to play with it, but I need to get it working again. Under the local Group Policy of each server, we have a Secure Terminal Services IPSec policy that requires security when attempted a connection over TCP port 3389.

When we moved to the PA-2050, I had to disable this IPSec Policy on the DMZ Servers. No matter what I did, I wasn't able to see the IPSec traffic in the PAN logs. Even adding the IPSec applications made no difference in the connection, nor did creating a completely open rule from my desktop to one of the servers.

Is there anything that I am missing here, or is this not feasible anymore?

Re: Remote Desktop and IPSec in the DMZ.

kbrazil — Wed, 17 Feb 2010 18:10:09 GMT

This should work with no problem, so you might want to work with Support so they can help troubleshoot.

I have seen instances in the past where I had included an incorrect IPSEC application (it turned out to be Cisco VPN instead of generic IPSEC) and that caused the traffic to fail even when switching to an open policy. The reason is because the firewall cached the IKE session initiation but it was later determined to be the incorrect IKE type. All I had to do was to clear the session from the session table and the next IPSEC connection was correctly identified and allowed through. You can clear all sessions or selectively clear sessions from the CLI.

Cheers,

Kelly

topic Re: Remote Desktop and IPSec in the DMZ. in General Topics

Remote Desktop and IPSec in the DMZ.

Re: Remote Desktop and IPSec in the DMZ.