https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278218#M75572 <P>Hello,</P><P>RDP is unsecure and I do not recommend you use it over the internet. Please use a secure channel like one Bpry suggeted.</P><P>&nbsp;</P><P>Regards,</P> Mon, 22 Jul 2019 21:40:32 GMT OtakarKlier 2019-07-22T21:40:32Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278056#M75549 <P>Hi,</P><P>We need to configure an input rule to authorize an public IP address to access at one of our virtual machine on our subnet.</P><P>Concretely, I need to authorize public IP address 195.193.194.195 access directly to our virtual machine with the private IP 192.168.1.1 on the port 3389 (Remote Desktop) only via our public IP address (82.83.84.85).</P><P>I configured a NAT rule but it didn't work. May be I doing something wrong ?</P><P>Can you help us about this topic ?</P><P>Thank you for your help.</P> Mon, 22 Jul 2019 11:09:30 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278056#M75549 feelgood 2019-07-22T11:09:30Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278063#M75550 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/79471">@feelgood</a>&nbsp;,</P><P>&nbsp;</P><P>Hope you have configured the NAT and security rule properly. refer below doc for help.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping</A></P> Mon, 22 Jul 2019 11:30:06 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278063#M75550 Abdul_Razaq 2019-07-22T11:30:06Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278064#M75551 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>,</P><P>&nbsp;</P><P>Thank you for your answer, I go test that.</P> Mon, 22 Jul 2019 11:48:55 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278064#M75551 feelgood 2019-07-22T11:48:55Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278085#M75554 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/79471">@feelgood</a>,</P><P>While this certainly works I would question why you wouldn't simply give whoever's needs access to this device access through the built in GlobalProtect VPN solution.&nbsp;</P><P>You are still exposing this desktop to the outside world. You might be limiting it via a security policy but the NAT statement is still there. To avoid issues due to a misconfiguration I would recommend against your current approach.&nbsp;</P> Mon, 22 Jul 2019 12:25:54 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278085#M75554 BPry 2019-07-22T12:25:54Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278100#M75557 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>We have already GlobalProtect configured on our PanOS but it's for our users. This NAT configuration is for a partner who needs to access an environnement via our public IP address.</P><P>&nbsp;</P><P>We don't want grant access at this partner on our VPN access because it's not partitionned correctly at this time.</P><P>&nbsp;</P><P>So, the only solution I founded it's this NAT rules restricted on the IP address of this partner.</P> Mon, 22 Jul 2019 12:41:18 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278100#M75557 feelgood 2019-07-22T12:41:18Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278101#M75558 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/79471">@feelgood</a>,</P><P>This is a "quick" solution to the problem, but I would seriously look at getting GlobalProtect in a good working state to allow Vendor solutions access to select machines rather than a NAT solution. You already have GlobalProtect exposed to the outside and this solution is just adding another entry point into your network. It might be secure by a source address, but one small configuration mistake would open it up to anyone.&nbsp;</P><P>Just my two cents, clearly either is a viable solution.&nbsp;</P> Mon, 22 Jul 2019 12:51:33 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278101#M75558 BPry 2019-07-22T12:51:33Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278111#M75560 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Thanks for your advices. We need to grant access to partner this week so I need a quick solution. But we are aware that is a dirty solution and we need to more secure our GlobalProtect access in the future.</P> Mon, 22 Jul 2019 13:06:44 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278111#M75560 feelgood 2019-07-22T13:06:44Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278218#M75572 <P>Hello,</P><P>RDP is unsecure and I do not recommend you use it over the internet. Please use a secure channel like one Bpry suggeted.</P><P>&nbsp;</P><P>Regards,</P> Mon, 22 Jul 2019 21:40:32 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278218#M75572 OtakarKlier 2019-07-22T21:40:32Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278301#M75589 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>I reconsider my position and you're wright, it's so dangerous to expose RDP on Internet.</P><P>&nbsp;</P><P>So, I search other solution without VPN (for the moment). May be a VNC solution.</P> Tue, 23 Jul 2019 08:09:09 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278301#M75589 feelgood 2019-07-23T08:09:09Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278353#M75592 <P>Finally, I think to segregate subnets ont my GlobalProtect configuration but I have a question : Can I apply different segregation by users or users group ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="capture.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20738i967C4D02527D8DD9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="capture.png" alt="capture.png" /></span></P> Tue, 23 Jul 2019 13:28:14 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278353#M75592 feelgood 2019-07-23T13:28:14Z https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278453#M75627 <P>Exposing RDP = BAD BAD BAD!</P><P>&nbsp;</P><P>Use a product designed to do this that can open via a proxy service.&nbsp; Something like teamview or a similar solution that includes some kind of authentication/authorization.&nbsp; This avoids all the NAT goofyness and security implications you are getting yourself into as well.</P> Tue, 23 Jul 2019 17:46:08 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-configuration-to-access-remote-desktop/m-p/278453#M75627 jeremy.larsen 2019-07-23T17:46:08Z