This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Classify ARD?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Classify ARD?

rob.burgoyne
L3 Networker

‎12-29-2011 03:17 PM

Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a networked computer. Clients exist for most versions of Windows (including handheld versions), Linux/Unix, Mac OS X and other modern operating systems. The server listens by default on TCP port 3389. Microsoft refers to the official RDP server software as Terminal Services or Remote Desktop Services. The official client software is referred to as either Remote Desktop Connection (RDC) or Terminal Services Client (TSC). Mac OS X's client is called Apple Remote Desktop (ARD).

I found this for the description for MS-RDP but I can't figure out if thats what I use to classify ARD or not. The ports don't look correct and currently I don't have a way to test the traffic. Any ideas?

Thanks,

0 Likes Likes
3 REPLIES 3

jdavis
Not applicable

‎12-29-2011 05:31 PM

Can you perform a packet capture using Wireshark on this data?

Have you contacted technical support at Apple for more information about ARD?

Best Regards,

Jared

0 Likes Likes

rob.burgoyne
L3 Networker
In response to jdavis

‎12-29-2011 05:49 PM

Apple remote desktop seems like a pretty widely used application. I really hope palo alto has this in their app-id database...

0 Likes Likes

jdavis
Not applicable
In response to rob.burgoyne

‎12-29-2011 06:29 PM

You can check whether there is an Application ID signature for a particular application in the Palo Alto Networks Applipedia (http://apps.paloaltonetworks.com/applipedia//).

You can submit a request to have an Application ID signature developed at this URL:  http://www.paloaltonetworks.com/researchcenter/submit-an-application/

It appears that ARD falls under the "ms-rdp" application according to Applipedia.  If ARD is not being identified by a security policy that has the "ms-rdp" application I recommend the following:

  1. Perform a packet capture to obtain the Layer-4 port(s) used by ARD.
  2. Contact Apple technical support to obtain further information about the protocol.
  3. Open a technical support case with Palo Alto Networks.  Provide the information gathered in steps 1 and 2.  They can help you determine whether ARD is being identified as "ms-rdp" or not.  A bug can be opened requesting that application signature that includes ARD be updated for inclusion in an upcoming "Apps & Threats" content release.

Best Regards,

Jared

  • 2567 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks