Classify ARD?


L3 Networker

Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a networked computer. Clients exist for most versions of Windows (including handheld versions), Linux/Unix, Mac OS X and other modern operating systems. The server listens by default on TCP port 3389. Microsoft refers to the official RDP server software as Terminal Services or Remote Desktop Services. The official client software is referred to as either Remote Desktop Connection (RDC) or Terminal Services Client (TSC). Mac OS X's client is called Apple Remote Desktop (ARD).

I found this for the description for MS-RDP but I can't figure out if that's what I use to classify ARD or not. The ports don't look correct and currently I don't have a way to test the traffic. Any ideas?

Thanks,

3 REPLIES 3

Not applicable

Can you perform a packet capture using Wireshark on this data?

Have you contacted technical support at Apple for more information about ARD?

Best Regards,

Jared

Apple Remote Desktop seems like a pretty widely used application. I really hope Palo Alto has this in their App-ID database...

You can check whether there is an Application ID signature for a particular application in the Palo Alto Networks Applipedia (http://apps.paloaltonetworks.com/applipedia//).

You can submit a request to have an Application ID signature developed at this URL: http://www.paloaltonetworks.com/researchcenter/submit-an-application/

It appears that ARD falls under the "ms-rdp" application according to Applipedia. If ARD is not being identified by a security policy that has the "ms-rdp" application, I recommend the following:

  1. Perform a packet capture to obtain the Layer-4 port(s) used by ARD.
  2. Contact Apple technical support to obtain further information about the protocol.
  3. Open a technical support case with Palo Alto Networks. Provide the information gathered in steps 1 and 2. They can help you determine whether ARD is being identified as "ms-rdp" or not. A bug can be opened requesting that the application signature that includes ARD be updated for inclusion in an upcoming "Apps & Threats" content release.

Best Regards,

Jared
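One way to carry out step 1 offline, as an added example that is not part of the original replies: a small Python parser that reads a capture saved in classic pcap format and tallies the destination protocol/port pairs of packets sent to the managed Mac. The function names, IP addresses and port numbers in the sample are constructed for illustration; only Ethernet/IPv4 captures are handled.

```python
import struct
from collections import Counter
PROTO = {6: "tcp", 17: "udp"}

def listening_ports(pcap: bytes, host: str) -> Counter:
    """Count packets sent to `host`, keyed by (protocol, destination port)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    target = bytes(int(octet) for octet in host.split("."))
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        fragment = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] not in PROTO or fragment or ip[16:20] != target:
            continue  # not TCP/UDP, no L4 header here, or other destination
        if len(ip) >= ihl + 4:
            seen[PROTO[ip[9]], struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]] += 1
    return seen

def _frame(proto, src, dst, sport, dport):
    l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                     0, bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

def sample_pcap() -> bytes:
    # Constructed capture, not real traffic: an admin station (10.0.0.5)
    # talking to a managed Mac (10.0.0.20). Ports are sample values.
    admin, mac = (10, 0, 0, 5), (10, 0, 0, 20)
    frames = [_frame(6, admin, mac, 49152, 5900), _frame(6, mac, admin, 5900, 49152),
              _frame(6, admin, mac, 49152, 5900), _frame(17, admin, mac, 50000, 3283),
              _frame(6, admin, mac, 49153, 3283)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (proto, port), n in listening_ports(sample_pcap(), "10.0.0.20").most_common():
        print(f"{proto}/{port}: {n} packets")
```

For a real capture, pass the file's bytes and the Mac's IPv4 address to `listening_ports`; the resulting protocol/port list is the information step 3 asks you to give to support.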
