ms-rdp and cotp

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ms-rdp and cotp

L0 Member

Hello there,

 

I have googled and searched the community but I am still at a loss: why is the "rdp" communication identified as "cotp" sometimes? Does anyone have an answer or a a link?

 

Have a great no-unplanned-downtime-day everyone!

 

Jan

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@janhoppe,

Generally you see this more when someone has log-start enabled on RDP policies (which is a good practice in my eye since you likely want fast indication that someone has an RDP window open when looking at logs without having to go into the session table). 

When you see this in the logs when that isn't the case it simply means that the firewall hasn't properly identified it under the ms-rdp application. That shouldn't be that much of an issue since ms-rdp implicitly utilizes cotp and t.120 as the underlying technology that drives ms-rdp, however I know a lot of people simply include ms-rdp and cotp in the same entries since that false-negative on the ms-rdp signature can cause connection issues for folks if it doesn't switch over properly.

 

As to why that happens, it's just because the firewall didn't see the proper traffic to match the ms-rdp signature properly. That could be because some packets dropped along the way that prevent it from being identified properly, it could be because the service on the endpoint wasn't operating properly and therefore didn't return traffic as expected, or a number of other issues.

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@janhoppe,

Generally you see this more when someone has log-start enabled on RDP policies (which is a good practice in my eye since you likely want fast indication that someone has an RDP window open when looking at logs without having to go into the session table). 

When you see this in the logs when that isn't the case it simply means that the firewall hasn't properly identified it under the ms-rdp application. That shouldn't be that much of an issue since ms-rdp implicitly utilizes cotp and t.120 as the underlying technology that drives ms-rdp, however I know a lot of people simply include ms-rdp and cotp in the same entries since that false-negative on the ms-rdp signature can cause connection issues for folks if it doesn't switch over properly.

 

As to why that happens, it's just because the firewall didn't see the proper traffic to match the ms-rdp signature properly. That could be because some packets dropped along the way that prevent it from being identified properly, it could be because the service on the endpoint wasn't operating properly and therefore didn't return traffic as expected, or a number of other issues.

L0 Member

Thank you for your reply. That explains what we are seeing here. In one of our old networks we're seeing just rdp and it still works, altoogh now I am tempted to find out, if we have any rdp issues that couldn't be explained.

In our newest integration we're just bulding our policies and saw cotp alongside rdp and it was not something I expected.

 

Thanks for your help!

  • 1 accepted solution
  • 4707 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!