I have tried a all sort s of combinations without success.
I have:
20 groups - users in each group should only be able to access their own RDP server (Most in 1 subnet, some in others) 3389
1 group users can access all 20 individual RDP servers (mix of subnets) 3389
1 group can access everything all ports etc
I'm missing something as it doesn't seem to do any limiting, based on groups (have tried log in/out of VPN session etc)
I have seen other sites where we need to check for an existing session firs
Access Control
-
allaboutthebase
- Posts: 19
- Joined: Thu Apr 09, 2020 3:53 pm
Re: Access Control
I have something similar to you but not as many groups.
in access list I have a PASS rule for each RDP session from a user to their PC (10 in total) and then the last rule is to DISCARD RDP for a group that all the users the are in the individual rules are members of.
So the DISCARD rule blocks RDP for them all to all devices and then the PASS rule for each person allows them access their own RDP session to their PC.
You'd need to give some details to the Access List Items you have configured to see where you are going wrong.
in access list I have a PASS rule for each RDP session from a user to their PC (10 in total) and then the last rule is to DISCARD RDP for a group that all the users the are in the individual rules are members of.
So the DISCARD rule blocks RDP for them all to all devices and then the PASS rule for each person allows them access their own RDP session to their PC.
You'd need to give some details to the Access List Items you have configured to see where you are going wrong.
-
timboau
- Posts: 12
- Joined: Wed Aug 31, 2016 12:30 am
Re: Access Control
Hey thanks, I think you might have dropped a few characters in the reply but it made me really study what you were trying to say :)
From what I can see its sort of an ass about firewall - that makes sense in a strange way!
Allow the group access to the IP / PORT of the server
add the DNS, DHCP, domain controller etc without a group as allow
then block all subnets /everything as last rule (no group) - ie catch all
I just need to setup all the groups and add the catch all before it comes into force..
From what I can see its sort of an ass about firewall - that makes sense in a strange way!
Allow the group access to the IP / PORT of the server
add the DNS, DHCP, domain controller etc without a group as allow
then block all subnets /everything as last rule (no group) - ie catch all
I just need to setup all the groups and add the catch all before it comes into force..
-
timboau
- Posts: 12
- Joined: Wed Aug 31, 2016 12:30 am
Re: Access Control
Hi again and thanks for your previous assistance - its going great now!
I have a bit of a weird issue though - any ideas?
Essentially "Network identification" doesn't happen successfully when the VPN connects to the network anymore. Causing some delays until it times out 'identifying'
This causes a few issues for instance when I'm trying to connect to a Synology SMB file-share its asking for re-authentication and takes 30 seconds or so to establish a connection. Once connected its fine. (but sometime if not used it does time out and then pause again, only to be fine after the initial delay)
I do have Ports 88 Kerberos 123 NTP, 53 DNS , 139, 445 SMB open between the IP of the SoftEther Server and the NAS
Could it be the Kerberos having issues traversing the NAT to the Softether clients - any suggestions if so? It must have something to do with the ACL as both network identification and instant logon to the SMB share was OK before.
I have a bit of a weird issue though - any ideas?
Essentially "Network identification" doesn't happen successfully when the VPN connects to the network anymore. Causing some delays until it times out 'identifying'
This causes a few issues for instance when I'm trying to connect to a Synology SMB file-share its asking for re-authentication and takes 30 seconds or so to establish a connection. Once connected its fine. (but sometime if not used it does time out and then pause again, only to be fine after the initial delay)
I do have Ports 88 Kerberos 123 NTP, 53 DNS , 139, 445 SMB open between the IP of the SoftEther Server and the NAS
Could it be the Kerberos having issues traversing the NAT to the Softether clients - any suggestions if so? It must have something to do with the ACL as both network identification and instant logon to the SMB share was OK before.
-
timboau
- Posts: 12
- Joined: Wed Aug 31, 2016 12:30 am
Re: Access Control
Ive created two new rules
Allow everything to the DNS server
Allow everything to the Internal Router IP
I connected with both of these enabled and boom - away it went instantly identified.
Turning either one off seems to be ok - so its identifying from either from what I can see.
Any idea exactly whats its looking for to do this and best practice around best enabling this feature?
Allow everything to the DNS server
Allow everything to the Internal Router IP
I connected with both of these enabled and boom - away it went instantly identified.
Turning either one off seems to be ok - so its identifying from either from what I can see.
Any idea exactly whats its looking for to do this and best practice around best enabling this feature?
-
timboau
- Posts: 12
- Joined: Wed Aug 31, 2016 12:30 am
Re: Access Control
Yes that's correct - RDP is working as expected.
If I allow all ports to both Router and DNS server the network is identified immediately.
What I'm looking for is the ports that Windows 10 Uses to 'identify' the network and to which devices its trying that on?
If I allow all ports to both Router and DNS server the network is identified immediately.
What I'm looking for is the ports that Windows 10 Uses to 'identify' the network and to which devices its trying that on?