WinGate Forums

[WGuser]

I'm using version 5.2.3 (build 901). All ports on the firewall are closed except 3389 for an inbound terminal server connection. Both PCs are Windows XP Professional.

I'm concerned about someone breaking in by guessing the XP password. The log shows that port scanners have found this port open.

Is there a way to restrict inbound access to an IP address range? Are there any other ways to secure this port? I saw an option for SYN Cookies, but I couldn't find any info on them. Is a VPN a better way to connect than terminal server? We have 2 users that need an inbound connection, and we use a modem dial-up.

Thanks for any help!!!

[erwin]

Hi there

You can configure WinGate when handling traffic on port 3389 incoming from the Internet to allow(open) or disallow(close) this port in the port security tab in the ENS configuration in GateKeeper.

If your clients behind the WinGate machine are attempting to connect via RDP to a remote server or terminal server setup or such, then there is no adjustment neccessary (apart from allowing this port to be open on the WinGate firewall)

Terminal server(TS) and Vpn actually serve two different functions. TS lets you joining clients use the Tserver as though its their own PC, where as VPN extends your Local network by passing traffic backwards and forwards along and encryted secure tunnel across the Internet, so that you can have access to the remote LAN s shares,drives,resources etc.

Hope this helps

Erwin

[WGuser]

Thanks for the info. We've had Terminal server setup and working fine. A user on the Internet connects through a port opened up in WinGate to access a PC behind the firewall.

I want to know how to secure an open port in Wingate.

The firewall log shows that port scanners have found the open port 3389. A hacker just has to guess the Windows password to get into our system.

If Wingate could only allow inbound connections by IP address, we'd feel more secure. Are there any ways to restrict the users that access port 3389?

[sunpower]

There is no way to secure your senario as i belive with the config you are using right now .
But if you succed to allow the inbound trafic coming from the internet (dialup users) to pass through to the Terminal server through seting up A VPN and using the security roles of the VPN then you can use the Assumed Users by name ( There PC's name) from the Users Tab , this will be 100% secured.

One more way but less secure that to use the Assumed Users by name with out implementing the VPN but as i have just said it wont be secured enough hence the hacker he may know the name of the dialup users PC's name and spoff the name ;).

Good luck my dear and tell me what is your decision i may help you.

[trebor]

Hi

I also use Terminal Server from remote locations. I find a very easy and most secure way is to install Wingate on your remote location(s), point the TS client to the WG port, and TCP map via Wingate, using an Authenticated connection to your head office.

This is how I do it, and its fully stealthed, invisible and very secure (i think) to the outside world!

PS. A fantastic site to safely test your own firewall security is the free 'shields up' service on www.GRC.com

[erwin]

Hi Folks

Sorry for not replying for a while.

Unfortunately through straight ENS there is no way of securing a port with a restriction policy, however as Trebor explained using a TCP mapping will allow you to apply a restriction policy on its usage.

Good suggestion

Erwin