UTM: How to Open Remote Desktop, Citrix ICA or RDP traffic to a Terminal Server behind the SonicWALL (SonicOS Enhanced) (SW7501)

  • Resolution

    Article Applies To:

    Gen6 SM E10000 series: NSA E10800, NSA E10400, NSA E10200, NSA E10100
    Gen6 SM 9000 series: NSA 9600, NSA 9400, NSA 9200
    Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600

    Gen5 NSA Series: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
    Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W.
    Gen4 PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260.
    Gen4 TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless.

    Firmware/Software Version: All SonicOS Enhanced Versions.
    Services: Port forwarding (NAT policies, Address objects, firewall access rules).


    Feature/Application:

    Manually opening ports to allow Terminal Service traffic (Citrix ICA, RDP or Remote Desktop) from the Internet to a server behind the SonicWALL in SonicOS Enhanced involves the following steps:

    Step 1: Creating the necessary Address Objects
    Step 2: Creating a Service Group
    Step 3: Defining the appropriate NAT Policies (Inbound, Outbound and Loopback)
    Step 4: Creating the necessary WAN > Zone Access Rules for public access

    Recommendation: The Public Server Wizard quickly configures your SonicWALL to provide public access to an internal server. The Public Server Wizard is the most ambitious and functional wizard developed to date. It simplifies the complex process of creating a publicly and internally accessible server resource by automating the steps mentioned above. Please refer to KBID 7027 and KBID 4178 for complete instructions.

    Scenario:

    The following example covers allowing Terminal Service traffic (Citrix ICA, RDP or Remote Desktop) from the Internet to a server on the LAN with the private IP address 192.168.1.100. Once the configuration is complete, Internet users can access the Terminal Server behind the SonicWALL UTM appliance through the WAN (Public) IP address 1.1.1.1.

    Procedure: 

    In this example we have chosen to demonstrate using Terminal Service; however, the following steps apply to any service you wish to publish (such as HTTPS, SMTP, FTP, Terminal Services, SSH, etc.).

    Step 1: Creating the necessary Address Objects 

    TIP: For complete information on creating Address Objects, refer to KBID 7486.

    1. Select Network > Address Objects.
    2. Click the Add a new address object button and create two address objects: one for the server's IP on the LAN and another for the server's public IP:

    Address Object for Server on LAN

    Name: Terminal Server Private 
    Zone Assignment: LAN  
    Type: Host   
    IP Address: 192.168.1.100

    Address Object for Server's Public IP

    Name: Terminal Server Public
    Zone Assignment: WAN
    Type: Host
    IP Address: 1.1.1.1

    3. Click the OK button to complete creation of the new address objects.

    Step 2: Create a Service Group

    1. The Services page can be accessed either from Firewall > Services or Network > Services.
    2. Click Add Group and give the group a name; this article uses the name Terminal Server Services in the NAT policies and access rule below.
    3. Select individual services from the list in the left column. Click -> to add the services to the group.
    4. To remove services from the group, select individual services from the list in the right column. Click <- to remove the services.
    5. When you are finished, click OK to add the group to Custom Services Groups.

    Step 3: Defining the appropriate NAT Policies

    1. Select Network > NAT Policies.
    2. Click the Add a new NAT Policy button and choose the following settings from the drop-down menus:

    Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing information that allows the packet to get to its destination, and for the destination to respond to the original requester. The packet contains (among other things) the requester's IP address, the protocol information of the requester, and the destination's IP address. The NAT Policies engine in SonicOS Enhanced can inspect the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming as well as outgoing traffic.

    Note: To add a custom port or service in SonicOS Enhanced, refer to KBID 7133.

    Adding appropriate NAT Policies

    • Original Source: Any
    • Translated Source: Original
    • Original Destination: Terminal Server Public
    • Translated Destination: Terminal Server Private
    • Original Service: Terminal Server Services
    • Translated Service: Original
    • Inbound Interface: Any
    • Outbound Interface: Any
    • Comment: Terminal Server behind SonicWALL.
    • Enable NAT Policy: Checked
    • Create a reflexive policy: Checked

    Note: Create a reflexive policy: When you check this box, a mirror outbound or inbound NAT policy for the NAT policy you defined in the Add NAT Policy window is automatically created.

    3. Click the Add button.

    Loopback Policy:

    If you wish to access this server from other internal zones using the Public IP address 1.1.1.1, consider creating a Loopback NAT Policy; otherwise go to the next step:

    • Original Source: Firewalled Subnets
    • Translated Source: Terminal Server Public
    • Original Destination: Terminal Server Public
    • Translated Destination: Terminal Server Private
    • Original Service: Terminal Server Services
    • Translated Service: Original
    • Inbound Interface: Any
    • Outbound Interface: Any
    • Comment: Loopback policy
    • Enable NAT Policy: Checked
    • Create a reflexive policy: Unchecked

    4. Upon completion, the Inbound and Outbound NAT policies above will be listed under the Network > NAT Policies tab.
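    To make the three policies concrete, the following Python model walks sample packets through the inbound policy, the reflexive policy that the checkbox generates, and the loopback policy, and includes the duplicate-policy check that the troubleshooting section below asks for. It is an added example, not SonicWALL code, and does not reproduce SonicOS internals. The address objects and policy fields are the ones above; the members of the Terminal Server Services group (RDP tcp/3389 and Citrix ICA tcp/1494), the LAN subnet standing in for Firewalled Subnets, the first-match ordering and all client addresses are assumptions of the model, not values from this article.

```python
"""Toy model of the NAT policy table built in this article.

Added example for illustration; it is not SonicWALL code and does not reproduce
SonicOS internals. Address objects and policy fields follow the article. The
members of the "Terminal Server Services" group (RDP tcp/3389, Citrix ICA
tcp/1494), the LAN subnet behind "Firewalled Subnets" and all client addresses
are assumptions, not values from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address objects (values from the article)
TERMINAL_SERVER_PUBLIC = "1.1.1.1"
TERMINAL_SERVER_PRIVATE = "192.168.1.100"
# Assumed: the only firewalled (LAN) subnet in this deployment
FIREWALLED_SUBNETS = [ip_network("192.168.1.0/24")]
# Assumed membership of the service group
TERMINAL_SERVER_SERVICES = {("tcp", 3389), ("tcp", 1494)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: str      # "Any", "Firewalled Subnets" or an address object value
    trans_src: str     # "Original" or an address object value
    orig_dst: str
    trans_dst: str
    orig_service: str  # "Any" or "Terminal Server Services"


def addr_matches(selector: str, ip: str) -> bool:
    """Does an Original Source/Destination selector match this address?"""
    if selector == "Any":
        return True
    if selector == "Firewalled Subnets":
        return any(ip_address(ip) in net for net in FIREWALLED_SUBNETS)
    return selector == ip


def service_matches(selector: str, pkt: Packet) -> bool:
    """Does the Original Service selector match the packet's protocol/port?"""
    if selector == "Any":
        return True
    return (pkt.proto, pkt.dport) in TERMINAL_SERVER_SERVICES


def reflexive_of(p: NatPolicy) -> NatPolicy:
    """Mirror policy generated by 'Create a reflexive policy'.

    Modelling assumption: source and destination columns swap roles so that
    traffic the server originates leaves with the public address; the
    service column is kept as-is.
    """
    return NatPolicy(p.name + " (reflexive)",
                     orig_src=p.trans_dst, trans_src=p.orig_dst,
                     orig_dst=p.orig_src, trans_dst=p.trans_src,
                     orig_service=p.orig_service)


INBOUND = NatPolicy("Inbound", "Any", "Original",
                    TERMINAL_SERVER_PUBLIC, TERMINAL_SERVER_PRIVATE,
                    "Terminal Server Services")
LOOPBACK = NatPolicy("Loopback", "Firewalled Subnets", TERMINAL_SERVER_PUBLIC,
                     TERMINAL_SERVER_PUBLIC, TERMINAL_SERVER_PRIVATE,
                     "Terminal Server Services")
# First match wins in this model. The loopback policy has a narrower source
# than "Any" and is listed first so that LAN clients are not caught by the
# inbound policy, which would rewrite only their destination.
POLICY_TABLE = [LOOPBACK, INBOUND, reflexive_of(INBOUND)]


def translate(pkt: Packet, policies=POLICY_TABLE):
    """Return (rewritten packet, name of the matching policy or None)."""
    for p in policies:
        if (addr_matches(p.orig_src, pkt.src) and addr_matches(p.orig_dst, pkt.dst)
                and service_matches(p.orig_service, pkt)):
            src = pkt.src if p.trans_src == "Original" else p.trans_src
            dst = pkt.dst if p.trans_dst == "Original" else p.trans_dst
            return Packet(src, dst, pkt.proto, pkt.dport), p.name
    return pkt, None


def duplicate_policies(policies):
    """Pairs of policy names whose Original Source/Destination/Service fields
    are identical (the troubleshooting section warns against duplicates)."""
    seen, dups = {}, []
    for p in policies:
        key = (p.orig_src, p.orig_dst, p.orig_service)
        if key in seen:
            dups.append((seen[key], p.name))
        else:
            seen[key] = p.name
    return dups


if __name__ == "__main__":
    # Constructed sample packets: Internet client, LAN client, the server
    # itself going out, and an Internet client on a port outside the group.
    for pkt in (Packet("203.0.113.5", TERMINAL_SERVER_PUBLIC, "tcp", 3389),
                Packet("192.168.1.50", TERMINAL_SERVER_PUBLIC, "tcp", 3389),
                Packet(TERMINAL_SERVER_PRIVATE, "198.51.100.9", "tcp", 3389),
                Packet("203.0.113.5", TERMINAL_SERVER_PUBLIC, "tcp", 443)):
        out, name = translate(pkt)
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport}  =>  {out.src}->{out.dst}  via {name}")
```

    Running the script prints one line per sample packet. The loopback case shows why that policy exists: without it a LAN client connecting to 1.1.1.1 would match the inbound policy, have only its destination rewritten, and then receive the server's reply directly from 192.168.1.100 rather than from the address it connected to. The duplicate check reflects the troubleshooting advice: two policies with identical Original Source, Destination and Service fields are reported.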

    Step 4: Creating Firewall Access Rules

    1. Click Firewall > Access Rules tab.
    2. Select the type of view in the View Style section and go to WAN to LAN access rules.
    3. Click Add a new entry and create the rule by entering the following into the fields:

    Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.

    Action: Allow 
    From Zone: WAN
    To Zone: LAN

    Service: Terminal Server Services 
    Source: Any 
    Destination: Terminal Server Public 
    Users Allowed: All
    Schedule: Always on
    Enable Logging: checked

    Allow Fragmented Packets: checked

    4. Click OK.



    How to Test:

    • Testing from within the private network: Ensure that the Terminal Server is working from within the private network itself.
    • Testing from the Internet: From a remote computer, try to access the Terminal Server using the public IP address, i.e. 1.1.1.1.

    Troubleshooting:
    • Ensure that the Terminal Server's Default Gateway IP address is SonicWALL's LAN IP address.
    • Ensure that the Terminal Server is able to access the Internet.
    • If you have enabled Prevent ALL for Low Priority attacks under Security Services > Intrusion Prevention, check the SonicWALL logs to see whether an IPS signature is blocking Terminal Service traffic.

    • Displaying Access Rule Traffic Statistics:

    1. Click Firewall > Access Rules tab.
    2. Select the type of view in the View Style section and go to WAN to LAN access rules.
    3. Move your mouse pointer over the Graph icon to display the following access rule receive (Rx) and transmit (Tx) traffic statistics: 

    • Rx Bytes 
    • Rx Packets 
    • Tx Bytes 
    • Tx Packets

    • Ensure you do not have duplicate NAT Policies and Firewall Access Rules for your Terminal Server.
    • For further troubleshooting, go to the SonicWALL logs under the Log > View page and check for Alerts, denied IPs, Dropped messages, etc.
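    The troubleshooting steps above send you to the SonicWALL logs to look for IPS blocks and dropped or denied connections to the Terminal Server. SonicOS writes log entries as space-separated key=value pairs (quoted where a value contains spaces), so a short script can reduce a log export to just the entries that concern the server's ports. The following Python example is added here and is not SonicWALL code; the log lines are constructed to illustrate the format, not captured from a device, and the service ports (3389, 1494) and the message wording it matches on are assumptions for this scenario.

```python
"""Filter exported SonicWALL log lines for blocked or dropped Terminal Server traffic.

Added example, not SonicWALL code. The sample lines below are constructed in the
key=value style SonicOS uses; they are not real device output. Ports and the
message wording the filter matches on are assumptions for this article's scenario.
"""
import re
from collections import Counter

# Address objects from the article: an entry may show the pre-NAT public or
# the post-NAT private address as destination, so both are accepted.
SERVER_ADDRESSES = {"1.1.1.1", "192.168.1.100"}
# Assumed members of the "Terminal Server Services" group
TERMINAL_PORTS = {3389, 1494}
# Assumed substrings that mark an entry as a block rather than an allowed flow
BLOCK_MARKERS = ("dropped", "denied", "blocked", "ips detection", "ips prevention")

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log export (not captured from a device)
SAMPLE_LOG = [
    'id=firewall sn=CONSTRUCTED time="2014-09-03 10:15:22" fw=1.1.1.1 pri=6 '
    'msg="Connection Opened" src=203.0.113.5:51234:X1 dst=192.168.1.100:3389:X0 proto=tcp/3389',
    'id=firewall sn=CONSTRUCTED time="2014-09-03 10:16:01" fw=1.1.1.1 pri=1 '
    'msg="IPS Detection Alert: CONSTRUCTED signature name" src=198.51.100.7:40001:X1 dst=1.1.1.1:3389:X0 proto=tcp/3389',
    'id=firewall sn=CONSTRUCTED time="2014-09-03 10:16:40" fw=1.1.1.1 pri=4 '
    'msg="TCP connection dropped" src=203.0.113.9:6000:X1 dst=1.1.1.1:1494:X0 proto=tcp/1494',
    'id=firewall sn=CONSTRUCTED time="2014-09-03 10:17:05" fw=1.1.1.1 pri=4 '
    'msg="TCP connection dropped" src=203.0.113.9:6001:X1 dst=1.1.1.1:443:X0 proto=tcp/443',
]


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def endpoint(field: str):
    """Split an 'ip:port:interface' field into (ip, port); port may be absent."""
    parts = field.split(":")
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return parts[0], port


def blocked_terminal_traffic(lines):
    """Return (src ip, dst ip, port, msg) for entries that dropped or flagged
    traffic towards the Terminal Server's service ports."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if "dst" not in rec:
            continue
        dst_ip, dport = endpoint(rec["dst"])
        if dst_ip not in SERVER_ADDRESSES or dport not in TERMINAL_PORTS:
            continue
        msg = rec.get("msg", "")
        if any(marker in msg.lower() for marker in BLOCK_MARKERS):
            src_ip, _ = endpoint(rec.get("src", ""))
            hits.append((src_ip, dst_ip, dport, msg))
    return hits


def summarize(hits) -> Counter:
    """Count how often each blocking reason occurred."""
    return Counter(msg for *_, msg in hits)


if __name__ == "__main__":
    found = blocked_terminal_traffic(SAMPLE_LOG)
    for src, dst, port, msg in found:
        print(f"{src} -> {dst}:{port}  {msg}")
    print(summarize(found))
```

    The entry with "Connection Opened" and the drop on port 443 are ignored, since the first is an allowed flow and the second does not concern the Terminal Server's ports; what remains is the IPS alert and the dropped connection on the Citrix port, which is exactly the set of entries the troubleshooting steps tell you to look at. Against a real export, replace SAMPLE_LOG with the lines read from the file.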

     



Product(s):
SonicWALL NSA Series
4500, 3500, 250MW, 250M, 2400, 220W
SonicWALL E-Class NSA Series
E8510, E8500, E7500, E6500, E5500
SonicWALL TZ Series
215W, 215, 210W, 210, 205, 200W, 200, 105, 100W, 100
SonicWALL PRO Series
5060, 4100, 4060, 3060, 2040, 1260
TZ Series
190W, 190, 180W, 180, 170

Topic(s):
Technical Solutions

Article History:
Created on: 12/18/2009
Last Update on: 9/3/2014
