TCP 0 vs 1-65535

Hi, I am trying to configure a connection to Remote Desktop from VPN clients using Windows connection security rules. What I want to do is only allow the very specific ports required, even if that requires a few ports and a range opening up.

Usually I would just look at the Traffic Monitor, try the process and make a note of the ports/protocols I'm after. However, in this instance the only way I can make the connection work is by setting my rule to TCP 0 (i.e. all ports). If I set it to a range of 1-65535, it doesn't work. For example, one of the ports attempted on one connection was 49667. That's within the range, but it just lists it as unhandled external. If I change that same rule to TCP 0 instead, it works fine.

Is there a difference between TCP 0 and TCP 1-65535 in a rule?

Comments

  • For the record, what firewall model do you have and what XTM version is it running?

    I would not expect a difference.
    What tool are you using for this access which requires all ports open?

  • @Bruce_Briggs said:
    For the record, what firewall model do you have and what XTM version is it running?

    I would not expect a difference.
    What tool are you using for this access which requires all ports open?

    Hi Bruce,
    M370, v12.5.1.
    RDP over SSLVPN, with the server set to require computer/user authentication with Kerberos (set using connection security rules). So the ports required are to the DCs from the ssl client to do the authentication.

  • You can always change Windows server to not use dynamic RPC ports, which would make setting up the firewall policy easier.

    Restricting Active Directory RPC traffic to a specific port
    https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port

    As to why the TCP port range of 1-65535 does not work for you, you would need to open a support incident.
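One way to apply the suggestion above on a domain controller, as an added example rather than anything posted in this thread: the registry values are the ones documented in the linked Microsoft article (KB 224196), while the port number 38901 is an arbitrary constructed choice and an elevated PowerShell session on the DC is assumed.

```powershell
# Added example: pin the AD DS and Netlogon RPC endpoints to fixed ports so the
# firewall policy can name a single port instead of the whole dynamic RPC range.
# Value names come from Microsoft KB 224196 (linked above); the port itself is a
# constructed choice and must be free on the DC. Run elevated; the NTDS setting
# only takes effect after the DC is restarted.

$StaticPort = 38901   # assumption: any unused port outside the dynamic range

$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# AD DS (directory replication / LSASS RPC) listener.
New-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -Value $StaticPort `
    -PropertyType DWord -Force | Out-Null

# Netlogon RPC listener; a second port is used so the two do not collide.
New-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort' -Value ($StaticPort + 1) `
    -PropertyType DWord -Force | Out-Null

# Read both values back so the change is visible before the reboot.
$ntdsPort     = (Get-ItemProperty -Path $NtdsKey     -Name 'TCP/IP Port').'TCP/IP Port'
$netlogonPort = (Get-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort').'DCTcpipPort'
"NTDS RPC port: $ntdsPort, Netlogon RPC port: $netlogonPort (restart the DC to apply)"

# After the restart, confirm the DC really listens on those ports. The firewall
# policy then only needs the RPC endpoint mapper (TCP 135) plus these two ports,
# alongside the usual Kerberos/LDAP ports, rather than TCP 0 or 1-65535.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @($ntdsPort, $netlogonPort) } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Note that the fixed ports still have to be reachable from the SSL VPN client subnet in the WatchGuard policy; pinning them only shrinks the range the rule must cover.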
