RD Gateway deployment in a perimeter network & Firewall rules

 


Remote Desktop Gateway (RD Gateway) is a role service available in Windows Server 2008 and higher versions. It allows authenticated and authorized remote users to securely connect to resources on an internal corporate or private network over the Internet. RD Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. RD Gateway server is exposed to the Internet (an untrusted network) and because of the reasons discussed in the Perimeter network section, either RD Gateway server is deployed in the perimeter network or RD Gateway server is deployed in the internal network with an ISA server in the perimeter network.


1. Perimeter network:


A perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) is a small network that is set up separately from an organization’s private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway, RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. Hosts in the perimeter network should not be able to establish communication directly with any other host in the internal network, though communication with other hosts in the perimeter network and to the external network is allowed. This allows hosts in the perimeter network to provide services to both the internal and external network, while an intervening firewall controls the traffic between the perimeter network servers and the internal network clients.


2. Perimeter network designs:


Typically, a perimeter network can be designed and deployed in one of the following ways:



  • Single firewall (three-homed perimeter network)

  • Dual firewall

2.1 Single-firewall perimeter network:


In a single firewall perimeter network the firewall has 3 network adapters:



  • The first network adapter connects to the internal corporate network.

  • The second network adapter connects to the perimeter network.

  • The third network adapter connects to the external network (Internet).

clip_image002


Figure 1: Single firewall perimeter network with RD Gateway server in the perimeter network


2.2 Dual firewall perimeter network:


In a dual firewall perimeter network, a firewall is located on either side of the perimeter network. One firewall is connected to the external network, one firewall is connected to the internal network, and the perimeter network resides between the two firewalls. This is a more secure approach because an attacker has to break both firewalls in order to get to the internal network.


clip_image004


Figure 2: Dual firewall perimeter network with RD Gateway server in the perimeter network


3. AD DS models in perimeter network


Following are the possible AD DS models that are suitable for RD Gateway:



  • No AD DS in perimeter network: There is no AD in the perimeter network and RD Gateway (in the perimeter network) is joined to the internal network domain.

  • Forest trust model: One-way trust between the perimeter network AD DS and the internal network AD DS. RD Gateway is joined to perimeter AD DS.

  • Extended corporate forest model: A read-only domain controller for the internal network forest is in the perimeter network, and RD Gateway is joined to the internal network domain.

3.1. RD Gateway without AD DS in perimeter network deployment:


When there is no AD DS in the perimeter network, ideally the servers in the perimeter network should be in a workgroup, but the RD Gateway server has to be domain-joined because it has to authenticate and authorize corporate domain users and resources.


The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.


clip_image006


Figure 3: Traffic flow from Internet to perimeter network and from perimeter to Internal network



3.1.1. Internal firewall ports:


In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:



3.2. RD Gateway with forest trust model deployment:


In this deployment, there is AD DS in the perimeter network which trusts the internal network forest to authenticate the internal network forest users in the perimeter forest domain. RD Gateway is joined to the perimeter network domain. The trust between the perimeter network forest and the internal network forest is one-way, so configuring RD Gateway to use a central NPS server which is in the internal network is required in this deployment.


The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.


clip_image008


Figure 4: Traffic flow from Internet to perimeter network and from perimeter to internal network


3.2.1. Internal firewall ports:


In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:



3.3. RD Gateway with extended corporate forest model:


In this deployment, there is a read-only domain controller (RODC) in the perimeter network for the internal network forest. RD Gateway is joined to the internal network domain and talks to RODC for authentication and authorization purposes.


The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.


clip_image010


Figure 5: Traffic flow from Internet to perimeter network and from perimeter to internal network


3.3.1. Internal firewall ports:


In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:



4. Firewall rule configurations required when RD Gateway is in the perimeter network:


4.1. Firewall rules for the path between the external network and the perimeter network (Ports that need to be opened on the external firewall):



  • Port TCP:443 should be opened for allowing HTTPS traffic from the client sitting on the Internet to the RD Gateway server in the perimeter network.

4.2. Firewall rules for the path between the perimeter network and the internal network (Ports that need to be opened on the internal firewall):


The internal firewall should allow all communication from the RD Gateway server to internal network resources. Here are the ports that need to be opened on the internal firewall when the corresponding traffic (DNS, RADIUDS, RD Gateway Authentication, etc.) destination point is in the internal network.


RD Gateway authentication traffic:


Firewall rules between the perimeter network (RD Gateway) and the internal network (Domain Controller) to authenticate the user:



  • Server Protocol = Kerberos

  • Port = TCP: 88

The RD Gateway server talks to the NT Directory Service (NTDS) RPC service on AD. The NTDS RPC service listens on an unused high end port. RD Gateway does not know the port number on which NTDS RPC service is listening. So RD Gateway talks to RPC Endpoint Mapper which listens on a constant port and gets the NTDS RPC service port number. Finally it makes a connection to the NTDS RPC service. Fortunately, the Admin can make the NTDS RPC service on AD listen on a constant port by using a registry key. To learn how to configure the registry values on AD for NTDS RPC service ports, see this article .



  • Server Protocol = RPC Endpoint Mapper

  • Port = TCP: 135, TCP: <Port on which NTDS RPC service listens on AD>

Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authentication methods through a custom authentication plug-in. If RD Gateway is configured with a custom authentication plug-in, contact the vendor of the authentication plug-in to find out which firewall rules are required for RD Gateway authentication.


RD Gateway authorization traffic:


Firewall rules between the perimeter network (RD Gateway) and the internal network (domain controller) to authorize the user:



  • Server Protocol = LDAP

  • For LDAP: Port = TCP: 389, UDP: 389

Note: In Windows Server 2008 R2, RD Gateway can be configured to use non-native authorization methods through a custom authorization plug-in. If RD Gateway is configured with a custom authorization plug-in, contact the vendor of the authorization plug-in to find out which firewall rules are required for the RD Gateway authorization.


DNS traffic:


Firewall rules between the perimeter network and the internal network to resolve the internal network resources:



  • Server Protocol = DNS

  • Port = TCP: 53, UDP: 53

RDP traffic:


Firewall rules between the perimeter network and the internal network to forward RDP packets from client:



  • Server Protocol = RDP

  • Port = TCP: 3389

Certificate Revocation List traffic:


Firewall rules between the perimeter network and the internal network to contact CRL distribution point to get the certificate revocation list:



  • Server Protocol = LDAP or HTTP or FTP

  • For LDAP: port = TCP: 389, UDP: 389. For HTTP: port = 80. For FTP: Port = 21

Note: The Certificate Revocation List is needed either to validate the client certificate during smart card authentication or when the certificate deployed on RD Gateway is an enterprise/standalone CA certificate. To know which protocol is needed to contact the CRL distribution point for a certificate, open the certificate and go to the Details tab and look at the CRL Distribution Points field.


RADIUS traffic:


If RD Gateway is configured to use a central server running NPS and if the NPS server is not in the perimeter network, then the following additional firewall rules are needed between the perimeter network (RD Gateway) and the internal network (NPS Server).



  • Server Protocol: RADIUS

  • Port = UDP: 1812

  • Server Protocol: RADIUS Accounting

  • Port = UDP: 1813

5. RD Web Access and RD Gateway on the same server:


If RD Web Access and RD Gateway are on the same server in the perimeter network or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).


RD Web Access points to single RD Server or Single RD Server farm:


This scenario is possible in Windows Server 2008 or higher versions. The WMI service on RD Server listens on an available high end port. The port on which WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.



  • Server Protocol: WMI

  • Port = TCP: <WMI Fixed Port>

RD Web Access points to multiple RD Servers/farms:


This scenario is possible in Windows Server 2008 R2. The WMI service on RD Web Access Server listens on an available high end port. The port on which WMI service listens can be fixed by executing the commands specified in this MSDN article. This fixed WMI port needs to be opened on the firewall.



  • Server Protocol: WMI

  • Port = TCP: <WMI Fixed Port>

RD Web Access points to a centralized publishing server (Connection Broker):


This scenario is possible in Windows Server 2008 R2.



  • Server Protocol = RPC

  • Port = TCP: 5504

Note: If there is an ISA server already deployed in the perimeter network of your organization, then RD Gateway server can be put in the internal network which reduces the number of ports that need to be opened on the internal firewall (path from perimeter network to internal network) to one. Also, in order to ensure that un-authenticated traffic does not reach the RD Gateway server (i.e. the internal network), you can pre-authenticate the HTTPS traffic reaching the ISA using One-time-Password (OTP) – a form of RSA SecureID. More information on how to configure ISA can be found in the RD Gateway step-by-step guide.


If authentication is not enabled on ISA, the following is the firewall configuration requirement in RD Gateway (internal network)-ISA (perimeter network) scenario.



  • If ISA is used as HTTPS-HTTPS bridging device:


    • Ports to be opened in the external firewall : TCP:443

    • Ports to be opened in the internal firewall: TCP: 443

  • If ISA is used as HTTPS-HTTP bridging device:


    • Ports to be opened in the external firewall: TCP:443

    • Ports to be opened in the internal firewall: TCP:80

If authentication is enabled on ISA, then depending on the ISA authentication method some additional firewall rules may be needed.


Useful Links