I use stunnel to protect RDP for a couple of sites using a mix of Watchguard Edge and V series firewalls. For computer ABC that I want to connect to, I create an entry in the hosts file: 127.0.0.n ABCs (where n is greater than 1)
On the client side I have an entry:
[ABC-RDP]
accept = ABCs:12345
connect = ABC:54321
client = yes
On the server side I have an entry:
[RDP-IN]
accept = 54321
connect = 3389
client = no
Port 54321 is enabled in both the Watchguard and the Windows firewalls.
Ports on the 127.n.n.n addresses are not processed by the firewalls. You can use 127.0.0.1 for everything, but I needed to connect to more than one host and wanted a standard setup. I have had a number of users confused by this setup, whereby the program references a local port to connect to a remote computer. For stunnel, it is the connect string that determines the destination, so any local port works fine for the accept string.
Carter
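The loopback-alias scheme in Carter's reply (one 127.0.0.n hosts-file alias per target, the same local accept port everywhere, the destination chosen by the connect line) generalises to any number of hosts. The script below is an added example, not code from the mail or from the stunnel project: it generates the hosts-file lines and the client and server stunnel sections for a list of hosts, then checks the two things that go wrong most often with this layout, a client connect port with no matching server accept port and two sections listening on the same alias. The host names ABC/DEF, the section names and the ports 12345/54321/3389 are taken from the reply; the helper names are assumptions.

```python
# Added example (not from the original mail): generates the hosts-file
# aliases and the stunnel client/server sections for the loopback-alias
# scheme described above, one 127.0.0.n alias per target host, and checks
# the pairing that people tend to get wrong. Host names, section names and
# the ports 12345/54321 follow the post; the helper names are assumed.
from dataclasses import dataclass

LOCAL_ACCEPT_PORT = 12345   # any local port works for accept=; only connect= picks the destination
TUNNEL_PORT = 54321         # the port opened on the perimeter and Windows firewalls
RDP_PORT = 3389             # where the server-side stunnel hands the traffic off


@dataclass
class Tunnel:
    host: str       # real host name, e.g. ABC
    alias: str      # hosts-file name the RDP client is pointed at, e.g. ABCs
    loopback: str   # 127.0.0.n with n > 1


def plan_tunnels(hosts):
    """Give each host its own loopback address, starting at 127.0.0.2 as in the post."""
    if len(hosts) > 253:
        raise ValueError("only 127.0.0.2 .. 127.0.0.254 are used by this scheme")
    return [Tunnel(h, h + "s", f"127.0.0.{i}") for i, h in enumerate(hosts, start=2)]


def hosts_entries(tunnels):
    """Lines to add to the client's hosts file."""
    return "\n".join(f"{t.loopback} {t.alias}" for t in tunnels)


def client_config(tunnels, accept_port=LOCAL_ACCEPT_PORT, tunnel_port=TUNNEL_PORT):
    """Client-side stunnel sections: accept on the alias, connect to the real host."""
    return "\n".join(
        f"[{t.host}-RDP]\naccept = {t.alias}:{accept_port}\n"
        f"connect = {t.host}:{tunnel_port}\nclient = yes\n"
        for t in tunnels
    )


def server_config(tunnel_port=TUNNEL_PORT, rdp_port=RDP_PORT):
    """Server-side section: one listener forwards every tunnel to local RDP."""
    return f"[RDP-IN]\naccept = {tunnel_port}\nconnect = {rdp_port}\nclient = no\n"


def parse_sections(text):
    """Minimal reader for stunnel's [section] / key = value layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def port_of(endpoint):
    """'host:port' or a bare 'port' -> int port."""
    return int(endpoint.rsplit(":", 1)[-1])


def check_pairing(client_text, server_text):
    """Every client connect= port must match a server accept= port, and each
    client section must listen on a distinct accept endpoint."""
    client, server = parse_sections(client_text), parse_sections(server_text)
    server_ports = {port_of(s["accept"]) for s in server.values() if "accept" in s}
    problems, seen = [], set()
    for name, s in client.items():
        if port_of(s["connect"]) not in server_ports:
            problems.append(f"{name}: connect port {port_of(s['connect'])} has no server accept=")
        if s["accept"] in seen:
            problems.append(f"{name}: accept endpoint {s['accept']} used twice")
        seen.add(s["accept"])
    return problems


if __name__ == "__main__":
    plan = plan_tunnels(["ABC", "DEF"])
    print(hosts_entries(plan))
    print(client_config(plan))
    print(server_config())
    print("problems:", check_pairing(client_config(plan), server_config()))
```

Run it to print the hosts lines and both configs; `check_pairing` returns an empty list for the generated pair and names the offending section when, for instance, the server is changed to accept on a different port than the clients connect to.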
Richard Woodman wrote:
I did read through the archives but I cannot determine how to get Stunnel working through the firewall. Here is what I wish to do:
- Tunnel Windows Remote Desktop through stunnel.
- I wish to connect from home to work; I have access to the firewall at work.
Here's what I've done:
- Installed stunnel on Windows XP at home and at work. I have self-signed certificates and am using verify = 3 (on both computers). Cacert.pem has the CA cert, the work cert, and the home cert in a single file. The server-cert.pem has the work computer's key and cert while the client-1-cert.pem (home computer) has its own key and cert.
- Stunnel at home has client = yes, stunnel at work has this commented out. Stunnel at work will become a "server" where multiple clients connect via stunnel and that single computer makes multiple RDP connections.
Client (home) computer has
[rdp1]
accept = 4391
connect = <work outside interface IP>:44391
Server (work) computer has
[rdp2]
accept = 44391
connect = <work computer name>:3392
If I try this at work from within the corporate network (change the client connect string to the stunnel server's IP or hostname), then everything works fine. However, once I try from outside the work network, nothing works. Firewall is a Watchguard SOHO 6tc and I have an inbound rule permitting 44391 and directing it to X.X.X.52 (the stunnel server). I also have other rules allowing RDP (on port 3392 for instance) directly to the computer I wish to control and those rules work. Essentially, RDP directly through the firewall works but stunnel through the firewall does not. I assume there is no traffic destined for .52 on 44391 because the log file on the server (with debug = 7) only shows the startup sequence and port binding (netstat -a shows I am listening on 44391). I also tried this at home on my Juniper 5XT and was unsuccessful. Please help.
Richard
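Richard's symptom (works on the LAN, nothing from outside, a debug = 7 log that never gets past startup and port binding) is the usual sign that the packets stop at a firewall before they reach stunnel. The script below is an added example, not code from the mail or from stunnel: it separates the hops by testing plain TCP reachability at each one and by scanning the server log for an accepted connection on the named service. The port 44391 and service name rdp2 come from the mail; the sample log lines are constructed, modelled on stunnel's "accepted connection from" message, and the helper names are assumptions.

```python
# Added example (not from the original mail): separates "stunnel is not
# listening" from "the firewall is not forwarding" by checking the TCP path
# at each hop and by scanning the server log for an accepted connection.
# The port 44391 and service name rdp2 come from the post; the sample log
# lines are constructed, modelled on stunnel's "accepted connection from"
# message; the function names are assumptions.
import contextlib
import socket


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:        # refused, timed out, or name lookup failed
        return False


@contextlib.contextmanager
def temporary_listener(host="127.0.0.1"):
    """Stand-in for a bound stunnel service, so the checks can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def accepted_connections(log_lines, service):
    """Log lines proving the named service received a client. If a connection
    attempt leaves none behind, the packets never reached stunnel."""
    marker = f"[{service}] accepted connection from"
    return [line for line in log_lines if marker in line]


def diagnose(listening_on_server, reachable_from_lan, reachable_from_internet):
    """Most likely failing hop, innermost first."""
    if not listening_on_server:
        return "stunnel-not-listening"    # check accept= and the service log
    if not reachable_from_lan:
        return "host-firewall"            # Windows firewall rule on the server
    if not reachable_from_internet:
        return "perimeter-firewall"       # inbound/NAT rule on the edge device
    return "tcp-path-ok"                  # next: TLS/certificate errors in the log


# Constructed sample logs, not real stunnel output.
STARTUP_ONLY_LOG = [
    "LOG5[1234:5678]: stunnel started",
    "LOG7[1234:5678]: rdp2 bound to 0.0.0.0:44391",
]
LOG_WITH_CLIENT = STARTUP_ONLY_LOG + [
    "LOG5[1234:9012]: Service [rdp2] accepted connection from 203.0.113.7:51000",
]

if __name__ == "__main__":
    with temporary_listener() as port:
        print("local stand-in reachable:", tcp_port_open("127.0.0.1", port))
    print("accepted so far:", accepted_connections(STARTUP_ONLY_LOG, "rdp2"))
    print(diagnose(listening_on_server=True, reachable_from_lan=True,
                   reachable_from_internet=False))
```

In practice you would run `tcp_port_open` three times against port 44391: on the stunnel server itself, from another LAN host against X.X.X.52, and from home against the outside interface, then feed the three results to `diagnose`; a log with no "accepted connection from" line for rdp2 after the attempt confirms which hop dropped the packets.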
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users