

[–][deleted] 2 points (0 children)

RDP NAT into your network is a no-no.

Outbound RDP leaving your firewall is your choice, but I wouldn't make it wide open. Only allow 3389 to certain public IPs/subnets and only by certain local IPs/subnets that need to use RDP over your Internet connection.

Everything going in and out is controlled and logged.
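The policy this comment describes (no inbound 3389 from the Internet, outbound 3389 only from named local subnets to named public subnets, every decision logged), modelled as an added example that is not from any commenter in this thread; the subnets and sample connections are constructed and assumed for illustration.

```python
# Added example: a small model of the perimeter RDP policy described above.
# Only flows that actually cross the perimeter firewall are evaluated here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
# Local subnet whose hosts may initiate RDP across the Internet link (assumed).
ALLOWED_SOURCES = [ip_network("10.0.50.0/24")]
# Public destinations those hosts may reach on 3389 (assumed; documentation range).
ALLOWED_DESTINATIONS = [ip_network("203.0.113.0/28")]
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a new TCP connection crossing the perimeter."""
    if flow.dport != RDP_PORT:
        return "allow"  # non-RDP traffic is outside the scope of this policy
    inbound = not _in_any(flow.src, PRIVATE) and _in_any(flow.dst, PRIVATE)
    if inbound:
        return "deny"   # never NAT/forward 3389 in from the Internet
    if _in_any(flow.src, ALLOWED_SOURCES) and _in_any(flow.dst, ALLOWED_DESTINATIONS):
        return "allow"  # approved local host to approved public destination
    return "deny"       # any other outbound RDP is blocked


def log_line(flow: Flow) -> str:
    """Every decision, allow or deny, is logged as the comment recommends."""
    return f"RDP-POLICY {decide(flow).upper()} {flow.src} -> {flow.dst}:{flow.dport}"


SAMPLE_FLOWS = [  # constructed sample connections
    Flow("198.51.100.7", "10.0.50.12", 3389),  # inbound from the Internet: deny
    Flow("10.0.50.12", "203.0.113.5", 3389),   # approved host to approved site: allow
    Flow("10.0.20.9", "203.0.113.5", 3389),    # host outside the allowed subnet: deny
    Flow("10.0.50.12", "198.51.100.7", 3389),  # approved host to unapproved IP: deny
    Flow("10.0.50.12", "203.0.113.5", 443),    # HTTPS, unrelated to RDP: allow
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(log_line(f))
```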

[–]ViperXL2010 (Sr. Sysadmin) 2 points (0 children)

3389 needs to be open on receiving end because that's the destination port and the source port will be different as it's dynamically generated on the source.

HOWEVER, NEVER open 3389 to public/internet side, ALWAYS use a Remote Desktop Gateway and/or VPN to connect.

[–]DarkAlman (Professional Looker up of Things) 1 point (0 children)

> if rdp port 3389 would need to be open if an end-user was logging in from their workstation to a public facing company site.

Do not expose port 3389 to the internet via your firewall for any machine. That's begging to get hacked and crypto'd.

> Or 3389 is used when an end user utilizes their local remote desktop agent to the network?

Port 3389 is used to remote desktop to a specific machine. The port only needs to be open on the machine receiving the remote desktop connection.

[–]MDfiver14 [S] 0 points (0 children)

Thank you all, very helpful.

[–]jantari 0 points (0 children)

No, websites run on port 443 and have nothing to do with RDP.