c8822131
Level 7

HIPS blocking access to RDP to Machines with statically assigned IP addresses

Hi all,

My journey of discovery continues with Firewall configuration in HIPS 8.

I have a HIPS Firewall policy set up to a basic level (still in its infancy after years of relying on Windows Firewall) with 2 CAGs to manage Internal Corporate IP and Approved VPN traffic:

Internal CAG - Allows traffic to pass where the DNS Suffix matches our Corporate DNS Suffix on Wired and Wireless Adapters

VPN CAG - Allows traffic to pass if connecting to one of four assigned VPN concentrator IP addresses On Virtual Adapters

This was all working well until last week, when a ticket was passed to me to advise that a group of users were unable to RDP into machines with statically assigned IP addresses.

If the internal CAG is enabled (Location Status and Connection Isolation active, Connection Specific DNS Suffix specified), RDP traffic doesn't pass (RDP connection attempts time out).

If I remove the DNS Suffix and DNS Server entries and refresh the policy on the client, I can RDP into clients on the subnet fine.

I had a look in the event logs of one of the machines and could see an entry which looks like the blocking event:

7 1382524484 10.25.88.1  b052daa4-ff7c-48b8-8ca9-7e69cb6a44c7 2048 6 10.119.223.52 139 10.25.88.1 3111 1 0 4 SYSTEM Block NetBIOS TCP Incoming

7 1382524487 10.25.88.1  b052daa4-ff7c-48b8-8ca9-7e69cb6a44c7 2048 6 10.119.223.52 139 10.25.88.1 3111 1 0 4 SYSTEM Block NetBIOS TCP Incoming

7 1382524493 10.25.88.1  b052daa4-ff7c-48b8-8ca9-7e69cb6a44c7 2048 6 10.119.223.52 139 10.25.88.1 3111 1 0 4 SYSTEM Block NetBIOS TCP Incoming

Any ideas?

0 Kudos
Accepted Solutions
McAfee Employee

Re: HIPS blocking access to RDP to Machines with statically assigned IP addresses

If I remove the DNS Suffix and DNS Server entries and refresh the policy on the client, I can RDP into clients on the subnet fine.

Verify the system is set up with the correct DNS Suffix and DNS Server values to match the CAG. Most likely the systems do not have the correct Connection-specific DNS Suffix, since typically DHCP servers are configured to hand out the DNS Suffix to DHCP clients. If they have the IP statically configured, you will have to manually configure the Connection-specific DNS Suffix. Verify with 'ipconfig /all'. This entry must match one of the DNS Suffixes listed in the CAG criteria.

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media connected
   Connection-specific DNS Suffix  . : <subdomain.domain.com>
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-00-00-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : No

0 Kudos
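
Added example (not part of the original thread and not McAfee's code): a PowerShell audit that lists statically addressed adapters whose Connection-specific DNS Suffix does not match the CAG criteria, which is the mismatch the accepted answer describes. It assumes Windows 8 / Server 2012 or later (for the NetTCPIP and DnsClient cmdlets); `$CagSuffixes` is a hypothetical variable holding the placeholder suffix from the answer and must be replaced with the suffixes from your own CAG.

```powershell
# Added example: audit static-IP adapters against the CAG's DNS suffix list.
# Assumption: $CagSuffixes mirrors the DNS suffixes in the Internal CAG criteria.
# The value below is the placeholder from the answer above, not a real domain.
$CagSuffixes = @('subdomain.domain.com')

# IPv4 interfaces that are connected and NOT configured by DHCP.
# A DHCP client normally receives its suffix from the server; these do not.
$static = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected -Dhcp Disabled |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }

$report = foreach ($nic in $static) {
    # Same value that 'ipconfig /all' shows as "Connection-specific DNS Suffix".
    $suffix = (Get-DnsClient -InterfaceIndex $nic.InterfaceIndex).ConnectionSpecificSuffix
    [pscustomobject]@{
        Adapter    = $nic.InterfaceAlias
        Index      = $nic.InterfaceIndex
        Suffix     = if ($suffix) { $suffix } else { '<none>' }
        # -contains is case-insensitive; an empty suffix never matches.
        MatchesCag = $CagSuffixes -contains $suffix
    }
}

$report | Format-Table -AutoSize

# Print (do not run) the fix for each mismatched adapter so it can be reviewed first.
foreach ($row in $report | Where-Object { -not $_.MatchesCag }) {
    "Set-DnsClient -InterfaceIndex $($row.Index) -ConnectionSpecificSuffix '$($CagSuffixes[0])'"
}
```

Adapters reported with `MatchesCag = False` are the ones the location-aware CAG will not recognise as internal. Run the printed `Set-DnsClient` lines from an elevated session after checking the suffix.
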
c8822131
Level 7

Re: HIPS blocking access to RDP to Machines with statically assigned IP addresses

Spot on Kary!

As suspected, when the Connection Specific DNS Suffix was set correctly and applied, the Firewall CAG now passes the traffic and my customers can RDP into the Desktops with static IP addresses.

Thanks for confirming this

Mike

0 Kudos