[stunnel-users] More questions on RDP and port forwarding

richard.woodman at cox.net
Mon Nov 26 17:12:46 CET 2007


Craig,
Thanks.  Are you advising that I put "client = yes" in the service declaration rather than the main configuration?  I already have "client = yes" on the client side (in the main configuration) and that line commented out of the server's configuration (I assume the default is client = no).  

When I review the log on the client computer, I can see where it times out waiting on a response from the work firewall's outside IP address.  I do not see any connection attempts on the server side and both stunnel instances (client and server) have debug = 7 and logging to stunnel.log.

Richard

> -----Original Message-----
> From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-
> bounces at mirt.net] On Behalf Of Richard Woodman
> Sent: 26 November 2007 07:44 AM
> To: stunnel-users at mirt.net
> Subject: [stunnel-users] More questions on RDP and port forwarding
> 
> I did read through the archives but I cannot determine how to get
> Stunnel working through the firewall.  Here is what I wish to do:
> 
> 1.  Tunnel Windows Remote Desktop through stunnel.
> 2.  I wish to connect from home to work; I have access to the firewall
> at work.
> 
> Here's what I've done:
> 
> 1.  Installed stunnel on Windows XP at home and at work.  I have
> self-signed certificates and am using verify = 3 (on both computers).
> Cacert.pem has the CA cert, the work cert, and the home cert in a
> single file.  The server-cert.pem has the work computer's key and cert
> while the client-1-cert.pem (home computer) has its own key and cert.
> 2.  Stunnel at home has client = yes, stunnel at work has this
> commented out.  Stunnel at work will become a "server" where multiple
> clients connect via stunnel and that single computer makes multiple
> RDP connections.
> 
> Client (home) computer has
> 

Try changing the client config to the following:

[rdp1]
client = yes
accept  = 4391
connect = <work outside interface IP>:44391
> 
> Server (work) computer has
> 
> [rdp2]
> accept  = 44391
> connect = <work computer name>:3392
> 
> If I try this at work from within the corporate network (change the
> client connect string to the stunnel server's IP or hostname), then
> everything works fine.  However, once I try from outside the work
> network, nothing works.  Firewall is a Watchguard SOHO 6tc and I have
> an inbound rule permitting 44391 and directing it to X.X.X.52 (the
> stunnel server).  I also have other rules allowing RDP (on port 3392
> for instance) directly to the computer I wish to control and those
> rules work.  Essentially, RDP directly through the firewall works but
> stunnel through the firewall does not.  I assume there is no traffic
> destined for .52 on 44391 because the log file on the server (with
> debug = 7) only shows the startup sequence and port binding (netstat
> -a shows I am listening on 44391).  I also tried this at home on my
> Juniper 5XT and was unsuccessful.  Please help.
> 
> Richard

Cheers,

Craig
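The question in this thread is whether "client = yes" belongs in the global part of stunnel.conf or in the [rdp1] section, and whether the home and work sides actually agree on port 44391. The following is an added example, not code from the thread or from the stunnel project: it reads two stunnel.conf files with stunnel's option scoping (global options before the first section are inherited by every service) and reports mismatches between the client service and the server service it targets. The sample configs are constructed; 203.0.113.10 stands in for the work firewall's outside interface and "workpc" for the work computer name.

```python
# Added example, not from this thread or the stunnel project: reads stunnel.conf
# the way stunnel scopes options (settings before the first [service] header are
# global defaults every service inherits unless it overrides them).

def parse_stunnel_conf(text):
    """Return (global_opts, {service: effective_opts}) for an stunnel.conf."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":             # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed option line: {raw!r}")
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    effective = {name: {**global_opts, **opts} for name, opts in services.items()}
    return global_opts, effective

def is_client(opts):
    # stunnel runs in server mode unless client = yes is in effect for the service
    return opts.get("client", "no").lower() == "yes"

def port_of(endpoint):
    # 'host:port' or a bare 'port' -> int port (last colon-separated field)
    return int(endpoint.rsplit(":", 1)[-1])

def check_pair(client_opts, server_opts):
    """Mismatches between a client service and the server service it targets."""
    problems = []
    if not is_client(client_opts):
        problems.append("client service lacks client = yes (global or in section)")
    if is_client(server_opts):
        problems.append("server service must not have client = yes")
    for role, opts in (("client", client_opts), ("server", server_opts)):
        problems += [f"{role} service is missing '{k}'"
                     for k in ("accept", "connect") if k not in opts]
    if "connect" in client_opts and "accept" in server_opts:
        if port_of(client_opts["connect"]) != port_of(server_opts["accept"]):
            problems.append("client connect port differs from server accept port")
    return problems

# Constructed configs mirroring the thread; 203.0.113.10 stands in for the work
# firewall's outside interface and 'workpc' for the work computer name.
CLIENT_CONF = "client = yes\ndebug = 7\n\n[rdp1]\naccept = 4391\nconnect = 203.0.113.10:44391\n"
SERVER_CONF = "debug = 7\n;client = yes\n\n[rdp2]\naccept = 44391\nconnect = workpc:3392\n"
```

An empty list from check_pair means the two configs agree on mode and port, so a remaining failure is in the path between them (firewall rule, NAT target) rather than in stunnel.conf.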