[stunnel-users] More questions on RDP and port forwarding

richard.woodman at cox.net richard.woodman at cox.net
Mon Nov 26 17:25:00 CET 2007


Carter,
Thanks.  With the exception of the client's loopback address in the hosts file, I have a very similar configuration.  I have created an inbound rule (Custom service with an inbound rule declaration but no outbound rule) that looks just like my inbound RDP rules - I even reviewed the configuration file and the stunnel rule had the same commands as the RDP rule.  However, RDP works through the firewall but stunnel does not.  My Windows firewall has an exception for stunnel with a scope of "Internet" and the stunnel server works from within the corporate network.  Meaning, I think, that the Windows firewall is not denying the connection (at least from within the same subnet).

I am not a Windows AD guy, but is there a way to prevent network connections without using the Windows firewall?  I mean, can a GPO be created that prevents connections from IP addresses not on the same subnet but that does not use the OS's firewall?  If so, this could be the issue because from what I can see, neither the Watchguard nor the Windows firewalls are blocking the connection; yet I still cannot connect.

Richard


Carter Browne wrote:
I use stunnel to protect RDP for a couple of sites using a mix of
Watchguard Edge and V series firewalls.  For computer ABC that I want to
connect to, I create an entry in the hosts file:
127.0.0.n   ABCs      (where n is greater than 1)

On the client side I have an entry:

[ABC-RDP]
accept = ABCs:12345
connect = ABC:54321
client = yes

On the server side I have an entry:

[RDP-IN]
accept = 54321
connect = 3389
client = no

Port 54321 is enabled in both the Watchguard and the Windows firewalls.

Ports bound on 127.n.n.n addresses are not processed by the firewalls.  You can
use 127.0.0.1 for everything, but I needed to connect to more than one
host and wanted a standard setup.  I have had a number of users confused
by this setup whereby the program references a local port to connect to
a remote computer.  For stunnel, it is the connect string that
determines the destination, so any local port works fine for the accept
string.

Carter
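As an added illustration of the pairing Carter describes (this is not code from the thread or from the stunnel project), the script below parses a hosts-file alias, a client-side service and a server-side service, and follows the chain accept -> connect -> accept -> connect to confirm that a local loopback alias really ends up at RDP on the remote host. It also flags the client side when no `verify`/`CAfile` is configured, since without those stunnel options the client does not check the server's certificate. The hosts line and both configs are constructed to mirror the thread's structure; the alias `ABCs`, the ports, and the service names are assumptions.

```python
"""Consistency checker for an stunnel client/server RDP forwarding pair.

Added example, not from the stunnel-users thread or the stunnel project.
Hosts line and both service stanzas are constructed sample input.
"""
import ipaddress
import re

# Constructed hosts-file line: loopback alias ABCs for remote computer ABC.
HOSTS = "127.0.0.2   ABCs\n"

# Constructed client-side stunnel service (same shape as the thread's example).
CLIENT_CONF = """
[ABC-RDP]
accept = ABCs:12345
connect = ABC:54321
client = yes
"""

# Constructed server-side stunnel service.
SERVER_CONF = """
[RDP-IN]
accept = 54321
connect = 3389
client = no
"""

RDP_PORT = 3389


def parse_hosts(text):
    """Return {name: ip} from hosts-file style lines (comments stripped)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            table[name] = parts[0]
    return table


def parse_stunnel(text):
    """Return {service: {key: value}} for an stunnel-style [section] config."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            services[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            services[current][key] = value
    return services


def split_endpoint(value):
    """'host:port' -> (host, port); a bare 'port' -> (None, port)."""
    if ":" in value:
        host, port = value.rsplit(":", 1)
        return host, int(port)
    return None, int(value)


def check_pair(hosts, client_svc, server_svc):
    """Follow client accept -> client connect -> server accept -> server connect.

    Returns a list of findings; an empty list means the pair is consistent.
    """
    findings = []
    acc_host, _acc_port = split_endpoint(client_svc["accept"])
    ip = hosts.get(acc_host, acc_host)  # resolve alias via hosts table
    try:
        loopback = ipaddress.ip_address(ip).is_loopback
    except ValueError:
        loopback = False
    if not loopback:
        findings.append("client accept %s is not loopback; it is reachable from the network" % acc_host)
    _con_host, con_port = split_endpoint(client_svc["connect"])
    _srv_host, srv_port = split_endpoint(server_svc["accept"])
    if con_port != srv_port:
        findings.append("client connects to port %d but server accepts on %d" % (con_port, srv_port))
    _final_host, final_port = split_endpoint(server_svc["connect"])
    if final_port != RDP_PORT:
        findings.append("server forwards to %d, not the RDP port %d" % (final_port, RDP_PORT))
    if client_svc.get("client", "no").lower() != "yes":
        findings.append("client side must set client = yes")
    if server_svc.get("client", "no").lower() == "yes":
        findings.append("server side must set client = no")
    if "verify" not in client_svc or "CAfile" not in client_svc:
        findings.append("client does not verify the server certificate; add verify = 2 and CAfile")
    return findings


if __name__ == "__main__":
    client = parse_stunnel(CLIENT_CONF)["ABC-RDP"]
    server = parse_stunnel(SERVER_CONF)["RDP-IN"]
    for finding in check_pair(parse_hosts(HOSTS), client, server) or ["OK"]:
        print(finding)
```

Run against the constructed configs it reports only the missing certificate verification; changing the client's `connect` port or the server's `accept` port makes the mismatch show up, which is the quickest way to rule out a typo before looking at the firewalls.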