Iron

RDP slow access between VLANs

Problem with RDP access.

It hangs on this window for a minute or two and then connects.

Any ideas what to look for?

It happens from every computer on a given VLAN to another VLAN on the Check Point Gaia appliance.

12 Replies
Admin

What do you see on a tcpdump between the relevant hosts?

Anything in the logs that might suggest what's going on?

This sounds like a DNS issue of some sort that is unrelated to the firewall.


This sounds like a

DNS issue, or

RDP encryption issue, or

RDP authentication (NTLM vs. Kerberos) issue.

Anything in the Windows event logs?


Or old RDP client and new Windows 2012/2016/2019 Server.

Iron

I've narrowed down the issue:

When you try to connect using mstsc, the application tries to contact Microsoft's servers. The hang is caused by the firewall trying to process it (I think).

Admin

It looks like it is hitting a UserCheck rule of some sort (e.g. the redirect log entries).

You might want to explicitly allow that traffic or create a REJECT (as opposed to drop) rule for it.

Iron

Thank you.

1. The problem is that this IP is part of a very large pool. CP recognizes it as Windows Update in the application layer.

2. Why reject vs. drop? What's the advantage?

Admin

With a drop, the application will receive no response and may wait for the attempted TCP connection to timeout.

With a reject, the firewall sends a TCP Reset, which will hopefully cause the application to quit trying to reconnect.

Iron

So, in general (very interesting information), in what cases should I use drop and in what cases should I use reject?

Admin

In the vast majority of cases, I would use Drop.

Reject is useful in situations similar to what you describe.

Iron

Thank you.

For the moment, I've created a policy letting me access Windows Update at the application level, and it looks fine. I'll keep track of it.

Iron

Hi,

The problem seems to be persistent. Every few days, some new address pops up.

I've come across addresses like map2.hwcdn.net and 3.a.download.windowsupdate.com, and so on and so forth.

How can I make the proper exclusion for all those URLs in wildcard form? I don't mind handling each domain, but dealing with each IP is crazy.

Thank you.

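The wildcard exclusion asked for above has one pitfall worth seeing in code: a pattern like `*.windowsupdate.com` must match on DNS label boundaries, not as a plain substring, or the exclusion silently covers unrelated hosts. The matcher below is an added example, not Check Point code or the poster's configuration; its pattern syntax (an exact name, or a leading `*.` that covers subdomains only) and the allow-list entries are assumptions built from the domains named in the thread, and the real syntax of the firewall's custom application or URL objects may differ.

```python
"""Label-aligned wildcard host matcher (added example, not firewall code).

Constructed allow-list: the two CDN domains mentioned in the thread plus one
made-up exact-match entry. The '*.' form is assumed to cover subdomains only;
an apex name that should also be excluded gets its own exact entry.
"""

ALLOWED_PATTERNS = [
    "*.windowsupdate.com",      # from the thread: 3.a.download.windowsupdate.com
    "*.hwcdn.net",              # from the thread: map2.hwcdn.net
    "download.microsoft.com",   # constructed exact-match entry
]


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot so 'HOST.' and 'host' compare equal."""
    return name.strip().lower().rstrip(".")


def host_matches(host: str, pattern: str) -> bool:
    """True if host is covered by pattern, matching on DNS label boundaries."""
    host, pattern = _canon(host), _canon(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]            # keep the leading dot: '.windowsupdate.com'
        # endswith() with the dot guarantees a whole-label match; the length
        # check excludes the apex itself (add it as an exact entry if wanted).
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def naive_matches(host: str, pattern: str) -> bool:
    """The shortcut to avoid: substring test that over-matches both directions."""
    return _canon(pattern).lstrip("*.") in _canon(host)


def is_excluded(host: str, patterns=ALLOWED_PATTERNS) -> bool:
    """Return True when the host falls under any allow-list pattern."""
    return any(host_matches(host, p) for p in patterns)


def classify(hosts, patterns=ALLOWED_PATTERNS) -> dict:
    """Map each host to its allow-list decision, e.g. for reviewing a log extract."""
    return {h: is_excluded(h, patterns) for h in hosts}
```

Running `classify` over hostnames pulled from the firewall's application-control log shows which new CDN addresses the wildcard already covers and which still need an entry.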