4

I've created a VM (non-classic, using Resource Manager) in the new Azure portal but I need to connect from behind a firewall.

I've found a bunch of articles explaining how to solve it by editing the Endpoint settings for RDP, but in the new portal there is nothing like this!

Inbound and Outbound rules are just firewall rules as I understand and it gives nothing.

I've connected to it from home and tried to change the RDP listening port to something not blocked by the firewall with the following PowerShell script:

```powershell
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 443
```

Rebooted VM, changed default-allow-rdp inbound rule on the portal but still unable to connect.

juvchan
amarax
  • Are you saying that you can no longer connect at all, even from home? Did you create an inbound Security Group Rule for 443? – Michael B Mar 16 '16 at 09:59
  • I don't understand the question. What, exactly, are you trying (and failing) to do? Inbound/outbound security rules are external to the VM. Not the same as the VM's firewall. – David Makogon Mar 16 '16 at 10:43
  • I'm trying to connect from behind a corporate firewall. And it doesn't work because default rdp port 3389 is blocked. – amarax Mar 16 '16 at 10:49
  • I'm not able to connect at all now (after RDP listener port is changed). Yes, inbound rule for RDP is updated. – amarax Mar 17 '16 at 16:00
  • @DavidMakogon, I was so enthusiastic about Azure, but it ended so trivial. No possibility to connect from a corporate network with a firewall and tons of outdated documentation with the non-existent End Point feature - that's all I discovered – amarax Mar 18 '16 at 14:29

4 Answers

1
  1. If you created VM using Resource Manager (non-classic), you don't have Endpoints configuration and you can't configure ports as described in answer by Matias (to get to your azure VM via allowed ports in firewall). Unfortunately not all VM templates are available for VM Classic interface. I'd really like to know what is the limitation here in azure.

  2. In fact even with classic VM solution from Matias didn't work - I deployed another VM with classic interface, configured Endpoints as described and still can't connect from behind a firewall. But it works fine from anywhere else, I don't even need to change rdp listener port, it's changed automatically when I changed it in Endpoint.

  3. The only working solution I found was using putty and SSH tunneling from my computer behind corporate firewall to 443 port on my azure non-classic VM. Here are the steps:

    • In putty you create connection to your_azurevm_ip:443 then go to Connection -> SSH -> Tunnels, map ports for instance as L49999 -> localhost:3389

    • You need to install any free SSH server to azure VM (I used freeSSHd), and add authorized account for tunneling

    • After you establish the connection from putty and enter SSH credentials, you connect using rdp to localhost:49999 and it's being forwarded through the SSH tunnel to the local VM port 3389.

    It's quite ugly but at least it works.

amarax
0

It looks like your corporate network doesn't allow outbound connections for RDP to originate from within the corporate firewall. This itself doesn't have anything to do with the Azure VM. However, changing the RDP listening port on the Azure VM should work fine to get around this. Perhaps, instead of changing it to use port 443, which is normally for SSL/TLS connections, you could try changing the RDP port to something non-standard.

Chris Pietschmann
  • Why not 443? I don't have anything configured on this port on target VM. – amarax Mar 17 '16 at 15:39
  • There may be something in the corporate firewall preventing this from working. Normally it should work. Have you configured anything in regards to Azure Traffic Manager for the VM? – Chris Pietschmann Mar 17 '16 at 21:18
0

You can always configure the EndPoint to make an external port XXXX map to an internal 3389.

In the new Portal, open the Cloud Service / VM, go to Settings and pick Endpoints. You can Add one and set the Public and Private ports (the Public being the one you want to connect to from your computer and the private the one that is exposed by the VM).

[Screenshot: Creating Endpoint]

In case you created the VM using the Resource Manager model, the way to access it is to use the Search box with your VM name. You should find a group of items; one of them has a small blue shield (Network Security Group). Once you select it, in the Settings pane, select Inbound Security Rules:

[Screenshot: Using Resource Model]

You should be able to customize it there.

Matias Quaranta
  • It's empty in my Cloud Services section. Even if I create one there is nothing like on your screenshot – amarax Mar 17 '16 at 15:44
  • I took the screenshot from the New Portal, do you not have the Endpoints section or the Add button? – Matias Quaranta Mar 17 '16 at 15:47
  • When I created a cloud service I had to add a resource group to it. So when I select Cloud Services I only see my resource group, when I select resource group there are no endpoints and only resource group settings. Is there a way to attach screenshot? – amarax Mar 17 '16 at 15:53
  • And this cloud service says "Nothing is deployed to the current environment". I really wonder how you got these endpoints. Probably it's something left in your Azure because you created it in the old portal. – amarax Mar 17 '16 at 15:57
  • You cannot define Endpoints on a Resource Group, there must be at least one Cloud Service/VM created (and listed in the Resource Group) and the Endpoints should be defined inside. The screen capture I took was after I created the VM in the New Portal. I went to Browse > Cloud Services and I had it there, but mine was deployed and running. – Matias Quaranta Mar 17 '16 at 19:21
  • I've created a cloud service but it says "Nothing is deployed to the current environment" (although it's linked to my resource group with the problematic VM). How to deploy anything there? Probably then Endpoints will be available? – amarax Mar 18 '16 at 05:58
  • Try picking a Virtual Machine from the [Marketplace](https://azure.microsoft.com/en-us/marketplace/virtual-machines/), that way, you'll get a deployment already working with the OS/features you need. – Matias Quaranta Mar 18 '16 at 11:58
  • I did. It was Data Science Virtual Machine. And it works without a firewall in between. But there are still no End Points - I believe this feature is solely from the old classic model (although I created a classic VM and couldn't find it there too) – amarax Mar 18 '16 at 14:27
  • Edited the answer for VMs created using Resource Manager model – Matias Quaranta Mar 18 '16 at 16:50
  • if we create vm in RM we don't get the option shown in screenshot – Aatif Akhter Jul 20 '16 at 20:13
-1

Had same problem and resolved it as follows:

  1. On the Azure dashboard, in the VM-related security interface, add an inbound security rule which opens port 443.
  2. On the VM, change the RDP port to 443 via the registry editor: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
  3. On the VM firewall, add an inbound rule which opens port 443.
  4. Restart the VM and connect to IP:443
  5. In order not to lose connection to the VM, I recommend installing Ultra VNC; that way you have an alternative control point to your VM.
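
Steps 2 to 4 above as a PowerShell script run on the VM (an added example, not part of the original answer): it checks that the port is free, opens the guest firewall before moving the listener, and verifies the result after the restart. The rule name and the `203.0.113.0/24` source range are assumed placeholders; the NSG rule from step 1 is still created on the Azure side.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: port 443 (from the answer), the rule name, and
# the source range below, a constructed placeholder for your own egress range.
$NewPort     = 443
$AllowedFrom = '203.0.113.0/24'
$RuleName    = "RDP-Custom-$NewPort"
$RdpKey      = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpPort {
    # Refuse if another process already listens on the port (IIS/HTTP.sys often holds 443).
    $busy = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
    if ($busy) {
        $name = (Get-Process -Id $busy[0].OwningProcess).ProcessName
        throw "Port $NewPort is already bound by '$name'; choose another port."
    }
    # Open the guest firewall first so the listener is reachable after the restart.
    # -RemoteAddress limits who may reach RDP instead of exposing it to any source.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $NewPort -RemoteAddress $AllowedFrom -Action Allow | Out-Null
    }
    # Record the old port, then move the listener; it takes effect after a restart.
    $old = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
    "RDP port changed from $old to $NewPort. Restart the VM, then run Test-RdpPort."
}

function Test-RdpPort {
    # Run on the VM after the restart: confirms registry, listener and firewall agree.
    $configured = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    $listener   = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
    $rule       = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegistryPort   = $configured
        Listening      = [bool]$listener
        FirewallRuleOn = [bool]($rule -and $rule.Enabled -eq 'True')
    }
}
```

Call `Set-RdpPort`, restart the VM, then `Test-RdpPort`; if all three fields look right and the client still cannot connect, `Test-NetConnection -ComputerName <vm-ip> -Port 443` from the client shows whether the path through the NSG and the corporate firewall is open.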