2012R2 TLS/SSL not working

Feb 8 at 1:41 AM
I've only just discovered CyberArms and I'm running it to try out on my Windows 10 workstation.

I have one issue on Windows 10: Windows 10 does seem to log IP addresses for failed TLS/SSL logins, so now CyberArms is blocking failed attempts twice. It still works, but the problem comes when you try to unlock an IP: it struggles to remove both firewall entries and doesn't work - I had to go in and unlock in the Windows firewall manually. This in itself is not a big issue for a network person, and anyone that doesn't understand that process isn't likely to try a product like this or even be aware of its need.

The more pressing issue I have is I've tried it on two Windows Server 2012R2 servers and the TLS/SSL agent won't work for me - It doesn't end up detecting any failed attempts even when I try in testing with 20 sequential bad credentials.

Is there any additional configuration needed for Server 2012R2 that I'm missing? I've got auditing turned on for failed login attempts and they are logging (without the IP address), but I didn't think the TLS/SSL agent used the Event logs anyway?
Coordinator
Feb 16 at 7:55 PM
Please make sure (using Group Policy) that the server only uses TCP for Remote Desktop, and no UDP. The reason is that UDP addresses can be spoofed very easily; TCP addresses cannot.
Feb 22 at 12:52 AM
It wasn't a UDP issue as UDP wasn't forwarded through the firewall.

In the end I opened a session and watched the Security Log tab while I attempted to make another connection with bad credentials, and the # of incidents increased, but from a LAN IP address.

For some reason I was doing an RDP from my workstation at my office to the WAN IP of my home server, but the IP address reported was the LAN IP of my workstation - there is a VPN between the sites but it's only SERVER -> SERVER, so not quite sure how things were translating, but it was a NAT/firewall oddity causing this - as soon as I attempted to make an RDP with failed credentials from a client's site to my home server it quickly blocked it as expected, so I apologise.

I'll do some more testing on another client's server I tried it on but failed with.

Regards,

Matt
Feb 22 at 9:57 PM
Nope - sorry to come back again. What happened there was the client machine I tested from was using an old RDP client so didn't use TLS. I've confirmed again - I have a 2012R2 server with Cyberarms installed - the TLS/SSL agent is running, monitoring 3389.

I have made 10 failed login attempts - all are logged in the Event Log in Security as failed login attempts but obviously with no source IP, only a source PC name, which is where the SSL/TLS is supposed to kick in but it's not doing it - it's not registering the failures in the Security Log tab in Cyberarms at all.

What am I missing??
Jul 31 at 5:24 AM
2 mobiusnz
I faced the same problem and had to analyse the source code. There I discovered that the TLS/SSL agent starts listening on the IP addresses it gets from DNS -> IPHostEntry hostEntry = Dns.GetHostEntry((Dns.GetHostName())); My server has two network interfaces but there was only one IP in DNS, and TLS/SSL was working only on the local network interface, whose IP was in DNS. So I just updated the hosts file (c:\windows\system32\drivers\etc\hosts) with all the IPs the server has and now everything is working fine.
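
A way to check a server for the mismatch described in the post above, as an added example that is not part of the thread and not Cyberarms code: it compares the addresses returned by the quoted Dns.GetHostEntry(Dns.GetHostName()) lookup with the addresses actually assigned to the machine's network interfaces. The class and method names are hypothetical, and skipping loopback and IPv6 link-local addresses is an assumption made to keep the report readable.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.NetworkInformation;

// Added diagnostic (hypothetical names); reports interface addresses that the
// host-name lookup quoted in the thread would not return.
static class ListenerCoverageCheck
{
    // Addresses the machine's own host name resolves to (DNS or hosts file).
    static HashSet<IPAddress> ResolvedAddresses()
    {
        IPHostEntry hostEntry = Dns.GetHostEntry(Dns.GetHostName());
        return new HashSet<IPAddress>(hostEntry.AddressList);
    }

    // Unicast addresses assigned to interfaces that are currently up.
    static IEnumerable<KeyValuePair<string, IPAddress>> InterfaceAddresses()
    {
        foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
        {
            if (nic.OperationalStatus != OperationalStatus.Up) continue;
            if (nic.NetworkInterfaceType == NetworkInterfaceType.Loopback) continue;
            foreach (UnicastIPAddressInformation ua in nic.GetIPProperties().UnicastAddresses)
            {
                // Assumption: link-local IPv6 is ignored (scope ids make matches noisy).
                if (ua.Address.IsIPv6LinkLocal) continue;
                yield return new KeyValuePair<string, IPAddress>(nic.Name, ua.Address);
            }
        }
    }

    static int Main()
    {
        HashSet<IPAddress> resolved = ResolvedAddresses();
        int missing = 0;
        foreach (KeyValuePair<string, IPAddress> pair in InterfaceAddresses())
        {
            bool covered = resolved.Contains(pair.Value);
            if (!covered) missing++;
            Console.WriteLine("{0,-8} {1,-40} {2}",
                covered ? "OK" : "MISSING", pair.Value, pair.Key);
        }
        Console.WriteLine("{0} interface address(es) not returned by the host-name lookup.", missing);
        return missing == 0 ? 0 : 1; // non-zero exit code when any address is missing
    }
}
```

Any address reported as MISSING is one that an agent relying only on that lookup would not be listening on; after the hosts-file change described in the post, a re-run should report none.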