Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Can't access Terminal Server behind ISA

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> General >> Can't access Terminal Server behind ISA Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Can't access Terminal Server behind ISA - 16.Dec.2003 3:55:00 PM   
tolvar

 

Posts: 29
Joined: 10.Feb.2003
Status: offline 		Hi

I can access the server via terminal services internally but not across the internet, I'm sure i used to be able to do this in the past, is there a port i need to open??

regards
Post #: 1
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 4:36:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline 		How are you trying to access your terminal services server? VPN or Server Publishing rule?

(in reply to tolvar)
Post #: 2
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 5:40:00 PM   
Guest
 I just had this problem happen to me yesterday (Dec 16).

I use terminal services to access computers outside of my network, almost daily. It was working yesterday morning, but not in the afternoon.

This issue also affects IRC and FTP, all of which was working prior to yesterday. (Although, FTP still works using a web browser.)

I have administrative access to all of the computers in question. I'm not sure that this problem is specifically related to ISA Server, but I noticed this topic posted a few times on these forums and thought I'd add to them.

Any help is appreciated. Thanks.

(in reply to tolvar)
  Post #: 3
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 5:42:00 PM   
Guest
 Forgot to add that no updates or patches or changes of any type were made.

Thanks.

(in reply to tolvar)
  Post #: 4
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 6:12:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline 		Things don't just stop working...there's always a reason.

Have you modified any of the access rules, etc.

Also, incoming and outgoing could be quite different issues.

Regarding outgoing to external computers -look at the firewall client on top of what ports are open and what packet filters are in use, etc.

The only issue I ever had running TS through ISA was my firewall client was pointing to a decommissioned ISA server (a test server that had gone off-line).

Paul.

(in reply to tolvar)
Post #: 5
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 8:28:00 PM   
tolvar

 

Posts: 29
Joined: 10.Feb.2003
Status: offline 		setup is very simple, win2k server running isa2000, it's this server I want to access from an another computer via the internet. I thought i could do this just by using the remote desktop connection and entering the public ip. RDC works perfectly internally.

(in reply to tolvar)
Post #: 6
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 8:33:00 PM   
Guest
 All is working perfect once again!

First, thanks Paul for your responses. I know ISA Server has not been touched since it's original installation. What led me to believe it was related was that I had reinstalled the firewall client on my workstation (can't recall why I did). Prior to all this, I ran without the client and there were no connection issues.

How I fixed it... A lot of this is probably not necessary, but it solved my problem.

1. On the workstation (Win2k Pro)
- uninstalled all firewall related software
- uninstalled .NET framework 1.1
- ran RegCleaner to make sure nothing was missed
- removed workstation from domain
- made sure these services were set to auto, DHCP Client, DNS Client, Remote Registry

2. On the server (Win2k SBS)
- set ISA to send out the IP instead of name
- added a new workstation to the domain
- created a new client setup disk (includes firewall client, etc.)

3. Ran the setup disk on the workstation. Reboot.

Another issue, which I've also had in the past, where the firewall client would disconnect/timeout. The solution that helped was to uncheck the auto detect option and click Update Now.

GV

(in reply to tolvar)
  Post #: 7
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 8:39:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline 		You've a couple of choices. The way I do it is to VPN in and then RDP. Opening the RDP/TS ports is another way -there's an example of this in Tom's book.

Let me know if you require more specifics.

Paul.

(in reply to tolvar)
Post #: 8
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 8:42:00 PM   
Guest
 For tolvar,

The default port is 3389. In my case, I believe the settings were auto-configured when ISA and TS were installed. That is, to allow all incoming and outgoing TCP connections on that port.

You might also want to check user settings. I know on my domain, terminal access defaults to deny.

GV

(in reply to tolvar)
  Post #: 9
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 11:30:00 PM   
tolvar

 

Posts: 29
Joined: 10.Feb.2003
Status: offline 		I've setup a definition to allow tcp inbound on 3389 but still no access??

(in reply to tolvar)
Post #: 10
RE: Can't access Terminal Server behind ISA - 17.Dec.2003 11:54:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi tolvar,

make sure you have a proper server publishing rule with RDP Server (TCP port 3389 inbound) as mapped server protocol and that the internal host is configured as a SecureNAT client. The latter means that the default gateway on the internal TS should point to the ISA internal interface, at least for a non-routed internal network.

HTH,
Stefaan

(in reply to tolvar)
Post #: 11
RE: Can't access Terminal Server behind ISA - 18.Dec.2003 12:46:00 AM   
tolvar

 

Posts: 29
Joined: 10.Feb.2003
Status: offline 		your dealing with a complete idiot here i'm afraid.

Do I have to "configure a server publishing rule" using a protocol Terminal Services and internal/external ip's?

regards.

(in reply to tolvar)
Post #: 12
RE: Can't access Terminal Server behind ISA - 18.Dec.2003 10:14:00 AM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
quote:
Another issue, which I've also had in the past, where the firewall client would disconnect/timeout. The solution that helped was to uncheck the auto detect option and click Update Now.
I've seen this. Even when Auto is selected manually clicking refresh get sthings going again. Some people advise just using an IP, but I'd rather get to the route of the problem.

I'm wondering if installing from one ISA and then pointing to another ISA causes this. I vaguely remember Tom's book mentioning Auto update and actual server being different -1 grabs the latest LAT, etc. while the other chucks the winsock stuff to the correct firewall.

I've also noticed this recently becuase I published the firewall through ADS/ GPO but from a share on a file server...

Paul.

(in reply to tolvar)
Post #: 13
RE: Can't access Terminal Server behind ISA - 18.Dec.2003 10:17:00 AM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
quote:
Do I have to "configure a server publishing rule" using a protocol Terminal Services and internal/external ip's?
If you want to access the TS from the web, and you're not using VPN's then yes. A server publishing rule is a good way of doing this. I believe this isn't the only way though -you can create packet filters for specific IP addresses.

Post if you need any more info.

Paul.

(in reply to tolvar)
Post #: 14
RE: Can't access Terminal Server behind ISA - 18.Dec.2003 9:10:00 PM   
tolvar

 

Posts: 29
Joined: 10.Feb.2003
Status: offline 		Problem is getting worse after I created a server publishing rule. I could not access the server from an internal computer, as well as not being able to access it from the internet. After I removed the rule I could access the server internally again but still not from the internet. This is now driving me mad.

please help someone, an idiots guide would be nice [Smile]

(in reply to tolvar)
Post #: 15
RE: Can't access Terminal Server behind ISA - 18.Dec.2003 11:13:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Paul,

creating IP packet filters want help you to allow inbound/outbound access to/from internal hosts.

HTH,
Stefaan

(in reply to tolvar)
Post #: 16
RE: Can't access Terminal Server behind ISA - 18.Dec.2003 11:30:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi tolvar,

I would like to help, but I'm afraid we need some more info about your configuration. Please, post the results of the following commands unmodified:
- ipconfig /all on ISA
- route print on ISA
- content of the LAT on ISA
- ipconfig /all on the Terminal Server
- ipconfig /all on an internal workstation

We can then first check out your basic ISA server configuration settings and give you some guidance.

HTH,
Stefaan

(in reply to tolvar)
Post #: 17
RE: Can't access Terminal Server behind ISA - 19.Dec.2003 10:15:00 PM   
tolvar

 

Posts: 29
Joined: 10.Feb.2003
Status: offline 		hi

Here's the info u requested, hope it makes sense to you, it doesn't to me [Smile]

There was no info from the terminal server as it's running on the same server as ISA.

[ December 21, 2003, 11:38 PM: Message edited by: tolvar ]

(in reply to tolvar)
Post #: 18
RE: Can't access Terminal Server behind ISA - 19.Dec.2003 10:54:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi tolvar,

aha... the title of this topic says "Can't access Terminal Server behind ISA". Now, it seems that you want to access the TS running on ISA itself. That's something different! [Big Grin]

You can either create an inbound IP packet filter or use a regular server publishing rule. The latter is my preferred configuration. This are the configuration steps:

1) create a RDP Server Protocol Definition: TCP port 3389 Inbound.

2) make sure that the Terminal Service is only bound to the ISA internal interface. In Terminal Service Configuration, under the node connections select RDP-Tcp Properties and the tab Network Adapter. There you can choose to which adapter the service must bind.

3) create the RDP Server Publishing Rule. You might want to limit access to the rule to a limited set of addresses based on a client address set.

BTW --- it is highly recommended you enable high encryption in the RDP-Tcp properties.

HTH,
Stefaan

(in reply to tolvar)
Post #: 19
RE: Can't access Terminal Server behind ISA - 20.Dec.2003 2:59:00 PM   
tolvar

 

Posts: 29
Joined: 10.Feb.2003
Status: offline 		tried that already but i couldn't then access TS even from a local machine. Is there anything wrong with the data i supplied?

(in reply to tolvar)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> General >> Can't access Terminal Server behind ISA Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts