Discussion on Publishing RDP Servers with the ISA Firewall
Discussion on Publishing RDP Servers with the ISA Firewall - 5.Aug.2004 4:48:00 AM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
This thread is for discussing the article on publishing Terminal Services using the ISA firewall over at http://isaserver.org/articles/2004pubts.html.
Thanks! Tom [ August 05, 2004, 05:08 AM: Message edited by: tshinder ]
RE: Discussion on Publishing RDP Servers with the ISA F... - 5.Aug.2004 6:45:00 AM
Guest
Tom, your article was very timely; well, the rant certainly was. A co-worker today printed off a how-to article on HTTPS tunneling to subvert firewalls and proxies. So I support your call for improved functionality. Cheers.
RE: Discussion on Publishing RDP Servers with the ISA F... - 5.Aug.2004 9:06:00 AM
George_Ou
Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Hi Tom,
What an awesome article! I've been looking for a good way to wrap RDP in HTTPS for a long time. You're even making an old PIX dog like me really yearn for an ISA 2004 server.
I've been saying for years that blocking non-standard outbound ports was only going to make things worse, since it will push everything to ports 80 and 443. Once it hits port 80, content analysis and tracking can no longer be performed at layer 3, and you can forget Quality of Service and Class of Service. Once it hits 443, then you can even forget about content analysis unless you flat out ban encrypted content between the internal client and external server without the type of bridging that you're asking Microsoft for. Of course that automatically kills privacy, but employee privacy as ruled by the US government isn't a privilege on a business network.
On an additional note, I've started a regular blogging gig on http://blogs.zdnet.com and my first blog is on a similar topic with a new twist. It's the newest hack shown at Black Hat this year in Vegas, called DomainCasting. This is very similar to HTTP encapsulation, but this is where they take IP traffic and wrap it in DNS queries. Immediate application means you can get free hotspot access! Anyway, it will be up later on today or tomorrow.
George Ou www.LANArchitect.net
RE: Discussion on Publishing RDP Servers with the ISA F... - 5.Aug.2004 10:20:00 AM
FrancWest
Posts: 70
Joined: 22.Jul.2004
Hi Tom,
in the article you state:
As a firewall administrator, I open outbound HTTPS to selected users so that they can go to secure Web sites. I do not open outbound access to HTTPS (SSL) so that they can use remote access technologies that enable them to connect to their home computer and then transfer virus infected files from their home computer (which isn't under our administrative control).
How did you do this, because HTTPS (SSL) is not listed as a protocol in ISA 2004.
Franc.
RE: Discussion on Publishing RDP Servers with the ISA F... - 18.Aug.2004 12:28:00 PM
Guest
Can publishing RDP like this be integrated with other authentication methods, in particular two-factor ones like SecurID?
Windows auth is good, but in many situations, especially where you are accessing RDP from outside of a firewall, people will probably be asking about and for two-factor auth of some sort.
RE: Discussion on Publishing RDP Servers with the ISA F... - 23.Aug.2004 3:47:00 PM
ITOpMan
Posts: 12
Joined: 23.Aug.2004
From: Huntingdon
Terminal Services connection outside our network to a remote server.
I am trying to set the above up but have been unable to connect so far. We have had a rule set up for T/S but this does not seem to resolve the issue; please can you help.
Rule: Action-Allow, Protocol-RDP T/S, From-ISA Server; Ext network and (Local Hosts); Internal, To-Anywhere Internal; Local Host; Perimeter, Content type-All content types.
This seems to me to be allowing more than what is needed, but we do access all internal servers by T/S for maintenance etc.
Please can you guide us on this.
ISA 2004 on a Win2003 server; most other servers are Win2000, with OWA Exchange 2003 on the DMZ (this is a Win2003).
Regards,
Brian
RE: Discussion on Publishing RDP Servers with the ISA F... - 23.Aug.2004 9:09:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
quote: Originally posted by <Andrew>: Can publishing RDP like this be integrated with other authentication methods, in particular two-factor ones like SecurID?
Windows auth is good, but in many situations, especially where you are accessing RDP from outside of a firewall, people will probably be asking about and for two-factor auth of some sort.
Hi Andrew,
The Windows 2003 Terminal Server does support SecurID, so you could use this solution for that as well. I haven't worked out the details, but there's no reason why it should not work.
HTH, Tom
RE: Discussion on Publishing RDP Servers with the ISA F... - 23.Aug.2004 9:13:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
quote: Originally posted by ITOpMan: Terminal Services connection outside our network to a remote server.
I am trying to set the above up but have been unable to connect so far. We have had a rule set up for T/S but this does not seem to resolve the issue; please can you help.
Rule: Action-Allow, Protocol-RDP T/S, From-ISA Server; Ext network and (Local Hosts); Internal, To-Anywhere Internal; Local Host; Perimeter, Content type-All content types.
This seems to me to be allowing more than what is needed, but we do access all internal servers by T/S for maintenance etc.
Please can you guide us on this.
ISA 2004 on a Win2003 server; most other servers are Win2000, with OWA Exchange 2003 on the DMZ (this is a Win2003).
Regards,
Brian
Hi Brian,
Are you trying to publish the Terminal Server? If so, those rules are way too liberal! You should lock them down so that only the source hosts that require access are allowed to the destination hosts that are to be accessed.
HTH, Tom
RE: Discussion on Publishing RDP Servers with the ISA F... - 21.Oct.2004 6:30:00 AM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi AQ,
You're right about the error. It's fixed now.
You can't browse because that's a NetBIOS function, and NetBIOS is a big no-no when it comes to firewalls.
As long as you're using different ports on the external interface it will work. There's nothing preventing it from working.
Check the log file and the Event Viewer to see what the problem might be.
Thanks! Tom
RE: Discussion on Publishing RDP Servers with the ISA F... - 22.Oct.2004 3:31:00 AM
AMQureshi
Posts: 3
Joined: 21.Oct.2004
From: Princeton, NJ
I still cannot get the internal RDP server working.
BTW, I am running the ISA RDP on the default port and trying this other internal server on alternate port (9999). Would it make a difference if default RDP port is used on ISA RDP?
I will look into the log as well (good advice; I did not think about it).
AQ [ October 22, 2004, 03:48 AM: Message edited by: AQ ]
RE: Discussion on Publishing RDP Servers with the ISA F... - 25.Oct.2004 12:45:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi AQ,
Remember, the internal RDP server isn't listening on that port. The ISA firewall is listening on that port and redirecting to the default RDP port on the internal RDP server.
HTH, Tom
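Tom's two replies above make two points that are easy to get wrong: the ISA firewall, not the internal server, owns the alternate external port (AQ's 9999, bmccall's 8010 and 8020) and redirects each one to the published server's default RDP port 3389, and each publishing rule should be locked down to the source hosts that actually need it rather than "Anywhere". The following is an added example, not code from the thread, the article or ISA Server itself: a small Python model of such publishing rules that puts a liberal rule beside a restricted one and shows the external-port-to-3389 redirect. The addresses (203.0.113.0/24 as the permitted admin range, 198.51.100.9 as an unrelated Internet host, 192.168.100.1 and .2 as internal Terminal Servers), the rule names and the evaluate() and listening_ports() helpers are assumptions constructed for illustration.

```python
"""Model of ISA-style server publishing rules for RDP.

Added example, not code from the forum thread or from ISA Server.
Addresses, rule names and helpers are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

RDP_PORT = 3389  # default RDP / Terminal Services port on the published server


@dataclass(frozen=True)
class PublishingRule:
    """One server publishing rule: external listener -> internal RDP server."""
    name: str
    listen_port: int                    # port the firewall listens on externally
    target_host: str                    # internal RDP server the firewall redirects to
    target_port: int = RDP_PORT         # the internal server keeps listening on 3389
    allowed_sources: Tuple[str, ...] = ("0.0.0.0/0",)  # default is "Anywhere"

    def matches(self, src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the (host, port) this connection is redirected to, or None."""
        if dst_port != self.listen_port:
            return None
        addr = ip_address(src_ip)
        if not any(addr in ip_network(net) for net in self.allowed_sources):
            return None
        return (self.target_host, self.target_port)


def evaluate(rules: Iterable[PublishingRule], src_ip: str, dst_port: int):
    """First matching rule wins; anything unmatched falls to the default deny."""
    for rule in rules:
        target = rule.matches(src_ip, dst_port)
        if target is not None:
            return rule.name, target
    return "Default rule (deny)", None


def listening_ports(rules: Iterable[PublishingRule]) -> Tuple[int, ...]:
    """External ports the firewall (not the internal servers) must listen on."""
    return tuple(sorted({r.listen_port for r in rules}))


# Constructed addresses: RFC 5737 documentation ranges for the external side.
ADMIN_NET = "203.0.113.0/24"                  # only source range that should reach RDP
OTHER_HOST = "198.51.100.9"                   # an unrelated Internet host
TS1, TS2 = "192.168.100.1", "192.168.100.2"   # internal Terminal Servers

# Weak: the listener on 9998 accepts any source, the kind of rule Tom calls
# "way too liberal".
LIBERAL_RULES = [
    PublishingRule("RDP TS1 (open)", listen_port=9998, target_host=TS1),
]

# Locked down as Tom advises: only ADMIN_NET may connect, and each external
# port redirects to exactly one internal server on 3389.
LOCKED_RULES = [
    PublishingRule("RDP TS1", listen_port=9998, target_host=TS1,
                   allowed_sources=(ADMIN_NET,)),
    PublishingRule("RDP TS2", listen_port=8820, target_host=TS2,
                   allowed_sources=(ADMIN_NET,)),
]


if __name__ == "__main__":
    for label, rules in (("liberal", LIBERAL_RULES), ("locked", LOCKED_RULES)):
        print(f"{label}: firewall listens externally on {listening_ports(rules)}")
        for src in ("203.0.113.7", OTHER_HOST):
            print(f"  {src} -> :9998  => {evaluate(rules, src, 9998)}")
        # 3389 itself is never exposed; only the alternate ports are published.
        print(f"  {OTHER_HOST} -> :3389  => {evaluate(rules, OTHER_HOST, 3389)}")
```

Run as a script it prints, for the liberal rule, the same redirect to 192.168.100.1:3389 for both the admin host and the unrelated Internet host; for the locked rules only 203.0.113.7 is redirected, the other host hits the default deny, and a connection to 3389 on the external interface is denied under both sets because nothing publishes that port. That last line is the point of Tom's reply to AQ: netstat on the internal server will never show the alternate port, because the firewall is the one listening on it.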
RE: Discussion on Publishing RDP Servers with the ISA F... - 28.Oct.2004 6:56:00 PM
bmccall
Posts: 13
Joined: 9.Aug.2004
Hi Tom, I have tried this setup and I am unable to connect. I noticed on the ISA I ran netstat -a and the ports I used (8010 & 8020) are not listed as listening. Should they be? Also, I have 6 NICs in this server and the TS is on one of the other networks created besides the default Internal. Would that make a difference? Thanks. P.S. When is the ISA 2004 book due to ship? I have been on the waiting list for months....
RE: Discussion on Publishing RDP Servers with the ISA F... - 3.Nov.2004 11:07:00 PM
AMQureshi
Posts: 3
Joined: 21.Oct.2004
From: Princeton, NJ
Never mind! I figured it out. The problem I had was not on the ISA or RDP server that I was trying to get to.
Actually, it was the external network from where I was trying to access the RDP server blocking outbound traffic on non-standard ports. I tried it from elsewhere and it worked like a charm.
Looking into the ISA log was good advice, as when I looked into the log I did not see any connection attempt at all.
RE: Discussion on Publishing RDP Servers with the ISA F... - 17.Jan.2005 3:24:00 PM
Puck
Posts: 25
Joined: 22.Jan.2003
From: Columbus, OH
I have attempted to follow the instructions listed in the article but cannot get it to work. Attempts to terminal to either the ISA server or a Server on the Internal network are being denied by the default rule. I have my ISA server routing instead of natting if that matters. Any suggestions would be helpful. Here is my general setup. I have my nat forwarding 8888 and 9999 tcp to the 192.168.2.2.
code:
        1.2.3.4
      -----------
      |         |
      |   NAT   |
      |         |
      -----------
      192.168.2.1
           |
           |
      192.168.2.2
      -----------
      |         |
      | ISA2004 |
      |         |
      -----------
    192.168.100.254
           |
           |
     192.168.100.1
      -----------
      |         |
      | Term Srv|
      |         |
      -----------
RE: Discussion on Publishing RDP Servers with the ISA F... - 28.Jan.2005 1:54:00 PM
Guest
Hi,
I have a similar configuration to the one drawn by Puck. A PIX is doing NAT to the Internet. ISA Server is only routing and has 5 NICs (routing relationship between all networks). Server publishing is just not going to work.
I would like to publish several RDP servers on different ports on the external interface of ISA; connections would come in from the PIX.
Example: publish RDP server on listener 192.168.110.1:33899, forward to 192.168.113.2:3389
ISA isn't even listening on the port. I can't see the port in netstat -an. In Netmon I see packets coming in for this port, but the connection attempts are reset.
Currently all access to all networks is allowed. I also tried restricting the from addresses and the listener addresses. I also tried 'requests appear to come from ISA Server'.
No way.
A similar rule works on another ISA server where the network relationship is NAT.
As the help files and relevant KB articles and ISAserver.org articles never restrict server publishing to NAT relationships, I would conclude: this is a bug.
Any help appreciated, Klaus
RE: Discussion on Publishing RDP Servers with the ISA F... - 10.Feb.2005 2:52:00 PM
ferrp
Posts: 45
Joined: 5.Oct.2002
How secure is publishing RDP if one were to span a port and sniff the packets?
RE: Discussion on Publishing RDP Servers with the ISA F... - 21.Feb.2005 5:42:00 PM
ppardal
Posts: 1
Joined: 21.Feb.2005
Hi Tom
Can I publish an RDP server with an ISA Server 2004 server with only one NIC?
Another question: Do you know of an application filter for RDP?
Thanks [ February 21, 2005, 05:44 PM: Message edited by: ppardal ]
RE: Discussion on Publishing RDP Servers with the ISA F... - 12.Mar.2005 4:22:00 AM
sjfoster@nhmichigan.com
Posts: 3
Joined: 3.Mar.2005
From: Detroit
I have been unsuccessful in getting this going. (I have your new book and love it by the way).
I followed the task list explicitly (except for the specific port numbers) and it seems that it may connect and then gives the standard 'may be busy' message. From the inside of the LAN there are no issues connecting.
I am wondering if there needs to be a reverse rule to let the traffic out from the inside?
I did check my router to make sure I didn't have any ports blocked, and I was using ports 9998, 8820, 8821, and 8823 (I have 4 servers I would like to publish)
Any thoughts for my next step in troubleshooting? Thanks!