I am probably not in the right place

I am probably not in the right place - 11.Aug.2008 9:49:41 AM   
bbenninger

 

Posts: 11
Joined: 11.Aug.2008
Status: offline
...but I just read Thomas Shinder's article on Remote Desktop Web Connections and the article linked to these forums. If you could please point me in the right direction or forum I would be very grateful!

Now on to the issue:

I have a Windows Server 2003 box and a bunch of XP machines behind a firewall with NAT forwarding set up. I can hit the server via the domain_name/tsweb from the internet, but would like to learn how to let my users access their desktops remotely from home as well.

According to the article I would need a separate public IP forwarded through my firewall to the appropriate machine for each box.

What is the correct way to do this without adding extra public IPs for each machine?


Thanks,
Bob
Post #: 1
RE: I am probably not in the right place - 11.Aug.2008 3:41:58 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

the best way is configuring ISA remote client VPN.

Regards,
Paulo Oliveira.

(in reply to bbenninger)
Post #: 2
RE: I am probably not in the right place - 11.Aug.2008 3:46:43 PM   
bbenninger

 

Posts: 11
Joined: 11.Aug.2008
Status: offline
What is this? Where do I start? Does ISA come with Win Server 2003?

(in reply to paulo.oliveira)
Post #: 3
RE: I am probably not in the right place - 11.Aug.2008 4:55:40 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Wasn't this asked in another forum?
Didn't I give a detailed answer to it?


_____________________________

Phillip Windell

(in reply to bbenninger)
Post #: 4
RE: I am probably not in the right place - 11.Aug.2008 8:09:27 PM   
bbenninger

 

Posts: 11
Joined: 11.Aug.2008
Status: offline
quote:

ORIGINAL: pwindell

Wasn't this asked in another forum?
Didn't I give a detailed answer to it?



I asked this in Server Publishing as well but have not received a response.

Do you remember the title of the thread? I would love to read it.

(in reply to pwindell)
Post #: 5
RE: I am probably not in the right place - 12.Aug.2008 9:43:00 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I think I backed out after writing because I wasn't totally sure what all the Remote Desktop Web Connections actually did,...which is exactly why Tom's first article on it is written the way it is,...because so many people don't understand how the process really works.  So I had to find it and actually read it myself,..."Part 1" anyway.

Anyway, if you have multiple RDP "targets" on the LAN that you want to connect to,..you will need a Public IP# on the outside of the ISA to correspond to each "target" and then create a separate RDP Publishing Rule for each one which is pretty much the same thing you would be doing if you did not use Remote Desktop Web Connections and just used straight RDP with the Remote Desktop Client.

So if you don't think that is worth all the hassle (it isn't to me), or don't have the Public IP#s from the ISP (sounds like you don't), or your Line Technology from the ISP does lend itself to doing this properly,....then just forget it and use Remote Access VPN and then run the RDP to whatever "target" you want over the top of the VPN connection.  ISA can be very detailed and "controlling" with who is allowed to VPN in and what they can connect to after they establish the VPN (which is very good).

So I throw my hat in with Paulo on this one.  Remote Access VPN is the way to go.


_____________________________

Phillip Windell

(in reply to bbenninger)
Post #: 6
RE: I am probably not in the right place - 12.Aug.2008 10:17:23 AM   
bbenninger

 

Posts: 11
Joined: 11.Aug.2008
Status: offline
Thanks so much for getting back to me. You are correct in that I don't want to go buy 50 public IPs to use for Remote Desktop. I don't think that would be a sound decision on my part :)

It does sound like Remote Access VPN is the way to go - so I will do some searches for that, but if you have a good post or doc handy please let me know.

One thing I would like to note though - as I was testing Remote Desktop Web Connection - once I created a VPN connection to my network I could get into any machine I wanted via the /tsweb link. Without the VPN connection I could only hit the server that was forwarded through the firewall. Does that lend itself to a simpler solution?


Thanks,
Bob

(in reply to pwindell)
Post #: 7
RE: I am probably not in the right place - 12.Aug.2008 10:54:36 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

ORIGINAL: bbenninger

One thing I would like to note though - as I was testing Remote Desktop Web Connection - once I created a VPN connection to my network I could get into any machine I wanted via the /tsweb link. Without the VPN connection I could only hit the server that was forwarded through the firewall. Does that lend itself to a simpler solution?

I don't see the problem you're asking to solve.

Establishing a VPN Connection gives you access to absolutely nothing if it is not accompanied by a proper Access Rule for what you want to do

From: VPN Clients Network (that's the actual name)
To: <whatever>
Protocol: <whatever>
Users: <whoever>


_____________________________

Phillip Windell

(in reply to bbenninger)
Post #: 8
RE: I am probably not in the right place - 12.Aug.2008 11:34:27 AM   
bbenninger

 

Posts: 11
Joined: 11.Aug.2008
Status: offline
What is the process for setting up Remote Access VPN? Where do I start? Is this specific to my firewall?


thanks,
Bob

(in reply to pwindell)
Post #: 9
RE: I am probably not in the right place - 12.Aug.2008 11:56:52 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It is just a few mouse clicks in the ISA MMC.

Look in the ISA Help for details, but there isn't that much to it.

Now if the VPN Clients receive their IP Config via DHCP (chosen in the ISA MMC as part of the VPN Setup) and they get an IP# that is a normal part of the Internal Network you may get brief "Spoofing Alerts" because the IP# is suddenly coming from the VPN Clients Network when it was expected to be in the Internal Network.  Personally, I don't worry about the alerts,..I run mine this way,..it works fine.

In the ISA Help go to Contents--->Virtual Private Networking--->VPN: How To--->Configure Remote VPN Client Access (and also) Configure Common VPN Settings.

Keep it simple,..there are a lot of options and possibilities that you will not need to touch.  Just get it working in a normal straightforward way.  You can get "creative" with it later on after you are more familiar with it.


_____________________________

Phillip Windell

(in reply to bbenninger)
Post #: 10
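
An added example, not part of any post in this thread and not ISA's own code: a simplified Python model of the From/To/Protocol/Users access rule described in post 8 (default deny for VPN clients) and of the address-pool overlap that post 10 associates with spoofing alerts. All addresses, user names and function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; none of these values come from the thread.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
RDP = ("tcp", 3389)
SMB = ("tcp", 445)

@dataclass(frozen=True)
class AccessRule:
    src_network: str             # "From", e.g. "VPN Clients"
    dst: ipaddress.IPv4Network   # "To"
    protocol: tuple              # "Protocol" as (transport, port)
    users: frozenset             # "Users"

def evaluate(rules, src_network, dst_ip, protocol, user):
    """Allow only when one rule matches all four fields; otherwise deny."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule.src_network == src_network and dst in rule.dst
                and rule.protocol == protocol and user in rule.users):
            return "allow"
    return "deny"  # an established VPN session alone grants nothing

def pool_overlaps_internal(first, last, internal=INTERNAL):
    """True if any address in the VPN pool [first, last] lies inside the
    Internal range, the condition post 10 links to brief spoofing alerts."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return any(net.overlaps(internal)
               for net in ipaddress.summarize_address_range(lo, hi))

# One narrow rule per user: RDP to that user's own desktop only.
RULES = [
    AccessRule("VPN Clients", ipaddress.ip_network("192.168.1.50/32"),
               RDP, frozenset({"alice"})),
    AccessRule("VPN Clients", ipaddress.ip_network("192.168.1.51/32"),
               RDP, frozenset({"carol"})),
]

if __name__ == "__main__":
    checks = [("192.168.1.50", RDP, "alice"),   # own desktop over RDP
              ("192.168.1.51", RDP, "alice"),   # someone else's desktop
              ("192.168.1.50", SMB, "alice")]   # own desktop, other protocol
    for dst_ip, proto, user in checks:
        print(user, dst_ip, proto, evaluate(RULES, "VPN Clients", dst_ip, proto, user))
    print("DHCP-style pool overlaps Internal:",
          pool_overlaps_internal("192.168.1.200", "192.168.1.220"))
    print("Dedicated pool overlaps Internal:",
          pool_overlaps_internal("10.10.10.1", "10.10.10.50"))
```
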
RE: I am probably not in the right place - 12.Aug.2008 12:07:10 PM   
bbenninger

 

Posts: 11
Joined: 11.Aug.2008
Status: offline
Ok great! Thanks so much.

Do I need to worry about upgrading to an advanced firewall (I currently use a WG Firebox 1000) or is all of this connectivity handled in ISA?

(in reply to pwindell)
Post #: 11
RE: I am probably not in the right place - 12.Aug.2008 4:50:17 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You already have an advanced Firewall. It is called ISA,...it is the most advanced firewall that is out there until MS TMG comes out.


_____________________________

Phillip Windell

(in reply to bbenninger)
Post #: 12
