
Welcome to ISAserver.org


RDP Strikes Back

RDP Strikes Back - 29.Dec.2008 11:49:47 PM   
TimTrace

 

Greetings --

I find myself unable to publish RDP servers in my DMZ so that they can be accessed by External clients.

My DMZ network rules are separate routes to the DMZ from the External and Internal networks.  This design seems to be working for everything besides RDP -- for example, with the appropriate access and web-server publishing rules, my SharePoint and SQL Server Reporting Services servers in the DMZ are communicating to clients on the External and Internal networks with no drama.

Back to the issue at hand: I have a Server Publishing Rule which allows RDP (Terminal Services) Server traffic between the External network and the DMZ.  I'm using the default protocol definition with a port-publishing override to preserve external IPs; the RDP hosts themselves are still listening on 3389 inside the DMZ.  The listener is configured to the External network only.

The MMC live log shows traffic from the Client IP hitting the Destination IP, aka the external interface of the ISA Server, on the desired destination port...but everything else is wrong!  The protocol column shows "Undefined IP Traffic (3394)," the action is "Denied," the rule is "Default Rule," and the destination network is "Local Host."  All wrong!

Thanks for reading this far - does anyone have any suggestions on what I need to do next?

Best regards,

Tim ==
Post #: 1
RE: RDP Strikes Back - 31.Dec.2008 8:51:58 AM   
tshinder

 

Is this a trihomed DMZ on the firewall?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to TimTrace)
Post #: 2
RE: RDP Strikes Back - 31.Dec.2008 9:04:20 AM   
TimTrace

 

Yessir, with three physical NICs: Internal (10.0.12.x), Perimeter (10.0.13.x) and External (172.17.91.x).  I used the default 3-leg template.

I have been unsuccessful at publishing perimeter RDP hosts for access by Internal or External clients.

(in reply to tshinder)
Post #: 3
RE: RDP Strikes Back - 25.Feb.2009 6:10:36 PM   
TimTrace

 

Months later, I've resolved the problem. There was a one-way, outbound NAT in place from the perimeter to the external network. Everything began to work fine when I built up the corresponding inbound NAT.

(in reply to TimTrace)
Post #: 4
RE: RDP Strikes Back - 5.Mar.2009 11:59:08 AM   
tshinder

 

Hi Tim,

NAT is unidirectional. So the Network Rule higher up in the list is the one that will be used.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to TimTrace)
Post #: 5
