Welcome to ISAserver.org


SecureNAT and Remote Desktop

SecureNAT and Remote Desktop - 8.Dec.2005 9:54:53 PM   
apolloth

 

Since upgrading to ISA 2004 I have had a nagging little issue with Remote Desktop. Our network has many subnets, some at remote sites, some on the same logical segment as the ISA. When I create a server for web publishing and I make it a SNAT client, I am no longer able to remotely access that server from anywhere except machines on the same logical segment. After changing the gateway address back, I can access it no problem. I didn't have this issue with ISA 2000, so I am wondering if there is a rule required to allow traffic since all the SNAT client's packets are routed to the ISA 2004 box. All subnets are correctly included in the Internal Networks listing. It is currently causing headaches because once I publish sites on that box as an SNAT client, remote administration becomes a headache. What am I missing?

Any help is appreciated
Apolloth
Post #: 1
RE: SecureNAT and Remote Desktop - 8.Dec.2005 10:08:29 PM   
spouseele

 

Hi Apolloth,

The network within a Network scenario is when you have multiple network IDs located behind the same ISA firewall network interface. It’s a simple concept, but it deviates quite a bit from how the ISA 2000 firewall worked. Check out these two articles:
- http://isaserver.org/articles/2004netinnet.html 
- http://isaserver.org/articles/2004isafirewallnetworks.html

HTH,
Stefaan

(in reply to apolloth)
Post #: 2
RE: SecureNAT and Remote Desktop - 8.Dec.2005 11:59:36 PM   
apolloth

 

Thanks spouseele for responding so quickly.

After installing ISA, I had the common "ISA server detected routes through adapter Local Area Connection..." and I did read the above articles and found that my routing table had been updated while the Networks address list had not.  I no longer have that problem, but I still do have the issue aforementioned.  ISA sits on a segment spanning 172.16.112.1 to 172.16.119.255.  This is the logical segment most of our servers sit on, including the box needing to be published.  Most of our web developers work from a site on the LAN at 172.16.4.1-172.16.7.255.  The addresses are not as important as the fact that no other subnet can remote the machine once it becomes an SNAT client.  If the Internal Network list on ISA04 has the subnets properly listed for my internal network, what am I missing?  Since both segments are considered internal, I wouldn't expect to need anything like a network rule to govern the connection, correct?

Thanks for any help
Apolloth

(in reply to spouseele)
Post #: 3
RE: SecureNAT and Remote Desktop - 10.Dec.2005 4:00:19 PM   
spouseele

 

Hi Apolloth,

You really need to fix your internal routing infrastructure!

The key point is that any communication between any internal hosts should never pass through the ISA server internal interface. In other words, do NOT use the ISA server as a router between internal segments. Therefore make sure that all the hosts sitting on the same segment as the ISA server internal interface also know how to route their traffic directly to other internal segments.

BTW --- my favorite design is described in http://www.isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html . Take note that that article was written for ISA 2000 but if you only have one 'internal' interface it still applies.

HTH,
Stefaan

(in reply to apolloth)
Post #: 4
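
One way to check the routing advice in this thread, as an added example that is not part of the original posts: given a host's route table, list the internal segments whose traffic that host would hand to the ISA internal interface. The two segments are the ranges quoted in the thread written as prefixes; the ISA and internal router addresses and both route tables are constructed assumptions.

```python
import ipaddress

ISA_IP = "172.16.112.10"      # assumed ISA internal interface address
ROUTER_IP = "172.16.112.254"  # assumed internal router on the same segment

# Ranges from the thread as prefixes: 172.16.112.1-172.16.119.255 and
# 172.16.4.1-172.16.7.255.
INTERNAL_SEGMENTS = ["172.16.112.0/21", "172.16.4.0/22"]

# Constructed route tables for the published server: (prefix, gateway).
# "Before": SecureNAT client with only a default route to the ISA.
ROUTES_BEFORE = [("0.0.0.0/0", ISA_IP), ("172.16.112.0/21", "on-link")]
# "After": a specific route sends the remote segment to the internal router.
ROUTES_AFTER = ROUTES_BEFORE + [("172.16.4.0/22", ROUTER_IP)]


def next_hop(routes, dest):
    """Longest-prefix match: gateway of the most specific route covering dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def segments_routed_via_isa(routes, isa_ip, internal_segments):
    """Internal segments for which this host would use the ISA as next hop."""
    offenders = []
    for seg in internal_segments:
        net = ipaddress.ip_network(seg)
        # Probe the first and last usable address so a route covering only
        # part of the segment is still noticed.
        probes = (str(net[1]), str(net[-2]))
        if any(next_hop(routes, p) == isa_ip for p in probes):
            offenders.append(seg)
    return offenders


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        bad = segments_routed_via_isa(table, ISA_IP, INTERNAL_SEGMENTS)
        print(name, "-> internal segments sent through the ISA:", bad or "none")
```

An empty result means the host sends all internal-to-internal traffic directly or through the internal router, which is the state the last reply asks for.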
