Site to Site VPN Doesn't allow RDP - Why?
Site to Site VPN Doesn't allow RDP - Why? - 23.Mar.2007 12:46:55 PM
duffbrowne
Posts: 9
Joined: 14.Mar.2007
I guess I really don't understand much about this beast. I've set up a site-to-site VPN between our ISA 2006 and a DLink box. We're 10.100.100.* on our side, and the other end is 192.168.6.*. I can ping the IPs on the other end, and see them. From the other side, a scan of the 10.100.100 class C net yields 5 IPs out of the 70 or so that are here. Remote Desktop into one of the servers starts out connecting, but we get a black screen. I get piles of result codes of FWX_E_TCP_NOT_SYN_PACKET_DROPPED. I'm wondering why, when there are rules that say allow all outbound traffic from the 192.168.6.* network to the internal, and allow all outbound traffic from internal to the 192.168.6.* network, we can't do RDP, and why things are so slow when the other end wants to browse shares on our 2003 server DC? Do I have something critical left out? Help!
RE: Site to Site VPN Doesn't allow RDP - Why? - 6.Apr.2007 9:57:53 AM
duffbrowne
Posts: 9
Joined: 14.Mar.2007
No. It wasn't. I think we tried that at one point, though (not when we were trying to get a remote desktop session started), and the tunnel became even more useless. I think too that because the web proxy kicks in, my colleague at the other end lost his internet connectivity, because it wasn't coming through us to him. I could see that there were a pile of packets being rejected, like netbios things, but when I have a rule that says pass all protocols in each direction, why do I get packets that are rejected, and yet don't list a rule at all as a reason for rejection when I look at the log? There's a bunch that I just don't understand (obviously)... A friend just told me that they merely publish an RDP desktop to a particular port, so it doesn't have to be encrypted as it goes through the tunnel too. That's nice, but maybe I don't want to open up any additional ports on our public IP...

Duff
RE: Site to Site VPN Doesn't allow RDP - Why? - 6.Apr.2007 11:33:25 AM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi Duff, I thought this was a connection over a site to site VPN, is that right? If so, the Firewall client could cause problems, as it would see the remote site network as "external" and forward the connection to the Internet, which is what you don't want. However, if you don't have the Firewall client installed, and the client is a SecureNAT client of the ISA Firewall terminating the site to site VPN connection, then it should work. If name resolution is an issue, try to connect via IP address.

HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Site to Site VPN Doesn't allow RDP - Why? - 9.Apr.2007 11:03:46 AM
duffbrowne
Posts: 9
Joined: 14.Mar.2007
Actually, most of the time we tried to get this working was before the time when we installed the firewall client. We are using the IP for the RDP session, and when it "connects," all we get is a black screen, and a pile of errors in the log. As I said, a lot of packets rejected, listing no rule that caused the rejection - it was blank. The result code is FWX_E_TCP_NOT_SYN_PACKET_DROPPED. Don't know what this really means, either.

Duff

I forget if I mentioned - the "far end" is a DLink router, so we have the tunnel established that way...
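The result code Duff keeps seeing means the ISA firewall received a TCP segment for a connection whose SYN it never saw, which is the classic symptom of one direction of the traffic bypassing the firewall or the tunnel. The checker below is an added example, not code from the thread or from ISA Server: it groups simplified firewall log lines by connection and flags flows whose first observed segment is not a SYN. The log format is constructed for the example (real ISA logs carry many more fields) and the addresses are the two networks from the thread.

```python
"""Flag TCP flows for which the firewall never saw the handshake.

A mid-stream segment (ACK/PSH/FIN) arriving for a connection with no prior
SYN is what ISA reports as FWX_E_TCP_NOT_SYN_PACKET_DROPPED. Seeing it on
a site-to-site link usually points at asymmetric routing or a tunnel that
only carries one direction of the traffic.
"""
from collections import defaultdict

# Constructed sample log: "time src_ip:port dst_ip:port flags". Not ISA's
# real log layout, just enough fields to demonstrate the check.
SAMPLE_LOG = """\
12:46:01 10.100.100.5:3389 192.168.6.20:1055 ACK
12:46:01 10.100.100.5:3389 192.168.6.20:1055 PSH,ACK
12:46:02 192.168.6.21:1100 10.100.100.7:445 SYN
12:46:02 10.100.100.7:445 192.168.6.21:1100 SYN,ACK
12:46:02 192.168.6.21:1100 10.100.100.7:445 ACK
12:46:03 10.100.100.5:3389 192.168.6.20:1055 ACK
"""


def flow_key(src, dst):
    """Order the endpoints so both directions map onto one connection."""
    return tuple(sorted((src, dst)))


def find_non_syn_flows(log_text):
    """Return {flow_key: segment_count} for every flow whose first segment
    seen by the firewall did not carry SYN, i.e. the handshake never passed
    through this box and every later segment would be dropped."""
    first_flags = {}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, flags = line.split()
        key = flow_key(src, dst)
        counts[key] += 1
        first_flags.setdefault(key, set(flags.split(",")))
    return {k: counts[k] for k, f in first_flags.items() if "SYN" not in f}


if __name__ == "__main__":
    for flow, n in find_non_syn_flows(SAMPLE_LOG).items():
        print(f"no SYN seen for {flow[0]} <-> {flow[1]}: "
              f"{n} mid-stream segments would be dropped")
```

In the sample, the RDP flow (port 3389) is flagged because the firewall only saw the server's replies, while the SMB flow to port 445 is clean because its full handshake passed through.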
RE: Site to Site VPN Doesn't allow RDP - Why? - 11.Apr.2007 8:22:06 AM
duffbrowne
Posts: 9
Joined: 14.Mar.2007
Oh - it's a site to site, for sure.

Duff
RE: Site to Site VPN Doesn't allow RDP - Why? - 11.Apr.2007 12:48:39 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
OK, if this is a site to site VPN connection, make sure you can ping the remote access and that the ISA Firewall is configured to allow the ping. Then, try to connect via the IP address of the RDP server (not the name), it should work.

HTH, Tom
RE: Site to Site VPN Doesn't allow RDP - Why? - 1.May2007 4:02:57 PM
kn00p
Posts: 8
Joined: 6.Feb.2007
I solved such a problem at one of my customers. They tried to set up a site2site through a NAT router with a Cisco Concentrator without configuring NAT-T on the Concentrator. The IPSEC tunnel started and they were able to ping and telnet to port 25 on the SMTP server, but RDP failed. I was really surprised the IPSEC tunnel came up over a NAT router, but after I configured NAT-T on the concentrator the RDP problems were gone.
RE: Site to Site VPN Doesn't allow RDP - Why? - 1.May2007 5:05:30 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Dennis, this doesn't make sense! Either an IPSec tunnel succeeds or not. If not, no traffic can pass whatsoever. As you probably know, the setup of an IPSec tunnel happens in two phases. First you have the Main mode negotiation (Phase 1) and then the Quick mode negotiation (Phase 2). Once Phase 2 is completed, the traffic can pass through the tunnel. If NAT is involved, check out my article How to pass IPSec traffic through ISA Server for the details of how that works.

HTH, Stefaan
RE: Site to Site VPN Doesn't allow RDP - Why? - 2.May2007 12:21:23 AM
kn00p
Posts: 8
Joined: 6.Feb.2007
In this particular situation the tunnel succeeded but RDP traffic wasn't possible. Their setup was like this:

Cisco Concentrator----------***Internet***-----------Cisco 2600 (NAT)-------ISA 2004

They created a tunnel between the Concentrator and the ISA Server without enabling NAT Traversal on the Cisco Concentrator. I was really surprised the tunnel came up with this configuration. Because of the problems I told them that IPSEC should not work over NAT and helped them configure NAT-T on the concentrator. This solved the problem.