Welcome to ISAserver.org


Unable to Remote Access (RDP) to ISA 2006 - ROUTING?

Unable to Remote Access (RDP) to ISA 2006 - ROUTING? - 21.Feb.2008 6:57:02 AM   
Justify

 

Posts: 5
Joined: 20.Feb.2008
Status: offline
Hi guys

I come to this forum as a last ditch attempt to resolve a very frustrating problem. I have scoured the internet for solutions and attempted painstaking trial and error problem solving with no luck.

Here is my situation, first a brief summary, then the details.

SUMMARY:

In my current network setup, before ISA is installed, I have to set a static route before I can communicate with the rest of my network, and successfully use RDP.

Then I installed ISA 2006.  I then noticed that ISA deleted my static routing rules and disabled 'Routing and Remote Access'. I re-enabled the routes and everything worked fine. Then, after a while, the service was stopped (by ISA I presume) and access to RDP was denied. I am presuming that ISA overrides the 'Routing and Remote Access' service and replaced itself as the new default?

I presume what it boils down to is, how do I re-create these static routes in ISA?
Any help would be appreciated. Your Million Zimbabwean dollars are in the post ;-)

SERVER: Windows 2003 Enterprise SP2 on DELL PowerEdge 2650 (4GB Ram). 2x 1GB NIC.

TECHNICAL DETAILS:
(actual IP addresses are replaced for security reasons)

The ISA Server has two network cards with static IP settings (as below):

Card 1 (facing the internal network) 
167.121.20.4 (subnet: 255.255.255.0 / NO GATEWAY)

Card 2 (facing the open internet gateway)
167.121.64.2 (subnet: 255.255.254.0 / Gate: 167.121.65.2)

Remote PC 
167.121.72.31 (subnet: 255.255.252.0 / gate: 167.121.72.1)

The static route that I enable that allows access is as follows:

Interface:     Card1 (Internal)
Destination: 167.121.0.0
Mask:          255.255.0.0
Gateway:    167.121.20.1

SOLUTION ATTEMPTS: (failed variations not listed)
 
-1-
Configure 'Static Route' in 'Routing & Remote Access' on the Windows system.
Effect: RDP connection accepted. After timeout, routing service disabled. Then failure.

-2-
Created two Networks in ISA, '20 segment' range (167.121.0.1 - 167.121.0.255), and '72 segment' range (167.121.72.1 - 167.121.72.255).

Create Network Rule: Allow traffic from 73 segment to 20 segment, NAT

Effect: Monitor log displays attempt to connect via RDP, denied ( 0Xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED). NAT changed to ROUTE, same effect.


Post #: 1
RE: Unable to Remote Access (RDP) to ISA 2006 - ROUTING? - 21.Feb.2008 9:25:21 AM   
gbarnas

 

Posts: 151
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Try this:

In the Internal network, define EACH range you have internally, including the one directly connected. Do NOT create individual networks, as you only have one internal interface.

Create routes (plural!) for each internal range. Don't use a full subnet route to aggregate multiple subnets, especially when not all are on the inside.

Glenn

(in reply to Justify)
Post #: 2
RE: Unable to Remote Access (RDP) to ISA 2006 - ROUTING? - 21.Feb.2008 10:04:20 AM   
Justify

 

Posts: 5
Joined: 20.Feb.2008
Status: offline
Thanks for the reply Glenn.

Before I make changes, I'd just like to confirm that I understand you correctly (still very green in the ISA territory).

1) I should define my internal ranges under the INTERNAL network field under the Network options. Eg> Add following ranges to INTERNAL : 167.121.20.4 - 167.121.20.255 //// 167.121.72.1 - 167.121.72.255 ?

Part 2 I'm not quite sure. Do you mean I should re-enable "Routing and Remote Access" and change my routing rule to multiple rules, or are you stating that all routing changes are handled by ISA? If so, could you please give an example (or URL if easier) of where such routing rules are made?

Thanks again.

(in reply to gbarnas)
Post #: 3
RE: Unable to Remote Access (RDP) to ISA 2006 - ROUTING? - 21.Feb.2008 12:32:43 PM   
gbarnas

 

Posts: 151
Joined: 27.Apr.2005
From: New Jersey
Status: offline
1. Yes - under your internal network definition, you must list each network subnet or range that is accessible through that interface, even if it is not directly connected.

2. No  - just go to a command prompt and run Route Add...  add the first one and verify you can ping/reach the remote host, then continue to add any additional routes needed.

Don't mess with other routing, RAS, or firewall components outside of ISA. ISA will manage most once it's installed. The exception, to a small degree, is managing the RRAS/VPN components.

Glenn

(in reply to Justify)
Post #: 4
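
Added example, not part of the thread: a small Python check of the consistency Glenn's replies describe, namely that every route behind the internal adapter falls inside the ranges listed for the Internal network and that no such route covers the external adapter's subnet. The "before" and "after" configurations are constructed from the addresses posted above; the check is a simplified model and does not reproduce ISA's own spoof detection.

```python
import ipaddress as ip

def range_nets(ranges):
    """Expand (first, last) address ranges into collapsed CIDR networks."""
    nets = []
    for first, last in ranges:
        nets += ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last))
    return list(ip.collapse_addresses(nets))

def audit(internal_ranges, internal_routes, external_nic, sources=()):
    """Return findings for routes/sources that disagree with the Internal network."""
    covered = range_nets(internal_ranges)
    ext = ip.ip_network(external_nic, strict=False)  # subnet of the external adapter
    findings = []
    for dest in internal_routes:
        net = ip.ip_network(dest)
        if net.overlaps(ext):
            findings.append(f"route {net} overlaps external subnet {ext}")
        if not any(net.subnet_of(c) for c in covered):
            findings.append(f"route {net} is not fully inside the Internal ranges")
    for src in map(ip.ip_address, sources):
        if not any(src in c for c in covered):
            findings.append(f"source {src} is outside the Internal ranges")
    return findings

EXTERNAL_NIC = "167.121.64.2/255.255.254.0"   # Card 2 as posted
REMOTE_PC = "167.121.72.31"                    # RDP client as posted

# Constructed "before": only the directly connected segment is listed
# (assumption) and the posted 167.121.0.0/16 aggregate route is in place.
BEFORE = dict(internal_ranges=[("167.121.20.0", "167.121.20.255")],
              internal_routes=["167.121.0.0/255.255.0.0"])

# Constructed "after": one range and one route per internal subnet; the
# /22 is derived from the remote PC's posted mask 255.255.252.0.
AFTER = dict(internal_ranges=[("167.121.20.0", "167.121.20.255"),
                              ("167.121.72.0", "167.121.75.255")],
             internal_routes=["167.121.72.0/255.255.252.0"])

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(external_nic=EXTERNAL_NIC, sources=[REMOTE_PC], **cfg))
```

With the thread's figures, the route matching the "after" case would be `route -p add 167.121.72.0 mask 255.255.252.0 167.121.20.1`, using the gateway from the first post.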
RE: Unable to Remote Access (RDP) to ISA 2006 - ROUTING? - 22.Feb.2008 6:11:41 AM   
Justify

 

Posts: 5
Joined: 20.Feb.2008
Status: offline
Thanks Glenn, the solution worked.
 
For those out there with the same problem, in summary, you need to run the ROUTE ADD command from the command prompt with appropriate fields.

                    




Just a final question:

What is the difference between the "Routing and Remote Access" static rule that I used initially, and the ROUTE ADD command? The end result seems to be the same, but the ROUTE ADD rules don't seem to be shut down, thus remaining persistent.

(in reply to gbarnas)
Post #: 5
RE: Unable to Remote Access (RDP) to ISA 2006 - ROUTING? - 22.Feb.2008 10:01:11 AM   
gbarnas

 

Posts: 151
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Glad to hear it worked.

Don't forget to use the -P option in your route statements so they persist across reboots!

I don't recall the specific difference any more (sux getting old), but might think that ROUTE -P ARGS... at the command prompt is configured at the network layer and not at the RRAS service layer.

Glenn

(in reply to Justify)
Post #: 6
