Welcome to ISAserver.org


connect to outside terminal server from client

connect to outside terminal server from client - 17.May2004 2:59:00 PM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
Hello,

I have a SBS2000 server with ISA. I would like to connect from one of my workstations to a terminal server at another company through the internet.

It seems that it isn't possible to connect to a host on port 3389 from my workstation. Because when I do telnet host 3389 it doesn't work.
When I try this on my SBS server it works fine.

I think the ISA server blocks the workstation to connect to an outside computer on port 3389.

Does anybody know what's wrong?

regards,

jeroen
Post #: 1
RE: connect to outside terminal server from client - 17.May2004 9:21:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jeroen,

make sure you allow the RDP protocol (TCP port 3389 outbound) in a protocol rule.

HTH,
Stefaan

(in reply to configulan)
Post #: 2
RE: connect to outside terminal server from client - 18.May2004 8:57:00 AM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
Hi Stefaan,

I looked at:
Policy Elements => Protocol definitions and there is 3389 already defined as outbound. Is this the one you mean?

regards, jeroen

(in reply to configulan)
Post #: 3
RE: connect to outside terminal server from client - 18.May2004 12:55:00 PM   
azfar

 

Posts: 486
Joined: 27.Oct.2002
From: Karachi
Status: offline
It is just a pre-defined definition; you have to make a protocol rule to allow this port in Access Policy.

(in reply to configulan)
Post #: 4
RE: connect to outside terminal server from client - 18.May2004 1:59:00 PM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
Hi Azfar,

I already checked this:

Yeap! Create an IP packet filter to allow TCP port 3389 outbound to all remote destinations on the default ISA external NIC. I am assuming you do not have any other third party firewalls preventing access..
TX
Heath

But that's already done at the ISA server. Still not working.

(in reply to configulan)
Post #: 5
RE: connect to outside terminal server from client - 18.May2004 6:32:00 PM   
oli3

 

Posts: 1
Joined: 18.May2004
From: Clinton, SC
Status: offline
I have this same problem, and have followed the same procedures. Not sure what we're missing, but...

(in reply to configulan)
Post #: 6
RE: connect to outside terminal server from client - 18.May2004 8:13:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jeroen,

you seem to be somewhat confused about when to use protocol rules and IP packet filters! [Wink]

For all communications originating from internal hosts - that are hosts behind the ISA internal interface - you have to use protocol and site&content rules for your outbound access policy. However, for applications running on ISA server itself you have to use IP packet filters.

So, in your case allow the predefined RDP protocol definition in a protocol rule and all should start to work.

HTH,
Stefaan

(in reply to configulan)
Post #: 7
RE: connect to outside terminal server from client - 19.May2004 8:43:00 AM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
Hi Stefaan,

thanks for your reply, but...

I looked at Access Policy => Protocol rules and there is one item which has the properties:
- Action: Allow
- All IP traffic
- Schedule always
- Applies to Users and groups specified below: Backoffice internet users.

I tried to make a protocol rule only for RDP (3389) but no result.
I tried to change the All IP traffic rule to applies to any request, but also no result.

One other thing. I don't know when changes in ISA management are applied and working. My guess is that I have to stop and start the service 'Microsoft ISA server control' which also stops and starts the following services:
Microsoft Scheduled Cache download
Microsoft Web Proxy
Microsoft Firewall

regards,

jeroen

(in reply to configulan)
Post #: 8
RE: connect to outside terminal server from client - 19.May2004 9:48:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jeroen,

can you post an excerpt of the ISA Firewall and IP packet filter log unmodified? Just make sure you have enabled the logging of all fields in the ISA MMC, node Monitoring Configuration -> Logs and that the log format is set to ISA format.

HTH,
Stefaan

(in reply to configulan)
Post #: 9
RE: connect to outside terminal server from client - 24.May2004 10:50:00 AM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
Hi Stefaan,

I changed some settings in the logging so I will let it log for a day with these settings and post the logs.

regards, jeroen

(in reply to configulan)
Post #: 10
RE: connect to outside terminal server from client - 25.May2004 9:53:00 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Jeroen,

You didn't say how you have your internal clients configured. I hope you are aware that RDP can be accessed only by NAT and Firewall clients.

Since you have implemented a user level access control, NAT won't work for you. NAT clients can't pass user credentials.

Install firewall client on your internal hosts and check again. I hope this helps.

(in reply to configulan)
Post #: 11
RE: connect to outside terminal server from client - 27.May2004 2:06:00 PM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
Hello,

RedBull, thanks for your reply. I'll check it out.

For Stefaan
I've the following record in the LOG after I try to telnet to 3389 of a server on the internet:

192.168.1.110, -, -, N, 5/27/2004, 14:04:50, fwsrv, SBS2000, -, -, 63.177.197.267, 3389, -, 0, 0, 3389, TCP, Connect, -, -, -, 13301, 0, -, Allow rule, 29, 237

Hope you can help me out...

regards,

jeroen

(in reply to configulan)
Post #: 12
RE: connect to outside terminal server from client - 27.May2004 2:26:00 PM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
PROBLEM SOLVED!

RedBull was right!
The Firewall Client wasn't installed on the workstation. Stupid of me not to notice that [Smile]

Thank you all for your help

regards, jeroen

(in reply to configulan)
Post #: 13
RE: connect to outside terminal server from client - 27.May2004 4:56:00 PM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Jeroen,

We all forget the first thing to check once in a while.. but that's okay! [Smile] Glad to know your problem's solved.

(in reply to configulan)
Post #: 14
RE: connect to outside terminal server from client - 30.May2004 5:10:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jeroen,

good to hear you have it working! [Smile]

Take note that in the log excerpt you posted the result-code of the Connect command was 13301 and that means "Request denied by the firewall policy". For more info, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;284818 .

HTH,
Stefaan

(in reply to configulan)
Post #: 15
RE: connect to outside terminal server from client - 5.Jun.2004 10:49:00 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Jeroen and Stefaan,

That's correct. The request was denied by the firewall policy but still this wasn't a misconfiguration of the policy, I guess. Jeroen is using user level access control and firewall client is needed to successfully authenticate with ISA for RDP protocol. Plain NAT clients can't authenticate and are hence logged as denied requests.

(in reply to configulan)
Post #: 16
RE: connect to outside terminal server from client - 5.Jun.2004 5:56:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi RedBull,

I know that! [Wink]

I just tried to educate Jeroen to analyze the ISA logs. They are telling you a lot. In his case, that the ISA denied (sc-status) the request because the user was not authenticated (cs-username and sc-authenticated) and that the request was not coming from a Firewall client (c-agent). [Cool]

Thanks,
Stefaan

[ June 05, 2004, 05:58 PM: Message edited by: spouseele ]

(in reply to configulan)
Post #: 17
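
The log reading described in the post above, as an added example that is not part of the original thread: a small Python parser applied to the record jeroen posted. The column order in FIELDS is an assumption (the thread names only sc-status, cs-username, sc-authenticated and c-agent), chosen to match the 27 columns of that record.

```python
# Assumed column order for the ISA-format Firewall service log with all
# fields enabled; it lines up with the 27 columns of the posted record.
FIELDS = [
    "c-ip", "cs-username", "c-agent", "sc-authenticated", "date", "time",
    "s-svcname", "s-computername", "cs-referred", "r-host", "r-ip", "r-port",
    "time-taken", "cs-bytes", "sc-bytes", "cs-protocol", "cs-transport",
    "s-operation", "cs-uri", "cs-mime-type", "s-object-source", "sc-status",
    "s-cache-info", "rule#1", "rule#2", "sessionid", "connectionid",
]

# Only the result code explained in the thread is listed here.
STATUS_TEXT = {"13301": "Request denied by the firewall policy"}

def parse_record(line):
    """Split one comma-separated record into a field-name -> value dict."""
    values = [v.strip() for v in line.split(",")]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    # "-" is the log's marker for an empty field
    return {name: (None if v == "-" else v) for name, v in zip(FIELDS, values)}

def triage(rec):
    """Return findings that explain why a connection attempt was refused."""
    findings = []
    status = rec["sc-status"]
    if status in STATUS_TEXT:
        findings.append(f"sc-status {status}: {STATUS_TEXT[status]}")
    if rec["cs-username"] is None and rec["sc-authenticated"] != "Y":
        findings.append("no user name and not authenticated: "
                        "a rule limited to users/groups cannot match")
    if rec["c-agent"] is None:
        findings.append("c-agent empty: request did not come from a Firewall client")
    return findings

# The record from the thread, copied as posted.
SAMPLE = ("192.168.1.110, -, -, N, 5/27/2004, 14:04:50, fwsrv, SBS2000, -, -, "
          "63.177.197.267, 3389, -, 0, 0, 3389, TCP, Connect, -, -, -, 13301, "
          "0, -, Allow rule, 29, 237")

if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print(rec["c-ip"], "->", rec["r-ip"], "port", rec["r-port"])
    for finding in triage(rec):
        print(" -", finding)
```
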
RE: connect to outside terminal server from client - 8.Jun.2004 8:44:00 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Stefaan,

I'm sure you do know that [Smile] . You know way much more about ISA than most of us do.. including me. [Big Grin]

I kinda misinterpreted what you were thinking. Never mind. [Wink]

(in reply to configulan)
Post #: 18
RE: connect to outside terminal server from client - 15.Jun.2004 11:58:00 AM   
configulan

 

Posts: 8
Joined: 17.May2004
Status: offline
Hi all!

Thanks for your explanations about the ISA log! I'll keep it in mind!

regards,

jeroen

(in reply to configulan)
Post #: 19
RE: connect to outside terminal server from client - 15.Jun.2004 8:29:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jeroen,

excellent! [Cool]

Thanks,
Stefaan

(in reply to configulan)
Post #: 20
