
Discussion about part 2 of article on publishing TSAC sites

Discussion about part 2 of article on publishing TSAC s... - 24.Jan.2006 8:55:20 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing part 2 of the article series on publishing TSAC/RDP Web sites at http://www.isaserver.org/tutorials/Publishing-Remote-Desktop-Web-Connection-Sites-ISA-Firewall-Part2.html

Thanks!
Tom

< Message edited by tshinder -- 24.Jan.2006 9:00:45 PM >


_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about part 2 of article on publishing TS... - 26.Jan.2006 1:46:07 PM   
thewspot

 

Posts: 16
Joined: 19.Jul.2004
From: Australia
Status: offline
You might cover this in the next section (or not), but I figured I'd ask anyway. Essentially the questions boil down to "How can this co-exist with an existing published OWA?"

Part 1: Multiple certificates
When trying to create a certificate, it already has one assigned to that website for published OWA and doesn't give the option to create another. I realise this isn't an IIS how-to web site, but what happens if you want to publish the tsweb using a different external url to what the OWA certificate has already defined? Do I need to create a separate web and move tsweb under it?

Part 2: Existing OWA published on port 443.
What happens if you already have OWA published on the ISA server? I just tried on my setup and it gives me a message saying:

"A web listener that listens on similar IP and port is already in use by the rule "Publish OWA Web Site". Web Listener IP addresses and ports used by different rules cannot overlap"

Given I only have one external IP address, is there a way to make this work?
1. Use the existing OWA listener (which is using FBA)
2. Or need to assign a different port for the SSL incoming connections?

Once again, this article has opened my eyes to something I was aware existed, but had as yet not felt sure/brave enough to try doing it myself. I can't say how much this site has helped the learning curve for ISA2004.

(in reply to tshinder)
Post #: 2
RE: Discussion about part 2 of article on publishing TS... - 27.Jan.2006 1:47:37 PM   
zob

 

Posts: 5
Joined: 27.Jan.2006
Status: offline
Another great pair of articles that have helped me to understand ISA/RDP enormously. I've managed to get OWA and Remote Desktop Web Connections to co-exist peacefully after an initial punch-up. However having got RDWC working I'm faced with a question I can't answer...

If I need unique public DNS names, IP addresses and RDP listeners per RDP server why do I need Remote Desktop Web Services at all when, armed with a TS client, I can access the self same RDP servers directly?

What I was expecting was a situation similar to SBS 2003 where all PC's and servers on the network would be available for connection from a single login, certainly a single IP & port.  As I say SBS achieves this so it must be possible.

Excuse me if I've completely missed the point but I've only been messing with ISA for a few days and my mind may well be addled with all the convolutions involved! 

(in reply to tshinder)
Post #: 3
RE: Discussion about part 2 of article on publishing TS... - 28.Jan.2006 5:50:05 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: thewspot

You might cover this in the next section (or not), but I figured I'd ask anyway. Essentially the questions boil down to "How can this co-exist with an existing published OWA?"

Part 1: Multiple certificates
When trying to create a certificate, it already has one assigned to that website for published OWA and doesn't give the option to create another. I realise this isn't an IIS how-to web site, but what happens if you want to publish the tsweb using a different external url to what the OWA certificate has already defined? Do I need to create a separate web and move tsweb under it?

Part 2: Existing OWA published on port 443.
What happens if you already have OWA published on the ISA server? I just tried on my setup and it gives me a message saying:

"A web listener that listens on similar IP and port is already in use by the rule "Publish OWA Web Site". Web Listener IP addresses and ports used by different rules cannot overlap"

Given I only have one external IP address, is there a way to make this work?
1. Use the existing OWA listener (which is using FBA)
2. Or need to assign a different port for the SSL incoming connections?

Once again, this article has opened my eyes to something I was aware existed, but had as yet not felt sure/brave enough to try doing it myself. I can't say how much this site has helped the learning curve for ISA2004.


Part 1: Multiple certificates
When trying to create a certificate, it already has one assigned to that website for published OWA and doesn't give the option to create another. I realise this isn't an IIS how-to web site, but what happens if you want to publish the tsweb using a different external url to what the OWA certificate has already defined? Do I need to create a separate web and move tsweb under it?
TOM: You don't need a second certificate on the TSweb site, you can use the same one that the OWA site uses. However, you do need to request a second certificate for the Web listener that the TSWeb site will use, if you want to create two Web Publishing Rules using different FQDNs (which you'll need to do).


Part 2: Existing OWA published on port 443.
What happens if you already have OWA published on the ISA server? I just tried on my setup and it gives me a message saying:

"A web listener that listens on similar IP and port is already in use by the rule "Publish OWA Web Site". Web Listener IP addresses and ports used by different rules cannot overlap"

Given I only have one external IP address, is there a way to make this work?
1. Use the existing OWA listener (which is using FBA)
2. Or need to assign a different port for the SSL incoming connections?
TOM: You need to create a second Web listener, binding a certificate with a different common/subject name, and use that for the TSWeb publishing rule.
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to thewspot)
Post #: 4
RE: Discussion about part 2 of article on publishing TS... - 28.Jan.2006 5:51:59 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: zob

Another great pair of articles that have helped me to understand ISA/RDP enormously. I've managed to get OWA and Remote Desktop Web Connections to co-exist peacefully after an initial punch-up. However having got RDWC working I'm faced with a question I can't answer...

If I need unique public DNS names, IP addresses and RDP listeners per RDP server why do I need Remote Desktop Web Services at all when, armed with a TS client, I can access the self same RDP servers directly?

What I was expecting was a situation similar to SBS 2003 where all PC's and servers on the network would be available for connection from a single login, certainly a single IP & port.  As I say SBS achieves this so it must be possible.

Excuse me if I've completely missed the point but I've only been messing with ISA for a few days and my mind may well be addled with all the convolutions involved! 


Hi Zob,
SBS has an RDP proxy that isn't available on any other version of Windows. Without it, you need to use multiple IP addresses, or use alternate ports, to publish multiple RDP servers.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to zob)
Post #: 5
RE: Discussion about part 2 of article on publishing TS... - 23.Nov.2006 8:20:57 AM   
bendji

 

Posts: 56
Joined: 18.Sep.2005
From: Denmark
Status: offline
Hi Tom,

Thanks for some great info about publishing, listeners and RDP.

My question is how would you configure it to work with VPN? Where you use an Internal DNS server?

In article 3 you write something about host files to get the right server.
Is it possible to use the same name on the internal LAN and on VPN, where the connection is picked up by the listener?
Or do I have to make other names in the internal DNS which use the ISA's VPN IP address (External interface)?

Yours Sincerely,
Benjamin

< Message edited by bendji -- 27.Nov.2006 2:02:08 AM >

(in reply to tshinder)
Post #: 6
RE: Discussion about part 2 of article on publishing TS... - 24.Nov.2006 12:10:44 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

Not sure what the problem is.

Are you trying to connect to RDP servers using FQDNs over a VPN connection?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bendji)
Post #: 7
RE: Discussion about part 2 of article on publishing TS... - 27.Nov.2006 2:20:34 AM   
bendji

 

Posts: 56
Joined: 18.Sep.2005
From: Denmark
Status: offline
Hi Tom,

Let me see if I can explain it a bit better.

I just read your little RDP series and decided I would like to try and publish a "Remote Desktop Web Service Server" over VPN and then set the rule up to use SecurID.

The problem is I end up in a little DNS problem (as always...).
Since the VPN clients and the ISA 2006 server use the Internal DNS server, I can't use a FQDN for this RDP server. (I've also tried to create a new zone in the DNS with a public name and make it point to the server's internal IP address.)

Here is a picture of the scenario:
VPN client -- Internet -- ISA 2006 VPN -- Remote Desktop server

If I use a network monitor on the VPN client and I open a browser and write "rdp.domain.local", the client makes a DNS request, gets the internal IP address and then tries to connect directly, and since there ain't a rule allowing this it is denied. It seems like the web listener misses the connection.
If I set the publishing rule up, and use the ISA server's VPN address, I can get it to work, by writing the ISA server's VPN address (the first in the range) in the browser. But as most people, I like to use names and not numbers when I connect to services.

This is probably more a VPN problem, when I think about it. So if you can or want me to, Tom, I can move it over to the VPN section instead.

Yours Sincerely,
Benjamin



(in reply to tshinder)
Post #: 8
RE: Discussion about part 2 of article on publishing TS... - 3.Dec.2006 11:30:51 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Benjamin,

If the VPN clients are correctly resolving the Internal name, and you're allowing HTTP and RDP from the VPN clients Network to the destination server, it should work fine.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bendji)
Post #: 9
RE: Discussion about part 2 of article on publishing TS... - 13.Mar.2007 4:15:43 AM   
rihas_1996

 

Posts: 4
Joined: 15.Mar.2006
Status: offline
I think there is a missing point in part 2, that is about RDP Listener configuration.
Please can you explain it in detail.
Thanks,
Hashim

(in reply to tshinder)
Post #: 10
RE: Discussion about part 2 of article on publishing TS... - 18.Mar.2007 2:24:49 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
What's missing?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rihas_1996)
Post #: 11
RE: Discussion about part 2 of article on publishing TS... - 4.May2007 7:22:01 AM   
freesman

 

Posts: 5
Joined: 9.Jan.2006
Status: offline
Hi,

In the post, does the RDP publishing rule allow any computer outside to connect directly, or have I missed something? How do I configure it so that only the Remote Desktop Web client can connect?

(in reply to tshinder)
Post #: 12
RE: Discussion about part 2 of article on publishing TS... - 5.May2007 2:44:04 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
There is NO Remote Desktop Web client.

Read part of the article that shows there is no such thing as RDP/SSL in this scenario.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to freesman)
Post #: 13
RE: Discussion about part 2 of article on publishing TS... - 14.May2007 6:10:42 AM   
freesman

 

Posts: 5
Joined: 9.Jan.2006
Status: offline
If I need unique public DNS names, IP addresses and RDP listeners per RDP server, then anybody can access the same RDP servers directly?

RDP Publishing Rule:
Action: Allow
Traffic: RDP Server
From: Anywhere
To: 192.168.1.x
Networks: x.x.x.x (External)
Schedule: Always

(in reply to tshinder)
Post #: 14
RE: Discussion about part 2 of article on publishing TS... - 14.May2007 8:55:11 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes. No one ever said that the TSAC was a security solution!

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to freesman)
Post #: 15
RE: Discussion about part 2 of article on publishing TS... - 14.Sep.2009 12:11:51 PM   
meggert

 

Posts: 6
Joined: 22.Mar.2004
From: Milwaukee, WI
Status: offline
I have 2 questions.

Is there an article that describes the setup when using ISA 2006? We are using ISA 2006 and I'm trying to use this article but some of the steps are different.

My other question concerns the creation and use of the SSL Listener. We are also using "http over rpc" so I've been getting the message box about the duplicate use of the port and IP address. In some of the above discussion it sounds like I can use the listener for "http over rpc" but then there is a statement to create a second listener but I'm not sure what should be different.

I have to say I have minimal experience with ISA 2006.

Thanks,
Mark Eggert

(in reply to tshinder)
Post #: 16
RE: Discussion about part 2 of article on publishing TS... - 17.Sep.2009 8:03:04 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Are you trying to publish TSAC or TSG included with Windows Server 2008?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to meggert)
Post #: 17
RE: Discussion about part 2 of article on publishing TS... - 18.Sep.2009 9:39:47 AM   
meggert

 

Posts: 6
Joined: 22.Mar.2004
From: Milwaukee, WI
Status: offline
Hello Tom,
Thanks for getting back to me. I am not sure of the terminology but I believe it is TSAC as we don't have any Windows Server 2008 servers.

We are trying to publish the Remote Desktop Web Connection Site and we are using "HTTP over RPC" and we have another site published on port 80 of our external IP address. We have set up an A Record for the Remote Desktop Web Connection Site at our external DNS. We have also set up a second web listener but are told that the IP address and port are being used by another listener.

So any help with this would be greatly appreciated. I am willing to give you my email address if you would like to take this offline.

Regards,
Mark Eggert

(in reply to tshinder)
Post #: 18
RE: Discussion about part 2 of article on publishing TS... - 27.Sep.2009 10:02:30 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

If you're trying to connect to an "HTTP over RPC" type of tunneled connection, that would be more consistent with the Windows Server 2008 Terminal Services Gateway (TSG).

If you're just trying to connect to the TS Web site and then connect over RDP over that (how it used to be done before TSG), then that's just a regular RDP connection after they enter the computer name or IP address in the text box on the log on page.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to meggert)
Post #: 19
RE: Discussion about part 2 of article on publishing TS... - 28.Sep.2009 4:27:36 PM   
meggert

 

Posts: 6
Joined: 22.Mar.2004
From: Milwaukee, WI
Status: offline
Hello Tom,
We are trying to do the second description. And I'm having a problem trying to create the firewall rules and the SSL listener as I explained earlier. I can create the second listener but when I try to use it in a rule I'm told that another listener is already using the IP Address and Port. How do I get around this problem?

Thanks,
Mark Eggert

(in reply to tshinder)
Post #: 20
