I am probably not in the right place

bbenninger -> I am probably not in the right place (11.Aug.2008 9:49:41 AM)

...but I just read Thomas Shinder's article on Remote Desktop Web Connections and the article linked to these forums. If you could please point me in the right direction or forum I would be very grateful!

Now on to the issue:

I have a Windows Server 2003 box and a bunch of XP machines behind a firewall with NAT forwarding set up. I can hit the server via the domain_name/tsweb from the internet, but would like to learn how to let my users access their desktops remotely from home as well.

According to the article I would need a separate public IP forwarded through my firewall to the appropriate machine for each box.

What is the correct way to do this without adding extra public IPs for each machine?


Thanks,
Bob




paulo.oliveira -> RE: I am probably not in the right place (11.Aug.2008 3:41:58 PM)

Hi,

the best way is configuring ISA remote client VPN.

Regards,
Paulo Oliveira.




bbenninger -> RE: I am probably not in the right place (11.Aug.2008 3:46:43 PM)

What is this? Where do I start? Does ISA come with Win Server 2003?




pwindell -> RE: I am probably not in the right place (11.Aug.2008 4:55:40 PM)

Wasn't this asked in another forum?
Didn't I give a detailed answer to it?




bbenninger -> RE: I am probably not in the right place (11.Aug.2008 8:09:27 PM)

quote:

ORIGINAL: pwindell

Wasn't this asked in another forum?
Didn't I give a detailed answer to it?



I asked this in Server Publishing as well but have not received a response.

Do you remember the title of the thread? I would love to read it.




pwindell -> RE: I am probably not in the right place (12.Aug.2008 9:43:00 AM)

I think I backed out after writing because I wasn't totally sure what all the Remote Desktop Web Connections actually did,...which is exactly why Tom's first article on it is written the way it is,...because so many people don't understand how the process really works. So I had to find it and actually read it myself,..."Part 1" anyway.

Anyway, if you have multiple RDP "targets" on the LAN that you want to connect to,..you will need a Public IP# on the outside of the ISA to correspond to each "target" and then create a separate RDP Publishing Rule for each one which is pretty much the same thing you would be doing if you did not use Remote Desktop Web Connections and just used straight RDP with the Remote Desktop Client.

So if you don't think that is worth all the hassle (it isn't to me), or don't have the Public IP#s from the ISP (sounds like you don't), or your Line Technology from the ISP does lend itself to doing this properly,....then just forget it and use Remote Access VPN and then run the RDP to whatever "target" you want over the top of the VPN connection.  ISA can be very detailed and "controlling" with who is allowed to VPN in and what they can connect to after they establish the VPN (which is very good).

So I throw my hat in with Paulo on this one.  Remote Access VPN is the way to go.




bbenninger -> RE: I am probably not in the right place (12.Aug.2008 10:17:23 AM)

Thanks so much for getting back to me. You are correct in that I don't want to go buy 50 public IPs to use for Remote Desktop. I don't think that would be a sound decision on my part :)

It does sound like Remote Access VPN is the way to go - so I will do some searches for that, but if you have a good post or doc handy please let me know.

One thing I would like to note though - as I was testing Remote Desktop Web Connection - once I created a VPN connection to my network I could get into any machine I wanted via the /tsweb link. Without the VPN connection I could only hit the server that was forwarded through the firewall. Does that lend itself to a simpler solution?


Thanks,
Bob




pwindell -> RE: I am probably not in the right place (12.Aug.2008 10:54:36 AM)

quote:

ORIGINAL: bbenninger

One thing I would like to note though - as I was testing Remote Desktop Web Connection - once I created a VPN connection to my network I could get into any machine I wanted via the /tsweb link. Without the VPN connection I could only hit the server that was forwarded through the firewall. Does that lend itself to a simpler solution?

I don't see the problem you're asking to solve.

Establishing a VPN Connection gives you access to absolutely nothing if it is not accompanied by a proper Access Rule for what you want to do:

From: VPN Clients Network (that's the actual name)
To: <whatever>
Protocol: <whatever>
Users: <whoever>
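
A minimal model of the rule shape in the post above (From / To / Protocol / Users) with default deny, added here as an illustration; it is not part of the thread and not ISA's own code. The subnets, host addresses, user names and rule names are constructed, and ISA itself is configured through its management console rather than Python.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; none of these values come from the thread.
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.0.0/24"),
    "VPN Clients": ipaddress.ip_network("10.0.50.0/24"),
}
RDP = ("tcp", 3389)

@dataclass(frozen=True)
class AccessRule:
    name: str             # hypothetical rule name
    from_net: str         # source network, e.g. "VPN Clients"
    to_hosts: frozenset   # destination IPs the rule covers
    protocol: tuple       # (transport, port)
    users: frozenset      # authenticated users the rule applies to

# One narrow rule per need: each user reaches only the listed target over RDP.
RULES = [
    AccessRule("bob-own-desktop", "VPN Clients",
               frozenset({"10.0.0.21"}), RDP, frozenset({"bob"})),
    AccessRule("alice-rdp-server", "VPN Clients",
               frozenset({"10.0.0.10"}), RDP, frozenset({"alice"})),
]

def source_network(src_ip):
    """Map a source address to the named network that contains it."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"

def evaluate(src_ip, user, dst_ip, protocol, rules=RULES):
    """Return the first matching allow rule's name, or None (default deny)."""
    src_net = source_network(src_ip)
    for rule in rules:
        if (rule.from_net == src_net and dst_ip in rule.to_hosts
                and protocol == rule.protocol and user in rule.users):
            return rule.name
    return None  # an established VPN session with no matching rule gets nothing
```
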




bbenninger -> RE: I am probably not in the right place (12.Aug.2008 11:34:27 AM)

What is the process for setting up Remote Access VPN? Where do I start? Is this specific to my firewall?


thanks,
Bob




pwindell -> RE: I am probably not in the right place (12.Aug.2008 11:56:52 AM)

It is just a few mouse clicks in the ISA MMC.

Look in the ISA Help for details, but there isn't that much to it.

Now if the VPN Clients receive their IP Config via DHCP (chosen in the ISA MMC as part of the VPN Setup) and they get an IP# that is a normal part of the Internal Network you may get brief "Spoofing Alerts" because the IP# is suddenly coming from the VPN Clients Network when it was expected to be in the Internal Network. Personally, I don't worry about the alerts,..I run mine this way,..it works fine.

In the ISA Help go to Contents--->Virtual Private Networking--->VPN: How To--->Configure Remote VPN Client Access (and also) Configure Common VPN Settings.

Keep it simple,..there are a lot of options and possibilities that you will not need to touch. Just get it working in a normal straightforward way. You can get "creative" with it later on after you are more familiar with it.




bbenninger -> RE: I am probably not in the right place (12.Aug.2008 12:07:10 PM)

Ok great! Thanks so much.

Do I need to worry about upgrading to an advanced firewall (I currently use a WG Firebox 1000) or is all of this connectivity handled in ISA?




pwindell -> RE: I am probably not in the right place (12.Aug.2008 4:50:17 PM)

You already have an advanced Firewall. It is called ISA,...it is the most advanced firewall that is out there until MS TMG comes out.



