RDP problems


DamianHill -> RDP problems (11.Aug.2009 12:02:29 PM)

I've set up ISA as a back-to-back firewall to our BT Secure Services firewall.

I am able to see the RDP traffic hitting the ISA firewall, but it is denied access. I have configured the ISA itself so that I can RDP from an external source over VPN and this works fine, so I tried following a similar setup to the system policy but it still denies the connection.

The rule I've created is...
Action: Allow
Protocol: RDP(Terminal Services)
From: External
To: Internal
Users: All Users

I'm pulling my hair out over this so would be very grateful for any help.

DEVLAVI -> RE: RDP problems (11.Aug.2009 12:23:21 PM)

Access rule doesn't work here.
You need to publish the RDP (Terminal Services) Server on a default port or an alternative port (Non-Web Server Protocol Publishing rule) to the Internal IP of the ISA. The network listener should be External.


DamianHill -> RE: RDP problems (11.Aug.2009 12:52:53 PM)


Thanks for the information. Is there a doc or tutorial showing what I need to do? I'm pretty new to ISA server.



DEVLAVI -> RE: RDP problems (11.Aug.2009 1:29:52 PM)

Check out this article by Mr. Shinder


DamianHill -> RE: RDP problems (11.Aug.2009 6:30:39 PM)

I followed the article to the letter but it still fails. When I used a different port I get a denied connection with 'Unidentified IP Traffic (TCP:8888)' - yet I can still RDP from home into the ISA without a problem, I just don't get it.

The article is for ISA2004; I'm using ISA2006. Would that make a difference?


DamianHill -> RE: RDP problems (12.Aug.2009 8:27:51 AM)

Any ideas guys?

SteveMoffat -> RE: RDP problems (12.Aug.2009 8:39:47 AM)

You need a server publishing rule as said above, from your source network to the internal IP address of the server you are trying to RDP to.

DamianHill -> RE: RDP problems (12.Aug.2009 9:10:41 AM)


If I run through the steps I've been through to make this work...

1. Set RDP on ISA to listen on internal network only.
2. Followed http://www.isaserver.org/articles/2004pubts.html (publishing the RDP Server on the ISA Firewall) - which is for 2004, but seems as though it should be pretty much the same for 2006 - only difference being that I chose to publish Non-web server protocols. When following the article I create the port 9999, but when attempting to connect from external I get access denied...
Client IP:
Destination IP:
Protocol: Unidentified IP Traffic (TCP:9999)

There is no longer any mention of RDP being denied.

Grateful for any nuggets!


SteveMoffat -> RE: RDP problems (12.Aug.2009 9:31:42 AM)

& you're forwarding 9999 to 3389?

DamianHill -> RE: RDP problems (12.Aug.2009 9:38:28 AM)

I'm following exactly the article, there isn't a mention of port forwarding in there - can you explain what I should setup please?

DamianHill -> RE: RDP problems (12.Aug.2009 9:51:10 AM)


I understand what's needed now, and looking at the article again, my port 9999 is set to pass it through on the default port 3389, so I guess it is forwarded.

Is there anything else I can do to allow the connection?

SteveMoffat -> RE: RDP problems (12.Aug.2009 9:51:59 AM)

So you've changed the port that RDP listens on to 9999?

DamianHill -> RE: RDP problems (12.Aug.2009 9:58:03 AM)


On publishing I clicked 'ports' then set the following...

Firewall Ports - Publish on this port instead of the default port: 8888.

Published Server Ports - Send requests to the default port on the published server.

I think that this will provide the port forwarding?


SteveMoffat -> RE: RDP problems (12.Aug.2009 10:00:56 AM)

How are you testing this? Over the internet?

DamianHill -> RE: RDP problems (12.Aug.2009 10:07:53 AM)

Yes. We initiate a VPN connection to the hardware firewall. We then attempt RDP into the network. I have successfully used RDP to access the ISA, but have since only allowed it to listen on the internal network.

Hope that makes sense!

SteveMoffat -> RE: RDP problems (12.Aug.2009 10:15:30 AM)

Your rule should allow from the VPN network then, not External.

DamianHill -> RE: RDP problems (12.Aug.2009 10:21:56 AM)


It is my understanding that the VPN connection terminates at the Hardware firewall which all traffic hits, then all traffic is handed off to the ISA.

Are you saying I should use the VPN object, or IPSec???

DamianHill -> RE: RDP problems (12.Aug.2009 10:27:46 AM)


I've gone back to square one and removed all rules. Now an attempt to RDP gives the following denied message.

Destination IP: (Internal Terminal Server)
Port: 3389
Protocol: RDP (Terminal Services)
Action: Denied Connection
Source: External(
Destination: Internal (

Looking at the above output do you still think it needs anything further for the VPN connection?


DamianHill -> RE: RDP problems (12.Aug.2009 11:11:25 AM)

Don't know whether this helps narrow down my problem, but I'm also unable to access external to internal using - everything we do appears to be denied.

frank_hoof -> RE: RDP problems (18.Aug.2009 8:45:47 AM)

Is the server that is using RDP client in the internal network zone?
This bothered me quite some time since the network dept decided to change the IP plan...