RDP problems (Full Version)



DamianHill -> RDP problems (11.Aug.2009 12:02:29 PM)

I've set up ISA as a back-to-back firewall to our BT Secure Services firewall.

I am able to see the RDP traffic hitting the ISA firewall but it is denied access. I have configured the ISA itself so that I can RDP from an external source over VPN and this works fine, so I tried following a similar setup to the system policy but it still denies the connection.

The rule I've created is...
Action: Allow
Protocol: RDP(Terminal Services)
From: External
To: Internal
Users: All Users

I'm pulling my hair out over this so would be very grateful for any help.




DEVLAVI -> RE: RDP problems (11.Aug.2009 12:23:21 PM)

Access rule doesn't work here.
You need to publish RDP (Terminal Services) Server on a default port or an alternative port (Non-Web Server Protocol Publishing rule) to the Internal IP of the ISA. Network listener should be External.

HTH,
DEV




DamianHill -> RE: RDP problems (11.Aug.2009 12:52:53 PM)

Dev,

Thanks for the information. Is there a doc or tutorial showing what I need to do? I'm pretty new to ISA server.

Thanks

Damian




DEVLAVI -> RE: RDP problems (11.Aug.2009 1:29:52 PM)

Check out this article by Mr. Shinder
http://www.isaserver.org/articles/2004pubts.html

DEV




DamianHill -> RE: RDP problems (11.Aug.2009 6:30:39 PM)

I followed the article to the letter but it still fails. When I used a different port I get a denied connection with 'Unidentified IP Traffic (TCP:8888)' - yet I can still RDP from home into the ISA without a problem, I just don't get it.

The article is for ISA2004, I'm using ISA2006; would that make a difference?

[:(]




DamianHill -> RE: RDP problems (12.Aug.2009 8:27:51 AM)

Any ideas guys?




SteveMoffat -> RE: RDP problems (12.Aug.2009 8:39:47 AM)

You need a server publishing rule as said above, from your source network to the internal IP address of the server you are trying to rdp to.




DamianHill -> RE: RDP problems (12.Aug.2009 9:10:41 AM)

Steve,

If I run through the steps I've been through to make this work...

1. Set RDP on ISA to listen on internal network only.
2. Followed http://www.isaserver.org/articles/2004pubts.html (publishing the RDP Server on the ISA Firewall) - which is for 2004, but seems as though it should be pretty much the same for 2006 - only difference being that I chose to publish Non-web server protocols. When following the article I create the port 9999, but when attempting to connect from external I get access denied...
Client IP: 172.17.0.2
Destination IP: 10.0.0.11
Protocol: Unidentified IP Traffic (TCP:9999)

There is no longer any mention of RDP being denied.

Grateful for any nuggets!

Damian[:(]




SteveMoffat -> RE: RDP problems (12.Aug.2009 9:31:42 AM)

& you're forwarding 9999 to 3389?




DamianHill -> RE: RDP problems (12.Aug.2009 9:38:28 AM)

I'm following exactly the article, there isn't a mention of port forwarding in there - can you explain what I should setup please?




DamianHill -> RE: RDP problems (12.Aug.2009 9:51:10 AM)

Steve,

I understand what's needed now, and looking at the article again, my port 9999 is set to pass it through on the default port 3389 so I guess it is forwarded.

Is there anything else I can do to allow the connection?




SteveMoffat -> RE: RDP problems (12.Aug.2009 9:51:59 AM)

So you've changed the port that rdp listens on to 9999?




DamianHill -> RE: RDP problems (12.Aug.2009 9:58:03 AM)

Steve,

On publishing I clicked 'ports' then set the following...

Firewall Ports - Publish on this port instead of the default port:8888.

Published Server Ports - Send requests to the default port on the published server.

I think that this will provide the port forwarding?

Damian




SteveMoffat -> RE: RDP problems (12.Aug.2009 10:00:56 AM)

How are you testing this? Over the internet?




DamianHill -> RE: RDP problems (12.Aug.2009 10:07:53 AM)

Yes. We initiate a VPN connection to the hardware firewall. We then attempt RDP into the network. I have successfully used RDP to access the ISA, but have since only allowed it to listen on the internal network.

Hope that makes sense!




SteveMoffat -> RE: RDP problems (12.Aug.2009 10:15:30 AM)

Your rule should allow from the VPN network then, not external.




DamianHill -> RE: RDP problems (12.Aug.2009 10:21:56 AM)

Steve,

It is my understanding that the VPN connection terminates at the Hardware firewall which all traffic hits, then all traffic is handed off to the ISA.

Are you saying I should use the VPN object, or IPSec???




DamianHill -> RE: RDP problems (12.Aug.2009 10:27:46 AM)

Steve,

I've gone back to square one and removed all rules. Now an attempt to RDP gives the following denied message.

Destination IP:10.0.0.11 (Internal Terminal Server)
Port: 3389
Protocol: RDP (Terminal Services)
Action: Denied Connection
Client: 172.17.0.2
Source: External(172.17.0.2:49277)
Destination: Internal (10.0.0.11:3389)

Looking at the above output do you still think it needs anything further for the VPN connection?

Damian[:(]




DamianHill -> RE: RDP problems (12.Aug.2009 11:11:25 AM)

Don't know whether this helps narrow down my problem, but I'm also unable to access external to internal using 172.17.0.2 - everything we do appears to be denied.




frank_hoof -> RE: RDP problems (18.Aug.2009 8:45:47 AM)

Is the server that is using RDP client in the internal network zone?
This bothered me quite some time since the network dept decided to change the IP plan...



