We have our main site and 2 remote sites. Last week we had an ISA to ISA site-to-site VPN between our main site and one of the remote sites. This Remote Site VPN is L2TP. It is working fine and I can RDP to the three servers at the remote site from my desktop at the main site with no problem. At the end of last week we installed an ISA server at our other remote site, and set up another L2TP site-to-site VPN. We got this working, and traffic now flows between the two sites as it should. On this new Remote Site VPN connection, though, I have discovered an odd and annoying problem. We only have one server at this remote site, and it is a DC. For some reason, I can no longer RDP from my desktop at the main site to the DC at the remote site. I can RDP from my desktop to the ISA server at the remote site just fine, and I can browse the remote DC via its UNC address. Oddly enough, I CAN RDP to the remote DC from a DC at the main site. So, I have to RDP to a local DC at the main site, and then RDP from there to the DC at the remote site. What a pain!
Obviously, something isn't right here, but I am going nuts trying to track the problem down. When watching the Logging traffic on our main site's ISA server, I can see the traffic from my Desktop trying to go to remote DC. The Initiation request is picked up by the correct rule (main site to remote site rule) on port 3389, as it should be, but then several entries like this are logged:
Denied Connection MainSiteISAServer 11/4/2009 9:19:23 AM
Log type: Firewall service
Status:
Rule:
Source: Internal (MyDesktopIP:4927)
Destination: Local Host (MainSiteISAInternalIP:9413)
Protocol: Unidentified IP Traffic (TCP:9413)
User:
The TCP port on these entries is random every time I try to connect to the remote DC via RDP. What confuses me about these entries even more is the fact that the Destination is the main site's ISA Internal IP, rather than the remote DC. The RDP window at this time never brings me to a login screen; it just eventually gives me an error saying that it couldn't connect to the remote server on time.
In comparison, when connecting to the ISA server at our other remote site, the one that has a completely functioning Remote Site VPN, I see the Initiation request in the Logging, and then I am presented with the server's login screen right away. Success!
So, if you could help at all, please throw any and all ideas out there! I really would like to get this issue worked out. Thank you so much for any help!
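To make the symptom in the quoted log entries easier to spot across a longer capture, here is an added example (not code from the thread) that parses ISA firewall-log entries in the multi-line "Key: value" form shown above and, per source IP, counts RDP initiations against denied "Unidentified IP Traffic" entries aimed at Local Host. The sample log, IP addresses and rule name are constructed; the real entries would also carry the Log type, Status and User lines, which the parser simply keeps as extra fields.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^(Initiated|Denied|Closed) Connection (\S+) (.+)$")
ENDPOINT = re.compile(r"^(.*?) \(([\d.]+):(\d+)\)$")  # e.g. 'Internal (10.10.8.50:4927)'

def parse_entries(text):
    """One dict per ISA log entry: the header line, then the 'Key: value' lines under it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"action": m.group(1), "server": m.group(2), "time": m.group(3)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def endpoint(field):
    m = ENDPOINT.match(field or "")
    return (m.group(1), m.group(2), int(m.group(3))) if m else (None, None, None)

def rdp_symptom_report(text):
    """Per source IP: RDP initiations vs. denied 'Unidentified IP Traffic' sent to Local Host."""
    stats = defaultdict(lambda: {"rdp_initiated": 0, "unidentified_denied": 0})
    for e in parse_entries(text):
        src_ip = endpoint(e.get("Source"))[1]
        dst_net, _, dst_port = endpoint(e.get("Destination"))
        if src_ip and e["action"] == "Initiated" and dst_port == 3389:
            stats[src_ip]["rdp_initiated"] += 1
        elif src_ip and e["action"] == "Denied" and dst_net == "Local Host" \
                and e.get("Protocol", "").startswith("Unidentified IP Traffic"):
            stats[src_ip]["unidentified_denied"] += 1
    return dict(stats)
# Constructed sample in the format quoted in the post (IPs made up), trimmed to the fields used.
SAMPLE_LOG = """\
Initiated Connection MainSiteISAServer 11/4/2009 9:19:20 AM
Source: Internal (10.10.8.50:4926)
Destination: Remote Site2 (192.0.2.10:3389)
Protocol: RDP (Terminal Services)
Denied Connection MainSiteISAServer 11/4/2009 9:19:23 AM
Source: Internal (10.10.8.50:4927)
Destination: Local Host (10.10.8.1:9413)
Protocol: Unidentified IP Traffic (TCP:9413)
Initiated Connection MainSiteISAServer 11/4/2009 9:20:01 AM
Source: Internal (10.10.8.77:1055)
Destination: Remote Site2 (192.0.2.10:3389)
Protocol: RDP (Terminal Services)
"""
```

A source that shows RDP initiations with a zero "unidentified_denied" count behaves like the working site in the post; a non-zero count singles out the client whose RDP attempts are followed by the stray denied traffic.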
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I can't really follow your description that well,...but the Log entry you showed has nothing to do with any of this.
Your Access Rule for the RDP needs to look like this below. These Rules are only for traffic from the Main Site to the remote site direction,...not for traffic moving any other direction. Add other protocols besides RDP if needed. Fill in the true Network Names in place of my placeholders.
ISA at the Main Site
From: Internal
To: <Remote Network1>, <Remote Network2>
Protocol: RDP
Users: <whatever>

ISA at Remote Site1
From: <Main Site Network>
To: Internal
Protocol: RDP
Users: "All Users" (anonymous due to probable lack of ability to authenticate here)

ISA at Remote Site2
From: <Main Site Network>
To: Internal
Protocol: RDP
Users: "All Users" (anonymous due to probable lack of ability to authenticate here)
Thank you very much for the reply, pwindell! The rules you suggested, from what I can tell, have exactly the same settings as the Access Rules that are put into place when the Remote Site VPN rule is created. It allows ALL outbound protocols, from both the main site and remote site, for all users. Essentially, all traffic should flow smoothly and uninhibited between the two sites. And the funny thing is, it DOES work just fine for the one site that is set up this way, but not for this new site connection.
At any rate, I figured what the heck and created the rules that you suggested exactly as you described, and put them at the top of the rule stack. Unfortunately, the exact same result occurs: in the logs, I see the Initiated Connection with the RDP protocol, and it is being caught by the new rule I created, but then after a few seconds I simply start seeing more of the logs for the Unidentified IP Traffic, which gets denied. The connection never happens. What is really strange to me is that when I watch the traffic for RDP connections to the other remote site, I see the Initiated Connection, and then it connects...I never see any of that Unidentified IP Traffic in the logs. So I guess what might really help me figure out what is going on is if I knew what is generating this Unidentified IP Traffic...Any more thoughts or help are greatly welcomed and appreciated!
Right, yeah, I saw that the rules are one on each ISA, and I fully understand the logic behind each one and the setup you described as a whole. Still no dice, though.
Sorry about my first post being hard to follow, but if you would like to continue and try to understand the environment, I can provide you with whatever info you need. You mention LANs...
Just so you know, they are as follows:
MAIN SITE: 10.10.8.0 - 10.10.11.255; 255.255.252.0
Those look fine. I re-read the original post a couple more times.
On the Main LAN,..find another workstation (not a server, not a DC, not a "special" machine in any way,... just a plain workstation or laptop) and try it from that. Try first using the IP# of the target server,...then try it by name. What happens?
Ok, I have a laptop that normally just sits next to me and is used to connect to the public WiFi so that I can test certain connections to our network from the external world. When it is external, its IP is part of the Remote Management Computers group that is built into ISA, on the remote site. Then, on the laptop, I connected it to our Internal WiFi, so that it was now on our internal network at the main site, and now had an internal IP. So at this point, traffic coming from it would not be from an IP that is part of the Remote Management Computers group on the remote ISA. That machine is in no part of any of our IT or admins groups/OUs/etc.
So, I initiated an RDP connection to the remote DC and BAM!! It went through! At this point I thought maybe it had something to do with that Remote Management Computers group (for whatever crazy reason), and I removed my normal computer's IP from it. Still no dice though.
So there are the results of your test. I had connectivity from a normal, non-special machine. Thoughts on where I might go from here...Still drawing a blank on it...
I would consider that a "special" machine,..I wanted a normal workstation that was already normally on the LAN and a Domain Member. But anyway it still made my point.
Remote Management Groups have nothing to do with this at all,...completely irrelevant. Try it one more time (just to be sure) from a "normal" machine on the LAN,...a regular user's machine,...no special rights, privileges, permissions, etc.
If that works,..ISA is fine, the VPN is fine, the LANs are fine, routing is fine. The problem is entirely local to that one machine you are having problems with. I'd probably reload it from scratch and forget it.
Ok, I tried once more from a completely non-special machine. Nothing at all special about their machine. It did not connect. It just sat there for a long time trying to connect, but never actually went through.
Upon looking at the logs on the remote site's ISA server, it showed an RDP Initiated Connection log from that non-special machine, and then nothing until I eventually cancelled the attempt. At that point, a Closed Connection log came through, as would be expected. The difference between the logs from that machine and from my normal machine is that those weird Unidentified IP Traffic logs that show up for mine did NOT show up for the non-special machine...This is WEIRD!