pcanywhere and terminal services - in but not out?

pcanywhere and terminal services - in but not out? - 22.Oct.2003 7:10:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
We have set up PCAnywhere and Terminal Services for the network for remote users to log in and for local users to go out.

After the setup, the remote users are easily able to log into the hosts of PCA and TS. However, trying to use PCA to connect to the remote host generates a connection error. TS Server has the same trouble with the error:

"The client could not establish a connection to the remote computer."

I have been through the PCAnywhere article called Publishing a host using PCAnywhere behind ISA as well as following the similar instructions for Terminal Services.

Any suggestions?
Post #: 1
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 7:17:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi A,

Just configure the four pcA Protocol Def's and create a Protocol Rule using those defs.

Outbound RDP is just TCP 3389. Create a Protocol Rule that lets that out.

HTH,
Tom

(in reply to asuh)
Post #: 2
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 7:24:00 AM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Thanks for the reply, Tom. In this ISA setup, we still have the allow all rule enabled for the protocol rules. Would this make a difference or should I add additional protocol rules?

(in reply to asuh)
Post #: 3
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 6:01:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Here is an entry from the firewall log in case it helps. I keep trying to connect with Terminal Services to a remote machine but something is preventing me from connecting.

192.168.100.196, -, -, N, 10/23/2003, 11:07:52, fwsrv, ISA, -, -, 66.136.21.244, 3389, 1078, 0, 0, 3389, TCP, Connect, -, -, -, 10061, 0, allow all, Allow rule, 280, 1835
192.168.100.196, -, -, N, 10/23/2003, 11:07:55, fwsrv, ISA, -, -, 66.136.21.244, 3389, 1094, 0, 0, 3389, TCP, Connect, -, -, -, 10061, 0, allow all, Allow rule, 280, 1836

[ October 23, 2003, 06:02 PM: Message edited by: asuh ]

(in reply to asuh)
Post #: 4
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 9:07:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi asuh,

according to the Firewall log, the outbound RDP request is sent by a SecureNAT client and has been allowed by the ISA Firewall Policy but refused by the destination. The field sc-status = 10061, which means "Connection Refused". In more detail:
quote:
No connection could be made because the target computer actively refused it. This usually results from trying to connect to a service that is inactive on the foreign host, that is, one with no server application running.
HTH,
Stefaan

(in reply to asuh)
Post #: 5
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 9:15:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

You're right that the problem is that the client is a SecureNAT client! When will people realize the way, the truth and the light is the firewall client? Otherwise, you could use a dumb PIX for a "firewall" [Big Grin]

The problem is that allow all is only "all" for firewall clients. The pcA Protocol Def's still need to be created.

HTH,
Tom

(in reply to asuh)
Post #: 6
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 10:19:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
How funny!

I actually was sending those as a Firewall client to begin with, but then shut down the software and sent it as JUST a secureNAT. Neither way worked.

I did add those protocol definitions to the protocol rules and it still was unsuccessful. I tried sending TS requests with all combinations of Firewall client, no Firewall client, no protocol defs, protocol defs, etc, etc!

I have checked the log files for any sign of the PCAnywhere ports 5631 and 5632 but cannot find that anything was ever attempted. The Terminal Service port 3389 shows up in the Firewall log but the PCAnywhere, which is run by the same computer, does not have any record.

[ October 23, 2003, 10:30 PM: Message edited by: asuh ]

(in reply to asuh)
Post #: 7
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 10:31:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

just for debugging purposes, enable logging for allowed packets too in the IP packet filter properties. Make a new test and post the IP packet log excerpt. Of course, make sure you have enabled the logging of all fields.

HTH,
Stefaan

(in reply to asuh)
Post #: 8
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 10:59:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
10/23/2003, 16:08:18, 192.168.101.1, 255.255.255.255, Udp, 1087, 162, -, BLOCKED, 192.168.101.225, 45 00 00 9d 00 00 00 00 96 11 fe a6 c0 a8 65 01 ff ff ff ff, 04 3f 00 a2 00 89 6b 1e 30 82 00 7d 02 01 00 04 06 70 75 62 6c 69 63 a4 82 00 6e 06 09 2b 06 01 04 01 9e 73 01 01 40 04 c0 a8 65 01 02 01 06 02 01 01 43 04 00 00 00 00 30 82 00 4d 30 82 00 49 06 0a 2b 06 01 04 01 9e 73 01 01 00 04 82 00 39
10/23/2003, 16:08:18, 66.136.22.36, 192.168.101.225, Tcp, 3389, 17197, RST ACK , ALLOWED, 192.168.101.225, 45 00 00 28 93 40 00 00 7d 06 2b 5a 42 88 16 24 c0 a8 65 e1, 0d 3d 43 2d 00 00 00 00 d1 0b a8 04 50 14 00 00 67 20 00 00
10/23/2003, 16:08:18, 192.168.101.225, 66.136.22.36, Tcp, 17197, 3389, SYN , ALLOWED, 192.168.101.225, 45 00 00 30 62 03 40 00 80 06 00 00 c0 a8 65 e1 42 88 16 24, 43 2d 0d 3d d1 0b a8 03 00 00 00 00 70 02 ff ff 3a 70 00 00
10/23/2003, 16:08:19, 66.136.22.36, 192.168.101.225, Tcp, 3389, 17197, RST ACK , ALLOWED, 192.168.101.225, 45 00 00 28 93 41 00 00 7d 06 2b 59 42 88 16 24 c0 a8 65 e1, 0d 3d 43 2d 00 00 00 00 d1 0b a8 04 50 14 00 00 67 20 00 00
10/23/2003, 16:08:19, 192.168.101.225, 66.136.22.36, Tcp, 17197, 3389, SYN , ALLOWED, 192.168.101.225, 45 00 00 30 62 04 40 00 80 06 00 00 c0 a8 65 e1 42 88 16 24, 43 2d 0d 3d d1 0b a8 03 00 00 00 00 70 02 ff ff 3a 70 00 00
10/23/2003, 16:08:19, 66.136.22.36, 192.168.101.225, Tcp, 3389, 17197, RST ACK , ALLOWED, 192.168.101.225, 45 00 00 28 93 42 00 00 7d 06 2b 58 42 88 16 24 c0 a8 65 e1, 0d 3d 43 2d 00 00 00 00 d1 0b a8 04 50 14 00 00 67 20 00 00

(in reply to asuh)
Post #: 9
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 11:10:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

aha... just what I thought, ISA is not to blame! [Smile]

ISA is sending a 'SYN', which means a TCP connection request to the destination on port 3389, but receives a 'RST ACK' back, which means TCP connection reset. In other words, either the destination or a device along the path refuses the TCP connection request.

I see your external interface uses a private IP address. So, there must be some upstream device that is doing NAT. Maybe another firewall. Is TCP port 3389 outbound allowed on that device?

BTW --- don't forget to disable the logging of allowed packets again because otherwise the log will grow very fast and the performance will drop.

HTH,
Stefaan

(in reply to asuh)
Post #: 10
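
Added example, not part of the original thread: a small Python decoder for the IP packet filter log format posted above, which reads the raw IP and TCP header bytes and reports each outbound SYN that was answered by an RST. The column positions are assumed from the posted lines, and the function names are hypothetical.

```python
import ipaddress

# Two lines copied from the IP packet filter log posted earlier in this thread.
SAMPLE_LOG = """\
10/23/2003, 16:08:18, 192.168.101.225, 66.136.22.36, Tcp, 17197, 3389, SYN , ALLOWED, 192.168.101.225, 45 00 00 30 62 03 40 00 80 06 00 00 c0 a8 65 e1 42 88 16 24, 43 2d 0d 3d d1 0b a8 03 00 00 00 00 70 02 ff ff 3a 70 00 00
10/23/2003, 16:08:19, 66.136.22.36, 192.168.101.225, Tcp, 3389, 17197, RST ACK , ALLOWED, 192.168.101.225, 45 00 00 28 93 41 00 00 7d 06 2b 59 42 88 16 24 c0 a8 65 e1, 0d 3d 43 2d 00 00 00 00 d1 0b a8 04 50 14 00 00 67 20 00 00
"""

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def decode_line(line):
    """Decode one log line from its raw IP and TCP header bytes."""
    fields = [f.strip() for f in line.split(",")]  # assumed layout: 12 columns
    ip, l4 = bytes.fromhex(fields[10]), bytes.fromhex(fields[11])
    pkt = {"time": fields[1], "action": fields[8], "ttl": ip[8], "proto": ip[9],
           "src": str(ipaddress.ip_address(ip[12:16])),
           "dst": str(ipaddress.ip_address(ip[16:20]))}
    if pkt["proto"] == 6 and len(l4) >= 14:  # TCP
        pkt["sport"] = int.from_bytes(l4[0:2], "big")
        pkt["dport"] = int.from_bytes(l4[2:4], "big")
        pkt["seq"] = int.from_bytes(l4[4:8], "big")
        pkt["ack"] = int.from_bytes(l4[8:12], "big")
        pkt["flags"] = {name for bit, name in TCP_FLAGS if l4[13] & bit}
    return pkt

def refused_connections(log_text):
    """Return SYNs that were answered by an RST acknowledging that SYN."""
    pending, refused = {}, []
    for line in filter(str.strip, log_text.splitlines()):
        p = decode_line(line)
        if "flags" not in p:
            continue  # not TCP (for example the UDP broadcast in the log)
        if p["flags"] == {"SYN"}:
            pending[(p["src"], p["sport"], p["dst"], p["dport"])] = p
        elif "RST" in p["flags"]:
            syn = pending.get((p["dst"], p["dport"], p["src"], p["sport"]))
            # An RST sent in reply to a SYN acknowledges the SYN's sequence + 1.
            if syn and p["ack"] == (syn["seq"] + 1) % 2**32:
                refused.append({"client": f'{syn["src"]}:{syn["sport"]}',
                                "target": f'{syn["dst"]}:{syn["dport"]}',
                                "syn_time": syn["time"], "rst_time": p["time"],
                                "rst_ttl": p["ttl"]})
    return refused

if __name__ == "__main__":
    for r in refused_connections(SAMPLE_LOG):
        print(r)
```

Both packets are logged as ALLOWED, so the packet filter passed them; the reset arrives from beyond the ISA external interface, which is the reading given in the post above.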
RE: pcanywhere and terminal services - in but not out? - 23.Oct.2003 11:20:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
hmm... well this complicates things.

At the remote network, there is a Router in front of the LAN and behind the DSL modem. We have forwarded port 3389 to the Terminal Services Server. I would assume that because of that, it allows inbound and outbound connections, right?

Well, since I found the information about terminal service port 3389, how come I'm not seeing anything on PCAnywhere ports 5631 and 5632? Behind the ISA server, we are not able to connect to the remote LAN using PCAnywhere. However, in front of the ISA server, we *ARE* able to make a connection with PCAnywhere.

BTW, where do you uncheck to stop logging allowed packets?

[ October 23, 2003, 11:24 PM: Message edited by: asuh ]

(in reply to asuh)
Post #: 11
RE: pcanywhere and terminal services - in but not out? - 24.Oct.2003 11:43:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

let's tackle one problem at a time! [Big Grin]

Did you test the TS connection outside of ISA and did it work?

You stop the logging of allowed packets in the IP packet filter properties, tab 'Packet Filters'.

HTH,
Stefaan

(in reply to asuh)
Post #: 12
RE: pcanywhere and terminal services - in but not out? - 24.Oct.2003 5:38:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
When I used Remote Desktop Connection in front of the ISA, I was unsuccessful in connecting to the remote network. Obviously, behind the ISA has not worked either.

I believe I found the packet filter properties and unchecked the allow packet filter logging.

(in reply to asuh)
Post #: 13
RE: pcanywhere and terminal services - in but not out? - 24.Oct.2003 7:33:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

OK, when the outbound RDP is working we can move to the next problem! Keep us informed! [Wink]

Thanks,
Stefaan

(in reply to asuh)
Post #: 14
RE: pcanywhere and terminal services - in but not out? - 24.Oct.2003 7:44:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Let me ask you another question. On the remote LAN to which we are unsuccessful in connecting, behind the DSL modem is a Linksys BEFVP41. When you install the modem, I would assume that all ports are open by default. Right? If not, we've also tried forwarding port 3389 to the server which has Terminal Services installed. Our connection basically goes like this:

LAN client--ISA Server--Router--Internet--Remote Router--TS Server.

I don't see what would be causing the refusal of the TCP connection request on the remote LAN.

(in reply to asuh)
Post #: 15
RE: pcanywhere and terminal services - in but not out? - 24.Oct.2003 8:11:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

you should find out if it is the TS or the Linksys that refuses the connection. I would take a network monitor trace at the TS to check if it sees the incoming TCP request. If it doesn't, it is likely the Linksys that is the culprit.

HTH,
Stefaan

(in reply to asuh)
Post #: 16
RE: pcanywhere and terminal services - in but not out? - 31.Oct.2003 12:46:00 AM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
After much searching and testing, we figured out that the Linksys router was not accepting the TS protocol 3389. We did a hard reset of the router and somehow that seemed to fix it!

Now we need to figure out the same for PC Anywhere.

(in reply to asuh)
Post #: 17
RE: pcanywhere and terminal services - in but not out? - 31.Oct.2003 2:59:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

good to hear you have the TS part working! [Smile]

I've no first-hand experience with PCAnywhere, but according to http://www.isaserver.org/tutorials/Publishing_a_host_using_PCAnywhere_behind_ISA.html the protocols used are TCP and UDP ports 5631 and 5632.

Assuming you need *outbound* PCA connectivity, then you need to create 4 protocol definitions:
- PC-Anywhere-1 : TCP port 5631 Outbound
- PC-Anywhere-2 : UDP port 5631 Send/Receive
- PC-Anywhere-3 : TCP port 5632 Outbound
- PC-Anywhere-4 : UDP port 5632 Send/Receive

Next, you have to allow those 4 protocol definitions in a protocol rule.

HTH,
Stefaan

(in reply to asuh)
Post #: 18
RE: pcanywhere and terminal services - in but not out? - 31.Oct.2003 6:20:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I have already set up PCAnywhere as per http://www.isaserver.org/tutorials/Publishing_a_host_using_PCAnywhere_behind_ISA.html . At the moment, the default protocol rule is "allow all" meaning all ports are open. Once we figure out the problem, we'll change this.

In front of the ISA server, I am able to connect to the remote computer running the PCAnywhere host. Behind the ISA server, I am not.

[ October 31, 2003, 06:21 PM: Message edited by: asuh ]

(in reply to asuh)
Post #: 19
RE: pcanywhere and terminal services - in but not out? - 31.Oct.2003 8:11:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

you said "In front of the ISA server, I am able to connect to the remote computer running the PCAnywhere host". OK, that's good to start with! [Wink]

Now, the article you mentioned is for publishing a PCA host and that is inbound access. So, for outbound access you should create the protocol definition I posted (direction is outbound or send/receive instead of inbound and receive/send).

Just for testing you can use an open protocol rule (all IP traffic, any request, any time) and an open site&content rule (all destinations, all content, any request, any time). That should work if and only if you use the Firewall client. So, give it a try.

If it still doesn't work, check out the Firewall log. That should give you a clue why it is not working.

HTH,
Stefaan

(in reply to asuh)
Post #: 20
