maximyshka
How to set up port forwarding with isa server

I need to do port forwarding on ISA 2004. Please help me, I need it urgently.
Bembi

It depends on what you mean. Port forwarding in ISA usually means that ISA listens on an external port and redirects the traffic to an internal server on the same or on a different port. This is a server publishing rule, where you can select predefined protocols or dedicated listener and forwarding ports.

Is this what you mean?
Hello Max.
ISA does not port forward; instead it publishes internal servers.

I'll assume it is ISA 2004 rather than ISA 2000.
Either let us know which ports you wish to pass through ISA or, alternatively, have a look here.

https://www.experts-exchange.com/questions/21774126/Configuring-ISA-Server-2004-for-Radmin.html
This is another call I am working on where the user needs to 'port-forward' TCP port 4489. It gives you an idea.

For publishing Exchange servers, use the publish a mail server option; for HTTP, publish a web server, etc.
maximyshka (asker)

keith_alabaster, I am actually trying to accomplish the same thing but with Remote Desktop Connection.
From my router it goes to the server, so I am trying to forward port 3389 to a computer which is connected to the server...

Also, what is the advantage of RAdmin vs Remote Desktop or Remote Console?
None that I am aware of; although I have specifically not used RAdmin. I always use Remote Console, predominantly because it is part of the OS.
By remote console you mean "mstsc"? If yes, that is what I am trying to use. But it only works when connecting to the server...
mstsc or remote desktop. Both use tcp port 3389.

You have two options:

1. Connect to the server via RDP/MSTSC and then remote desktop or TS from there to the necessary machines etc. as if you were inside.
2. Create different protocol/port definitions for each machine and publish separately.

i.e.
tcp 3389 --> Publish as 192.168.0.1
tcp 3390 --> Publish as 192.168.0.2
etc., where 192.168.0.x = internal IPs of your different machines

Regards
Keith
> What is advantage of RAdmin vs Remote Desktop or Remote console?
I think a lot of these tools like RAdmin, PCAnywhere or WinVNC come out of WinNT times. As the newer OS brings everything you need, like RDC or Messenger and NetMeeting, most users are using these tools as part of the OS and free of charge. What may be a reason for other tools is the fact that RDC is a terminal server session and the currently logged on user cannot see what you are doing. That means two persons are connected independently from each other on one single machine. With WinVNC, for example, the user can see what you are doing (I think RAdmin as well). This may be good for showing the user what to do.

RDC has one advantage: either you can make a direct connection to a client and, secondly, there are different implementations. The peer connection method (= No. 2 of Keith) has the problem that this is only intended for internal use. For publishing through a firewall, you have to open one port for each client machine, which is not recommended.

A commonly used way is to establish a cascaded connection, as Keith stated before, from outside to the server and from there a second internal connection to the client (tsweb or MSTSC). (Also stated by Keith.)

The last option is to use RDC via the Microsoft servers. All XP clients have the option to request an RDC connection. In this scenario, the client connects to an MS server and informs the requested supporter. This supporter can then also establish a connection, which is then redirected by the MS server. This method simplifies the peer to peer connection, as it is an outgoing request from the client and therefore a route exists, bridged by the public MS server (as long as ISA allows this).

The last option may fail if clients are behind NAT routers with dynamic IPs, as this may also depend on the router settings.
About sums it up :)
keith_alabaster, for some reason your solution doesn't work. When I do :3389 I am greeted by the server. I created a rule for 3390, but it doesn't work. I did exactly the same as you recommended to the guy on https://www.experts-exchange.com/questions/21774126/Configuring-ISA-Server-2004-for-Radmin.html
I use MSTSC.
Have you allowed 3390 through your external firewall/router to the ISA server?
Have you published TS on 3390 also in the ISA server? When you did the publish and selected your RDP on port 3390, did you change the port setting to forward it on to the client on 3389? Remember, you are receiving it on 3390 from the outside, then ISA must forward it to the selected workstation/server as 3389.
Can you guide me step by step, as I am a bit new to it..
thanks
ASKER CERTIFIED SOLUTION
Keith Alabaster
sorry.
"Enter the internal server IP" - you mean my server or the computer I am trying to connect to?
Do I need to create any incoming protocols?
Should I choose external requests?
Can you write me the steps assuming I didn't do anything before? As a clean list, for a person who doesn't know a lot about networking.
Just follow the steps.
The only incoming rules will be on your external router/dsl etc to allow the ports through to ISA server in the first place.
No, you do NOT create any incoming protocols.

The call I did the other day was for a different scenario.
Oh, ok, thanks. I will try it and let you know.
Not a problem mate. It's a big subject. Just take it one step at a time and ask if you need help.

The protocol is already there (RDP Terminal Services). All we are doing is saying use the same protocol but, for the second instance, listen on 3390 and then forward it internally to this machine (the IP address you entered) using 3389. Then again for the third machine: listen using the RDP Terminal Services protocol, but this time on 3391, then forward it to the next IP address etc. on 3389.

Regards
Keith
When you wrote "internal server IP", I understand that you meant the computer IP, not the server IP, right?
Server, workstation, it is the IP address of the 'machine' you want to take over :)
Ok, I understand. Sorry I missed your last comment.
Do you know if it should work if someone is actually working on the computer?
The machine must be switched on.
On the machine you are trying to take over, remote desktop must be enabled.

Right-click the My Computer icon.
Select the Remote tab.
Tick "Enable Remote Desktop on this computer".
Tick "Enable Remote Assistance" if you wish, although I have not used that function so cannot really comment on it.
I have not tried it when someone is actually using the machine at the time :) lol, don't know the answer :(
Yes, it is available. The way I do remote now is logging in to the server and then from the server I can get to any computer... but now I need to permit access to some of my employees, and I do not want them to log in to the server....
I have tried what you wrote, but it doesn't work. It might be because a person is using the computer and it is locked.... Will keep you posted.. thanks for helping me...
In the ISA console,
click on monitoring - logging - click on start query.

Try the connections.
Do you see the attempts in the logs?
Hmmm, I don't see attempts on those ports. Maybe I am looking for the wrong things, but I don't see anything related to it...
Now nobody works with the PC, but it doesn't work...
If you use RDC on a client, the currently logged on user is logged off. And if an admin is logging in on the client during the session, the session is killed.

What works on a server works differently on a client, as only one user can be logged on at a time. I think this is not really what you want, right?

I think we come back to Messenger, which works as expected, or to another program like VNC.
Well, I tried to log in when nobody was using the computer, and that solution still didn't work.
I will back out of this call. No point in going in two different directions.

Keith
Check your client again:

- right-click the My Computer icon - Properties
- tab "Remote"
- make sure "Remote Desktop on this computer" is enabled (2nd option)
- you can also allow the user to request remote help (1st option)

Also make sure, if the Windows firewall is enabled, that Remote Desktop is allowed (nevertheless, you do not need a local firewall on the clients behind ISA).

You can check it by telnet clientname 3389
- If you get nothing and a timeout after a while, the connection is ok; otherwise you get a message at once that the connection is refused.

Check this first from inside the network to make sure it is working in general, so we can separate whether your problem is a connection problem or an ISA issue.
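Keith's one-listener-per-machine scheme (external 3389/3390/... each forwarded to a different internal IP on 3389) and Bembi's "telnet clientname 3389 from inside first" check can be combined into a small sanity script. This is an added example, not code from the thread or from ISA Server; the rule list and the 192.168.0.x addresses are constructed placeholders, and the probe is a plain TCP connect, not the ISA logging query.

```python
"""Sanity-check ISA-style RDP publishing rules before blaming ISA."""
import ipaddress
import socket
from typing import Callable, Dict, List, NamedTuple

RDP_PORT = 3389  # Terminal Services always listens here on the target


class PublishRule(NamedTuple):
    listen_port: int            # external port the ISA listener accepts
    internal_ip: str            # machine being published (constructed below)
    internal_port: int = RDP_PORT


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """The 'telnet host 3389' step as a TCP connect, run from inside the LAN.
    'accepted' = something listens, 'refused' = nothing listens on that port
    (Remote Desktop not enabled?), 'timeout' = packets dropped (firewall/route)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "accepted"
    except ConnectionRefusedError:
        return "refused"
    except OSError:            # socket.timeout and unreachable-host errors
        return "timeout"


def validate_rules(rules: List[PublishRule]) -> List[str]:
    """Static checks on the rule set: one listener per machine, internal
    targets only, and the forward port left at 3389 as Keith describes."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for r in rules:
        if r.listen_port in seen:
            problems.append(f"listener {r.listen_port} used twice "
                            f"({seen[r.listen_port]} and {r.internal_ip})")
        seen[r.listen_port] = r.internal_ip
        if not ipaddress.ip_address(r.internal_ip).is_private:
            problems.append(f"{r.internal_ip} is not an internal address")
        if r.internal_port != RDP_PORT:
            problems.append(f"listener {r.listen_port}: forward port should "
                            f"stay {RDP_PORT}, got {r.internal_port}")
    return problems


def check_targets(rules: List[PublishRule],
                  probe: Callable[[str, int], str] = probe_tcp) -> Dict[int, str]:
    """Probe every published target; probe is injectable for offline tests."""
    return {r.listen_port: probe(r.internal_ip, r.internal_port) for r in rules}


if __name__ == "__main__":
    rules = [PublishRule(3389, "192.168.0.1"), PublishRule(3390, "192.168.0.2")]
    print(validate_rules(rules) or "rules look consistent")
    for port, state in check_targets(rules).items():
        print(f"listener {port}: target {state}")
```

A target reported as "accepted" from inside but unreachable from outside points at the router or the ISA listener rather than the workstation.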
 
Thanks :)
You also need to use the domain administrator's account to log on to the client workstation. You also need to permit RDP traffic in your ISA 2004 policy settings.

I met the same problem as yours: I could log on to the server using VPN, but I could not log on to my workstations. You need to check many settings such as domain users' permissions, and you need to enable the remote logon permission in Active Directory as well.

Good luck