ddotson asked:
Forwarding Port in ISA

Hello:

I need to forward a request on a port 3389 of a specific IP address to a specific internal IP address.  We are using ISA server.

Here is a newsgroup thread that can provide some background on the question:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=gr%25gb.10829%24La.7826%40fed1read02&rnum=1&prev=/groups%3Fsourceid%3Dnavclient%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Ddan%2Bdotson%2Bterminal

The acceptable solution provided was without instructions.  Here is the solution:

"An alternative is to have them forward port 3389 on a different IP address assigned to the firewall.  That's how I do it.  I have a main IP address on the firewall that allows RDP access from the Internet to the firewall.  The firewall has been assigned numerous other IP addresses on its external interface, so if I need to access a server on the internal side, I just use a different IP address on the firewall and forward port 3389 to the internal server."

So, how do I forward port 3389 of this different IP address to the internal server?

An appropriate answer should have reference to some sort of Microsoft instructions for completing the task.  (I couldn't find anything - probably wasn't asking the right questions)

Thanks in advance.
bbao

at first, I think you need to forward a request from a specific IP address to port 3389 of a specific internal IP address; the port 3389 is for the destination, not for the source, right? if I am wrong, the following procedures need some changes.

1. Click Start, click Programs, click Microsoft ISA Server, and then click ISA Management.
2. Click to expand Server, click to expand Arrays, click to expand the entry for the computer that is running ISA Server, and then click to expand Access Policy.
3. Right-click IP packet filters, click New, and then click Filter.
4. In the Packet filter box, type "TCP 3389" for the first filter name, and then click Next.
5. Click Allow packet transmission, and then click Next.
6. Click Custom.
7. Configure the following filter settings, and then click Next:
8. Click TCP in the IP Protocol box.
9. Click Inbound in the Direction box.
10. Click Fixed in the Local Port box, type 3389 in the Port Number box, and then enter your internal IP address.
11. Confirm that All Ports is selected in the Remote Port box (this setting is the default setting).
12. Confirm that the Default IP addresses for each external interface on the ISA Server computer setting is selected (this setting is the default setting), and then click Next.
13. Confirm that only your external IP address is allowed, and then click Next.
14. Click Finish.
In most cases, it is preferable to open ports dynamically. Therefore, it is usually recommended that you create access policy rules to allow internal clients access to the Internet or publishing rules to allow external clients access to internal servers. This is because IP packet filters open the ports statically, but the access policy and publishing rules open the ports dynamically (as a request arrives). For example, suppose you want to grant all internal users access to Hypertext Transfer Protocol (HTTP) sites. You should not create an IP packet filter that opens port 80. Rather, you should create the necessary site and content rule and protocol rule that allow this access.
ddotson (ASKER)

So, your first post gives me instructions on how to create a static packet filter.  How would I go about accomplishing this task with access policies / publishing rules?

And most importantly, I need to be able to show some Microsoft documentation on this task to our admins (to satisfy their minds).
you don't have printed documentation of isa server? anyway, on the isa cdrom, you may find the e-version of it; in my mind, the filename is isa.chm.

the 2nd post is just for your reference, if you want to open your internal web server or similar ones. for a specific port, you may use packet filter. btw, you want to share your internal terminal services (on port 3389)?
ddotson (ASKER)

I am just looking to getting to my server for Remote Admin, because the ISA admins won't let me use TS on the ISA server.  So, if I am reading into your question correctly, are you concerned that I would be using a default port?
ASKER CERTIFIED SOLUTION (bbao)
ddotson (ASKER)

Is there a greater security risk than what is already obvious?
it depends: where the TS is located, how many other services are running on the same computer as the TS, whether these services are critical to your business, what your password policy is, what your isa security policy is, how many people (and what kind of people) know this hole (the published TS)....
I didn't read through all the comments, but you need to make sure you have the networking set right first.  The IP address that external users will use to access the terminal server needs to be on the external adapter of the isa server.  The internal address of that terminal server needs to be on the same subnet as the isa server's internal NIC.

I am doing this from memory as I don't have an ISA server in front of me right now...

Next, you need a packet filter rule for tcp port 3389 inbound.  Then publish a server using the external IP address, the protocol defined in the packet filter, and the internal IP of the terminal server.

Again, I don't have this in front of me right now, but it's pretty easy stuff.  The only thing I can think of that I might be screwing up is that it might be a protocol definition not a packet filter you need to define.

Here is a great resource for ISA - www.isaserver.org

Regards,
Andy
Update to my last post...

Look here:  http://isaserver.org/tutorials/Publishing_Terminal_Services_and_the_TSAC_Client__Updated.html

and search for "Creating the Sever Publishing Rule"

Do what it says there in steps 1 - 11.  You can ignore the rest of that stuff on that page....  and yes it was a protocol defn, not a packet filter.  My bad.  :)
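A defender-side check for the setup described in this thread (bbao's packet-filter steps 1-14 and Andy's networking prerequisites above), as an added example that is not code from the thread or from ISA Server: it models one published RDP rule as a plain Python structure (hypothetical, not ISA's own API) and flags the misconfigurations the steps warn about, such as an "All Ports" filter, an unrestricted remote address, or a terminal server on the wrong subnet. The sample rules and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RdpPublishing:
    """Constructed model of one ISA packet filter plus its publishing target."""
    protocol: str                 # "TCP" is expected for Terminal Services
    direction: str                # "Inbound" for a server published to the Internet
    local_port: Optional[int]     # None models the "All Ports" choice
    remote_addresses: List[str]   # [] models "all remote computers" (step 13 violated)
    external_ip: str              # IP assigned to the ISA external adapter
    internal_ip: str              # address of the terminal server behind ISA


def audit_rdp_publishing(rule: RdpPublishing, external_net: str, internal_net: str) -> List[str]:
    """Return findings; an empty list means the rule matches the thread's intent:
    TCP 3389 inbound, a single allowed source host, addresses on the right subnets."""
    findings = []
    if rule.protocol.upper() != "TCP" or rule.direction.lower() != "inbound":
        findings.append("filter is not TCP inbound")
    if rule.local_port != 3389:
        findings.append("local port is not fixed to 3389 (All Ports or wrong port)")
    if not rule.remote_addresses:
        findings.append("remote address is 'all': RDP reachable from any source")
    for addr in rule.remote_addresses:
        # strict=False accepts host bits in a network string; one host is what step 13 asks for
        if ipaddress.ip_network(addr, strict=False).num_addresses > 1:
            findings.append(f"remote address {addr} is a range, not a single host")
    if ipaddress.ip_address(rule.external_ip) not in ipaddress.ip_network(external_net):
        findings.append("published IP is not on the ISA external adapter's subnet")
    if ipaddress.ip_address(rule.internal_ip) not in ipaddress.ip_network(internal_net):
        findings.append("terminal server is not on the ISA internal NIC's subnet")
    return findings


# Constructed subnets for the ISA external and internal adapters.
EXTERNAL_NET = "203.0.113.0/24"
INTERNAL_NET = "192.168.10.0/24"

# Constructed rules: one that follows the steps, one with the common mistakes.
GOOD_RULE = RdpPublishing("TCP", "Inbound", 3389, ["198.51.100.7"], "203.0.113.20", "192.168.10.5")
BAD_RULE = RdpPublishing("TCP", "Inbound", None, [], "203.0.113.20", "10.0.0.5")

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, audit_rdp_publishing(rule, EXTERNAL_NET, INTERNAL_NET) or ["ok"])
```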
ddotson (ASKER)

I showed these articles to the ISA admin, and he said, "oh yeah, why didn't I think of that?"
oh yeah, why didn't I see that?! ;-))