Solved

Forwarding Port in ISA

Posted on 2003-12-03
Last Modified: 2013-12-23
Hello:

I need to forward a request on a port 3389 of a specific IP address to a specific internal IP address.  We are using ISA server.

Here is a newsgroup thread that can provide some background on the question:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=gr%25gb.10829%24La.7826%40fed1read02&rnum=1&prev=/groups%3Fsourceid%3Dnavclient%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Ddan%2Bdotson%2Bterminal

The acceptable solution provided was without instructions.  Here is the solution:

"An alternative is to have them forward port 3389 on a different IP address assigned to the firewall.  That's how I do it.  I have a main IP address on the firewall that allows RDP access from the Internet to the firewall.  The firewall has been assigned numerous other IP addresses on its external interface, so if I need to access a server on the internal side, I just use a different IP address on the firewall and forward port 3389 to the internal server."

So, how do I forward port 3389 of this different IP address to the internal server?

An appropriate answer should have reference to some sort of Microsoft instructions for completing the task.  (I couldn't find anything - probably wasn't asking the right questions)

Thanks in advance.
Question by:ddotson

Expert Comment

by:Bing CISM / CISSP
At first, I think you need to forward a request from a specific IP address to port 3389 of a specific internal IP address; port 3389 is for the destination, not the source, right? If I am wrong, the following procedures need some changes.

1. Click Start, click Programs, click Microsoft ISA Server, and then click ISA Management.
2. Click to expand Server, click to expand Arrays, click to expand the entry for the computer that is running ISA Server, and then click to expand Access Policy.
3. Right-click IP packet filters, click New, and then click Filter.
4. In the Packet filter box, type "TCP 3389" for the first filter name, and then click Next.
5. Click Allow packet transmission, and then click Next.
6. Click Custom.
7. Configure the following filter settings, and then click Next:
8. Click TCP in the IP Protocol box.
9. Click Inbound in the Direction box.
10. Click Fixed in the Local Port box, type 3389 in the Port Number box, and input your internal IP address.
11. Confirm that All Ports is selected in the Remote Port box (this setting is the default setting).
12. Confirm that the Default IP addresses for each external interface on the ISA Server computer setting is selected (this setting is the default setting), and then click Next.
13. Confirm that only your external IP address is allowed, and then click Next.
14. Click Finish.

Expert Comment

by:Bing CISM / CISSP
In most cases, it is preferable to open ports dynamically. Therefore, it is usually recommended that you create access policy rules to allow internal clients access to the Internet or publishing rules to allow external clients access to internal servers. This is because IP packet filters open the ports statically, but the access policy and publishing rules open the ports dynamically (as a request arrives). For example, suppose you want to grant all internal users access to Hypertext Transfer Protocol (HTTP) sites. You should not create an IP packet filter that opens port 80. Rather, you should create the necessary site and content rule and protocol rule that allow this access.

Author Comment

by:ddotson
So, your first post gives me instructions on how to create a static packet filter.  How would I go about accomplishing this task with access policies / publishing rules?

And most importantly, I need to be able to show some Microsoft documentation on this task to our admins (to satisfy their minds).

Expert Comment

by:Bing CISM / CISSP
You don't have printed documentation of ISA Server? Anyway, on the ISA CD-ROM you may find the e-version of it; in my mind, the filename is isa.chm.

the 2nd post is just for your reference, if you want to open your internal web server or similar ones. for a specific port, you may use packet filter. btw, you want to share your internal terminal services (on port 3389)?

Author Comment

by:ddotson
I am just looking to get to my server for Remote Admin, because the ISA admins won't let me use TS on the ISA server.  So, if I am reading into your question correctly, are you concerned that I would be using a default port?

Accepted Solution

by:Bing CISM / CISSP
OK, let me introduce two Microsoft official KB articles to answer your question:

How to Allow Access to Terminal Services on ISA from the External Interface (275210)
http://support.microsoft.com/?id=kb;en-us;275210
This article describes how to allow access to Terminal Services on an ISA server from the external interface by creating a static packet filter.
 
How to Server Publish a Terminal Server with ISA While also Running Terminal Services on the ISA Server (294720)
http://support.microsoft.com/?id=kb;en-us;294720
This article describes how to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server (either in Application Mode or...

cheers,
bbao

Author Comment

by:ddotson
Is there a greater security risk than what is already obvious?

Expert Comment

by:Bing CISM / CISSP
It depends: where the TS is located, how many other services are running on the same computer with TS, are these services critical to your business, how is your password policy, how is your ISA security policy, how many people (what kind of people) know this hole (the published TS)....

Expert Comment

by:dadmun
I didn't read through all the comments, but you need to make sure you have the networking set right first.  The IP address that external users will use to access the terminal server needs to be on the external adapter of the ISA server.  The internal address of that terminal server needs to be on the same subnet as the ISA server's internal NIC.

I am doing this from memory as I don't have an ISA server in front of me right now...

Next, you need a packet filter rule for tcp port 3389 inbound.  Then publish a server using the external IP address, the protocol defined in the packet filter, and the internal IP of the terminal server.

Again, I don't have this in front of me right now, but it's pretty easy stuff.  The only thing I can think of that I might be screwing up is that it might be a protocol definition not a packet filter you need to define.

Here is a great resource for ISA - www.isaserver.org

Regards,
Andy

Expert Comment

by:dadmun
Update to my last post...

Look here:  http://isaserver.org/tutorials/Publishing_Terminal_Services_and_the_TSAC_Client__Updated.html

and search for "Creating the Sever Publishing Rule"

Do what it says there in steps 1 - 11.  You can ignore the rest of that stuff on that page....  and yes it was a protocol defn, not a packet filter.  My bad.  :)

Author Comment

by:ddotson
I showed these articles to the ISA admin, and he said, "oh yeah, why didn't I think of that?"

Expert Comment

by:Bing CISM / CISSP
oh yeah, why didn't I see that?! ;-))