Forwarding Port in ISA

Hello:

I need to forward a request on a port 3389 of a specific IP address to a specific internal IP address.  We are using ISA server.

Here is a newsgroup thread that can provide some background on the question:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=gr%25gb.10829%24La.7826%40fed1read02&rnum=1&prev=/groups%3Fsourceid%3Dnavclient%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Ddan%2Bdotson%2Bterminal

The acceptable solution provided was without instructions.  Here is the solution:

"An alternative is to have them forward port 3389 on a different IP address assigned to the firewall.  That's how I do it.  I have a main IP address on the firewall that allows RDP access from the Internet to the firewall.  The firewall has been assigned numerous other IP addresses on its external interface, so if I need to access a server on the internal side, I just use a different IP address on the firewall and forward port 3389 to the internal server."

So, how do I forward port 3389 of this different IP address to the internal server?

An appropriate answer should have reference to some sort of Microsoft instructions for completing the task.  (I couldn't find anything - probably wasn't asking the right questions)

Thanks in advance.
ddotson asked:
bbao (IT Consultant) commented:
First, I think you need to forward a request from a specific IP address to port 3389 of a specific internal IP address; port 3389 is the destination, not the source, right? If I am wrong, the following procedure needs some changes.

1. Click Start, click Programs, click Microsoft ISA Server, and then click ISA Management.
2. Click to expand Server, click to expand Arrays, click to expand the entry for the computer that is running ISA Server, and then click to expand Access Policy.
3. Right-click IP packet filters, click New, and then click Filter.
4. In the Packet filter box, type "TCP 3389" for the first filter name, and then click Next.
5. Click Allow packet transmission, and then click Next.
6. Click Custom.
7. Configure the following filter settings, and then click Next:
8. Click TCP in the IP Protocol box.
9. Click Inbound in the Direction box.
10. Click Fixed in the Local Port box, and then type 3389 in the Port Number box, and input your internal IP address
11. Confirm that All Ports is selected in the Remote Port box (this setting is the default setting).
12. Confirm that the Default IP addresses for each external interface on the ISA Server computer setting is selected (this setting is the default setting), and then click Next.
13. Confirm that only your external IP address is allowed, and then click Next.
14. Click Finish.
bbao (IT Consultant) commented:
In most cases, it is preferable to open ports dynamically. Therefore, it is usually recommended that you create access policy rules to allow internal clients access to the Internet or publishing rules to allow external clients access to internal servers. This is because IP packet filters open the ports statically, but the access policy and publishing rules open the ports dynamically (as a request arrives). For example, suppose you want to grant all internal users access to Hypertext Transfer Protocol (HTTP) sites. You should not create an IP packet filter that opens port 80. Rather, you should create the necessary site and content rule and protocol rule that allow this access.
ddotson (Author) commented:
So, your first post gives me instructions on how to create a static packet filter.  How would I go about accomplishing this task with access policies / publishing rules?

And most importantly, I need to be able to show some Microsoft documentation on this task to our admins (to satisfy their minds).
bbao (IT Consultant) commented:
You don't have printed documentation of ISA Server? Anyway, on the ISA CD-ROM you may find the electronic version of it; as I recall, the filename is isa.chm.

The second post is just for your reference, in case you want to open your internal web server or similar ones. For a specific port, you may use a packet filter. By the way, do you want to share your internal Terminal Services (on port 3389)?
ddotson (Author) commented:
I am just looking to get to my server for remote admin, because the ISA admins won't let me use TS on the ISA server. So, if I am reading your question correctly, are you concerned that I would be using a default port?
bbao (IT Consultant) commented:
OK, let me introduce two official Microsoft KB articles to answer your question:

How to Allow Access to Terminal Services on ISA from the External Interface (275210)
http://support.microsoft.com/?id=kb;en-us;275210
This article describes how to allow access to Terminal Services on an ISA server from the external interface by creating a static packet filter.
 
How to Server Publish a Terminal Server with ISA While also Running Terminal Services on the ISA Server (294720)
http://support.microsoft.com/?id=kb;en-us;294720
This article describes how to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server (either in Application Mode or...

cheers,
bbao
ddotson (Author) commented:
Is there a greater security risk than what is already obvious?
bbao (IT Consultant) commented:
It depends: where the TS is located, how many other services are running on the same computer as the TS, whether these services are critical to your business, what your password policy is, what your ISA security policy is, how many people (and what kind of people) know about this hole (the published TS)....
dadmun commented:
I didn't read through all the comments, but you need to make sure you have the networking set right first. The IP address that external users will use to access the terminal server needs to be on the external adapter of the ISA server. The internal address of that terminal server needs to be on the same subnet as the ISA server's internal NIC.

I am doing this from memory as I don't have an ISA server in front of me right now...

Next, you need a packet filter rule for tcp port 3389 inbound.  Then publish a server using the external IP address, the protocol defined in the packet filter, and the internal IP of the terminal server.

Again, I don't have this in front of me right now, but it's pretty easy stuff.  The only thing I can think of that I might be screwing up is that it might be a protocol definition not a packet filter you need to define.

Here is a great resource for ISA - www.isaserver.org

Regards,
Andy
dadmun commented:
Update to my last post...

Look here:  http://isaserver.org/tutorials/Publishing_Terminal_Services_and_the_TSAC_Client__Updated.html

and search for "Creating the Sever Publishing Rule"

Do what it says there in steps 1 - 11. You can ignore the rest of the stuff on that page.... And yes, it was a protocol definition, not a packet filter. My bad. :)
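Whichever route is taken, bbao's static packet filter for TCP 3389 or the server publishing rule (protocol definition plus publishing rule) that dadmun points to, the thing an admin wants next is proof that the published external address really hands connections to a terminal server and not to some other listener or to nothing at all. The script below is an added example, not code from this thread, from Microsoft or from ISA Server: it sends the first message of an RDP session (an X.224 Connection Request inside a TPKT header) to the external IP and checks that the reply is an X.224 Connection Confirm. The target address 203.0.113.10 is a placeholder; run it from the Internet side of the firewall against the address you published.

```python
"""Post-configuration check for a published TCP/3389 terminal server.

Added example, not code from the thread or from ISA Server.  It sends the
first RDP message (an X.224 Connection Request inside a TPKT header) to the
published external address and checks that whatever answers replies with an
X.224 Connection Confirm, which a terminal server does and which a closed
port, a wrong service, or a rule that matches the wrong protocol do not.
"""
import socket
import struct

TPKT_VERSION = 3   # RFC 1006 TPKT header: version, reserved, 16-bit length
X224_CR = 0xE0     # X.224 Connection Request TPDU code
X224_CC = 0xD0     # X.224 Connection Confirm TPDU code


def build_x224_connection_request(cookie: bytes = b"mstshash=check") -> bytes:
    """TPKT + X.224 CR, the first packet an RDP client sends on port 3389."""
    # Optional routing cookie, terminated by CR LF, as mstsc sends it.
    user_data = b"Cookie: " + cookie + b"\r\n"
    # CR TPDU body: code (CR, credit 0), DST-REF, SRC-REF, class option.
    body = bytes([X224_CR, 0x00, 0x00, 0x00, 0x00, 0x00]) + user_data
    # The length indicator counts the body, not itself.
    x224 = bytes([len(body)]) + body
    tpkt = struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224))
    return tpkt + x224


def parse_x224_reply(data: bytes):
    """Classify a raw reply. Returns (is_connection_confirm, reason)."""
    if len(data) < 4:
        return False, "reply shorter than a TPKT header"
    version, _reserved, length = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION:
        # e.g. an SSH or HTTP banner: the port is open but it is not RDP.
        return False, "reply is not TPKT, some other service answered"
    if length < 7 or len(data) < length:
        return False, "truncated TPKT"
    code = data[5]
    if code & 0xF0 != X224_CC:
        return False, f"X.224 TPDU code 0x{code:02x} is not Connection Confirm"
    return True, "X.224 Connection Confirm received, a terminal server answered"


def check_published_rdp(host: str, port: int = 3389, timeout: float = 5.0):
    """Connect to host:port, send the CR and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_x224_connection_request())
            reply = s.recv(1024)
    except ConnectionRefusedError:
        return False, "connection refused: no packet filter or publishing rule"
    except socket.timeout:
        return False, "timed out: filtered, or the rule matched nothing"
    except OSError as exc:
        return False, f"socket error: {exc}"
    if not reply:
        return False, "connection closed without a reply"
    return parse_x224_reply(reply)


if __name__ == "__main__":
    import sys
    # Placeholder external address; pass the published IP on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    ok, why = check_published_rdp(target)
    print(("PASS" if ok else "FAIL") + ": " + why)
```

One caveat: a Connection Confirm proves that a terminal server answered on that external address, not which one. When the firewall itself also runs Terminal Services, as in the second KB article above, confirm the forward reached the internal box by logging on once or by checking that server's security log for the session.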
ddotson (Author) commented:
I showed these articles to the ISA admin, and he said, "oh yeah, why didn't I think of that?"
bbao (IT Consultant) commented:
oh yeah, why didn't I see that?! ;-))