
Server 2003, ISA, Surf Control & RDP

Posted on 2006-05-08
Medium Priority
Last Modified: 2010-04-09
The network has 7 server 2003 Enterprise boxes on it.  The IP set is 10.0.xx.xx.  Matthew runs ISA and Surf Control.  Last Wednesday, everything worked fine.  This morning, Surf Control is down (down meaning it is not blocking any traffic based on the rules we've written) and we cannot RDP from Matthew to any other server on the network.  The error at RDP attempt is:

Because of a protocol error detected at the client (code 0x1104), this session will be disconnected.

We were on the phone with Surf Control and they say it's an ISA issue.  When we go to Services and turn off the Microsoft Firewall, everything works fine so we feel sure it's an ISA issue as well.  However, so far as the three network admins are concerned, the network has been static.  No IMAC's within the last two weeks.

Network logs are silent.  Googling the above error message reveals only a FEW similar problems and none relating to my problem.

Anyone have any thoughts on this?

Thanks

Cliff
Question by:crp0499
12 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 16632421
Forget the IMAC's; just a backside covering exercise....

Are all these servers on the internal network?
Check your rule for rdp and make sure 'local host' is in the rule set.
Anyone changed the System Policy?

I'm assuming this is ISA2004 or 2006?
Open the GUI.
select monitoring - logging - click on start query
Try and make the rdp connection from Matthew. What do you see in the log?
0
 

Author Comment

by:crp0499
ID: 16632470
ISA 2004

All on Internal...same IP set.

Local host and internal is in rule.

Will check on system policy.

Can initiate and receive RDP from all other servers.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16632473
PS, Any changes in policy? Is the remote desktop option selected on the servers?
run netstat on another server and make sure 3389 is listening.

Can you connect using rdp from one server to another?

The default protocol for rdp is tcp 3389 outbound. Anyone fooled with the protocol?
Is there a new rule above the one you are using that is dealing with the rdp traffic first, a block/deny?
0

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16632476
sorry. overtyped you :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16632485
If we can check the logging then. Will be interested to see if a particular rule reports the block or whether it returns a failed connection.
0
 

Author Comment

by:crp0499
ID: 16632634
can RDP from all other servers to other servers.  Only Matthew giving us grief.  Also, can RDP OUT from Matthew, just not IN to Matthew.

No policy changes.

Will run Netstat and see what's listening.  We haven't changed listening port.
0
 

Author Comment

by:crp0499
ID: 16632644

PS:  we queried rule and it opened port and then closed it.  No error reported.
0
 

Author Comment

by:crp0499
ID: 16632663
Sorry...we can't RDP OUT or IN from Matthew.  All other servers can access each other from each other.  Problem is specific to Matthew.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16632667
Did you see return traffic though from the server you called the connection to or was it one way only?

If the traffic left then the rule per se is working. If the traffic did not come back in then this is a different area to identify. (still the ISA but a different approach).
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16632694
Also, if you rdp in from another server to Matthew, do you not see anything in the log then?
0
 

Author Comment

by:crp0499
ID: 16645110
We went thru ISA one rule at a time and disabled each one.  Rule 14, a rule for our AVG updates, was the problem.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16645766
Thanks

Regards
Keith
0
