Publish Multiple RDP from ISA 2004 - Getting Unidentified IP Traffic Error

I followed the article below on Publishing Servers with ISA Firewall (2004), a great article - but I am having trouble making it work.

Here is my setup:
My ISA Server (2004, Standard) is behind a NAT; the NAT forwards to a private IP address.
Web publishing works perfectly; I am currently publishing 5 different web servers.

I now need to allow those servers to be administered remotely, but my server has only 1 external IP, so publishing RDP under
different ports should work in my scenario.

The problem I am having is that my firewall port in ISA is not being recognized.
Under monitoring | logging | my request appears with my destination IP and Port, and the Protocol says Unidentified IP Traffic.
Then the action is denied under the default rule.

I have set up the firewall port as described here:
go to firewall policy | and set up a server publishing rule |
On the traffic page I selected RDP | I have assigned another port (9950) in the firewall ports section

Any assistance will be appreciated.
Keith Alabaster (Enterprise Architect) commented:
That's interesting. The routing table states that you have two network cards installed.

One at
Second at

If you are using ISA as a firewall, then one of these cards must be external and the other must be internal.
If you are using the box as a Proxy server then both cards are internal but you can't have both in the ISA server.

If this is accurate then ISA can route to both the and the subnets directly because it has an interface card attached to each. In fact, the default gateway is pointing to the network. The default gateway on ISA MUST be on the external NIC, not on the internal NIC. The internal NIC MUST NOT have a default gateway set.

So, if we follow this through based on this.... is your external network and is your internal network.

The and any other external systems can only get to the machines if you have a service published

All of your external traffic is coming in through the subnet from the Internet to the ISA server address on port whatever

Now we hit a problem in our scenario.
<<<<  my lab webserver ips are 192.168.2.x >>>>

This suggests that your lab webservers are 'external' to ISA, not internal. That being the case, you cannot publish (in ISA) servers that are already external to it.

Does that make sense or have I missed something here?

Keith Alabaster (Enterprise Architect) commented:
I would do this differently to the article

Take this scenario.

Your one outside IP address on your router is
Your internal IP address on your router is

Your external ISA IP is
Your inside ISA IP is

web server 1 -
web server 2 -
web server 3 -

Option 1
Leave all web servers running rdp on port 3389 (which is the default)
On your external firewall/router, forward TCP ports 3389,3390,3391,3392,3393 to (the isa server)

Open the ISA gui.
select firewall policy
use the toolbox (on the right) to create 4 new protocols
TCP - incoming - 3390, TCP - incoming - 3391. keep going and make for 3392 & 3393. Give them names such as rdp - 3390, rdp - 3391 etc

right-click firewall policy and select publish a server as per Tom's document.
give it a name such as rdp to web server 2
select the protocol rdp - 3390. Click on ports
leave the firewall ports exactly as they are (publish using defaults). Change the published server port from 3390 to 3389.
in the destination put in the internal IP of web server 2 (our example

make another publish rule, select rdp - 3391 and repeat for each web server.
save the policy

on your remote client (using our example)
rdp   - web server 2
rdp   - web server 3

Keith Alabaster (Enterprise Architect) commented:
PS Obviously web server 1 will be the de facto rdp protocol using the predefined port 3389

gspronych (Author) commented:
Hi Keith

Awesome example, that is very close to what I want to do.

external firewall / NAT IP is
inside ISA IP is

My websites DNS A records point to
My NAT redirects requests for to on my internal network to be processed by ISA

Web Servers
web server 1 -
web server 2 -
web server 3 -

I have followed your recommendations but I am still having troubles.
Here is the situation

I have setup protocols as you recommended.
When I setup a firewall policy 'web server 1', I am using protocol 'rdp - 3390'.
When I assign the TO tab to, I still get an error on the monitoring | logging
Port: 3390, Unidentified IP Traffic, Denied under default rule

When I assign the TO tab to I also get the same error.
BUT, if I go to the TRAFFIC tab and Ports... and leave ports on the defaults, the protocol shows in my log.
Port: 3390, RDP 3390

Do I have something else misconfigured?
It seems very straight forward.

Thanks for your assistance
Keith Alabaster (Enterprise Architect) commented:
basically you are doing this:

Traffic is arriving at on port 3390 and being forwarded (by your external router) to ISA.
ISA says haha! Here comes traffic on port 3390. Goodee :)
I have a published server called rdp - 3390
My ports section says forward this to port 3389 but at the IP address of web server 2

Traffic is arriving at on port 3391 and being forwarded (by your external router) to ISA.
ISA says haha! Here comes traffic on port 3391. Goodee :)
I have a published server called rdp - 3391
My ports section says forward this to port 3389 but at the IP address of web server 3

If you look in the ports section of each published server (you should have five now, one per web server), the first section says to publish to the firewall either the default protocol rule (which is what we want) or an alternative port. We want the publishing to be as we have made them: 3389 published to the normal rdp port of 3389, rdp - 3390 published to its own 3390, rdp - 3391 published to its own 3391, exactly as we have created them in the new protocols.

The second section (server) says do I push this protocol to the internal server on its default port or change it for something different? We want ALL of our five rules to forward on 3389 because this is what the web servers are ALL listening on. So, in essence we have:

client               --- router on port 3389  ** ISA ** port 3389--- web server 1 (no change)
client       --- router on port 3390  ** ISA ** port 3389 --- web server 2
client       --- router on port 3391  ** ISA ** port 3389 --- web server 3
client       --- router on port 3392  ** ISA ** port 3389 --- web server 4
etc etc

gspronych (Author) commented:
Hi Keith

I understand what we are trying to accomplish, but something is not working.

The protocol I created only seems to work when the ISA firewall policy points to the ISA server.
When I point the policy to the IP any of my webservers... 1, 2, 3... etc the request appears as unidentified IP traffic?

gspronych (Author) commented:
Also, when I change the Published Server Port to anything but default, it also appears as unidentified.
Even though the Destination port is correct in the log.

I have even set the protocol port to publish on the same port to make sure it is not somehow getting the wrong value.
Keith Alabaster (Enterprise Architect) commented:
Let's do a walkthrough of the 3390 traffic.

open the protocols and double click the rdp - 3390 definition
all this should show is tcp   port 3390   inbound
If it shows anything different, edit the protocol accordingly.

Now double click the publishing rule you have for the server that is to be contacted when the ISA receives traffic over port 3390.
name should be what ever you have called it.
Action should be allow
Traffic should be rdp-3390 (as per our protocol above)
clicking on ports should show everything at default except server ports which should have 3389 in the box
FROM should be anywhere
TO should be the internal IP address of the web server you want to pick
Networks should have EXTERNAL only ticked.
Schedule should be always.

make sure you have clicked the yellow Apply button as well at the top of the screen.... :)
Now try it again from an outside work station.

PS Sometimes I hate ISA even though I am an MCT for it.
gspronych (Author) commented:
I would love to be an MCT in my specialization... but it will never happen at the rate I am going at. ;)

I am RDP'd into our data center on the other side of the country (logically) where I am making the changes, and I am testing them locally.
I have been clicking apply after every group of changes I make then test them... a real pain.

I have my settings exactly how you have described, and I still have the problem I described.

Let me clarify my situation since I think I have found a potential problem.

My ISA, and my web servers (1,2,3 etc) are running in a virtualized environment hosted on the same server.
My ISA server can ping my web servers, but my web servers cannot ping my ISA server.

My web server ISA publishing is working correctly, but RDP does not work at all.
Should it matter if there is no 2-way communication? Web publishing works, so why shouldn't other protocols?

I didn't create the environment... I have been assigned to fix someone else's problem.
The web servers are to be virtual labs for our product, and the intention is to give them limited network access.

Thanks for your insight
Keith Alabaster (Enterprise Architect) commented:
You will not be able to test the RDP local to the ISA; this has to come from the external interface, i.e. through the internet (it won't work from the ISA server directly...)
gspronych (Author) commented:
I don't intend to test connecting from the ISA server.

I was wondering if there is a problem with my configuration.

My ISA server has external and internal access, which is a virtual server on the same server as my web servers.
My web servers only have access to the host server, and the virtual servers it contains.

I am trying to look at any other potential problem since my configuration 'should' work.

Keith Alabaster (Enterprise Architect) commented:
Agreed, it should.

I am wondering if some other form of lockdown is being used on the box as two way communication should be fine also.

What other rules are in place on the ISA besides the ones we have put in?
gspronych (Author) commented:
My network configuration is set to 'Back Firewall' if that makes any difference.

for rules,
1 | server publish rule | the RDP connection I am trying to configure
2 | web publish rule | is an HTTP protocol from an HTTP listener to my virtual lab
3 | server publish rule |  protocol - RDP | from - internal | to my internal adapter (allows me to RDP the server instead of the ActiveX control)
4 | last rule | deny all traffic, all networks

Keith Alabaster (Enterprise Architect) commented:
Back firewall simply means that there is another firewall between the ISA and the internet. Edge firewall is when ISA is directly connected to the Internet and no other firewall is in place. Front is the converse of back, obviously. The templates set the defaults of some of the registry keys and configuration settings.

Would you humour me for a minute or two?

in the gui, click on the firewall policy.
You will see a line of icons along the top of the window. the last icon should be the system policy. Clicking on it one will show the additional (hidden) system policy rules. Clicking it again rehides them.

There are rules in here about allowing remote management from the ISA itself.

I am using ISA2006 at the moment so I can't remove it to reinstall ISA2004 but on 2006 it is rule 3 (allow terminal services from or to ISA). You may need to add the addresses etc into these two rules.
gspronych (Author) commented:
Hi Keith

I set the rule to allow from Anywhere, I also tried 'all networks'.
Still no change.

At this point I am considering building a new Virtual Server, since these steps should work on a base install.

Would you see any benefit from using Enterprise version instead of Standard?
We are a Gold partner and have licenses available for each.
Keith Alabaster (Enterprise Architect) commented:
I would love to say yes but it will make no odds. There is also no point in adding more levels of complexity when we are not able to get the basics functioning. A re-install/new install may operate straightaway. I use vmware rather than virtual server but I am planning to install ISA this evening on the vmware platform to see if I can emulate your problem.
gspronych (Author) commented:
Doing more testing I found this interesting.

I used my allow internal RDP to the ISA server rule.
I changed the TO to my webservers, but it would connect me with the ISA server, not with the server I specified.

Changing ports still caused the Unidentified IP Traffic error.

If I add Anywhere to the 'allow remote management from selected computers using TS', I could connect to the ISA server externally, not the specified server, as well.
Keith Alabaster (Enterprise Architect) commented:
lol, another step forward....

Not the answer but once you have rdp'ed onto the ISA, can you rdp from the ISA to the web servers?
gspronych (Author) commented:
Yes, once connected to the ISA server, it is possible to RDP to the webservers.

However, that is not my desired outcome.
Potential clients will be connecting to our web servers so I do not want them to RDP to the ISA server, then RDP to their web server.

When they are done with our webservers we simply discard the undo disks and we have a new web server again; having them connect through our ISA server would be a security risk.
I am having enough trouble to get ISA to work how I want the first time...

Would it help to create an Access Rule for those protocols?
I have been playing around with them to see if it will make any difference.

Keith Alabaster (Enterprise Architect) commented:
Doing this as an access rule means that you bypass the main security of the ISA. You are, in effect, simply pushing those packets to an internal IP address and acting like a simple layer 3 router; not an application layer firewall.

I am home now so will be having my grub shortly. After this, I will see if I can reproduce your scenario.
gspronych (Author) commented:

Is there anyway to disable the last default rule?
My ISA is essentially a back firewall so I really do not need the additional firewall protection.

I only need ISA to route traffic to the correct HTTP/RDP address.
Do you have any advice how I can accomplish this?

gspronych (Author) commented:
OK, HUGE break through.

The web server IPs were missing on the config | networks | internal setting
HUGE oversight, I apologize.

If I have my external adapter added to my internal network here is my log:
log shows my RDP rule - RDP 2112 (dest port 3389)
It shows Initiated connection
And works
identified ip traffic

If I do not have my external adapter added to my internal network here is my log:
(same messages internally and externally)
log shows my RDP rule - RDP 2112 (dest port 3389)
It shows Initiated connection RDP 2112
Then the next line has denied connection | protocol RDP
And I can no longer RDP from my ISA server to my web servers with the same error

Do you have any advice at this point?
Keith Alabaster (Enterprise Architect) commented:
I'm bushed to be honest. It's 12.10 here (just checked my mail before going to bed). I'll read this properly in the morning and respond rather than rushing it.

Cheers Keith.

PS, yes, that will make a difference. Thanks for the update as I had never seen the scenario not work before.
PPS. I was unable to recreate your issue.
Keith Alabaster (Enterprise Architect) commented:
Ok. the external adaptor address should not be on the internal LAT. In effect you are saying the outside is trusted.

So apart from the ones we have created, where is the bog standard rdp (port 3389) being directed to? What is the internal IP address of the web server?

On your client, you are just opening a connection to the IP address, you are not using a port number?

for example, you are just using the external IP address

gspronych (Author) commented:
Currently, the standard port (3389) is consumed by the ISA server itself.
I can RDP externally to the ISA server since I added anywhere to the 'allow remote management from selected computers'
I will want to change the port so clients do not try to connect to the standard port

I setup a protocol I called RDP - 2112 to accept on 2112 and publish to 3389
I created an access rule to allow RDP terminal services and my custom protocol RDP - 2112

when I bring up RDC I connect with
log shows my RDP rule - RDP 2112 (dest port 3389)
It shows Initiated connection RDP 2112
Then the next line has denied connection | protocol RDP

This is where I am at today.
gspronych (Author) commented:

This is the error in the ISA logs

I can no longer ping the webservers from the ISA server either, also denied.

The web servers are still up and running, I can RDP from another server in the network.
gspronych (Author) commented:
I didn't think this would be an issue since the web servers are accessible from the 1.x IPs, but it seems to be.

my actual internal ips are 192.168.1.X
my lab webserver ips are 192.168.2.x

I changed my RDP 2112 to point to another IP in the 1.x, and it works externally.
But once I change it to point to my webservers 2.x RDP denies the connection.

Does this help?
Keith Alabaster (Enterprise Architect) commented:
OK, the custom rule does not need terminal services as well; it just needs.
You do not need a custom rule at all. Just publish a server using the custom protocol and change the PORTS setting to make sure the received traffic is forwarded from ISA on 3389 as we have discussed.
Does ISA server have a route to get to the network?
gspronych (Author) commented:
I am reading up on articles on as we speak, and I am thinking the same thing; there may be a routing issue.
I am looking at this article right now

Unfortunately my routing knowledge is limited
here is my routes table; I do have an entry for, but I have no idea if it is correct.
I do know before I added the webservers to the Internal Network I was able to access them.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     20      1     20     20     20     20     20     20     20     20      1      1
Default Gateway:
Persistent Routes:

gspronych (Author) commented:
WoW, you are good. 8)

Your description does make sense, and does describe why I cannot make it work.
But I have set my lab IP range as internal on the networks tab?

Here is the scenario
1.x is our hosting environment
2.x is our lab environment

The person who deployed this server wanted it on both networks.
BUT, they wanted all traffic to be routed via the 2.x network so not to interfere with hosting traffic.

So what you are saying is my external connection cannot be used for internal and external traffic.
I should be using ISA as a proxy server, and should not have a default gateway.

How do I change the configuration so it is only a proxy server?
Keith Alabaster (Enterprise Architect) commented:
What you have ended up with basically is using ISA as a router, not a firewall.

Open configuration - networks
Click on network rules (at the bottom)
For local host access, have you got local host - All networks - route?
gspronych (Author) commented:
No problem, ISA is a back firewall in my scenario... I only need it as a routing server.

for Network Rules I have

1. Local host access | route | local host |all networks
2. VPN Clients to Internal network | route | VPN Clients and Quarantined VPN | internal
3. Internet Access | NAT | Internal and VPN | external

What do I need to change?
Keith Alabaster (Enterprise Architect) commented:
I need to have a think on this as I am not convinced in my own mind that we 'can' just make a change.
gspronych (Author) commented:
Hi Keith

Any thoughts on which way will work?
Keith Alabaster (Enterprise Architect) commented:
I am trying it here as we speak (I have just got in from work). As I run ISA2006 now as standard, I have to reload images etc to get back to your scenario with 2004....

I know I make statements but it helps me to think :)

1. You currently have a firewall scenario but have put the external interface address range into the internal LAT. You are now routing between the two different areas even though they are on opposite sides of the ISA. This is why publishing will not work properly and everything was denied. ISA expects to pass everything THROUGH its filters (external to internal). Because the external addresses are now seen as internal, ISA doesn't feel that it is passing traffic through the filters; it is simply passing traffic from internal to internal.

2. In concept you are happy to do this because really you just want to route between the two subnets. However, you need ISA (working really) as you want to be able to contact each web server individually.

3. The end result required is to get to each of the web servers to administrate them but to keep the real web servers and the lab servers separate.

I will post shortly with a set of options that we can discuss.

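The two things this thread turns on are the port-mapping plan from Keith's "Option 1" (one external address, one custom protocol per server, every rule forwarding to 3389) and the diagnosis just above (the external interface's range sitting inside the Internal network, so ISA never sees traffic as crossing its filters). The script below is an added example, not anything from the thread or from ISA itself: it encodes those checks, plus Keith's earlier points that the default gateway must be on the external side and that a published server must be in the Internal network on a subnet ISA actually has an interface on. Every address in it is a constructed placeholder, since the thread's own addresses were stripped; the `BROKEN` and `FIXED` layouts are constructed to mirror the before and after states described in the thread.

```python
"""Consistency checks for an ISA 2004 server-publishing layout like the one in this thread.

Added example (not ISA's own tooling); every address below is a constructed placeholder.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List

RDP_PORT = 3389  # the port the web servers actually listen on


@dataclass(frozen=True)
class PublishRule:
    """One server-publishing rule as built in the thread."""
    name: str           # e.g. "rdp to web server 2"
    firewall_port: int  # the custom protocol's port ("rdp - 3390" -> 3390)
    server_port: int    # Ports | published server port
    server_ip: str      # TO tab: the internal address of the server


@dataclass
class IsaHost:
    external_ip: str            # address on the external NIC
    default_gateway: str        # must sit on the external side
    internal_ifaces: List[str]  # internal NIC addresses with prefix, e.g. "192.168.11.5/24"
    internal_ranges: List[str]  # Configuration | Networks | Internal address ranges


def check_layout(isa: IsaHost, rules: List[PublishRule]) -> List[str]:
    """Return findings; an empty list means the layout matches the thread's working state."""
    internal_nets = [ip_network(r) for r in isa.internal_ranges]
    ifaces = [ip_interface(i) for i in isa.internal_ifaces]

    def is_internal(addr) -> bool:
        return any(addr in net for net in internal_nets)

    findings: List[str] = []

    # External NIC inside the Internal network: outside traffic is treated as internal-to-internal.
    ext = ip_address(isa.external_ip)
    if is_internal(ext):
        findings.append(f"external address {ext} is inside the Internal network; "
                        "publishing rules will not apply to traffic arriving on it")

    # The default gateway belongs on the external NIC, never the internal one.
    gw = ip_address(isa.default_gateway)
    if is_internal(gw):
        findings.append(f"default gateway {gw} is inside the Internal network; it must be external")

    seen: Dict[int, str] = {}
    for r in rules:
        # One external address: each custom protocol needs its own firewall port.
        if r.firewall_port in seen:
            findings.append(f"{r.name}: firewall port {r.firewall_port} already used by {seen[r.firewall_port]}")
        seen[r.firewall_port] = r.name
        # Every rule forwards to the port the server listens on.
        if r.server_port != RDP_PORT:
            findings.append(f"{r.name}: server port {r.server_port}, but the server listens on {RDP_PORT}")
        dst = ip_address(r.server_ip)
        if not is_internal(dst):
            findings.append(f"{r.name}: {dst} is not in the Internal network; ISA cannot publish a server external to it")
        elif not any(dst in i.network for i in ifaces):
            findings.append(f"{r.name}: {dst} is on no internal interface subnet; ISA needs a route to it "
                            "(the thread's fix was a NIC in that subnet)")
    return findings


def client_targets(public_ip: str, rules: List[PublishRule]) -> Dict[str, str]:
    """Map what a remote client connects to (public_ip:port) to the server that answers."""
    return {f"{public_ip}:{r.firewall_port}": r.server_ip for r in rules}


def example_rules(subnet: str) -> List[PublishRule]:
    """Option 1 from the thread: web server 1 on the default port, the rest on 3390, 3391, ..."""
    return [PublishRule(f"rdp to web server {n}", RDP_PORT + n - 1, RDP_PORT, f"{subnet}.{10 + n}")
            for n in (1, 2, 3)]


# Constructed "before" state: external range in the Internal network, lab servers on a subnet with no ISA NIC.
BROKEN = IsaHost(external_ip="192.168.1.5", default_gateway="192.168.1.1",
                 internal_ifaces=["192.168.11.5/24"],
                 internal_ranges=["192.168.1.0/24", "192.168.2.0/24", "192.168.11.0/24"])
# Constructed "after" state: only the lab subnet is Internal and ISA has an interface on it.
FIXED = IsaHost(external_ip="192.168.1.5", default_gateway="192.168.1.1",
                internal_ifaces=["192.168.11.5/24"],
                internal_ranges=["192.168.11.0/24"])

if __name__ == "__main__":
    for label, host, subnet in (("broken", BROKEN, "192.168.2"), ("fixed", FIXED, "192.168.11")):
        print(f"== {label} ==")
        for finding in check_layout(host, example_rules(subnet)) or ["no findings"]:
            print(" -", finding)
    for target, server in client_targets("203.0.113.10", example_rules("192.168.11")).items():
        print(f"mstsc /v:{target} -> {server}")
```

Run as-is it reports five findings for the constructed broken layout (external address and gateway inside Internal, three servers with no directly connected interface) and none for the fixed one, then prints the client-side view Keith describes, where each remote user connects to the router's public address on a different port and lands on a different web server.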
gspronych (Author) commented:
I appreciate all your help Keith, here is what I did based on your guidance.

Since I cannot forward on the external adapter, I created an additional virtual adapter on the ISA server in the 11.x

I changed my virtual servers to use the same 11.x, added the adapter to the Internal adapter in ISA.

Just like magic... everything works as you described.

Thanks for ALL of your help.
Keith Alabaster (Enterprise Architect) commented:
That's a great solution Gary, nice one as this was a tricky little blighter. Your idea has taught me something there as well.

Best regards