ISA 2004 issues with remote desktop connecting through LAN

I am running ISA server as an Internet gateway to two local LANs. I have multiple external IPs terminating on the Public NIC of the ISA server, and two local subnets running on two other NICs in the ISA server. Both these local LANs have the IP of the ISA server NIC they are connected to as their default gateway, i.e. and

I can easily route all incoming traffic such as SMTP, POP, remote desktop etc. based on the incoming IP to the correct servers on either of the two local LANs. That works fine. I can also remote desktop locally to any of the other servers in either of the two subnets. But locally, from either of the two local LANs, I am completely unable to remote desktop into the ISA server itself. I get a "client could not connect" error. It would seem to me that this should be a fairly simple problem, and I keep looking at the way I have set it up and wonder why it doesn't work! But here is what I have done anyway.

I have created an access rule:
"Allow" "rdp terminal services" and "rdp terminal services server" FROM "all networks and local host" TO "all networks and local host".

Then I created a server publishing rule:
"allow" "rdp terminal services server" FROM "Anywhere" TO: I have tried the local IPs that the ISA server's NICs are configured with, such as and , and I have tried ; none seem to work. I have also tried both settings, "requests appear to come from original client" and "requests appear to come from ISA server". Since I am only trying to connect locally, the choice to have the requests appear to come from the original client makes most sense to me, but I do not know which setting is correct in this case. Then for networks to listen on I chose "internal and local host".

I get no errors in the monitoring window after applying these settings, and yet if I try locally, when connected to either local LAN, and connect remote desktop to or , it will not connect! I also cannot telnet to port 3389 on the ISA server from either of the two LANs. I have also double checked that remote desktop is on.

Please help me resolve this issue! It might be something very simple I have missed and am doing wrong, or I might be going about this in completely the wrong way! Either way I'm happy for any help and advice!

1. Funny but important question: is Remote Desktop enabled or not?
2. Let's be more specific in the rules. Try to put in Internal in place of All Networks in the rule (i.e. From Internal and Localhost to Internal and Localhost).
3. After applying the rules, try to restart the Firewall Service, as sometimes it takes time to open the ports even after applying the rule.
4. Add one computer from any subnet in the Remote Management Computers and Try to connect to the server.

Let me know if it works..
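The four checks above can be verified from the ISA server's own console in one pass. The following script is an added example written for this thread, not code from any participant; it assumes PowerShell is installed on the server, that the Microsoft Firewall service's short name is "fwsrv", and that RDP listens on TCP 3389 (adjust the parameters if your install differs).

```powershell
# Added example (not from the thread): run on the ISA 2004 server as an administrator
# to confirm the items from the answer above, optionally restarting the Firewall
# service and re-testing the RDP port on every local NIC address afterwards.
param(
    [string]$FirewallService = 'fwsrv',   # assumption: ISA 2004 Microsoft Firewall service name
    [int]$RdpPort = 3389,                 # standard Terminal Services port
    [string[]]$TargetAddress,             # defaults to this host's own IPv4 addresses
    [switch]$RestartFirewall
)

# 1. Is Remote Desktop enabled at the OS level? (fDenyTSConnections = 0 means allowed)
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
"Remote Desktop enabled in OS   : $rdpEnabled"

# 2. Is the Terminal Services listener actually bound on the RDP port?
$listening = netstat -an | Select-String "TCP\s+\S+:$RdpPort\s+\S+\s+LISTENING"
"Port $RdpPort in LISTENING state  : $([bool]$listening)"

# 3. State of the Microsoft Firewall service, which enforces the access rules
$svc = Get-Service -Name $FirewallService -ErrorAction Stop
"$FirewallService service state     : $($svc.Status)"

# 4. Optionally restart it, as the answer suggests, and wait until it is back up
if ($RestartFirewall) {
    Restart-Service -Name $FirewallService -Force
    (Get-Service -Name $FirewallService).WaitForStatus('Running', '00:01:00')
    "$FirewallService restarted        : $((Get-Service -Name $FirewallService).Status)"
}

# 5. Attempt a TCP connect to the RDP port on each internal NIC address.
#    A failure here with step 2 passing points at the ISA rules, not at RDP itself.
if (-not $TargetAddress) {
    $TargetAddress = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
}
foreach ($ip in $TargetAddress) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $async = $client.BeginConnect($ip, $RdpPort, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch { $ok = $false }
    finally { $client.Close() }
    "TCP connect $ip`:$RdpPort         : $ok"
}
```

Run it once before and once with -RestartFirewall after changing the rule to Internal/Local Host; if step 5 only succeeds after the restart, the rule was correct and the service simply had not picked it up yet.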

Leon Fester (Senior Solutions Architect) commented:
Firstly, do NOT assign more than 1 default gateway to a machine, irrespective of the number of NICs you've got installed. Only 1 default gateway per machine.

Sort out those settings and test.

I'll read the rest of your post now.
Leon Fester (Senior Solutions Architect) commented:
Edit your System Policy, and assign the necessary networks as allowed in the Terminal Server settings.

Right click Firewall Policy.
Select 'Edit System Policy'.
Look for 'Remote Management'.
Select Terminal Server.
Check Enable.
Select the 'From' tab.
Add the necessary network ranges/machines/IPs.


GavinJamesHughes (Author) commented:
Hi Localboy, thanks for replying. I was a bit vague with the description of the gateways; when I said "Both these local LAN's have the IP of the ISA server NIC they are connected to as their default gateway ie and" I meant the client computers on these subnets, not the ISA server. The ISA server has only one default gateway. The clients have either or depending on which subnet they are in.

Just going to change the system policy now, will see how that goes.
GavinJamesHughes (Author) commented:
I have looked at the System Policy as explained above, and Terminal Server was already enabled. I have added "All networks and Local host" and "all users" to the allow list just to see if authentication is the issue, but I am still unable to remote into the ISA server locally. Any other ideas?
jkaios (IT Director) commented:
<<But I am still unable to remote into the ISA server locally>>

Are you trying to access/control your ISA Server remotely? If so, why not use the ISA Server Management console: just install the "client-side" tool on a workstation (i.e., a Windows XP machine). Then, by using the ISA Server Management console, you can connect to the specified ISA Server and control it from the workstation.
GavinJamesHughes (Author) commented:
Thanks for your reply, Jkaios.

I have been using the ISA Server Management console since I first started to get sick of walking out to the server room and back again a million times; it works perfectly and allows me to do many of the things I need to do on the ISA server. Unfortunately, many of the changes I have to make are not in the ISA Management console itself; changes such as configuring network cards, configuring the routing table etc. need to be done in the operating system itself. These are things that remote desktop allows me to do but a remote installation of the ISA Server Management console will not.

I am also just really annoyed that something that should be so easy has beaten me so comprehensively. So I am really keen to get remote desktop working, even though the ISA Server Management console does allow a fairly good level of remote control of the ISA server.
jkaios (IT Director) commented:
How about trying to add trusted subnets to the Windows Routing Table (WRT) on the ISA Server by using the "Route Add" command.

jkaios (IT Director) commented:
... if the ISA Server you are trying to remotely connect to resides on a different subnet.
GavinJamesHughes (Author) commented:
Hi Kumar,
Remote desktop is definitely enabled and has been the whole time.

I have done exactly as you said and it has fixed the problem! It may have been the restart of the service that did the trick, because I can't see how having only Internal and Local Host could allow it to work when having All Networks and Local Host would not work. But regardless of that, it is working now, and I have tested from a number of local machines and it works from all of them on both subnets. So thank you for your help!
