Solved

ISA 2004 issues with remote desktop connecting through LAN

Posted on 2006-05-17
Last Modified: 2010-04-11
I am running ISA Server as an Internet gateway to two local LANs. I have multiple external IPs terminating on the public NIC of the ISA server, and two local subnets running on two other NICs in the ISA server. Both these local LANs have the IP of the ISA server NIC they are connected to as their default gateway, i.e. 192.168.1.253 and 192.168.2.253.

I can easily route all incoming traffic such as SMTP, POP, remote desktop etc. based on the incoming IP to the correct servers on either of the two local LANs. That works fine. I can also remote desktop locally to any of the other servers in either of the two subnets. But locally from either of the two local LANs I am completely unable to remote desktop into the ISA server itself. I get a "client could not connect" error. It would seem to me that this should be a fairly simple problem, and I keep looking at the way I have set it up and wonder why it doesn't work! But here is what I have done anyway.

I have created an access rule:
"Allow" "rdp terminal services" and "rdp terminal services server" FROM "all networks and local host" TO "all networks and local host".

Then I created a server publishing rule:
"allow" "rdp terminal services server" FROM "Anywhere" TO: I have tried the local IPs that the ISA server's NICs are configured with, such as 192.168.1.253 and 192.168.2.253, and I have tried 127.0.0.1. None seem to work. I have also tried both settings, "requests appear to come from original client" and "requests appear to come from ISA server". Since I am only trying to connect locally, the choice to have the requests appear to come from the original client makes most sense to me, but I do not know which setting is correct in this case. Then for networks to listen on I chose "internal and local host".

I get no errors in the monitoring window after applying these settings, and yet if I try locally when connected to either local LAN and connect remote desktop to 192.168.1.253 or 192.168.2.253 it will not connect! I also cannot telnet to port 3389 on the ISA server from either of the two LANs. I have also double checked that remote desktop is on.

Please help me resolve this issue! It might be something very simple I have missed and am doing wrong or I might be going about this in completely the wrong way! Either way I’m happy for any help and advice!
Question by:GavinJamesHughes
10 Comments
 
LVL 26

Expert Comment

by:Leon Fester
ID: 16708545
Firstly, do NOT assign more than 1 default gateway to a machine, irrespective of the number of NICs you've got installed. Only 1 default gateway per machine.

Sort out those settings and test.

I'll read the rest of your post now.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 600 total points
ID: 16708579
Edit your System Policy, and assign the necessary networks as allowed in the Terminal Server settings.

Howto:
Right click Firewall Policy.
Select 'Edit System Policy'
Look for 'Remote Management'
Select Terminal Server
Check Enable
Select 'From' Tab
Add the necessary network ranges/machines/IPs


0
 

Author Comment

by:GavinJamesHughes
ID: 16714789
Hi Localboy, thanks for replying. I was a bit vague with the description of the gateways. When I said "Both these local LAN's have the IP of the ISA server NIC they are connected to as their default gateway ie 192.168.1.253 and 192.168.2.253" I meant the client computers on these subnets, not the ISA server. The ISA server has only one default gateway. The clients have either 192.168.1.253 or 192.168.2.253 depending on which subnet they are in.

Just going to change system policy now see how that goes.
0

 

Author Comment

by:GavinJamesHughes
ID: 16738640
I have looked at the System Policy as explained above and Terminal Server was already enabled. I have added "All networks and Local host" and "all users" to the allow list just to see if authentication is the issue. But I am still unable to remote into the ISA server locally. Any other ideas?
0
 
LVL 12

Assisted Solution

by:jkaios
jkaios earned 150 total points
ID: 16788718
<<But I am still unable to remote into the ISA server locally>>

Are you trying to access/control your ISA Server remotely?  If so, why not use the ISA Server Management console - just install the "client-side" tool on a workstation (i.e., a Windows XP machine).  Then by using the ISA Server Management console, you can connect to the specified ISA Server and control it from the workstation.
0
 

Author Comment

by:GavinJamesHughes
ID: 16804095
Thanks for your reply Jkaios,

I have been using the ISA Server Management console since I first started to get sick of walking out to the server room and back again a million times. It works perfectly and allows me to do many of the things I need to do on the ISA server. Unfortunately many of the changes I have to make are not in the ISA management console itself; changes such as configuring network cards, configuring the routing table etc. need to be done in the operating system itself. These are things that remote desktop allows me to do but a remote installation of the ISA Server Management console will not.

I am also just really annoyed that something that should be so easy has beaten me so comprehensively. So I am really keen to get remote desktop working even though the ISA Server Management console does allow a fairly good level of remote control of the ISA server.
0
 
LVL 12

Expert Comment

by:jkaios
ID: 16805510
How about adding trusted subnets to the Windows Routing Table (WRT) on the ISA Server by using the "Route Add" command?

See http://www.isaserver.org/pages/article_p.asp?id=1342
0
 
LVL 12

Expert Comment

by:jkaios
ID: 16805517
... If the ISA Server you are trying to remotely connect to resides on a different subnet.
0
 
LVL 7

Accepted Solution

by:
Kumar_Jayant123 earned 750 total points
ID: 16940209
Hi,

1. Funny but important question: is Remote Desktop enabled or not?
2. Let's be more specific in the rules. Try to put in Internal in place of All Networks in the rule (i.e. From Internal and Localhost to Internal and Localhost).
3. After applying the rules, try to restart the Firewall Service, as sometimes it takes time to open the ports even after applying the rule.
4. Add one computer from any subnet to the Remote Management Computers and try to connect to the server.

Let me know if it works..
Kumar

0
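Added example, not part of the thread: a client-side check that separates the failure modes the accepted answer lists (listener off versus firewall policy dropping the connection) by connecting to port 3389 and sending an X.224 Connection Request. The helper name `probe_rdp` and the result labels are hypothetical; the two addresses are the ISA interface IPs from the question, and the reading of a timeout as a policy block assumes the firewall drops denied packets silently.

```python
import errno
import socket

# X.224 Connection Request with an RDP negotiation request asking for
# standard RDP security: TPKT header (4) + X.224 CR (7) + RDP_NEG_REQ (8).
X224_CR = bytes([0x03, 0x00, 0x00, 0x13,
                 0x0E, 0xE0, 0, 0, 0, 0, 0,
                 0x01, 0x00, 0x08, 0x00, 0, 0, 0, 0])

# Reading of each result. Assumption: the firewall drops denied packets
# silently, so a policy block shows up as a timeout rather than a reset.
MEANING = {
    "rdp": "listener and firewall policy both allow the session",
    "refused": "nothing listening: check that Remote Desktop is enabled",
    "filtered": "no answer: check the allowed 'From' networks, "
                "then restart the Firewall service",
    "open-not-rdp": "port answers, but not with RDP: check what is bound",
}

def probe_rdp(host, port=3389, timeout=3.0):
    """Classify one TCP/RDP connection attempt (hypothetical helper)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(X224_CR)
            try:
                reply = s.recv(64)
            except (socket.timeout, ConnectionResetError):
                return "open-not-rdp"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc))
    # A Connection Confirm is a TPKT (0x03) whose X.224 code byte is 0xD0.
    is_cc = len(reply) >= 6 and reply[0] == 0x03 and reply[5] == 0xD0
    return "rdp" if is_cc else "open-not-rdp"

if __name__ == "__main__":
    # The two internal ISA interface addresses given in the question.
    for addr in ("192.168.1.253", "192.168.2.253"):
        result = probe_rdp(addr)
        print(addr, result, "-", MEANING.get(result, "network error"))
```

Run it from a client on each subnet before and after a policy change; a result that moves from `filtered` to `rdp` only after the Firewall service restart points at the delayed rule application mentioned in step 3.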
 

Author Comment

by:GavinJamesHughes
ID: 16965239
Hi Kumar,
Remote desktop is definitely enabled and has been the whole time.

I have done exactly as you said and it has fixed the problem! It may have been the restart of the service that did the trick, because I can't see how having only internal and local host could allow it to work when having all networks and local host would not work. But regardless of that it is working now, and I have tested from a number of local machines and it works from all of them on both subnets. So thank you for your help!


Regards
0
