mustekkzn (South Africa) asked:

ISA 2004 - Remote Desktop and Port Forwarding

Hi Experts
I have managed to setup and configure an ISA 2004 server.
My next step is to configure my ISA 2004 to use Port Forwarding on Remote Desktop.

For example, if I log in remotely and enter my external IP of <externalip:9999> I should go straight to an internal PC which has been published by my ISA 2004.
The following link was given to me which explains it better:
http://www.isaserver.org/articles/2004pubts.html
Now my question is, I did what the above link said I must do, but can't get it to work. I am obviously missing something along the way.
Also, at the moment, I am able to log in remotely, because I have set up a rule for it, but as soon as I add a rule for port forwarding and add the port to my IP address when using Remote Desktop, it just does not want to make the link.

Thanks so much and any help will be much appreciated.
Regards
mustekkzn

Remote-Desktop-Policy---Port-For.JPG
Microsoft Forefront ISA Server

ASKER
mustekkzn

Hi experts
Below is the error I am getting when I am trying to log in remotely.
------------------------------------------------------------------------------------------------------------
The client could not connect to the remote computer.
 
Remote connections might not be enabled or the computer might be too busy to accept new connections.
It is also possible that network problems are preventing your connection.
 
Please try connecting again later. If the problem continues to occur, contact your administrator.
------------------------------------------------------------------------------------------------------------
Thanks so much.
Regards
mustekkzn
Redwulf__53

The (top) rule looks OK.
Next thing to do is to check what happens when you connect, using Logging.
go to Monitoring-> logging, set the condition to:
Record type = Firewall
Log time = live
Protocol = RDP server.
Then click Start query, and try to make a connection again from the internet. The log should now display what is happening....
Redwulf__53

Also remove the second rule; it doesn't look ok and it will conflict with the top rule.
ASKER
mustekkzn

Hi Redwulf

Thanks for all the info.
I just want to send you 2 print screens so long, just to have a look at for me.
With regards to running the query, I am not sure if I am doing it right. Could I please ask you to have a look at the print screen for me.
Also, I went and disabled Policy number 2 for so long.
I also included a print screen of the policy, just to show you that I have changed the port to 9999.
Thanks so much.
mustekkzn
Logs.JPG
Policy-Details.JPG
ASKER
mustekkzn

Hi there, me again.
I attached another print screen, maybe this one has got more info for you to work with?
If you could assist me with setting up the query, I could probably get you more accurate information.
Thanks so much.
mustekkzn
Logs2.JPG
Redwulf__53

Hi,
The query in your first screenshot is almost right: you just need to remove the condition "action - not equal -connection status". The other screenshots do not provide the info.
Then, after running the query and attempting a connection, you can copy the results to your clipboard from a button on the right-hand task pane (you need to open the task pane first, by clicking on the little arrow on the right-hand side of the screen) and paste the results here; better to analyse raw data than screenshots.
ASKER
mustekkzn

Hi Redwulf
I did what you asked me to do. I have also attached the print screen of the policy, just so you can see what it looks like.
Thanks so much.
Mustekkn
Logs.txt
Logs2.JPG
Redwulf__53

Hi
Thanks for the update. Strangely, the log file contains only one line (initiating connection), and your screenshot of the log shows 2 lines....
Anyway, the log proves that your rule works, but we still need to find out why the traffic is then dropped...
Could you configure your logging to log all fields? (on the logging tasks, click "configure firewall logging", then on the Fields tab, check all boxes) then run the query again? You only need to post the log.


ASKER
mustekkzn

Hi there Redwulf
Thanks for your response, I just did what you requested and attached the log to this post.
Hope this helps a bit more.
Regards
mustekkzn
Logs.txt
Redwulf__53

Hi,
wow quick reply.
The log shows it's a "graceful shutdown" of the connection. That means that for some reason the destination host (10.3.3.22) closes the connection... it seems to me that the ISA server is not the problem here.... are you sure TS connections to 10.3.3.22 over port 3389 in your local network work?
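Redwulf's question (do TS connections to 10.3.3.22 over port 3389 work inside the LAN?) can be answered with a plain TCP probe before touching ISA at all. The script below is an added example, not code from the thread or from ISA Server: it classifies what happens when you connect to a host:port, and it starts constructed local listeners so it runs offline. The two-byte greeting the fake server sends and the hint texts are assumptions for illustration, not real RDP protocol.

```python
import socket
import threading
import time

# Probe outcomes and what each usually means in an RDP troubleshooting session.
# "closed-by-peer" is the TCP-level picture behind the "graceful shutdown" log
# entry quoted above: the destination accepted the connection and then closed
# it itself, so the path to the port was fine and the problem is on the host.
HINTS = {
    "refused": "RST received: nothing listens on that port (Remote Desktop off, or on another port).",
    "timeout": "No answer at all: packets are being dropped, typically by a host or network firewall.",
    "closed-by-peer": "Connected, then the destination closed it: the listener is up but rejected the session.",
    "open": "Connected and the service answered: the TCP path to the port works.",
    "open-silent": "Connected, but nothing came back within the read timeout: the port is open.",
    "error": "Connect failed for another reason (no route, unreachable host).",
}


def probe(host, port, connect_timeout=2.0, read_timeout=1.0):
    """Open a TCP connection to host:port and classify what happens."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(connect_timeout)
    try:
        sock.connect((host, port))
    except socket.timeout:
        sock.close()
        return "timeout"
    except ConnectionRefusedError:
        sock.close()
        return "refused"
    except OSError:
        sock.close()
        return "error"
    # Connected. Wait briefly to see whether the peer talks, stays quiet, or hangs up.
    sock.settimeout(read_timeout)
    try:
        data = sock.recv(64)
    except socket.timeout:
        return "open-silent"
    finally:
        sock.close()
    return "closed-by-peer" if data == b"" else "open"


def start_fake_server(behaviour, hold_seconds=5.0):
    """Start a throwaway listener on 127.0.0.1 and return its port (constructed test double).

    behaviour "answer": accept, send a couple of bytes, keep the session open.
    behaviour "hangup": accept and close at once, the "graceful shutdown" case.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == "answer":
            conn.sendall(b"\x03\x00")  # constructed greeting, not real RDP
            time.sleep(hold_seconds)   # keep the session open while the probe reads
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Find a port nothing listens on, to demonstrate the 'refused' outcome."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_demo():
    """Probe three constructed endpoints and return {label: outcome}."""
    endpoints = (
        ("answer", start_fake_server("answer")),
        ("hangup", start_fake_server("hangup")),
        ("nothing", unused_port()),
    )
    return {label: probe("127.0.0.1", port) for label, port in endpoints}


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:8s} -> {outcome:15s} {HINTS[outcome]}")
```

Run probe("10.3.3.22", 3389) once from a LAN workstation and once from the ISA server: "refused" means no RDP listener on that host, "timeout" means something drops the packets, and "closed-by-peer" means the host accepts and then ends the session, which is the distinction the firewall log alone could not settle. A timeout from the ISA box while a workstation gets "open" is the signature of a host firewall exception scoped to the local subnet.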
ASKER
mustekkzn

Okay, we are one step closer now . . . from the ISA server, I am NOT able to connect to the internal PC.
It seems that I am not able to connect to any PC on the internal PC, with that said, it seems that the problem could be from the ISA 2004 server. Could be that I missed installing some service on the server??
I might be jumping the gun a bit here, but I would like to ask the following question; Do I need to do something on the internal PC to change the port number to 9999 for example, as I would like to be able to connect to multiple PC's internally.
Thanks so much for all your help up to now, it is much appreciated.
Regards
mustekkzn
Redwulf__53

". from the ISA server, I am NOT able to connect to the internal PC. "
-> that is possible, but doesn't necessarily have to do with this issue. ISA doesn't allow much by default. But it's worth looking into also. Add the "Local Host" object to the "From" group in the "RDP to test" rule.
Other thing to check:
Are you running a (Windows) firewall on machine 10.3.3.22? Maybe it has an Exception defined for TS, but only for the local subnet.
ASKER
mustekkzn

I am playing around a bit at the mo, but without that feature, this ISA 2004 box is pretty pointless at the moment, because I need to be able to log in to other servers from there (even without using Port Forwarding)
I am pretty sure I am missing something here, a service or something. Just can't think of it at the moment.
-- I could be totally off track here too--

With regards to your above post, I added Local Host to the RDP to test rule and still the same problem.
I went and checked the Firewall settings on the internal PC and it all looks fine, I was even able to connect to this PC via another server.
I will keep you posted....
Thanks once again for all you are doing
Regards
mustekkzn
ASKER
mustekkzn

Another quick Update for you:
I am able to Remote Desktop now from the ISA 2004 to an IP address which is specified in the RDP to Test Rule. Only that IP, no other internal IP's at this point in time. So I have to say sorry for not thinking it is a Policy Rule that is doing this. Attached I have sent you a print screen of the changes I have made.
On the RDP To Test Rule, I added Internal and LocalHost and another change I made was that I changed the port number from 9999 to 3389. That seemed to do the trick in the end.

A quick Summary then:
With policy one enabled, I am able to login remotely to internal PC's.
With policy two enabled, I am able to come in remotely.
SO with that said, I can safely say that we have come a long way from where we were.
Now we must just be able to link the two up and do the port forwarding on.

--I know I asked this before, but don't I need to change the default port (3389) on my internal PC for this to work like it should?

Regards
mustekkzn

Policy-Details---Update.JPG
Redwulf__53

Ok so now for each TS that you want to reach from the internet, you'll make a new rule similar to the RDP to Test rule, with the only differences being a different Firewall Listen port and different Destination IP.
Since you're forwarding all to port 3389 on the destination, you will not need to change the TS port on the individual servers/pc's.


ASKER
mustekkzn

Hi Redwulf
I am not too sure if I explained myself to you too well in my last post.

I am able to log in remotely into the ISA 2004 server, from there I am able to go to the internal PC's as specified in my rule (1).
But with that said, I am not able to go directly, bypassing the ISA 2004 as yet, with just entering
<external IP:port #> into Remote Desktop.
That is the one problem I am still having
                                       ----------------------------------------
My next problem is; if I go to the Policy rule and change from the default port number 3389 to 9999 for example,  I am not able to log into my internal PC from the ISA 2004 server after entering <internal IP:9999> into Remote Desktop.
But if I change my Policy Rule's port number to 3389 and then type in <internal IP:3389> then I am able to connect, no problem.
I hope this makes sense.
Thanks so much.
Regards
mustekkzn
Redwulf__53

Alright, let's take a step back.
In the scenario as I understand it, you have the following (examples):
TS1 - 10.3.3.22 - Listens to RDP on port 3389
TS2 - 10.3.3.27 - Listens to RDP on port 3389

ISA - listens to RDP on port 3389 for connection to ISA desktop
ISA - Listens to RDP on port 9999 for connection to TS1 (rule 1)
ISA - Listens to RDP on port 9998 for connection to TS2 (no rule yet)

Webhost: a computer on the Internet that you want to connect to TS1 and TS2
Workstation: a PC on your LAN  that you want to connect to TS1 and TS2

Now, to make the connections:
From Webhost to TS1: connect to <publicIP:9999>
From Webhost to TS2: connect to <publicIP:9998> (after creating such a rule)
From Workstation to TS1: connect to <10.3.3.22:3389>
From Workstation to TS2: connect to <10.3.3.27:3389>

Does this make sense? Which of these don't work now?
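To make the scenario Redwulf lays out concrete, here is a small model of it as an added example (not part of the thread and not ISA Server code): the publishing rules, a table of which hosts actually listen on which port, a resolver that says where a given connection ends up, and a checker for the kind of rule conflict raised earlier in the thread (two rules on the same listen port, or a listen port that collides with RDP to the ISA box itself). The public IP and the host table are constructed values.

```python
from dataclasses import dataclass

ISA_PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the ISA external address
RDP_PORT = 3389                 # default Remote Desktop port; the TS hosts keep it


@dataclass(frozen=True)
class PublishRule:
    """One RDP server publishing rule: external listen port -> internal host:port."""
    name: str
    listen_port: int            # port the ISA external listener accepts on
    dest_ip: str                # internal terminal server the rule publishes
    dest_port: int = RDP_PORT   # the TS is still reached on its default port
    enabled: bool = True


# Constructed picture of the LAN, mirroring Redwulf's table: TS1, TS2 and the
# ISA server's own desktop all listen on 3389.
HOSTS_LISTENING = {
    "10.3.3.22": {RDP_PORT},    # TS1
    "10.3.3.27": {RDP_PORT},    # TS2
    "isa": {RDP_PORT},          # ISA's own desktop, reached on <publicIP:3389>
}

RULES = [
    PublishRule("RDP to TS1", listen_port=9999, dest_ip="10.3.3.22"),
    PublishRule("RDP to TS2", listen_port=9998, dest_ip="10.3.3.27"),
]


def validate_rules(rules):
    """Return a list of problems; an empty list means the rule set is consistent."""
    problems = []
    used = {}
    for r in rules:
        if not r.enabled:
            continue
        if r.listen_port == RDP_PORT:
            problems.append(f"{r.name}: listen port {RDP_PORT} collides with RDP to the ISA server itself")
        if r.listen_port in used:
            problems.append(f"{r.name}: listen port {r.listen_port} already used by {used[r.listen_port]}")
        used.setdefault(r.listen_port, r.name)
        if r.dest_port not in HOSTS_LISTENING.get(r.dest_ip, set()):
            problems.append(f"{r.name}: {r.dest_ip} has no listener on port {r.dest_port}")
    return problems


def resolve(rules, source, ip, port):
    """Return (host, port, reachable) for a client that connects to ip:port.

    source is "internet" (arrives on the ISA external listener) or "lan".
    """
    if source == "internet":
        if ip != ISA_PUBLIC_IP:
            return (ip, port, False)            # not addressed to ISA at all
        for r in rules:
            if r.enabled and r.listen_port == port:
                ok = r.dest_port in HOSTS_LISTENING.get(r.dest_ip, set())
                return (r.dest_ip, r.dest_port, ok)
        host = "isa"    # no publishing rule matched: the listener is ISA's own desktop
    else:
        host = ip       # LAN clients reach the TS directly; publishing rules play no part
    return (host, port, port in HOSTS_LISTENING.get(host, set()))


if __name__ == "__main__":
    print("rule problems:", validate_rules(RULES) or "none")
    for src, ip, port in (("internet", ISA_PUBLIC_IP, 9999),
                          ("internet", ISA_PUBLIC_IP, 3389),
                          ("lan", "10.3.3.22", 3389),
                          ("lan", "10.3.3.22", 9999)):
        print(f"{src:8s} {ip}:{port} ->", resolve(RULES, src, ip, port))
```

The last lookup in the demo is the asker's failing case from earlier in the thread: from inside the LAN (or from the ISA desktop) <10.3.3.22:9999> reaches nothing, because 9999 exists only as a listen port on the ISA external interface; the TS itself still answers on 3389. The validator flags the conflicts Redwulf warned about: a second rule on the same listen port, and a rule that takes 3389 away from RDP to the ISA box.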

ASKER
mustekkzn

Hi Redwulf
Can I do it like this rather, please, as I am not sure what your descriptions mean....

--External PC = This is for example a PC that is at home and is not connected to the internal network, but can connect to the internet.
--ISA 2004 = Is the server which links the internet to my internal network.
--Internal Workstation  = A PC that is on my private network.

What I need to do:
*Link from an external PC to an internal workstation, directly. . . this gets done apparently by using Port Forwarding. At the moment (with my old ISA 2000 server box), how we are doing it is; logging in from external PC to the ISA 2000 server and then from there use Remote Desktop again to connect to an Internal Workstation.

What we are able to do:
*We can log in with Remote Desktop to the ISA 2004 from the External PC. <PublicIP>
*From the ISA 2004 box, I am able to go to an internal Workstation, but only one IP which has been specified in the rule.(not added any other rules as yet) <10.3.3.22>

Where my problems are lying:
*From ISA 2004 to Internal Workstation - After entering a rule for Port Forwarding to the port number 9999, it does not want to work, but if I change it to 3389, it goes through, no problem.
*From External PC to ISA 2004 box - IF I enter <publicIP> it works. If I enter <publicIP:9999> (With Rule stating port 9999) it does NOT go to the Internal Workstation.
*From External PC to ISA 2004 box - IF enter <publicIP:3389> or just <publicIP> goes to the ISA 2004 straight.
At NO point in time was I ever able to go straight from EXternal PC to my Internal Workstation.

I hope this makes more sense this time, sorry that it seems a bit confusing to you, I am getting a bit confused myself at the moment - lol
Regards
Mustekkzn
ASKER CERTIFIED SOLUTION
Redwulf__53

ASKER
mustekkzn

Yes, just double checked it and it is disabled.
I am not too sure what to do next.
I did stumble across the following document with regards to changing port numbers on an XP machine, not too sure if it could be related to my problem in any way.
http://support.microsoft.com/kb/306759
Just so you know, I did try and change the port number on Internal Workstation, even restarted, and still no luck.
But got to say that changing the port number to 9999 and then trying to just connect via ISA 2004 (not trying to do anything from outside as yet) I could NOT connect to the Internal Workstation from the ISA 2004 server using 10.3.3.22 straight and 10.3.3.22:9999.
I am not too sure what to try next?
Any suggestions perhaps?
Regards
mustekkzn
ASKER
mustekkzn

Hi there
My question has not been completely resolved as I would have liked it, but the expert who assisted me, Redwulf__53, managed to assist me with other problems I was having.
With that said, I will be closing off this question for now.
I would like to say thanks so much to Redwulf for all his help.
Kind regards
mustekkzn