Solved

Allow RDP to tunnel from internal to external network through ISA 2006 proxy server?

Posted on 2008-06-17
6
853 Views
Last Modified: 2013-11-21
I have an ISA 2006 proxy server which internal users must go through to gain access to external/ internet resources. Since I implemented the server, internal users are unable to connect to RDP via web connections to external servers. I have modified the rule for internet access to allow the RDP protocol but this hasn't resolved it.

Looking further into it I understand that when you connect to a web RDP server, it simply downloads the ActiveX Terminal Services client and then tries to connect you as standard via 3389 to the server. I think this is where my trouble lies as by default the client machine will only direct port 21, 80 & 443 traffic to the ISA server. THis being the case, the 3389 connection is attempted directly from the client machine and hence, fails as the client machine has no direct internet access.

Is there any way I can get the RDP connection out through the proxy server? Or is there no other way than to bypass the proxy server for this whole process?

Feel free to ask me any more questions, thanks for your time!
0
Comment
Question by:bermyman
  • 2
  • 2
6 Comments
 
LVL 6

Expert Comment

by:Nyah247
ID: 21815689
Setup a live monitoring session for a single test workstation on ISA and attempt to access your RDP site.  What does the monitor say is being denied?  
0
 

Author Comment

by:bermyman
ID: 21815849
I setup live monitoring to check. I see the connections being made initially up to the point where it gets to the activex terminal services client. It's at this point that it'll begin using the TS client, which the proxy will have no record of as it's straight out port 3389.

So all live monitoring sees is the connections up to the point where the active-x control comes down. The client machine makes a separate connection to the TS server from here on - which is completely unbeknownst to the proxy as the client machine will only send ports 80,443 and 21 to the proxy.

The more I think about this the more I'm becoming convinced it's impossible. Thanks for helping though!
0
 

Author Comment

by:bermyman
ID: 21857384
Just for anyone else looking for the same solution, I think it's probably impossible to encapsulate any RDP still through 80 or 443 and telling client machines to proxy 3389 also appears impossible. The more I think about it the more i'm convinced that perhaps my expectations of the proxy server being an all singing and dancing gateway for all users were misguided. It handles the majority of web traffic fine but any FTP or RDP stuff needs to be punched through the firewall directly.

Unless anyone else has any ideas? I'll leave the question open just in case...
0
 
LVL 6

Accepted Solution

by:
Nyah247 earned 500 total points
ID: 21904059
This article may be worth a look-see:  http://www.isaserver.org/articles/2004pubts.html  Note...there is now a product made by Collective Software called ClearTunnel which will allow ISA to analyze SSL content.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question