Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Allow RDP to tunnel from internal to external network through ISA 2006 proxy server?

Posted on 2008-06-17
6
Medium Priority
?
873 Views
Last Modified: 2013-11-21
I have an ISA 2006 proxy server which internal users must go through to gain access to external/ internet resources. Since I implemented the server, internal users are unable to connect to RDP via web connections to external servers. I have modified the rule for internet access to allow the RDP protocol but this hasn't resolved it.

Looking further into it I understand that when you connect to a web RDP server, it simply downloads the ActiveX Terminal Services client and then tries to connect you as standard via 3389 to the server. I think this is where my trouble lies as by default the client machine will only direct port 21, 80 & 443 traffic to the ISA server. THis being the case, the 3389 connection is attempted directly from the client machine and hence, fails as the client machine has no direct internet access.

Is there any way I can get the RDP connection out through the proxy server? Or is there no other way than to bypass the proxy server for this whole process?

Feel free to ask me any more questions, thanks for your time!
0
Comment
Question by:bermyman
  • 2
  • 2
4 Comments
 
LVL 6

Expert Comment

by:Nyah247
ID: 21815689
Setup a live monitoring session for a single test workstation on ISA and attempt to access your RDP site.  What does the monitor say is being denied?  
0
 

Author Comment

by:bermyman
ID: 21815849
I setup live monitoring to check. I see the connections being made initially up to the point where it gets to the activex terminal services client. It's at this point that it'll begin using the TS client, which the proxy will have no record of as it's straight out port 3389.

So all live monitoring sees is the connections up to the point where the active-x control comes down. The client machine makes a separate connection to the TS server from here on - which is completely unbeknownst to the proxy as the client machine will only send ports 80,443 and 21 to the proxy.

The more I think about this the more I'm becoming convinced it's impossible. Thanks for helping though!
0
 

Author Comment

by:bermyman
ID: 21857384
Just for anyone else looking for the same solution, I think it's probably impossible to encapsulate any RDP still through 80 or 443 and telling client machines to proxy 3389 also appears impossible. The more I think about it the more i'm convinced that perhaps my expectations of the proxy server being an all singing and dancing gateway for all users were misguided. It handles the majority of web traffic fine but any FTP or RDP stuff needs to be punched through the firewall directly.

Unless anyone else has any ideas? I'll leave the question open just in case...
0
 
LVL 6

Accepted Solution

by:
Nyah247 earned 2000 total points
ID: 21904059
This article may be worth a look-see:  http://www.isaserver.org/articles/2004pubts.html  Note...there is now a product made by Collective Software called ClearTunnel which will allow ISA to analyze SSL content.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The question has been asked on multiple occasions as to how best to do printing in a remote desktop or terminal services environment.   It seems that this particular question has plagued several people and most especially as Terminal Services, as…
Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question