Solved

Allow RDP to tunnel from internal to external network through ISA 2006 proxy server?

Posted on 2008-06-17
Last Modified: 2013-11-21
I have an ISA 2006 proxy server which internal users must go through to gain access to external/internet resources. Since I implemented the server, internal users are unable to connect to RDP via web connections to external servers. I have modified the rule for internet access to allow the RDP protocol but this hasn't resolved it.

Looking further into it I understand that when you connect to a web RDP server, it simply downloads the ActiveX Terminal Services client and then tries to connect you as standard via 3389 to the server. I think this is where my trouble lies as by default the client machine will only direct port 21, 80 & 443 traffic to the ISA server. This being the case, the 3389 connection is attempted directly from the client machine and hence fails, as the client machine has no direct internet access.

Is there any way I can get the RDP connection out through the proxy server? Or is there no other way than to bypass the proxy server for this whole process?

Feel free to ask me any more questions, thanks for your time!
Question by:bermyman
LVL 6

Expert Comment

by:Nyah247
ID: 21815689
Set up a live monitoring session for a single test workstation on ISA and attempt to access your RDP site. What does the monitor say is being denied?
 

Author Comment

by:bermyman
ID: 21815849
I set up live monitoring to check. I see the connections being made initially up to the point where it gets to the ActiveX Terminal Services client. It's at this point that it'll begin using the TS client, which the proxy will have no record of as it's straight out port 3389.

So all live monitoring sees is the connections up to the point where the ActiveX control comes down. The client machine makes a separate connection to the TS server from here on, which is completely unbeknownst to the proxy as the client machine will only send ports 80, 443 and 21 to the proxy.

The more I think about this the more I'm becoming convinced it's impossible. Thanks for helping though!
 

Author Comment

by:bermyman
ID: 21857384
Just for anyone else looking for the same solution, I think it's probably impossible to encapsulate any RDP still through 80 or 443, and telling client machines to proxy 3389 also appears impossible. The more I think about it the more I'm convinced that perhaps my expectations of the proxy server being an all-singing, all-dancing gateway for all users were misguided. It handles the majority of web traffic fine but any FTP or RDP stuff needs to be punched through the firewall directly.

Unless anyone else has any ideas? I'll leave the question open just in case...
 
LVL 6

Accepted Solution

by:Nyah247 earned 500 total points
ID: 21904059
This article may be worth a look-see: http://www.isaserver.org/articles/2004pubts.html

Note... there is now a product made by Collective Software called ClearTunnel which will allow ISA to analyze SSL content.
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Server Licensing - Home Server 6 57
SBS 2011 Reports / Alerts / Security Critical 12 76
can i use dropbox on a server used as a local share 8 118
Bios changes 5 70
This is my 3rd article on SCCM in recent weeks, the 1st (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html) dealing with installat…
Know what services you can and cannot, should and should not combine on your server.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now