Solved

External Connection to W2K3 Terminal Server as part of SBS2003 Domain

Posted on 2008-10-31
Medium Priority
Last Modified: 2012-06-27
I am trying to figure out how to set up an external connection to Terminal Server for users. I brought in a second server running W2K3 and added it as part of the SBS2003 domain. I am able to connect via Remote Desktop internally (server name and IP) but can't seem to figure out how mobile users can get access. I want to keep the ability of having Terminal Server on the SBS2003 server for administrator roles but have everyone else going to the W2K3. We have ISA rules to allow for access, so we currently have access, but whenever we connect I can only get the SBS server rather than the W2K3.

Have looked and can't seem to find anything.  How do you configure this for external access?

We are running SBS 2003 R2 with ISA 2004.  

ipconfig /all

LAC
physical .......               0019-b9-ec-68-32
DHCP enabled            No
Ip addr                         192.168.16.2
Subnet mask               255.255.255.0
Default Gateway
DNS Server                  192.168.16.2
Primary WINS Server   192.168.16.2

Network Connections
Physical Addr                00-19-b9-ec-68-34
DHCP enabled            No
Ip addr                         67.79.193.74
Subnet mask               255.255.255.0
Default Gateway         67.79.193.73
DNS Server                  192.168.16.2
NetBios over Tcpip      Disabled

Secondary server running W2K3 - 192.168.16.32
0
Question by:atmdman
6 Comments
 
LVL 24

Expert Comment

by:ryansoto
ID: 22851845
Externally you should set up a name such as ts.domainname.com and point it to the external interface of your firewall.
You then need to configure your firewall to allow traffic on port 3389 and forward it to the internal IP of the terminal server.
This will get access going ... from the network standpoint.
Next you need to put all the members you want to allow access to the terminal server in the remote users group.  This will allow access from the Windows standpoint.

Here are some articles you should read over...
You just can't install applications the same way you're used to; they have to be installed a special way.  Also, configuration is critical to making a TS work well.

http://technet.microsoft.com/en-us/library/cc779334.aspx
http://support.microsoft.com/kb/300847
http://support.microsoft.com/kb/306626
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22851871
Not that big a deal to sort out - your issue is going to be port numbers, I expect. ISA can only listen for a port ONCE per external IP address. I assume your SBS TS is listed in the rule set above the new W2K3 TS publishing rule? Can you confirm this is the case?
0
 

Author Comment

by:atmdman
ID: 22852024
Yes, the rule for SBS TS is above the W2K3.  So I need to create another URL and have it forward to a different port, and have the W2K3 ISA rule allow under that port?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22852859
Not quite - you need to listen externally on a different port (assuming you only have the one external IP address). For example, you could forward port 3390 through your external router to the ISA/SBS box - publish a server that listens on port 3390 but forwards on port 3389 (the normal port) to the new Windows server IP address.

For external access you would simply load up the RDP client with the same FQDN but with :3390 on the end. ISA will only listen to ONE occurrence of a port number per IP address. As you only have the one IP, you can't listen twice for 3389 on it - so make one 3389 like you have currently and another port listener on 3390.

You may want to change your rules around so the simple one that users have is the default 3389 - and the admins use the one where you need more than one brain cell and have to port the listener port on to the fqdn :)
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1000 total points
ID: 22852883
If you have TWO external IPs then it is dead simple. Add the second IP onto the ISA external NIC - edit your first publish (TS) rule, select the listening interface (external) and click the addresses tab. Pick the IP you want. Make a second publishing (TS) rule and repeat, but this time select the second IP address.

Now you can have both on 3389 because each IP address is supporting only ONE publication of 3389.
0
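
The listener rule explained in the answers above (one publication per external IP and port), as an added example that is not part of the original thread. It is a simplified model, not ISA's own rule engine: `Rule`, `resolve`, `target_for` and `exposed_rdp` are hypothetical names, the first-rule-wins ordering is an assumption drawn from the thread, and `EXT2` is a placeholder second external address.

```python
from collections import namedtuple

# One publishing rule: external listener (ext_ip, ext_port) -> internal target.
Rule = namedtuple("Rule", "name ext_ip ext_port int_ip int_port")

def resolve(rules):
    """Return (active, shadowed). active maps each listener to the rule that
    owns it; shadowed lists (rule, winner) pairs that can never match."""
    active, shadowed = {}, []
    for rule in rules:                       # order matters: first rule wins
        key = (rule.ext_ip, rule.ext_port)
        if key in active:
            shadowed.append((rule, active[key]))
        else:
            active[key] = rule
    return active, shadowed

def target_for(rules, ext_ip, ext_port):
    """Internal (ip, port) an outside connection lands on, or None."""
    rule = resolve(rules)[0].get((ext_ip, ext_port))
    return (rule.int_ip, rule.int_port) if rule else None

def exposed_rdp(rules):
    """Every external listener that ends on internal 3389, whatever port it
    listens on; this is the list to review, log and restrict."""
    active = resolve(rules)[0]
    return sorted(k for k, r in active.items() if r.int_port == 3389)

# Constructed rule sets using the addresses given in the question.
EXT, SBS, W2K3 = "67.79.193.74", "192.168.16.2", "192.168.16.32"
EXT2 = "203.0.113.10"    # placeholder for a second external IP (assumption)

broken = [Rule("SBS TS", EXT, 3389, SBS, 3389),
          Rule("W2K3 TS", EXT, 3389, W2K3, 3389)]     # same listener twice
one_ip = [Rule("SBS TS", EXT, 3389, SBS, 3389),
          Rule("W2K3 TS", EXT, 3390, W2K3, 3389)]     # listen 3390 -> 3389
two_ips = [Rule("SBS TS", EXT, 3389, SBS, 3389),
           Rule("W2K3 TS", EXT2, 3389, W2K3, 3389)]   # one 3389 per IP

if __name__ == "__main__":
    for label, rules in (("broken", broken), ("one IP", one_ip), ("two IPs", two_ips)):
        shadowed = [(r.name, "shadowed by " + w.name) for r, w in resolve(rules)[1]]
        print(label, shadowed, exposed_rdp(rules))
```

In the `broken` set the W2K3 rule is shadowed, which matches the symptom in the question; `exposed_rdp` shows that a listener moved to 3390 is still an Internet-facing RDP endpoint and belongs in the same access review as 3389.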
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22951366
Thanks :)
0

Question has a verified solution.
