External Connection to W2K3 Terminal Server as part of SBS2003 Domain

I am trying to figure out how to set up an external connection to Terminal Server for users. I brought in a second server running W2K3 and added it to the domain of the SBS2003. I am able to connect via Remote Desktop internally (server name and IP) but can't seem to figure out how mobile users can get access. I want to keep the ability of having Terminal Server on the SBS2003 server for administrator roles but have everyone else going to W2K3. We have ISA rules to allow for access, so we currently have access, but whenever we connect I can only get the SBS server rather than the W2K3.

Have looked and can't seem to find anything.  How do you configure this for external access?

We are running SBS 2003 R2 with ISA 2004.  

ipconfig /all

LAC
physical .......               0019-b9-ec-68-32
DHCP enabled            No
Ip addr                         192.168.16.2
Subnet mask               255.255.255.0
Default Gateway
DNS Server                  192.168.16.2
Primary WINS Server   192.168.16.2

Network Connections
Physical Addr                00-19-b9-ec-68-34
DHCP enabled            No
Ip addr                         67.79.193.74
Subnet mask               255.255.255.0
Default Gateway         67.79.193.73
DNS Server                  192.168.16.2
NetBios over Tcpip      Disabled

Secondary server running W2K3 - 192.168.16.32
atmdman Asked:

ryansoto Commented:
Externally you should set up a name such as ts.domainname.com and point it to the external interface of your firewall.
You then need to configure your firewall to allow traffic on port 3389 and forward it to the internal IP of the terminal server.
This will get access going ... from the network standpoint.
Next you need to put all the members you want to allow access to the terminal server in the remote users group.  This will allow access from the Windows standpoint.

Here are some articles you should read over...
You just can't install applications the same way you're used to; they have to be installed a special way.  Also, configuration is critical to making a TS work well.

http://technet.microsoft.com/en-us/library/cc779334.aspx
http://support.microsoft.com/kb/300847
http://support.microsoft.com/kb/306626
Keith Alabaster (Enterprise Architect) Commented:
Not that big a deal to sort out - your issue is going to be port numbers, I expect. ISA can only listen for a port ONCE per external IP address. I assume your SBS TS is listed in the rule set above the new W2K3 TS publishing rule? Can you confirm this is the case?
atmdman (Author) Commented:
Yes, the rule for SBS TS is above the W2K3.  So I need to create another URL and have it forward to a different port and have the W2K3 ISA rule allow under that port?
Keith Alabaster (Enterprise Architect) Commented:
Not quite - you need to listen externally on a different port (assuming you only have the one external IP address). For example, you could forward port 3390 through your external router to the ISA/SBS box - publish a server that listens on port 3390 but forwards on port 3389 (the normal port) to the new Windows server IP address.

For external access you would simply load up rdp/client with the same FQDN but with :3390 on the end. ISA will only listen to ONE occurrence of a port number per IP address. As you only have the one IP, you can't listen twice for 3389 on it - so make one 3389 like you have currently and another port listener on 3390.

You may want to change your rules around so the simple one that users have is the default 3389 - and the admins use the one where you need more than one brain cell and have to port the listener port on to the fqdn :)
Keith Alabaster (Enterprise Architect) Commented:
If you have TWO external IPs then it is dead simple. Add the second IP onto the ISA external NIC - edit your first publish (TS) rule, select the listening interface (external) and click the addresses tab. Pick the IP you want. Make a second publishing (TS) rule and repeat, but this time select the second IP address.

Now you can have both on 3389 because each IP address is supporting only ONE publication of 3389
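
The listener constraint from the two comments above, modelled as an added example (not part of the original thread, and not ISA's own configuration format or API). The external addresses are constructed placeholders from the documentation range, the internal addresses are the ones given in the question, and top-down first-match rule evaluation is an assumption of the model.

```python
from collections import defaultdict

EXT1, EXT2 = "203.0.113.10", "203.0.113.11"   # constructed external IPs (RFC 5737)
SBS, W2K3 = "192.168.16.2", "192.168.16.32"   # internal addresses from the question

def rule(name, ext_ip, listen_port, to_ip, to_port=3389):
    """One publishing rule: an external listener mapped to an internal target."""
    return {"name": name, "listener": (ext_ip, listen_port), "target": (to_ip, to_port)}

def listener_conflicts(rules):
    """Map each (external IP, port) claimed by more than one rule to the rule names."""
    claimed = defaultdict(list)
    for r in rules:
        claimed[r["listener"]].append(r["name"])
    return {k: names for k, names in claimed.items() if len(names) > 1}

def resolve(rules, ext_ip, port):
    """Internal (ip, port) an external connection reaches; first matching rule wins."""
    for r in rules:
        if r["listener"] == (ext_ip, port):
            return r["target"]
    return None

def shadowed(rules):
    """Names of rules that can never match because an earlier rule owns their listener."""
    seen, hidden = set(), []
    for r in rules:
        if r["listener"] in seen:
            hidden.append(r["name"])
        seen.add(r["listener"])
    return hidden

# The three layouts discussed in the thread.
AS_ASKED = [rule("SBS TS", EXT1, 3389, SBS), rule("W2K3 TS", EXT1, 3389, W2K3)]
SECOND_PORT = [rule("SBS TS", EXT1, 3389, SBS), rule("W2K3 TS", EXT1, 3390, W2K3)]
SECOND_IP = [rule("SBS TS", EXT1, 3389, SBS), rule("W2K3 TS", EXT2, 3389, W2K3)]

if __name__ == "__main__":
    for label, rules in [("as asked", AS_ASKED), ("second port", SECOND_PORT),
                         ("second IP", SECOND_IP)]:
        print(label, "| conflicts:", listener_conflicts(rules),
              "| shadowed:", shadowed(rules))
```

In the layout as asked, the W2K3 rule is shadowed and every connection to 3389 lands on the SBS server; moving the second listener to 3390 or to a second external IP clears the conflict.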
Keith Alabaster (Enterprise Architect) Commented:
Thanks :)
Microsoft Forefront ISA Server


Question has a verified solution.