How to secure Terminal Services to DMZ

I am currently following KB816521 to secure terminal services communication to all my servers.  However, when I do the same thing on the servers in my DMZ I can no longer connect to them.  We don't see any reason in the firewall.  In fact I put a laptop in the dmz to try to connect to one of the servers and still was unable to connect.  Anyone have any idea on this or another way to encrypt/secure terminal services/remote desktop connections.  Thanks.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi, ewest111

Without seeing your firewall config, (which you can send me) mostly likely you did not open the following ports I listed below to allow the IPSEC , Kerberos, DNS and SMB (if you need file sharing on this TS), so none of the traffic you need to pass is allowed.
DNS is needed to resolve host names on the domain, Kerberos to authenticate users, LDAP for queries to Active Directory, and most important, the ports to allow IPSEC traffic through.

There are links to the microsoft articles to configure IPSeC policies for this server below:

IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:

    * IP Protocol ID 50:
      For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
    * IP Protocol ID 51:
      For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
    * UDP Port 500:
      For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50).

It may be necessary to allow Kerberos traffic through the firewall, if so then UDP port 88 and TCP port 88 would also need to be forwarded. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
253169  ( ) Traffic That Can--and Cannot--Be Secured by IPSec
254949  ( ) IPSec support for client-to-domain controller traffic and domain controller-to-domain controller traffic

This traffic must be allowed from DMZ to LAN hosts

   KerberosTCP 88, UDP 88
   DNSTCP 53, UDP 53
   LDAPTCP 389, UDP 389
   LDAP over SSLTCP 636
   SMB over IPTCP 445, UDP 445
ewest111Author Commented:
Issue was due to fact that the servers in the DMZ are not part of the domain so kerberos won't work.  Configured using preshared keys instead of kerberos and all is well now.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.