ISA 2006 Client VPN to Terminal Server

Our employees on our network can't rdp to a separate network pc over VPN.  We are using an ISA 2006 Server as our gateway.  The client machines are using the ISA Firwall Clients.  The VPN to the client's site is extablished successfully.  When you attempt to RDP to any usual client machine, it fails while the ISA Firewall client is running.  If the employee disables the ISA Firewall client and reconnects the VPN and then trys to RDP, it works fine.  What would cause RDP connections to fail when the ISA Firewall client enabled?
smccurninAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnmenZCommented:
The ISA firewall client has settings in place to prevent client computer to go beyond the ISA VPN server, which can be changed from ISA server side.
0
pwindellCommented:
The FWC is doing exactly what it is expected to do,...which isn't what you are wanting it to do in this case.  You have the exact same thing going on here that I just dealth with in another thread.
Here is a quote from that other thread:
---------------------------------------------------------------------------------------------------------
The problem is that this is a VPN and the IP Range on the Remote Network is not configured within ISA as being part of the Internal Network,...therefore the FWC interprets it as being a connection attempt to "External" and winging it out to the Internet where it fails.  So it isn't being denied,..it is being allowed,...it is just failing because it is being tossed down the wrong path.

Why does it work without the FWC?  Because without the FWC the local machine's regular "routing" takes over.  By the very nature of how VPN works,..the VPN is overriding the local machines Default Gateway with itself (the VPN becomes the new Default Gateway).  Since the target IP# is obviously not part of the local machine's local network the traffic gets "tossed" to the Default Gateway (which happens to be the VPN at the moment) and it works.
So....
(Option #2 is often the easiest choice)

Option #1
Find out the IP Range (or at least the one you are targeting) and add it to the Internal Network Definition.  This would be the IP Range inside the Tunnel,...not the outside of the Tunnel.  Then from a command prompt create a "blackhole" Static Route on the ISA machine for the same IP Range.  This route will never actually get used,...it is only there so that ISA has a route that corresponds to all the listed IP Ranges in the Internal Network Definition.  Without the Route it will probably whine and complain about it and give alerts that it sees address on the LAN that may be spoofed. In other words it will complain that is see addresses on the Internal Interface that have no corresponding route.
 
Option #2
Just disable/enable the FWC as needed as you are already doing and don't worry about it.
 
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.