TSweb RDP over the interweb, cannot connect.

OK, so I set up TSweb services on a server here in my office, added object definitions, NAT and access rules to my ASA, and I have verified that I can hit the TSweb page from an external host via the NAT'd public IP.  However, every server I enter to connect to fails, with generic errors such as:

"The client could not connect to the remote computer.  Remote connections might not be enabled, blah blah"


I know that terminal services are running correctly on my two targets because they are Terminal Servers, each with about 12 users connected right now.  So the targets are not the issue. I suspect it's the ASA and probably a misconfiguration on my part.  The access rules I set up allow port 80 and 3389, with the latter over both UDP and TCP.  I googled for a while and could not find a verified statement on which protocol RDP actually used.

I have also verified that the TSWEB connection works like a champ internally...

The plan is to allow about half a dozen users from an office in Charlotte, NC to connect to my TS boxes.  I have remote access to their server for testing this... which is how I know the above ;p

Really could use some insight if anyone's done this before..
Ben Hart Asked:
 
Cláudio Rodrigues, Founder and CEO, Commented:
OK, now I get it. If you have 2003 TSs and 2003 TSWeb, you MUST open port 3389 from the outside to the TSs. You can load balance them using NLB and then set the firewall to send 3389 to the Virtual IP assigned to the NLB cluster.
So, to summarize:
External --> 80/443/3389 --> Firewall
Firewall --> 80/443 --> TSWeb box
Firewall --> 3389 --> NLB Virtual IP

Cláudio Rodrigues
Citrix CTP
0
 
Cláudio Rodrigues, Founder and CEO, Commented:
What are you entering on the TSWEB page? I assume the TS external IP address.
Also if you simply try a TELNET from a machine that is outside, to the firewall external IP address (the one assigned to the TS on TCP 3389) does it work?
Open a command prompt and type TELNET EXTERNAL_IP 3389 and press enter. Replace EXTERNAL_IP with the IP address of the firewall (again, the one allocated to the TS). What happens?

Cláudio Rodrigues
Citrix CTP
0
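The TELNET test in the comment above only shows whether TCP 3389 gets through the firewall. The following Python is an added example, not part of the original thread: it makes the same TCP connection and then sends the first RDP handshake packet, so a missing NAT or access rule can be told apart from a port that is forwarded to something other than a terminal server. The function names and result strings are made up for this example, and it assumes the server answers a legacy X.224 Connection Request that carries no negotiation data.

```python
import socket
import struct

# X.224 Connection Request inside a TPKT header (RFC 1006): the first packet
# an RDP client sends. No cookie and no negotiation request (assumption: the
# server accepts this legacy form).
X224_CR = bytes.fromhex("0300000b06e00000000000")

def classify_reply(data: bytes) -> str:
    """Interpret the first bytes a listener sends back after X224_CR."""
    if len(data) < 7:
        return "open-no-rdp-reply"          # TCP accepted, but silent or short reply
    version, _, length = struct.unpack(">BBH", data[:4])
    if version != 3 or length < 7:
        return "open-not-rdp"               # something else is listening (e.g. HTTP)
    pdu_type = data[5] & 0xF0               # high nibble of the X.224 code byte
    if pdu_type == 0xD0:
        return "rdp-confirm"                # X.224 Connection Confirm
    return "open-not-rdp"

def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """TCP connect (what TELNET tests), then one RDP handshake step."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(X224_CR)
            try:
                return classify_reply(s.recv(64))
            except (socket.timeout, ConnectionResetError):
                return "open-no-rdp-reply"
    except ConnectionRefusedError:
        return "refused"                    # host answered with RST: nothing listening
    except (socket.timeout, OSError):
        return "filtered-or-unreachable"    # typical of a missing NAT or access rule

if __name__ == "__main__":
    import sys
    # Usage: python rdp_probe.py EXTERNAL_IP   (placeholder, as in the comment above)
    print(probe_rdp(sys.argv[1]))
```

Run it from a machine outside the firewall against the external IP allocated to the TS; a result of `filtered-or-unreachable` points at the firewall rules rather than at the terminal servers.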
 
Ben Hart, Author, Commented:
Well crap.. umm well it didn't work.  Seems I did input the access rule incorrectly.
0
 
Ben Hart, Author, Commented:
Wait, here's a question.. do the TSweb services need to be running on a full Terminal Server.. or could a "gateway" box be hosting them (along with session directory in my case) then sending the connection to the real TS servers?
0
 
Cláudio Rodrigues, Founder and CEO, Commented:
TSWeb does not require a full blown TS at all.

Cláudio Rodrigues
Citrix CTP
0
 
Ben Hart, Author, Commented:
APPEND TO THE ABOVE POST


I can successfully RDP from this "gateway" box into the TS cluster.  If that makes any difference.
0
 
Ben Hart, Author, Commented:
Thanks Claudio. If that's the case then 3389 doesn't have to be open on the gateway box... correct?
0
 
Cláudio Rodrigues, Founder and CEO, Commented:
I am now confused.
TSWeb is NOT an RDP over HTTPS solution. This was introduced only with Windows Server 2008 and its TSGateway. What do you have exactly? TSWeb, TSGateway, 2003, 2008?

Cláudio Rodrigues
Citrix CTP
0
 
Ben Hart, Author, Commented:
OK, I've got a cluster of three 2003 boxes running plain terminal services.. these my users RDP into.  My "gateway" is a plain 2003 box with Remote Desktop Web Connections installed.. with NAT/Access rules to the outside.
0
 
Ben Hart, Author, Commented:
If this will not work.. could I set up 2008 with just the TSGateway role to divvy out connections to my 2003 TS servers?
0
 
Ben Hart, Author, Commented:
So what about if using 2008 TS Gateway?  Would only ports 80/443 need to be opened?
0
 
Ben Hart, Author, Commented:
OK, I thought I had this all situated but turns out it's still not working correctly.  Here's what I've got so far..

From what I gather from Claudio's response above.. that using 2003 Terminal Servers with 2003 TS gateway meant that I'd need 3389 opened from external sources for both the GW box and the TS server cluster.

So I ended up blowing the GW away and installing 2008 Standard on it. I've installed both TS Web Access and TS Gateway roles.  So as it sits right now, from inside my network I can log in successfully to both the TS Web Access box and the TS server behind it.

However, externally I have hit the TS Web Access page but any RDP sessions I attempt fail due to timeout.  I'm assuming because "ts" or "jak-2k3-ts01" are not recognized on the internet.  I had thought that by using Server 2008's Web Access that the RDP connection would be routed through the Web Access or gateway box versus needing to open 3389 straight to the cluster to the internet.


I might need to recap my current setup:

Internal network
      TS cluster
      TS Web Access server
                    Cisco ASA
                                Internet


I'm wanting to:

Internet --> TS Web Access webpage --> RDP session into cluster

My TS Web Access server is a member of the domain and situated on the internal network.. not the DMZ nor the public-facing side either.  I mention that because I've seen a lot of troubleshooting posts about people putting their GW servers in their DMZ, etc.
0