Allow RDP through ISA using Firewall Client


I have the following problem.
We've recently installed a Forefront TMG server.
Because of a shared network infrastructure, it's not possible to set this TMG as the gateway (of last resort). We need to be able to access an RDP server on the Internet.
I've installed the firewall client on my machine. As I understand, this should cause all winsock traffic that's destined to internal to be handled by the TMG server.
I've created a rule, allowing RDP to the specific servers for all users.
However, when I try to set up an RDP session, I don't see any 3389 traffic in the TMG logs.

Do I need to configure some application settings for the firewall client? If so, what would they be? Is there anything I'm missing here? Please help! All links I've found so far suggest that it works when I'm a secure NAT client, but that's not an option in our case.
Internal <> External network rule is NAT. Changing it to routing is probably not an option either.

Please help!

Will this link help...

That is the wrong context.  He is not connecting to the TMG,...he is trying to go through it.

I am aware of the RDP Client (mstsc.exe) not being able to use the Firewall Client.  In the ISA logging set the Filter to show all traffic from the IP# of the Client you are testing from, no matter what the traffic is,..just have it show everything from that IP#.

What do you get when you attempt?

If the "mstsc.exe" won't use the Firewall Client then go into the ISA MMC to Configuration-->General,...then the Application Settings Tab.  Create a new entry according to this:

Application = mstsc
Key = Disable
Value = 0

It may take up to 30 minutes for the changes to affect the Client.

But I really believe that you should not have to do that.  So if it does not solve the problem then remove the entry.


I am aware of the RDP Client (mstsc.exe) not being able to use the Firewall Client.

Meant to say:

I am NOT aware of the RDP Client (mstsc.exe) not being able to use the Firewall Client.

MNH1966Author Commented:
Real-world scenario is that I have users who need to access an eLearning site that uses the RDP ActiveX component. Since the ISA/TMG is not the default gateway or gateway of last resort, Internet traffic (other than web) needs to be forcibly directed to the TMG, so I use the Firewall Client.
However, looking at the logging, it appears the RDP traffic is not directed to the ISA. I've tried using mstsc instead, but same result. Unfortunately I'm not in the position to test all suggestions immediately, so it may take a while before I can provide the results.

Doesn't the change you suggest disable the use of the Firewall Client for mstsc.exe? That would be a good way to force secure-NAT, but since the ISA is not the Gateway, the RDP traffic would never reach it?!?
Doesn't the change you suggest disable the use of the Firewall Client for mstsc.exe? That would be a good way to force secure-NAT, but since the ISA is not the Gateway, the RDP traffic would never reach it?!?

No. It is boolean reverse-logic

Disabled = 1 ,...means "yes"(1) it is disabled
Disabled = 0,...means "no" (0) it is not disabled

I'm not sure what to tell you about the ActiveX Control.  Those usually "follow" the browser,...however the browser is probably running as a Web Proxy Client (proxy settings in the browser).  This only provides http, https, ftp.  However the Control should still fall back to using the Firewall Client, which is what the browser is supposed to do anyway.  You could try removing the proxy settings from the browser (leave all proxy settings "blank", disabled) and that should force the browser and the Control to use the Firewall Client,...but again you should not have to do that.  It should already be working just as you have things after installing the Firewall Client.

Maybe something in here below may be helpful.  (ISA2004, 2006, TMG work the same way here).

Troubleshooting Firewall Clients in ISA Server 2004
MNH1966Author Commented:
Very sorry I didn't reply yet. Still haven't had a chance to test the suggestions but I promise I'll award points if they lead to a solution.
No problem!

MNH1966Author Commented:
Well... The solution turned out to be to disable Remote Desktop on the TMG itself.
It's almost like the port is simply blocked for firewall traffic if TMG needs it itself.

I know this doesn't make sense and I plan to investigate this issue further, but for now it's working.
MNH1966Author Commented:
It was a solution for a different issue, but it did point me in a direction where I finally found the real solution.