Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Terminal Server access through ISA 2006

Posted on 2010-08-17
5
Medium Priority
?
606 Views
Last Modified: 2013-11-21
Hi Guys,

I configured a terminal server on a Windows 2003 box, all went well and the terminal server is accessible over the LAN.  However, I am trying to configure the ISA firewall to allow connections from the internet, but I keep getting log entry, ACTION:  "denied connection" for the new ISA rule I created for TS.

I created an Access Rule in ISA with source:  "the Internet" and destination:  "IP that of the terminal server".

With RDP port enabled "outbound".  
When I change to "inbound" no log entries appear, and access to the TS still fails.
0
Comment
Question by:Rupert Eghardt
  • 3
  • 2
5 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 33461576
Need to publish the RDP service using a non-web-server publishing rule instead of an access rule to cover the RDP traffic that is initiated from the Internet and is inbound.
An access rule for RDP from internal to external will cover RDP traffic that is initiated from the internal network
0
 

Author Comment

by:Rupert Eghardt
ID: 33461948
Thanks keith, could you perhaps just explain why an access rule won't work, and the reason why a non-web-server "PUBLISHING" rule is required?   What is the general consensus regarding the use of "access rule" v/s "non-web-server publishing rule".

0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 2000 total points
ID: 33469061
An access rule is traditionally used for outbound connections i.e. traffic leaving a network that is more secure than the network to which the traffic is destined.
A publishing rule is used to create a 'fronting' connection point for a service that is hosted on a network that is considered by ISA or FTMG as more secure than the requesting device.

I have indicated a non-web-server publishing rule on the assumption that you are using port 3389, the traditional Terminal Services port. Port 3389 is not a proxyable protocol therefore would use a non web-server publishing rule. If you are using TS Gateway over port 443 then you would use a web publishing rule.

If the relationship between two interfaces defined within ISA or FTMG is routed rather than natted then access rules can be used but require to be made in both directions - one for each outbound traffic flow.
0
 

Author Comment

by:Rupert Eghardt
ID: 33472803
Thanks Keith,

I'ts working.  I just had to tick the box for "Requests appear to come from the ISA server computer.

* I believe, if we want to publish TSWEB for the terminal server access, we will have to create a "web-publishing" rule instead?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33472823
Correct
0

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question