Terminal Server access through ISA 2006

Hi Guys,

I configured a terminal server on a Windows 2003 box, all went well and the terminal server is accessible over the LAN.  However, I am trying to configure the ISA firewall to allow connections from the internet, but I keep getting log entry, ACTION:  "denied connection" for the new ISA rule I created for TS.

I created an Access Rule in ISA with source:  "the Internet" and destination:  "IP that of the terminal server".

With RDP port enabled "outbound".  
When I change to "inbound" no log entries appear, and access to the TS still fails.
Rupert EghardtProgrammerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
Need to publish the RDP service using a non-web-server publishing rule instead of an access rule to cover the RDP traffic that is initiated from the Internet and is inbound.
An access rule for RDP from internal to external will cover RDP traffic that is initiated from the internal network
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rupert EghardtProgrammerAuthor Commented:
Thanks keith, could you perhaps just explain why an access rule won't work, and the reason why a non-web-server "PUBLISHING" rule is required?   What is the general consensus regarding the use of "access rule" v/s "non-web-server publishing rule".

0
Keith AlabasterEnterprise ArchitectCommented:
An access rule is traditionally used for outbound connections i.e. traffic leaving a network that is more secure than the network to which the traffic is destined.
A publishing rule is used to create a 'fronting' connection point for a service that is hosted on a network that is considered by ISA or FTMG as more secure than the requesting device.

I have indicated a non-web-server publishing rule on the assumption that you are using port 3389, the traditional Terminal Services port. Port 3389 is not a proxyable protocol therefore would use a non web-server publishing rule. If you are using TS Gateway over port 443 then you would use a web publishing rule.

If the relationship between two interfaces defined within ISA or FTMG is routed rather than natted then access rules can be used but require to be made in both directions - one for each outbound traffic flow.
0
Rupert EghardtProgrammerAuthor Commented:
Thanks Keith,

I'ts working.  I just had to tick the box for "Requests appear to come from the ISA server computer.

* I believe, if we want to publish TSWEB for the terminal server access, we will have to create a "web-publishing" rule instead?
0
Keith AlabasterEnterprise ArchitectCommented:
Correct
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.