Publish RDP server to/from specific external IP?

Posted on 2011-05-02
Last Modified: 2012-05-11
We currently have 8 RDP servers (XP machines) that should be available to a specific external IP address. For testing, I allowed all external addresses in my firewall policy for 1 of these 8 machines. Each of these 8 PCs has a 1:1 NAT policy in our old firewall (Sonicwall), which was done in groups. So, I would configure an address object representing internally, and another object representing I cannot find a way to do this in Forefront.

I spoke briefly with a MS support tech, and he mentioned that network policies are not required for server publishing, only firewall policies. I am seeing connections that are listed as "successful" but their information reads "The connection attempt was aborted when the client sent a RST packet".

While researching this issue, I stumbled on this utility:

That made me wonder if maybe the issue is that my published servers aren't responding via the same IP that they are listening?  So, if I RDP to and that's NAT'd (published) to, maybe the RDP server is responding on, or worse yet, my primary ISP interface (the 1:1 NAT is supposed to be on my secondary interface).

Anybody have experience with this?
Question by:sbumpas

    Accepted Solution

    You mention that you allowed all external addresses in the firewall to only 1 of the 8 machines?  Shouldn't you be doing that for all 8 machines?  Also you only need to allow on the incoming interface the RDP port (3389) for each of these computers.  I have not used Forefront but in the firewall I use (pfSense), I map each computer individually instead of a group.

    I wouldn't think that if the NAT is set up correctly that you would have it replying on the wrong address. The traffic is considered inbound and the replies would not be the same as the outbound traffic that IPbinder is supposed to fix for Forefront. (ie if the XP machines were doing browsing on the Internet after you RDP'd to them from external the browsing could go out the primary ISP interface while the RDP continued to go out the secondary as that is where the address came in on.)


    Author Comment

    Correct, I do need to allow all external to 8 machines, but I need to get 1 of them working first so I know how to set up the other 7.

    I question whether or not NAT is set up correctly - MS claims you only need a publishing rule in your firewall policy, but that's simply  not working.  Not sure where to go next?

    Assisted Solution

    What do you mean it is not working?

    Maybe this can help, get the session information first, so you get a better idea of what is not working:

    ISA Console, Logs and Reporting, Logging tab.

    Instead of publishing RDP, have you considered using VPN instead, ISA can be a VPN server too.  

    Assisted Solution

    Is the TMG the gateway for your network? If not, then you have to select "connections appear to come from ISA server" in the "from" tab of the rule.

    Author Comment

    I opened a case with MS and we sorted this out.  The problem was, as I mentioned in the original post, the replies to the client were going out my primary ISP interface even though the requests were coming in my secondary ISP interface.  We set up a route statement (which we could do in this case because only 1 external IP is allowed this access) and that set things straight.

    Rather than setting a route, do you know if it is possible to configure this with IP load balancing? I see there is a section in the ISP load balancing config which assigns IP addresses (servers or ranges) to specific ISP interfaces. We solved this issue with a route, but we have similar issues that aren't faring as well with this strategy.
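The accepted solution and the author's follow-up describe the same mechanism from two sides: a request arrives on the secondary ISP interface, but the gateway picks the exit interface for the reply from its routing table, and with only a default route present that is the primary ISP. The following Python script is an added illustration, not code from the thread or from Forefront TMG. It simulates longest-prefix-match route selection on a two-ISP gateway, shows the reply leaving on the wrong interface, and then shows how a /32 host route for the single allowed client (the fix the author says Microsoft support applied) makes the path symmetric. The interface names `LAN`, `ISP1` and `ISP2`, the RFC 5737 documentation addresses and the client address are all constructed placeholders; the `route -p ADD` rendering assumes the reader substitutes the secondary ISP's real next hop.

```python
"""Longest-prefix-match simulation of the asymmetric-routing problem in the thread.

Constructed example: RFC 5737 documentation addresses stand in for the poster's
real ISP ranges and for the one external client allowed to reach RDP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # gateway interface the route exits through (assumed names)
    metric: int = 1


def route(cidr: str, interface: str, metric: int = 1) -> Route:
    return Route(ipaddress.IPv4Network(cidr), interface, metric)


# Constructed routing table for a dual-ISP gateway whose published (1:1 NAT)
# addresses live on the secondary ISP. Only the default route decides where a
# reply to an arbitrary Internet host goes, and it points at the primary ISP.
BASE_TABLE: List[Route] = [
    route("10.0.0.0/24", "LAN"),        # internal network holding the XP RDP hosts
    route("198.51.100.0/24", "ISP1"),   # primary ISP, directly connected
    route("203.0.113.0/24", "ISP2"),    # secondary ISP, where the published IPs live
    route("0.0.0.0/0", "ISP1"),         # default route via the primary ISP
]

ALLOWED_CLIENT = "192.0.2.10"           # the single external IP permitted to reach RDP


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal-length prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def reply_egress(table: List[Route], client_ip: str) -> Optional[str]:
    """Interface the gateway will use for packets sent back to client_ip."""
    r = select_route(table, client_ip)
    return r.interface if r else None


def is_symmetric(table: List[Route], ingress_interface: str, client_ip: str) -> bool:
    """True when replies leave on the interface the request arrived on.

    False is the asymmetric path the author traced the RST symptom to: the
    SYN-ACK goes out the other ISP link instead of the one that owns the
    published address.
    """
    return reply_egress(table, client_ip) == ingress_interface


def with_host_route(table: List[Route], client_ip: str, interface: str) -> List[Route]:
    """Copy of the table with a /32 route pinning client_ip to the given interface."""
    return table + [route(f"{client_ip}/32", interface)]


def windows_route_command(client_ip: str, gateway: str) -> str:
    """Render the equivalent persistent Windows `route` command.

    `gateway` is a placeholder for the secondary ISP's next-hop address.
    """
    return f"route -p ADD {client_ip} MASK 255.255.255.255 {gateway}"


# Table after the fix from the thread: one host route for the one allowed client.
FIXED_TABLE = with_host_route(BASE_TABLE, ALLOWED_CLIENT, "ISP2")


if __name__ == "__main__":
    for name, table in (("before", BASE_TABLE), ("after", FIXED_TABLE)):
        print(f"{name}: reply to {ALLOWED_CLIENT} exits via "
              f"{reply_egress(table, ALLOWED_CLIENT)}, "
              f"symmetric={is_symmetric(table, 'ISP2', ALLOWED_CLIENT)}")
    print(windows_route_command(ALLOWED_CLIENT, "<ISP2-next-hop>"))
```

The simulation also makes the limitation the author mentions explicit: the host route only repairs the path for the one pinned client, and any other address still follows the default route out the primary ISP, which is why a single static route stops scaling once more external sources need the same treatment.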

    Author Closing Comment

    I gave up on this - whether it's because I suck, or because TMG is too complex, it was nothing but problems.  I can't have something in my network that I can neither control nor understand.

    Thanks to all for their help along the way!
