• Status: Solved

Publish RDP server to/from specific external IP?

We currently have 8 RDP servers (XP machines) that should be available to a specific external IP address.  For testing, I allowed all external addresses in my firewall policy for 1 of these 8 machines.  Each of these 8 PCs has a 1:1 NAT policy in our old firewall (Sonicwall), which was done in groups.  So, I would configure an address object representing 10.1.1.2-10.1.1.9 internally, and another object representing 200.200.200.201-200.200.200.210.  I cannot find a way to do this in Forefront.  

I spoke briefly with a MS support tech, and he mentioned that network policies are not required for server publishing, only firewall policies.  I am seeing connections that are listed as "successful" but their information reads "The connection attempt was aborted when the client sent a RST packet".  

While researching this issue, I stumbled on this utility:

http://www.collectivesoftware.com/Products/IPbinder

That made me wonder if maybe the issue is that my published servers aren't responding via the same IP that they are listening?  So, if I RDP to 200.200.200.203 and that's NAT'd (published) to 10.1.1.4, maybe the RDP server is responding on 200.200.200.201, or worse yet, my primary ISP interface (the 1:1 NAT is supposed to be on my secondary interface).

Anybody have experience with this?
Asked: sbumpas

3 Solutions
justadad commented:
You mention that you allowed all external addresses in the firewall to only 1 of the 8 machines?  Shouldn't you be doing that for all 8 machines?  Also you only need to allow on the incoming interface the RDP port (3389) for each of these computers.  I have not used Forefront but in the firewall I use (pfSense), I map each computer individually instead of a group.

I wouldn't think that if the NAT is set up correctly that you would have it replying on the wrong address. The traffic is considered inbound and the replies would not be the same as the outbound traffic that IPbinder is supposed to fix for Forefront. (ie if the XP machines were doing browsing on the Internet after you RDP'd to them from external the browsing could go out the primary ISP interface while the RDP continued to go out the secondary as that is where the address came in on.)

sbumpas (Author) commented:
Correct, I do need to allow all external to 8 machines, but I need to get 1 of them working first so I know how to set up the other 7.

I question whether or not NAT is set up correctly - MS claims you only need a publishing rule in your firewall policy, but that's simply not working.  Not sure where to go next?
simonlimon commented:
What do you mean it is not working?

Maybe this can help, get the session information first, so you get a better idea of what is not working:

ISA Console, logs and reporting, logging tab.

Instead of publishing RDP, have you considered using VPN instead, ISA can be a VPN server too.  
simonlimon commented:
Is the TMG the gateway for your network, if not then you have to select "connections appear to come from ISA server" in the "from" tab of the rule.
sbumpas (Author) commented:
I opened a case with MS and we sorted this out.  The problem was, as I mentioned in the original post, the replies to the client were going out my primary ISP interface even though the requests were coming in my secondary ISP interface.  We set up a route statement (which we could do in this case because only 1 external IP is allowed this access) and that set things straight.

Rather than setting a route, do you know if it is possible to configure this with ISP load balancing?  I see there is a section in the ISP load balancing config which assigns IP addresses (servers or ranges) to specific ISP interfaces.  We solved this issue with a route, but we have similar issues that aren't faring as well with this strategy.
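As an added example (not code from the thread, from TMG or from Microsoft), the Python below expands a grouped 1:1 NAT object of the kind described in the question into the individual external/internal pairs a per-host publishing rule needs, flags the size mismatch between the two ranges quoted in the question, and emits the host route for the return path; the Windows `route` syntax, the client address and the secondary ISP gateway are assumptions.

```python
"""Expand a grouped 1:1 NAT (external range -> internal range) into per-host
pairs and build the return-path route. Example code added for this thread."""
import ipaddress


def expand_range(spec):
    """'10.1.1.2-10.1.1.9' -> inclusive list of IPv4Address objects."""
    start_s, end_s = spec.split("-")
    start, end = ipaddress.ip_address(start_s.strip()), ipaddress.ip_address(end_s.strip())
    if end < start:
        raise ValueError(f"range {spec} runs backwards")
    return [ipaddress.ip_address(int(start) + i) for i in range(int(end) - int(start) + 1)]


def range_lengths(external_spec, internal_spec):
    """Sizes of the two ranges; a grouped object hides any mismatch."""
    return len(expand_range(external_spec)), len(expand_range(internal_spec))


def one_to_one_mappings(external_spec, internal_spec):
    """Pair each external address with the internal host at the same offset,
    i.e. the Nth external IP publishes the Nth internal server (strings)."""
    ext, inner = expand_range(external_spec), expand_range(internal_spec)
    if len(ext) != len(inner):
        raise ValueError(f"external range has {len(ext)} addresses, internal has {len(inner)}")
    return list(zip(map(str, ext), map(str, inner)))


def return_route_cmd(client_ip, secondary_gateway):
    """Persistent host route so replies to the one permitted client leave via
    the ISP whose interface received the request (assumed Windows syntax)."""
    ipaddress.ip_address(client_ip)          # raises on a malformed address
    ipaddress.ip_address(secondary_gateway)
    return f"route -p add {client_ip} mask 255.255.255.255 {secondary_gateway}"


if __name__ == "__main__":
    # 8 external addresses for the 8 XP hosts: one publishing rule per pair.
    for ext, inner in one_to_one_mappings("200.200.200.201-200.200.200.208", "10.1.1.2-10.1.1.9"):
        print(f"publish {inner} on {ext} (RDP tcp/3389)")
    # The objects quoted in the question (10 external vs 8 internal) do not line up.
    print("range sizes:", range_lengths("200.200.200.201-200.200.200.210", "10.1.1.2-10.1.1.9"))
    # Constructed client and gateway addresses, not from the thread.
    print(return_route_cmd("198.51.100.7", "203.0.113.1"))
```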
sbumpas (Author) commented:
I gave up on this - whether it's because I suck, or because TMG is too complex, it was nothing but problems.  I can't have something in my network that I can neither control nor understand.

Thanks to all for their help along the way!