Publish RDP server to/from specific external IP?

We currently have 8 RDP servers (XP machines) that should be available to a specific external IP address.  For testing, I allowed all external addresses in my firewall policy for 1 of these 8 machines.  Each of these 8 PCs has a 1:1 NAT policy in our old firewall (Sonicwall), which was done in groups.  So, I would configure an address object representing internally, and another object representing  I cannot find a way to do this in Forefront.  

I spoke briefly with a MS support tech, and he mentioned that network policies are not required for server publishing, only firewall policies.  I am seeing connections that are listed as "successful" but their information reads "The connection attempt was aborted when the client sent a RST packet".

While researching this issue, I stumbled on this utility:

That made me wonder if maybe the issue is that my published servers aren't responding via the same IP that they are listening?  So, if I RDP to and that's NAT'd (published) to, maybe the RDP server is responding on, or worse yet, my primary ISP interface (the 1:1 NAT is supposed to be on my secondary interface).

Anybody have experience with this?
justadad Commented:
You mention that you allowed all external addresses in the firewall to only 1 of the 8 machines?  Shouldn't you be doing that for all 8 machines?  Also you only need to allow on the incoming interface the RDP port (3389) for each of these computers.  I have not used Forefront but in the firewall I use (pfSense), I map each computer individually instead of a group.

I wouldn't think that if the NAT is set up correctly that you would have it replying on the wrong address. The traffic is considered inbound and the replies would not be the same as the outbound traffic that IPbinder is supposed to fix for Forefront. (i.e. if the XP machines were doing browsing on the Internet after you RDP'd to them from external, the browsing could go out the primary ISP interface while the RDP continued to go out the secondary as that is where the address came in on.)

sbumpas (Author) Commented:
Correct, I do need to allow all external to 8 machines, but I need to get 1 of them working first so I know how to set up the other 7.

I question whether or not NAT is set up correctly - MS claims you only need a publishing rule in your firewall policy, but that's simply not working.  Not sure where to go next?
simonlimon Commented:
What do you mean it is not working?

Maybe this can help, get the session information first, so you get a better idea of what is not working:

ISA Console, logs and reporting, logging tab.

Instead of publishing RDP, have you considered using VPN instead, ISA can be a VPN server too.  
simonlimon Commented:
Is the TMG the gateway for your network, if not then you have to select "connections appear to come from ISA server" in the "from" tab of the rule.
sbumpas (Author) Commented:
I opened a case with MS and we sorted this out.  The problem was, as I mentioned in the original post, the replies to the client were going out my primary ISP interface even though the requests were coming in my secondary ISP interface.  We set up a route statement (which we could do in this case because only 1 external IP is allowed this access) and that set things straight.

Rather than setting a route, do you know if it possible to configure this with IP load balancing?  I see there a section in the ISP load balancing config which assigns IP addresses (servers or ranges) to specific ISP interfaces.  We solved this issue with a route, but we have similar issues that aren't faring as well with this strategy.
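To illustrate the asymmetric-reply problem the author describes and why a host route for the single permitted client fixes it, here is an added example (not from the thread or from TMG itself). It simulates Windows longest-prefix route selection over a constructed routing table; the addresses, interface names and the `add_host_route` helper are assumptions, not the poster's real configuration.

```python
import ipaddress

# Constructed routing table for a dual-ISP firewall host (documentation ranges, not real).
# Default route points at the primary ISP; the secondary ISP only has its own on-link subnet.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "198.51.100.1", "PrimaryISP"),        # default gateway via primary ISP
    ("198.51.100.0/24", "0.0.0.0", "PrimaryISP"),       # primary ISP on-link subnet
    ("203.0.113.0/24", "0.0.0.0", "SecondaryISP"),      # secondary ISP on-link subnet
    ("10.0.0.0/24", "0.0.0.0", "Internal"),             # LAN with the published XP RDP hosts
]
ALLOWED_CLIENT = "192.0.2.25"        # the one external IP permitted to reach RDP (constructed)
SECONDARY_GATEWAY = "203.0.113.1"    # next hop on the secondary ISP link (constructed)


def select_route(table, dst):
    """Longest-prefix match, as the Windows stack does; returns (gateway, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None


def reply_is_symmetric(table, client, ingress_iface):
    """True when replies to `client` leave on the same interface its requests arrived on.

    A published (1:1 NAT) server answering on a different ISP interface than the one
    the request came in on is exactly the failure the thread describes: the client
    sees packets from an unexpected source address and tears the session down (RST).
    """
    route = select_route(table, client)
    return route is not None and route[1] == ingress_iface


def add_host_route(table, client, gateway, iface):
    """Hypothetical helper: the effect of a /32 'route add <client> mask 255.255.255.255
    <gateway>' on the firewall host. Viable only because a single client IP is allowed;
    a broad client range would need the ISP-redundancy configuration instead."""
    return table + [(f"{client}/32", gateway, iface)]


if __name__ == "__main__":
    print("before:", select_route(ROUTES_BEFORE, ALLOWED_CLIENT),
          "symmetric:", reply_is_symmetric(ROUTES_BEFORE, ALLOWED_CLIENT, "SecondaryISP"))
    fixed = add_host_route(ROUTES_BEFORE, ALLOWED_CLIENT, SECONDARY_GATEWAY, "SecondaryISP")
    print("after: ", select_route(fixed, ALLOWED_CLIENT),
          "symmetric:", reply_is_symmetric(fixed, ALLOWED_CLIENT, "SecondaryISP"))
```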
sbumpas (Author) Commented:
I gave up on this - whether it's because I suck, or because TMG is too complex, it was nothing but problems.  I can't have something in my network that I can neither control nor understand.

Thanks to all for their help along the way!