RE: ISA server cannot connect to Internet

  • From: "Paul Nuernberger" <pen@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 17 Sep 2003 20:51:14 -0500

The best reason to control what IP addresses can connect to TS is to limit
exposure to a brute force attack.  If the IP address can't connect to a
service it (obviously) cannot attack the service.
 
I have experienced weirdness with TS when I set it to listen to a specific
interface - both on standalone and domain integrated ISA boxen, and on SBS
boxen - the usual occurrence is that it stops working to the external world
at some point while still being available to internal machines.  I didn't
have the time to properly troubleshoot it, then or now, so I just punted and
used packet filters (which I like better for this anyhow).
 
Paul Nuernberger

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, September 17, 2003 6:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet


http://www.ISAserver.org


Hi Glenn,
 
Terminal services, by default, listens on all interfaces. If packet
filtering is enabled, then the external interface won't accept incoming RDP
connection requests. However, if you publish terminal services, then you
need to configure the TS to listen only on the internal interface. In that
case, there is no mechanism that I'm aware of that allows you to control
what IP address can connect; however, that's a non-issue because you have
to authenticate to connect.
 
HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Wednesday, September 17, 2003 7:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet




I would not be so quick to bash Terminal Services in Administration mode on
a Microsoft ISA server; as a matter of fact, Microsoft suggests this as a
means for remote administration of the ISA server if your ISA server is
installed as a stand-alone server outside of an Active Directory Domain.  To
put your worries to rest, Terminal Services installed on an ISA Server will
answer only from an Internal Interface, NOT the public interface. In
addition, there are ways to allow and deny by specific IP addresses, which
will further secure attempted access if people discover that Terminal
Services are running.  Speaking for myself, I know I would NOT want to drive
into work at 1:00 AM if I got a service call and had to look at the ISA
server to resolve the problem ... think about it.

 
