RE : RE: ISA server cannot connect to Internet

  • From: Gérard Dumazet <inflanester@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 20 Sep 2003 20:55:38 +0200

Hello,
 
I was just reading these comments on TSE and would like to have some
advice.
 
We have published TSE on a "DMZ" between an ADSL router (ZYWALL) and ISA,
same for OWA. We need TSE for some distant users to use applications on TSE.
 
On the router, port 3389 is open and this is not very nice.
 
What is the best I can do to secure my internal network as much as possible
from people scanning my network through port 3389? If, as I just saw below, I
can control the IP addresses that connect, this is one good thing. Is there an
article about that?
 
Thanks for your reply
 
Gérard Dumazet
  _____  

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 20:21
To: [ISAserver.org Discussion List]
 
http://www.ISAserver.org
Hi Glenn,
 
I think where I was misinterpreting things was that I thought you mentioned
controlling by IP address when TS is listening on the INTERNAL interface.
When you create a packet filter on the external interface, or even when you
create a Server Publishing Rule that allows inbound access, you can control
the source IP address that connects, and that is a good security policy,
since it deals with dictionary, brute force, and other unpleasant attacks :-)
 
Thanks!
Tom
Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 
-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Thursday, September 18, 2003 1:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet
Thank you Tom,
    I stand corrected, or at least I overlooked the Packet Filtering. The
reason why TS was not responding on my Public Interface is that I did in
fact have Packet Filtering enabled, because I do have established L2TP
Tunnels between other ISA servers. As far as locking down to specific IP
addresses, could you not create a custom packet filter specifying addresses
for TS services?
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 17, 2003 7:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet
Hi Glenn,
 
Terminal services, by default, listens on all interfaces. If packet
filtering is enabled, then the external interface won't accept incoming RDP
connection requests. However, if you publish terminal services, then you
need to configure the TS to listen only on the internal interface. In that
case, there is no mechanism that I'm aware of that allows you to control
what IP address can connect; however, that's a non-issue because you have
to authenticate to connect.
 
HTH,
Tom
Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 