Hello,

I was just reading these comments on TSE and would like to have some advice. We have published TSE on a "DMZ" between an ADSL router (ZYWALL) and ISA, same for OWA. We need TSE for some distant users to use applications on TSE. On the router, port 3389 is open and this is not very nice.

What is the best I can do to secure as much as possible my internal network from people scanning my network through port 3389? If, as I just see below, I can control IP addresses that connect, this is one good thing. Is there an article about that?

Thanks for your reply

Gérard Dumazet

_____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 20:21
To: [ISAserver.org Discussion List]

http://www.ISAserver.org

Hi Glenn,

I think where I was misinterpreting things was that I thought you mentioned controlling by IP address when TS is listening on the INTERNAL interface. When you create a packet filter on the external interface, or even when you create a Server Publishing Rule that allows inbound access, you can control the source IP address that connects, and that is a good security policy, since it deals with dictionary, brute force, and other unpleasant attacks :-)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, September 18, 2003 1:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet

http://www.ISAserver.org

Thank you Tom, I stand corrected or at least overlooked the Packet Filtering, the reason why TS was not responding on my Public Interface because I did in fact have Packet Filtering enabled because I do have established L2TP Tunnels between other ISA servers .. as far as locking down to specific IP addresses, could you not create a custom packet filter specifying addresses for TS services?
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 17, 2003 7:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet

http://www.ISAserver.org

Hi Glenn,

Terminal services, by default, listens on all interfaces. If packet filtering is enabled, then the external interface won't accept incoming RDP connection requests. However, if you publish terminal services, then you need to configure the TS to listen only on the internal interface. In that case, there is no mechanism that I'm aware of that allows you to control what IP address can connect; however, that's a non-issue because you have to authenticate to connect.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
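
Added example, not part of the original thread: a small audit that checks whether the source-address restriction discussed above is actually holding, by flagging port 3389 connections from addresses outside an allowlist and counting repeated attempts per source. The allowlist ranges, the log layout and the sample lines are all constructed assumptions, not ISA Server's or the ZyWALL's own log format.

```python
import ipaddress
from collections import Counter

# Assumption: the networks remote TSE users connect from (documentation ranges).
ALLOWED_SOURCES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/28", "203.0.113.25/32")]
RDP_PORT = 3389

# Constructed sample lines in a made-up "time src dst dport action" layout.
SAMPLE_LOG = """\
2003-09-18T20:01:02 198.51.100.5 192.0.2.10 3389 ALLOW
2003-09-18T20:01:07 203.0.113.77 192.0.2.10 3389 ALLOW
2003-09-18T20:01:09 203.0.113.77 192.0.2.10 3389 DENY
2003-09-18T20:01:10 203.0.113.77 192.0.2.10 3389 DENY
2003-09-18T20:02:00 203.0.113.25 192.0.2.10 3389 ALLOW
2003-09-18T20:02:30 198.51.100.200 192.0.2.11 443 ALLOW
truncated line
"""

def is_allowed(src):
    """True if src falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)  # raises ValueError on a bad address
    return any(addr in net for net in ALLOWED_SOURCES)

def audit(log_text, port=RDP_PORT):
    """Return (violations, attempts) for traffic to `port`.

    violations: (timestamp, source) pairs the filter let through although
                the source is off the allowlist, i.e. a rule that is too wide.
    attempts:   per-source count of every off-list attempt, allowed or
                denied, which is where scanning and guessing show up.
    """
    violations, attempts = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or malformed line
        ts, src, _dst, dport, action = fields
        if not dport.isdigit() or int(dport) != port:
            continue  # not Terminal Services traffic
        try:
            if is_allowed(src):
                continue
        except ValueError:
            continue  # unparseable source address
        attempts[src] += 1
        if action == "ALLOW":
            violations.append((ts, src))
    return violations, attempts
```
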