Thank you Tom, I stand corrected, or at least overlooked the Packet Filtering. The reason why TS was not responding on my Public Interface is because I did in fact have Packet Filtering enabled, because I do have established L2TP Tunnels between other ISA servers. As far as locking down to specific IP addresses, could you not create a custom packet filter specifying addresses for TS services?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 17, 2003 7:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet

http://www.ISAserver.org

Hi Glenn,

Terminal services, by default, listens on all interfaces. If packet filtering is enabled, then the external interface won't accept incoming RDP connection requests. However, if you publish terminal services, then you need to configure the TS to listen only on the internal interface. In that case, there is no mechanism that I'm aware of that allows you to control what IP address can connect; however, that's a non-issue because you have to authenticate to connect.

HTH,
Tom

Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Wednesday, September 17, 2003 7:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet

I would not be so quick to bash Terminal Services in Administration mode on a Microsoft ISA server. As a matter of fact, Microsoft suggests this as a means for remote administration of the ISA server if your ISA server is installed as a stand-alone server outside of an Active Directory Domain.

To put your worries to rest, Terminal Services installed on an ISA Server will answer only from an Internal Interface, NOT the public interface. In addition, there are ways to allow and deny by specific IP addresses, which will further secure attempted access if people discover that Terminal Services are running. Speaking for myself, I know I would NOT want to drive into work at 1:00 AM if I got a service call and had to look at the ISA server to resolve the problem ... think about it.