Two problems:

1 - This only works for ISA 2004; ISA 2000 cannot perform port translation for server publishing.
2 - This is the same thing I decried before as "security by obscurity"; it's a fool's errand. Tiago was correct; use the highest encryption level on the TS configuration (not "FIPS Compliant").

________________________________
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Tue 11/30/2004 5:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?

http://www.ISAserver.org

Krisna,

I was not talking about changing RDP's port internally, which that link suggests you do not do; I am suggesting you change it externally on your ISA machine. When it comes in, ISA will still talk to your RDP box on 3389. ;)

Andrew

-----Original Message-----
From: Krisna Keo [mailto:krisnak@xxxxxxxxxxxxxxx]
Sent: Tuesday, November 30, 2004 3:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?

Thank you very much, Andrew, for alerting me to the hot point. Changing the RDP port is one of the highest-risk things, and Microsoft does not recommend changing it either unless necessary.
http://support.microsoft.com/kb/187623/EN-US/

Could you let me know whether the RDP port can be usefully changed by most people? I followed this link to configure my server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294720

Jim, could you please give some detail on "set the encryption to 'ungodly high' and leave it there", as I am not a native English speaker? (Sorry)

Regards,
Krisna

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, November 30, 2004 1:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?

"Security by obscurity".
This isn't worth your time, as any script kiddie worth his (her) salt can easily find listening ports with some readily-available tools. Once they have those, they can hit them with some standard "banner-chasing" toys that'll ferret out your RDP service in no time. Rather than wasting your time in useless pursuits, set the encryption to "ungodly high" and leave it there.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, November 29, 2004 8:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?

I would suggest that you do not use port 3389 as your external port. 3389 is the first thing hackers look for when port hunting, because TS is easy to hack. When you select RDP (Term Services) Server, click on ports, then enable the firewall port publish and give it a value of 33000 or higher. This way, when you RDP in from the internet into your box(es), you just need to put a :33000 (or whatever the port number is) after the address and you're in. :-)

Andrew

________________________________
From: Krisna Keo [mailto:krisnak@xxxxxxxxxxxxxxx]
Sent: Monday, November 29, 2004 8:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal access to remote external TS?

Hi Raji,

Protocol rule: Allow Terminal Services - OUT
Description :
Enabled : True
Action taken with requests : Allow
Rule applies to : Selected Protocols
Protocols : RDP (Terminal Services)
Rule Applies to : Any Request

Protocol Definition: RDP (Terminal Services)
Description : Remote Desktop Protocol (Terminal Services)
Initial Connection Port Number : 3389
Initial Protocol Type : TCP
Initial Direction : Outbound

Hope this helps,
Krisna

-----Original Message-----
From: Raji Arulambalam [mailto:RajiA@xxxxxxxxxxxxxx]
Sent: Tuesday, November 30, 2004 8:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Internal access to remote external TS?

Hi,

Using ISA Server 2000, what's required to allow an internal client to access a remote Terminal Services server? The client has a FW client.

Thanks,
RajiA

All mail to and from this domain is GFI-scanned.
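The "banner-chasing" Jim describes, and the reason Andrew's published port of 33000-or-higher buys nothing: a scanner does not care which TCP port the listener sits on, it identifies the service by speaking the protocol. The following is an added example, not code from this thread, from ISA Server or from Microsoft. It builds the X.224 Connection Request that every RDP client sends first, and classifies whatever comes back: a bare X.224 Connection Confirm (what a Terminal Server of the thread's era, which predates the RDP negotiation extension, returns), a Connection Confirm carrying an RDP_NEG_RSP or RDP_NEG_FAILURE (newer servers), or something that is not RDP at all. The sample replies are constructed by hand; the host and port in the usage stanza are placeholders.

```python
"""Identify an RDP listener on any port by speaking X.224, not by port number.

Wire formats follow MS-RDPBCGR 2.2.1.1 (Client X.224 Connection Request) and
2.2.1.2 (Server X.224 Connection Confirm). Added example; not from the thread.
"""
import socket
import struct

TPKT_VERSION = 3          # RFC 1006 TPKT header: version, reserved, 16-bit length
X224_CR = 0xE0            # Connection Request TPDU code (high nibble)
X224_CC = 0xD0            # Connection Confirm TPDU code (high nibble)
X224_CLASS0 = 0x00

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
PROTOCOL_NAMES = {0x0: "standard RDP security", 0x1: "TLS", 0x2: "CredSSP (NLA)",
                  0x4: "RDSTLS", 0x8: "CredSSP with Early User Auth"}
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_x224_connection_request(requested_protocols: int = 0x03) -> bytes:
    """TPKT + X.224 CR carrying an RDP_NEG_REQ (default: offer TLS and CredSSP)."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested_protocols)   # type, flags, len, protocols
    x224_body = struct.pack(">BHHB", X224_CR, 0, 0, X224_CLASS0) + neg_req  # code, dst-ref, src-ref, class
    x224 = bytes([len(x224_body)]) + x224_body          # LI = bytes after the LI octet itself
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data: bytes) -> dict:
    """Return {'negotiation': ...} for an RDP CC; raise ValueError for anything else."""
    if len(data) < 11:
        raise ValueError("too short for TPKT + X.224 CC")
    version, _, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != TPKT_VERSION or tpkt_len != len(data):
        raise ValueError("not a TPKT frame")
    li, code = data[4], data[5]
    if code & 0xF0 != X224_CC:                  # low nibble is the credit field, 0 for class 0
        raise ValueError("not an X.224 Connection Confirm")
    if 4 + 1 + li != tpkt_len:
        raise ValueError("X.224 length does not match TPKT length")
    payload = data[11:]                         # anything after dst-ref, src-ref, class
    if not payload:
        # Servers that predate the negotiation extension confirm with a bare CC.
        return {"negotiation": None}
    ptype, _flags, length, value = struct.unpack("<BBHI", payload[:8])
    if length != 8:
        raise ValueError("malformed RDP negotiation structure")
    if ptype == NEG_RSP:
        return {"negotiation": "response",
                "selected_protocol": PROTOCOL_NAMES.get(value, hex(value))}
    if ptype == NEG_FAILURE:
        return {"negotiation": "failure", "reason": FAILURE_CODES.get(value, hex(value))}
    raise ValueError("unknown negotiation type %#x" % ptype)


def looks_like_rdp(reply: bytes) -> bool:
    """True if the first bytes a listener sent back parse as an RDP Connection Confirm."""
    try:
        parse_x224_connection_confirm(reply)
        return True
    except ValueError:
        return False


def probe_rdp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port, send the CR, classify the reply. The port is irrelevant."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        reply = sock.recv(64)
    return parse_x224_connection_confirm(reply)


# Constructed sample replies (not captures from any real host).
SAMPLE_BARE_CC = bytes.fromhex("0300000b06d00000123400")                      # older TS: no RDP_NEG_RSP
SAMPLE_TLS_CC = bytes.fromhex("030000130ed000001234000200080001000000")      # RDP_NEG_RSP, TLS selected
SAMPLE_NLA_FAILURE = bytes.fromhex("030000130ed000001234000300080005000000")  # RDP_NEG_FAILURE, NLA required
SAMPLE_NOT_RDP = b"HTTP/1.1 400 Bad Request\r\n"

if __name__ == "__main__":
    for name, sample in (("bare CC", SAMPLE_BARE_CC), ("TLS", SAMPLE_TLS_CC),
                         ("NLA failure", SAMPLE_NLA_FAILURE)):
        print(name, parse_x224_connection_confirm(sample))
    print("HTTP banner is RDP?", looks_like_rdp(SAMPLE_NOT_RDP))
    # Live use (placeholders): print(probe_rdp("isa.example.invalid", 33000))
```

Looping `probe_rdp` over a port range is all a "port hunting" tool does; the published port only changes how long the loop runs. The negotiation branch is also where a client learns whether the server is willing to fall back to standard RDP security, which is the setting Jim tells Krisna to pin to High.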