[isalist] Re: Problematic RDP/RDP Server protocol behavior over VPN

  • From: "Jonathon J. Howey" <Jonathon@xxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 26 Jan 2007 16:22:36 -0700

Thanks Jim. Seems to have worked on my computer. Time to push as GPO.
 
Out of curiosity, do you know why this wasn't added to the server-side
interface, to something like the Domains tab in the Internal network
properties?
 
________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: January 24, 2007 8:07 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problematic RDP/RDP Server protocol behavior over
VPN



BTW:

1.       If you want this to operate only for a particular user, you
place it in %UserProfile%\Application Data\Microsoft\Firewall Client
2004\

2.       You can validate this change in the cmd line by typing
'%ProgramFiles%\Microsoft\Firewall Client 2004\fwctool
printglobalconfig' (no quotes)

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, January 24, 2007 6:54 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problematic RDP/RDP Server protocol behavior over
VPN

 

The problem you have is that the remote site network is not considered
"local" by the FWC-enabled VPN client.

You'll have to "educate it".

..at the FWC-enabled host,

1.      Create a text file as %AllUsersProfile%\Application
Data\Microsoft\Firewall Client 2004\locallat.txt
2.      Edit the file in notepad and add this entry:

192.168.200.0             192.168.200.255

3.      Save the file (ctrl-s)
4.      Close notepad
5.      Open a cmd window (Start | run | "cmd")
6.      Type 'net stop fwcagent & net start fwcagent' (no quotes)

 

This way, the FWC will not "intercept" traffic destined for the remote
network.
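The following is an added example, not code from Jim's post or from the Firewall Client itself: a small Python model of the "is this destination local?" decision the locallat.txt entry above influences, so an administrator can check a locallat.txt file before pushing it by GPO. It assumes the locallat.txt format is one range per line, start and end address separated by whitespace (as in Jim's entry), and it uses a constructed server-supplied LAT of 192.168.100.0/24 (ISA "A"'s internal network from the original post).

```python
"""Model of the Firewall Client's local-address check (added example).

Assumptions, labelled: locallat.txt holds one '<start> <end>' range per
line; the LAT already learned from ISA "A" covers 192.168.100.0/24.
"""
import ipaddress
from typing import List, Tuple

Range = Tuple[int, int]

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

# Constructed: the LAT the client already received from ISA "A" (assumption).
SERVER_LAT: List[Range] = [(_ip("192.168.100.0"), _ip("192.168.100.255"))]

def parse_locallat(text: str) -> List[Range]:
    """Parse locallat.txt into integer ranges; blank lines are skipped.
    A malformed line or an inverted range raises ValueError so that a typo
    does not silently drop the range from the table."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<start> <end>', got {raw!r}")
        start, end = _ip(parts[0]), _ip(parts[1])
        if start > end:
            raise ValueError(f"line {lineno}: start address is above end address")
        ranges.append((start, end))
    return ranges

def locallat_errors(text: str) -> List[str]:
    """Pre-deployment check: return the parse errors for a locallat.txt body."""
    try:
        parse_locallat(text)
        return []
    except ValueError as exc:
        return [str(exc)]

def is_local(dest: str, lat: List[Range]) -> bool:
    """True if dest falls inside any LAT range (FWC leaves the packet alone)."""
    n = _ip(dest)
    return any(lo <= n <= hi for lo, hi in lat)

def route_for(dest: str, locallat_text: str) -> str:
    """'direct' if the packet goes out the VPN adapter untouched, 'via-isa'
    if FWC would tunnel it to ISA "A", where ISA "B" then sees it as External."""
    lat = SERVER_LAT + parse_locallat(locallat_text)
    return "direct" if is_local(dest, lat) else "via-isa"
```

Running route_for("192.168.200.2", "") against the SBS server gives "via-isa", which is the External-sourced RDP attempt seen in the log further down; with Jim's entry in the locallat text it gives "direct".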

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jonathon J. Howey
Sent: Tuesday, January 23, 2007 12:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Problematic RDP/RDP Server protocol behavior over VPN

 

Hi,

 

To sum it up, we have a client, behind one ISA 2004 firewall ("A"), that
is attempting to VPN (gets 192.168.200.16) into a certain SBS  / ISA
2004 network ("B") over RDP and are seeing some weird packet addressing.

 

Basically:

VPN client (192.168.200.16) [with FWC] -> ISA 2004 "A" (66.181.211.YYY /
192.168.100.X/24) <--> {( Internet )} <---> ISA 2004 "B" / SBS (RDP
Server) [192.168.200.2 / 192.168.200.17 / 66.51.121.XXX]

 

-This ISA 2004 "B" server has an Access Rule allowing RDP / RDP Server
protocol traffic from VPN Clients / Quarantined VPN Clients to Local
Host.  I do not want it listening on the External network.  TS/RDP
Server is set to listen on all network adapters.

(I thought a Server publishing rule would work, but for some reason it's
using RDP and not RDP Server (therefore not an Inbound connection) when
VPN clients talk to the Local Host -- so this publishing rule gets
skipped over)

- The VPN client has a default gateway of 192.168.200.17, which of
course means it's not a SecureNET client of the ISA 2004 "B" server, if
it were possible for VPN clients to be SecureNET/NAT clients as well.
This *.17 is automatically set of course by RRAS/ISA. I don't know if
this is part of my problem; related to routing?

 

 

Anyways, I'm seeing some weird tunneling behavior (log to follow).  From
what I'm seeing, 1) my VPN client (192.168.200.16) is making a DNS
lookup to the DNS server (192.168.200.2), which ISA sees as a VPN Client
Network connection (which is correct IMO).  Then once this VPN client
has the resolved IP from the DNS server, it makes a connection to this
same server -- the RDP server (SBS server), but for some reason it is
being "registered" (packet source/destination) with External / public
IPs from what the ISA logging says.  It seems to try the external IPs 3
times before giving up.  2) If I try from another VPN client that is not
behind an ISA server, it will *sometimes* try the external network
addresses way 3 times, then eventually tries with VPN address and it
will connect.  Anyone have any ideas? (difference is the VPN client
behind ISA times out after 3 tries on External, whereas non-ISA
protected VPN client will have time to try VPN Client way).

 

In terms of #1, seeing as I do not want to listen on my External
connection for RDP connections, one course of action could be to allow
from VPN Networks plus this 66.181.211.YYY address, but I would like to
know what makes this scenario so flaky.  Thanks.

 

 

Here is a snippet from the log:

Original Client IP Client Agent Authenticated Client Service Server Name
Referring Server Destination Host Name Transport MIME Type Object Source
Source Proxy Destination Proxy Bidirectional Client Host Name Filter
Information Network Interface Raw IP Header Raw Payload Source Port
Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code
Cache Information Error Information Log Record Type Log Time Destination
IP Destination Port Protocol Action Rule Client IP Client Username
Source Network Destination Network HTTP Method URL
192.168.200.16    WEB-01 -  UDP -      -    1033 0 0 0 0x0   0x0 0x0
Firewall 23/01/2007 12:17:55 AM 192.168.200.2 53 DNS Initiated
Connection SBS Protected Networks Access Rule 192.168.200.16  VPN
Clients Local Host - -
66.181.211.YYY    WEB-01 -  TCP -      -    21141 0 0 0 0xc004000d
FWX_E_POLICY_RULES_DENIED  0x0 0x0 Firewall 23/01/2007 12:18:23 AM
66.51.121.XXX 3389 RDP (Terminal Services) Denied Connection Default
rule 66.181.211.YYY  External Local Host - -

Thanks,

 

Jonathon J. Howey

MENSE Inc.

P 780.409.5620

F 780.409.5621

D 780.409.5628

C 780.965.8363

Jonathon@xxxxxxxx

 

Defining the Future of Industry

www.MENSE.ca <http://www.mense.ca/> 

 

 

 

All mail to and from this domain is GFI-scanned.