Thanks Jim. Seems to have worked on my computer. Time to push as GPO. Out of curiosity, do you know why this wasn't added to the server-side interface, to something like the Domains tab in the Internal network properties?

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: January 24, 2007 8:07 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problematic RDP/RDP Server protocol behavior over VPN

BTW:

1. If you want to have this operate only for a particular user, place it in %UserProfile%\Application Data\Microsoft\Firewall Client 2004\
2. You can validate this change at the cmd line by typing '%ProgramFiles%\Microsoft\Firewall Client 2004\fwctool printglobalconfig' (no quotes)

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, January 24, 2007 6:54 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problematic RDP/RDP Server protocol behavior over VPN

The problem you have is that the remote site network is not considered "local" by the FWC-enabled VPN client. You'll have to "educate it".

...at the FWC-enabled host:

1. Create a text file as %AllUsersProfile%\Application Data\Microsoft\Firewall Client 2004\locallat.txt
2. Edit the file in Notepad and add this entry: 192.168.200.0 192.168.200.255
3. Save the file (Ctrl-S)
4. Close Notepad
5. Open a cmd window (Start | Run | "cmd")
6. Type 'net stop fwcagent & net start fwcagent' (no quotes)

This way, the FWC will not "intercept" traffic destined for the remote network.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
Sent: Tuesday, January 23, 2007 12:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Problematic RDP/RDP Server protocol behavior over VPN

Hi,

To sum it up, we have a client, behind one ISA 2004 firewall ("A"), that is attempting to VPN (gets 192.168.200.16) into a certain SBS / ISA 2004 network ("B") over RDP, and we are seeing some weird packet addressing. Basically:

VPN client (192.168.200.16) [with FWC] -> ISA 2004 "A" (66.181.211.YYY / 192.168.100.X/24) <--> {( Internet )} <---> ISA 2004 "B" / SBS (RDP Server) [192.168.200.2 / 192.168.200.17 / 66.51.121.XXX]

- This ISA 2004 "B" server has an Access Rule allowing RDP / RDP Server protocol traffic from VPN Clients / Quarantined VPN Clients to Local Host. I do not want it listening on the External network. TS/RDP Server is set to listen on all network adapters. (I thought a Server publishing rule would work, but for some reason it's using RDP and not RDP Server (therefore not an Inbound connection) when VPN clients talk to the Local Host -- so this publishing rule gets skipped over.)

- The VPN client has a default gateway of 192.168.200.17, which of course means it's not a SecureNET client of the ISA 2004 "B" server, if it were possible for VPN clients to be SecureNET/NAT clients as well. This *.17 is automatically set of course by RRAS/ISA. I don't know if this is part of my problem; related to routing?

Anyways, I'm seeing some weird tunneling behavior (log to follow). From what I'm seeing:

1) My VPN client (192.168.200.16) is making a DNS lookup to the DNS server (192.168.200.2), which ISA sees as a VPN Client Network connection (which is correct IMO). Then once this VPN client has the resolved IP from the DNS server, it makes a connection to this same server -- the RDP server (SBS server), but for some reason it is being "registered" (packet source/destination) with External / public IPs from what the ISA logging says. It seems to try the external IPs 3 times before giving up.

2) If I try from another VPN client that is not behind an ISA server, it will *sometimes* try the external network addresses way 3 times, then eventually tries with the VPN address and it will connect. Anyone have any ideas? (The difference is that the VPN client behind ISA times out after 3 tries on External, whereas the non-ISA-protected VPN client will have time to try the VPN Client way.)

In terms of #1, seeing as I do not want to listen on my External connection for RDP connections, one course of action could be to allow from VPN Networks plus this 66.181.211.YYY address, but I would like to know what makes this scenario so flaky. Thanks.

Here is a snippet from the log:

Original Client IP  Client Agent  Authenticated Client  Service  Server Name  Referring Server  Destination Host Name  Transport  MIME Type  Object Source  Source Proxy  Destination Proxy  Bidirectional  Client Host Name  Filter Information  Network Interface  Raw IP Header  Raw Payload  Source Port  Processing Time  Bytes Sent  Bytes Received  Result Code  HTTP Status Code  Cache Information  Error Information  Log Record Type  Log Time  Destination IP  Destination Port  Protocol  Action  Rule  Client IP  Client Username  Source Network  Destination Network  HTTP Method  URL

192.168.200.16  WEB-01  -  UDP  -  -  1033  0  0  0  0x0  0x0  0x0  Firewall  23/01/2007 12:17:55 AM  192.168.200.2  53  DNS  Initiated Connection  SBS Protected Networks Access Rule  192.168.200.16  VPN Clients  Local Host  -  -

66.181.211.YYY  WEB-01  -  TCP  -  -  21141  0  0  0  0xc004000d FWX_E_POLICY_RULES_DENIED  0x0  0x0  Firewall  23/01/2007 12:18:23 AM  66.51.121.XXX  3389  RDP (Terminal Services)  Denied Connection  Default rule  66.181.211.YYY  External  Local Host  -  -

Thanks,

Jonathon J. Howey
MENSE Inc.
P 780.409.5620  F 780.409.5621  D 780.409.5628  C 780.965.8363
Jonathon@xxxxxxxx
Defining the Future of Industry
www.MENSE.ca <http://www.mense.ca/>

All mail to and from this domain is GFI-scanned.
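Added example, not code from the thread or from the Firewall Client itself: a Python check of a candidate locallat.txt in the "start end" range-per-line format Jim describes, plus the classification FWC applies to each destination. It shows why the SBS address 192.168.200.2 is handed to ISA "A" (and so appears from the External network in the log) when the entry is missing, and reached directly once it is present. The 10.x entry, blank-line skipping and the "direct"/"via ISA" labels are assumptions made for the example.

```python
import ipaddress

# Constructed sample in the locallat.txt format from the thread: one
# "start end" IPv4 pair per line. The 192.168.200.x line is Jim's entry;
# the 10.x line is a made-up extra entry for the example.
SAMPLE_LOCALLAT = """\
192.168.200.0 192.168.200.255
10.0.0.0 10.255.255.255
"""


def parse_locallat(text):
    """Return [(start, end), ...] IPv4Address pairs from locallat.txt text.

    Raises ValueError on a line that is not two valid IPv4 addresses or
    whose end precedes its start. Blank lines are skipped (assumption).
    """
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {raw!r}")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"line {lineno}: end {end} precedes start {start}")
        ranges.append((start, end))
    return ranges


def locallat_errors(text):
    """Validate a file before pushing it out (e.g. by GPO): [] means clean."""
    try:
        parse_locallat(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def is_local(ranges, ip):
    """True when ip lies inside a listed range, i.e. FWC leaves it alone."""
    addr = ipaddress.IPv4Address(ip)
    return any(start <= addr <= end for start, end in ranges)


def classify(ranges, destinations):
    """'direct' for local destinations, 'via ISA' for those FWC intercepts."""
    return {ip: ("direct" if is_local(ranges, ip) else "via ISA") for ip in destinations}
```

Running `classify(parse_locallat(""), ["192.168.200.2"])` against `classify(parse_locallat(SAMPLE_LOCALLAT), ["192.168.200.2"])` reproduces the before/after behaviour the thread describes.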