Oh, then no, I'm not sure. My default action is to only bind services to
adapters that I know will be used. I was not aware of this feature in
2004, so thanks for the info and correction!
t
http://www.ISAserver.org
Hey Tim,
RE: #1 -- you sure about that? ISA Server 2004 has a "port stealing" feature that makes this not required. It might have been the case for ISA Server 2000, but not now. I have it working now without having to make changes to the Terminal Services configuration and can publish internal RDP servers and the RDP server on the ISA firewall.
Next week, Tom
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?**
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, November 22, 2005 7:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Securing Remote access for RDP (Terminal Services)
I know Doc already replied, but to specifically answer the last question, Yes, the TSAC client will use the server publishing RDP rule to communicate with the terminal server. The client is (apparently) using the Web Publishing rule to access the TSAC itself, then, once the TSAC is loaded into the client's memory, the client will connect to the server using RDP.
A couple of Q's-
1) You don't have RDP bound to the external interface on the ISA server itself, right? By default, in Terminal Server Configuration, any server with Remote Desktop enabled will bind RDP to all available interfaces. If you are publishing RDP on the ISA Box, the external interface of the ISA itself can't be bound to RDP. If you do indeed have Remote Desktop enabled on the ISA box, go into Terminal Server Configuration, right click on the RDP protocol, go to properties, select the Network Adapters tab, and select the internal adapter you wish to use to bind RDP to. Then you can publish RDP from the external interface to the internal box while still allowing RDP connections on the ISA's internal interface.
2) The TSAC client can directly hit the external interface of the ISA box with RDP (3389) right? Some people tend to think that the TSAC does some sort of RDP proxying - it provides the client with the ActiveX control- the client must still be able to hit the ISA box directly... Can you connect with the default RDP client on the client box? (mstsc.exe)
t
----- Original Message ----- From: "Raji Arulambalam" <rajia@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 22, 2005 3:52 PM
Subject: [isalist] RE: Securing Remote access for RDP (Terminal Services)
Hi
I followed as described in article KB895433 for using certificate based authentication for RDP clients. This worked fine, but I came to grief when I tried to access the Terminal Server via the TSAC web client. I got the error message that the server was unavailable giving 3 different reasons. I have both Web and Server publishing rules for the IIS and terminal servers. Does the TSAC client use the server published (RDP) rule to communicate with the Terminal server?
The ISA server 2000 was setup as using To's article http://www.isaserver.org/tutorials/Publishing_Terminal_Services_and_the_TSAC_Client__Updated.html
How do I get both working?
RajiA
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Tuesday, 22 November 2005 11:41 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Securing Remote access for RDP (Terminal Services)
>
> To be specific, one can indeed use SSL for RDP connections. Win2k3 allows specifying certificate-based TLS authentication at the server by installing a valid cert, specifying SSL as the security layer, and then choosing what encryption level you want, all the way to 140 bit FIPS as described in KB895433. But this, as you pointed out, has nothing to do with ISA other than publishing RDP.
>
> t
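The two listener settings discussed in this thread (which adapters RDP is bound to, and the security layer and encryption level set per KB895433) can be read back from the RDP-Tcp listener's registry key. The script below is an added example, not part of any message in the thread; it assumes a current Windows host with PowerShell and the NetTCPIP module rather than the Server 2003 / ISA 2004 systems discussed, and the function name `Get-RdpListenerAudit` is hypothetical.

```powershell
# Added example (not from the thread): report how the local RDP listener is configured.
# Assumption: current Windows with PowerShell and Get-NetTCPConnection available.
function Get-RdpListenerAudit {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $cfg = Get-ItemProperty -Path $key

    # Meanings of the listener's SecurityLayer and MinEncryptionLevel values.
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

    $port  = [int]$cfg.PortNumber
    $layer = [int]$cfg.SecurityLayer
    $level = [int]$cfg.MinEncryptionLevel

    # Addresses the listener is actually bound to right now.
    $bound = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress -Unique)

    $findings = @()
    if ([int]$cfg.LanAdapter -eq 0) {
        $findings += 'LanAdapter is 0: RDP is bound to all network adapters.'
    }
    if ($bound -contains '0.0.0.0' -or $bound -contains '::') {
        $findings += "TCP $port is listening on every interface, including any external one."
    }
    if ($layer -ne 2) {
        $findings += 'Security layer is not fixed to SSL (TLS); certificate-based server authentication is not enforced.'
    }
    if ($level -lt 3) {
        $findings += 'Minimum encryption level is below High.'
    }

    [pscustomobject]@{
        Port            = $port
        LanAdapter      = [int]$cfg.LanAdapter
        ListeningOn     = $bound -join ', '
        SecurityLayer   = $layerNames[$layer]
        EncryptionLevel = $levelNames[$level]
        Findings        = $findings
    }
}

Get-RdpListenerAudit | Format-List
```

Run it from an elevated prompt on the host whose listener you want to review; an empty `Findings` list means the listener is bound to a specific adapter, requires TLS, and uses High or FIPS encryption.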
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx