Problem publishing a non-web server with ISA 2006

  • Monday, September 28, 2009 7:18 PM Alex Osipov

    Hello,

    I run ISA Server 2006 with SP1 which has 3 network interfaces - Internal, External and Perimeter. Internal is a network with public addresses, Perimeter is a private network. Network rules are Internal to External - Route, Perimeter to External - NAT.

    I need to publish an RDP server which is in the Internal network to the Internet. I have done the following:

    1. Access rule from ISA Server (Localhost) to Internal RDP Server. Outbound RDP (Terminal Services). Applied and tested - I can open RDP session to the Internal server from ISA Server console.
    2. Access rule from External to ISA Server (Localhost). Outbound RDP (Terminal Services). Applied.
    3. Non-web server publishing rule. Properties are as follows. Traffic: RDP (Terminal Services) Server. From: Anywhere. To: Internal server IP address; Requests appear to come from the original client. Networks: External. Schedule: Always.

    For my test, Terminal Services on the ISA Server were disabled - nothing listened on tcp:3389 before the ISA rules were configured.

    Everything is applied. Now I try to connect with Remote Desktop client to ISA Server external interface. I don't get connected. telnet ISA_Server_external_interface 3389 promptly (no timeout) returns Connect failed error. At the same time ISA Server monitor logs 3 successful pairs of Initiated Connection / Closed Connection events. Network sniffer shows 3 SYN packets followed by ACK-RST packets. So, the ISA Server actively refuses the connection. Why?

    Tried the same setup with an RDP server located inside the Perimeter network - it works fine.

    What could be the problem? Any ideas are appreciated.

    The OS is Windows Server 2003 SP2. I have other publishing rules on the same server, all of them are web servers from both Internal and Perimeter networks - they work fine. Only the non-web publishing doesn't work.

    Alex

All Replies

  • Monday, September 28, 2009 7:30 PM Keith Abluton - MSFT

    Alex,

    Does the Internal server you are trying to RDP to use ISA Server as its default gateway, or ultimately route traffic out through ISA? You may have to change it so that "traffic appears to come from ISA Server" instead of "original client".

    See this blog:

    http://blogs.technet.com/isablog/archive/2009/01/09/server-publishing-is-failing-through-isa-server.aspx

  • Monday, September 28, 2009 7:38 PM Alex Osipov

    Hi Keith,

    All of the servers in my test have the corresponding ISA Server interface as their default gateway. I have already tried the "traffic appears to come from ISA Server" option with no success.

    Will check the blog.

  • Monday, September 28, 2009 7:48 PM Alex Osipov

    Keith,

    Just checked the blog. The scenario described in the blog doesn't apply to my case. I do not suspect routing since I can open a direct RDP session to my Internal RDP Server from the Internet right after I have created an Access rule which allows RDP protocol from External to my Internal RDP Server. I have public addresses in my Internal.

    Also, I can publish an RDP server from the Perimeter (NAT) network - that works with both the "original client" and "from ISA Server" options.

    Same thing with FTP protocol. HTTP and HTTPS are published and everything works fine.

  • Monday, September 28, 2009 8:10 PM Keith Abluton - MSFT

    You only need rule #3 if your goal is to publish an internal server to external. Get rid of the other 2 for now.

    Can you put a network sniffer on the RDP server and see if traffic is making it there through ISA? Do you see the 3 SYN packets?

  • Monday, September 28, 2009 8:28 PM Alex Osipov

    About the rule #3 suggestion. When I remove rule #1 it changes nothing in my current environment (which is obvious - there is no ISA->Internal traffic anyway). When I remove rule #2 my RDP client connection times out, I see 3 SYN packets in the sniffer on the ISA Server side - no ACK packets at all, and ISA Server monitor logs 3 denies with the Default Rule applied.

    Sniffer registers nothing related on the Internal RDP server. Also, sniffer on the ISA server side never registers any RDP traffic from ISA Server to Internal RDP.

  • Tuesday, September 29, 2009 8:23 AM Nick Gu - MSFT, Moderator

    Hi,

    Thank you for your post.

    According to your description, I suspect that you may be confused by the setting of your network rules: Internal to External - Route. I think you should change it to "NAT" from Internal to External.

    Here are some guidelines for creating network rules; you may have a look and test it to see if it will solve your problem.

    1. A NAT relationship is unidirectional. For example, if you create a NAT relationship from the Internal network to the perimeter network, traffic returned from the perimeter network to the Internal network is not translated. You cannot use access rules to control traffic from the network that does not have NAT applied to the network that does have NAT applied. To use access rules, networks must have knowledge of IP addresses in the other network. In this example, the Internal network is aware of addresses in the perimeter network, but clients in the perimeter network are not aware of addresses in the Internal network because NAT is applied. Instead, you would use Web publishing rules or server publishing rules to allow traffic from the perimeter network to the Internal network.

    2. A Route relationship is bidirectional. Defining a network rule with a route relationship between the Internal network and the perimeter network implicitly defines the same relationship from the perimeter network to the Internal network. You can use access rules, Web publishing rules, or server publishing rules to control traffic between networks linked with a route relationship.

    Regards,

    Nick Gu - MSFT

  • Tuesday, September 29, 2009 9:47 AM Alex Osipov

    Hi Nick,

    I am not confused about the difference between routed and NATed networks. I have the Route network rule between Internal and External intentionally; there is no plan to change it.

    Do you have any idea related to the actual issue, not to the network layout?

    Regards,
    Alex

    P.S. I don't want to be rude in any way, but you don't even explain why you think NAT is better than Route in my case - you just say "I think you should"... ;)

  • Wednesday, September 30, 2009 8:28 AM Nick Gu - MSFT, Moderator
     Answer

    Hi,

    Thank you for your update.

    As we know, the concept of non-web server publishing is designed for NAT relationships, not route relationships.

    Please refer to: http://technet.microsoft.com/en-us/library/dd547089.aspx

    Regards,

    Nick Gu - MSFT
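The two Nick Gu posts above (the NAT/Route guidelines and the accepted answer that non-web server publishing is meant for NAT relationships) can be turned into a configuration check. The PowerShell below is an added example, not code from this thread or from Microsoft: it encodes those relationship rules and flags every server-publishing rule whose published server sits in a network that has a Route (or no) relationship with the listener network. The network-rule and publishing-rule objects are constructed inline to mirror the poster's layout; the field names (Source, Destination, Type, PublishedNetwork, ListenerNetwork) are this example's own, not ISA object-model names.

```powershell
# Added example, not code from this thread or from Microsoft. It encodes the
# network-relationship behaviour described above (NAT is unidirectional, Route
# is bidirectional, non-web server publishing is intended for NAT relationships)
# and checks each server-publishing rule against the array's network rules.
# The objects below are constructed to mirror the poster's layout; the property
# names are this example's own assumptions, not ISA object-model members.

function Get-IsaRelationship {
    # Returns the relationship ISA applies to traffic going From -> To:
    # 'Route', 'NAT', 'NAT-Reverse' (a NAT rule exists only in the opposite
    # direction) or 'None' (no network rule links the two networks).
    param(
        [Parameter(Mandatory)] [object[]] $NetworkRules,
        [Parameter(Mandatory)] [string]   $From,
        [Parameter(Mandatory)] [string]   $To
    )
    foreach ($rule in $NetworkRules) {
        $forward = ($rule.Source -eq $From -and $rule.Destination -eq $To)
        $reverse = ($rule.Source -eq $To   -and $rule.Destination -eq $From)
        if ($forward) { return $rule.Type }                          # rule matches as written
        if ($reverse -and $rule.Type -eq 'Route') { return 'Route' } # Route is bidirectional
        if ($reverse -and $rule.Type -eq 'NAT')   { return 'NAT-Reverse' }
    }
    return 'None'
}

function Test-IsaServerPublishingRule {
    # A server-publishing rule listens on ListenerNetwork and forwards to a
    # server in PublishedNetwork, so the relationship that matters is the one
    # from the published server's network towards the listener network.
    param(
        [Parameter(Mandatory)] [object[]] $NetworkRules,
        [Parameter(Mandatory)] [object]   $PublishingRule
    )
    $rel = Get-IsaRelationship -NetworkRules $NetworkRules `
                               -From $PublishingRule.PublishedNetwork `
                               -To   $PublishingRule.ListenerNetwork
    $verdict = switch ($rel) {
        'NAT'         { 'OK: published server is on the translated side of a NAT rule' }
        'Route'       { "Problem: Route relationship; allow the traffic with an access rule from $($PublishingRule.ListenerNetwork) to the server instead" }
        'NAT-Reverse' { "Check: $($PublishingRule.ListenerNetwork) is the translated side; clients there already know the server's address, so an access rule is the usual choice" }
        default       { 'Problem: no network rule links the published and listener networks' }
    }
    [pscustomobject]@{
        Rule             = $PublishingRule.Name
        PublishedNetwork = $PublishingRule.PublishedNetwork
        ListenerNetwork  = $PublishingRule.ListenerNetwork
        Relationship     = $rel
        Verdict          = $verdict
    }
}

# Constructed sample data mirroring the thread: Internal <-> External is Route,
# Perimeter -> External is NAT, and two RDP server-publishing rules.
$networkRules = @(
    [pscustomobject]@{ Name = 'Internal to External';  Source = 'Internal';  Destination = 'External'; Type = 'Route' }
    [pscustomobject]@{ Name = 'Perimeter to External'; Source = 'Perimeter'; Destination = 'External'; Type = 'NAT' }
)
$publishingRules = @(
    [pscustomobject]@{ Name = 'RDP Internal server';  PublishedNetwork = 'Internal';  ListenerNetwork = 'External' }
    [pscustomobject]@{ Name = 'RDP Perimeter server'; PublishedNetwork = 'Perimeter'; ListenerNetwork = 'External' }
)

$publishingRules |
    ForEach-Object { Test-IsaServerPublishingRule -NetworkRules $networkRules -PublishingRule $_ } |
    Format-Table -AutoSize
```

Run as-is, the Internal rule comes back with Relationship 'Route' and a Problem verdict while the Perimeter rule comes back 'NAT' and OK, which is exactly the split the poster observed. On a live array the same Source/Destination/Type triples would have to be collected from the ISA administration COM object (ProgID "FPC.Root"); the exact collection and member names for that are not shown here and should be taken from the ISA SDK rather than guessed.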