Publishing TS Web Access, RPC Access Denied

    Question

  • Hi Everyone,

         I'm currently using ISA 2006 (Server 2003 R2) to publish TS Web Access (Server 2008) with RSA SecurID two-factor authentication. The authentication part is working fine (I think), I get the prompts from ISA, and the TS Web Access webpage is displayed. When I try to start an application, I'm prompted for my credentials and afterwards, one of two things might happen:

        1) The prompt pops back up and continues to do so.
        2) I get an error message stating: "This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable. Try reconnecting later..."

    Both of these problems result in the same RPC error in the ISA logs:

        Denied Connection ISA1 2/11/2009 1:32:07 PM 
        Log type: Web Proxy (Reverse) 
        Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
        Rule: RSA | TS Web Access 
        Source: (My Client IP) 
        Destination: (My Server IP:443) 
        Request: RPC_IN_DATA http://myserver.com/rpc/rpcproxy.dll?localhost:3388 
        Filter information: Req ID: 0d7017a3; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes 
        Protocol: https 
        User: anonymous 
        Additional information 
            Client agent: MSRPC
            Object source: (No source information is available.)
            Cache info: 0x8 (Request includes the AUTHORIZATION header.)
            Processing time: 1 ms
            MIME type: 


    Followed by another RPC error, with a slight difference in the Request line:

        RPC_OUT_DATA http://myserver.com/rpc/rpcproxy.dll?localhost:3388

    I'm lost. I can't discern from the error log what I need to change in my rules, if anything. I've rebuilt the TS Gateway / TS Web Access server from scratch, and I've rebuilt my rules a number of times. I came across a TechNet article that referenced some changes to try with a similar problem, but to no avail. My listener is only over HTTP/443, and authentication is SecurID. Authentication on the rule is set to NTLM (and I've tried all other options as well). Any ideas?

    Cheers,

    Grant

    Wednesday, February 11, 2009 19:10

Answers

  • Bump.

    So here's some more info. I was troubleshooting the fact that this was RPC-related. When I tried to access the https://myserver/rpc site, at first I was getting an Error 64 "Host not available". I disabled HTTP / HTTPS compression in the web filters tab, and the site responds properly with "No delegation, but client may authenticate directly" authentication. When I set the authentication to NTLM, I get an Error 500 "The pipe is being closed (232)".

    The reason I'm using TS Gateway with TS Web Access is because I don't want to have to open 3389 to the outside world, and TS Gateway allows me to tunnel everything over 443.

    Somehow, after enough tweaking, I've gotten to the point where the only error message I get is "This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable. Try reconnecting later..." and the RPC errors listed in the first post continue. Is there something special I'm missing about publishing TS Gateway RPC? I've walked through all the step-by-step guides, and I keep hitting a brick wall.

    One edited thought: My internal server name is, for example, gate1.contooso.com. The certificate, and publicly registered DNS name is external.contooso.com. I've loaded the external.contooso.com certificate on both the ISA server and the web server, and I've created an internal DNS alias rule to resolve external.contooso.com to gate1.contooso.com. In my ISA rules, I never use the name gate1.contooso.com, just external.contooso.com to avoid certificate errors. Could I be looping through the firewall somehow?

    Thanks in advance.

    Cheers,

    Grant
    Wednesday, February 18, 2009 19:52

All replies

  • Are you sure you're publishing TSWeb and not TS Gateway?
    The request you logged (http://myserver.com/rpc/rpcproxy.dll?localhost:3388) indicates that the client thinks it has to use a TSGateway server to connect to that machine.
    You should note that TSGateway can use NTLM or Smartcard, but not SecurID.
    Make sure you are not selecting "use a Terminal Services Gateway server" in your client options.

    Jim Harrison Forefront Edge CS
    Friday, February 13, 2009 00:29
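As an added example (my own code, not from the original post, from Microsoft or from ISA Server), here is a Python script that parses ISA log-viewer entries like the ones quoted in the question and applies the reading Jim gives above: the query string of `/rpc/rpcproxy.dll?host:port` names the backend the RPC-over-HTTP client is asking the proxy to reach, RPC_IN_DATA and RPC_OUT_DATA are the two half-channels of a single connection attempt, and the User and Cache info fields show how ISA evaluated the client's credentials. The sample log is constructed from the post with a placeholder client address (203.0.113.10); the function names and the grouping by (client, rule, backend) are my choices, not anything ISA provides.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

RPC_HTTP_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}  # the two half-channels of RPC over HTTP
ISA_DENIED_URL = 12232  # ISA status "The server denied the specified URL"
HEADER_RE = re.compile(r"^(Denied Connection|Allowed Connection)\s+(\S+)\s+(.+)$")

# Constructed sample (not a real capture): the two entries quoted in the thread, with a
# placeholder client address. The first keeps the Request field wrapped onto two lines, as in the post.
SAMPLE_LOG = """\
Denied Connection ISA1 2/11/2009 1:32:07 PM
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Rule: RSA | TS Web Access
Source: 203.0.113.10
Request: RPC_IN_DATA
http://myserver.com/rpc/rpcproxy.dll?localhost:3388
User: anonymous
Client agent: MSRPC
Cache info: 0x8 (Request includes the AUTHORIZATION header.)

Denied Connection ISA1 2/11/2009 1:32:07 PM
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Rule: RSA | TS Web Access
Source: 203.0.113.10
Request: RPC_OUT_DATA http://myserver.com/rpc/rpcproxy.dll?localhost:3388
User: anonymous
Client agent: MSRPC
"""

def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split a log-viewer export into blank-line-separated entries of lower-cased 'field: value' pairs."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        entry: Dict[str, str] = {}
        m = HEADER_RE.match(lines[0]) if lines else None
        if m:
            entry["action"], entry["server"], entry["timestamp"] = m.groups()
            lines = lines[1:]
        for ln in lines:
            if ln.lower().startswith(("http://", "https://")) and "request" in entry:
                entry["request"] += " " + ln  # continuation of a wrapped Request field
                continue
            key, sep, value = ln.partition(":")
            if sep:
                entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def rpc_proxy_target(url: str) -> Optional[Tuple[str, int]]:
    """Backend (host, port) the client asked the RPC proxy for via .../rpc/rpcproxy.dll?host:port, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/rpc/rpcproxy.dll"):
        return None
    host, sep, port = parts.query.partition(":")
    return (host, int(port)) if sep and port.isdigit() else None

def classify(entry: Dict[str, str]) -> Dict[str, object]:
    """Facts worth checking on one entry: the RPC half-channel, the requested backend, and how ISA saw the client."""
    method, _, url = entry.get("request", "").partition(" ")
    status = entry.get("status", "")
    code = int(status.split()[0]) if status[:1].isdigit() else None
    return {
        "source": entry.get("source"),
        "rule": entry.get("rule"),
        "method": method,
        "rpc_over_http": method in RPC_HTTP_METHODS,
        "rpc_target": rpc_proxy_target(url) if url else None,
        "status_code": code,
        "denied_url": code == ISA_DENIED_URL,
        "anonymous": entry.get("user", "").lower() == "anonymous",
        "sent_authorization": "AUTHORIZATION" in entry.get("cache info", "").upper(),
    }

def gateway_sessions(entries: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], Dict[str, object]]:
    """Group RPC-over-HTTP requests by (client, rule, backend) so both half-channels of one attempt are judged together."""
    sessions = defaultdict(lambda: {"channels": set(), "denied": False, "anonymous": False, "auth_header": False})
    for entry in entries:
        c = classify(entry)
        if not c["rpc_over_http"] or c["rpc_target"] is None:
            continue
        s = sessions[(c["source"], c["rule"], "%s:%d" % c["rpc_target"])]
        s["channels"].add(c["method"])
        s["denied"] = s["denied"] or c["denied_url"]
        s["anonymous"] = s["anonymous"] or c["anonymous"]
        s["auth_header"] = s["auth_header"] or c["sent_authorization"]
    return dict(sessions)

def summarize(sessions) -> List[str]:
    """One line per attempt: which client asked for which backend through which rule, and what ISA did with it."""
    out = []
    for (source, rule, target), s in sessions.items():
        flags = [f for f, on in (("denied", s["denied"]), ("anonymous", s["anonymous"]), ("Authorization header sent", s["auth_header"])) if on]
        out.append("%s -> %s via '%s': %s %s" % (source, target, rule, "+".join(sorted(s["channels"])), ", ".join(flags)))
    return out

if __name__ == "__main__":
    print("\n".join(summarize(gateway_sessions(parse_entries(SAMPLE_LOG)))))
```

Run against the sample it prints one line showing that the same client tried both half-channels to localhost:3388 through the "RSA | TS Web Access" rule, that ISA denied the URL (12232) on both, and that the request was evaluated as anonymous even though an Authorization header was present. Those are the three facts to line up against the publishing rule's path set and authentication delegation settings when reading a log like this.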
  • Thanks for the reply Jim.

    I'm sure I'm publishing TS Web Access now, but I guess I probably have to publish both TS Web Access and Gateway. Unfortunately the documentation and step-by-step process is pretty thin from what I've seen.

    In order to publish TS Web Access published apps to the Internet, you need to use TS Gateway to tunnel over 443 and provide the network translation, otherwise the outside client can't see the servers. I know that TS Gateway does not support pass-through outside of the domain and must use NTLM or smart card, which is why I get a second prompt for credentials prior to launching the app.

    I'm using SecurID authentication with prompts for additional credentials (which I'll be able to stop doing once RSA actually releases an ACE client for Server 2008), which gets me authentication to the web site. Then TS Gateway prompts me again to launch the app, which I'd love to avoid if possible.

    In any case, would you have any recommendations for best practice in this setup? Because I'm using ISA does that mean I don't need TS Gateway anymore?
    Friday, February 13, 2009 19:52
  • Hi Grant,

    It has been nearly 18 months since there was any activity on this thread. I'm going to mark it as answered for now. If you still have an issue, re-open the thread.

    James.

    Tuesday, September 28, 2010 08:10