FTMG Client and Remote Desktop

  • Question

  • Hello,
    I have deployed FTMG 2010 in my company. Everything is fine so far, but I detected a serious problem with the FTMG client...
    I have set up a rule that allows VPN traffic to external networks (it's working fine), but the problem is when I want to make an RDP connection through this VPN, the RDP session cannot be established...
    I've tried to find the reason by monitoring FTMG sessions... The RDP session never reaches the FTMG server...
    When I disabled the FTMG client, everything was working.
    Is there something that I didn't set up correctly?
    I have set up my WPAD entry in DNS and option 252 in DHCP. The autodiscovery for the TMG client is working perfectly.
    I also tried the ISA 2006 client, with exactly the same issues..
    Is there anybody who has solved this problem? According to my internet search everyone believes that there is no workaround for this problem...

    Thanks
    Vangelis Kapsalakis
    Monday, December 14, 2009 4:54 PM

Answers

  • Since the destination of the RDP session is not in the local address table (LAT), the TMG client will catch it and send it to TMG instead of through the VPN tunnel established by the client.

    A few ways to work around this are:
    1: Disable = 1 for mstsc in Firewall TMG Client Settings (click Networking and look in the Tasks pane).
    This will however make the TMG client ignore all mstsc-originated sessions.

    2: Add the destination IPs (the ones on the other side of the VPN) to the LAT.
    This will however make the TMG client always think these addresses are part of the local network.

    Monday, December 14, 2009 8:18 PM
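To make the interception logic in the answer above concrete, here is an added example (not code from the thread or from the Firewall Client itself): a simplified model of the client's per-socket decision, used to compare the two workarounds and their side effects. The LAT range 10.0.0.0/8, the customer subnet 192.168.50.0/24, the Internet host 203.0.113.9 and the second application name "putty" are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FirewallClientConfig:
    """Simplified model of what the TMG/ISA Firewall Client does with a Winsock
    connection: ignore the app entirely (Disable=1), leave it to the OS when the
    destination is in the local address table (LAT), else redirect it to TMG.
    This is an illustrative model, not the real client's code."""
    lat: list = field(default_factory=list)          # ip_network objects
    disabled_apps: set = field(default_factory=set)  # app names with Disable=1

    def add_lat(self, cidr):
        self.lat.append(ipaddress.ip_network(cidr, strict=False))

    def disable_app(self, app):
        self.disabled_apps.add(app.lower())

    def in_lat(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.lat)

    def route_for(self, app, dest_ip):
        """'direct' = socket left to the OS, so it can reach the client's VPN adapter;
        'tmg' = socket redirected to the TMG server, which never sees the tunnel."""
        if app.lower() in self.disabled_apps or self.in_lat(dest_ip):
            return "direct"
        return "tmg"


# Constructed addresses: corporate LAN 10.0.0.0/8 is the LAT, the customer's LAN
# behind the client VPN is 192.168.50.0/24, 203.0.113.9 stands in for an Internet host.
REMOTE_RDP = "192.168.50.10"
INTERNET_RDP = "203.0.113.9"


def baseline():
    cfg = FirewallClientConfig()
    cfg.add_lat("10.0.0.0/8")
    return cfg


def option1_disable_mstsc():
    # Workaround 1: Disable=1 for mstsc. Side effect: mstsc bypasses TMG everywhere.
    cfg = baseline()
    cfg.disable_app("mstsc")
    return cfg


def option2_extend_lat():
    # Workaround 2: add the remote subnet to the LAT. Side effect: every app treats it as local.
    cfg = baseline()
    cfg.add_lat("192.168.50.0/24")
    return cfg


def compare():
    """Route table per configuration, for mstsc and a second app ("putty", assumed)."""
    configs = (("baseline", baseline()), ("option1", option1_disable_mstsc()),
               ("option2", option2_extend_lat()))
    return {name: {(app, ip): cfg.route_for(app, ip)
                   for app in ("mstsc", "putty") for ip in (REMOTE_RDP, INTERNET_RDP)}
            for name, cfg in configs}


if __name__ == "__main__":
    for name, table in compare().items():
        print(name, table)
```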
  • Two options that come to mind are:
    Name resolution depends on how clients type names, FQDN or just server names.

    1: Add the required records to your internal DNS servers.
    Now only server names are needed if the records are added to the default DNS search suffix zone.
    You can also add a new DNS domain to your internal DNS servers and add that as a search suffix on clients.

    2: Add the remote DNS domain as a DNS suffix to the DNS configuration of the VPN connection.
    This will cause the client to use the DNS obtained from the VPN connection for that domain suffix.
    Clients can then use something like rdpserver1.remotedomain.local (if the DNS suffix is remotedomain.local).
    This approach, I think, only works with Microsoft VPN clients (not sure about Cisco).

    However.
    If this is many users to one remote destination, you should consider configuring a site-to-site VPN from your TMG instead. Then clients do not need to start a VPN from each client, and you can set up conditional forwarders on your DNS servers to make name resolution easier for clients.

    Tuesday, December 15, 2009 6:14 PM

All replies

  • Thank you very much Kent,
    Now it's working, but I also need name resolution for the remote computers.
    With this setting that I made, I can connect to the remote computer only with the IP address.
    I've tried to exclude nslookup with disable=1 but this didn't work.
    Do you have something in mind?
    Thanks again!
    Tuesday, December 15, 2009 10:43 AM
  • I followed the first solution as the better one..
    I just want to have a VPN connection with my customers' servers.
    So I made Host A records on my DNS server and the name resolution was solved.
    Thanks again Kent, I hope these posts help someone out there.

    Have a nice day!
    Wednesday, December 16, 2009 5:56 PM