Fresh install of UAG, unable to RDP to it

  • Question

  • Hi

    I have a UAG install intended as a reverse proxy machine. I am having some trouble getting the rules I entered to be honoured, so I am trying to RDP in.

    So what I am wondering is: what needs to be done to allow RDP?

    Friday, July 8, 2011 7:11 AM

Answers

All replies

  • Hello,

    • First of all activate RDP on Windows of course.
    • On the Forefront TMG Management console, click on the Firewall node.
    • On the Toolbox tab, open the Enterprise Remote Management Computers object, located in the Computer Sets folder in the Network Objects section.
    • Click on Add... to specify a computer name, IP Addresses and description.
    • Click on Apply to validate the changes and to apply the changes to the Forefront UAG server.

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    • Proposed as answer by Ran [MSFT] Sunday, July 10, 2011 5:29 AM
    Friday, July 8, 2011 8:18 AM
  • I too have a fresh install of UAG and I am able to RDP to it from a server in the same network segment (VLAN). However, I am unable to access it from the IT VLAN...

    I added the network segment address in the RDP access rule and even tried adding static routes so my internal interface could find the addresses. It just does not respond, and I cannot ping it, although I also enabled that.

    I could RDP to the box before the UAG install. Is there a setting in TMG that I am missing?


    Matthew Barrett Concept Interactive Inc.
    Wednesday, July 20, 2011 2:14 PM
  • Hello,

    Try to check all of this on the UAG box and your client:

    • Default gateway
    • Route table with the route -print command

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Wednesday, July 20, 2011 2:16 PM
  • In addition to specifying the IP addresses in the "Remote Management Computers" section of TMG, you also need to ensure that the UAG server has the correct routing and that UAG/TMG recognize that new route as part of the "Internal" network before UAG/TMG will allow any traffic to flow to or from that new VLAN. Here are the steps to take:

    1. Ensure the routing table is correct. On a UAG server the default gateway is applied to the external NIC, so your internal NIC should not have a default gateway (if it does, remove it). Because of that, you need to manually define the routes necessary for the server to reach any subnet outside the one the internal NIC is currently plugged into.

    2. Once the routing table is set, open UAG Management and click on the "Admin" menu. Then click on "Network Interfaces". This will launch the mini-wizard that lets you define what network segments (IP ranges) are part of your "Internal" network. You need to make sure that the new IT VLAN's IP addresses are included in this internal network definition. Once that wizard is finished, make sure to "Activate" UAG to push those changes into place.

    3. In the Firewall Policy of TMG, as specified in Lionel's post above, make sure the IPs you want to define as Remote Management Computers get added to the Remote Management Computers group.

    Wednesday, July 20, 2011 2:20 PM
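    The following PowerShell script is an added example (not code from the thread or from Microsoft) that scripts the checkable parts of the three steps above on the UAG box: confirm that only the external NIC carries a default gateway, add a persistent static route for the remote VLAN via the internal side's router, verify it, and add a management host to the TMG computer set. Every subnet, gateway, NIC name and host value is an assumption to be replaced with your own. The TMG part uses the FPC COM object as I remember it from the ISA/TMG SDK; treat those member names as an assumption and check them against your SDK. Step 2 of the post above (the UAG "Network Interfaces" wizard plus Activate) is a UAG Management action and is not replaced by this script.

```powershell
# Added example, not from the original thread. Targets Windows Server 2008 R2
# (UAG's platform), so it uses WMI and route.exe rather than the later NetTCPIP cmdlets.
# All values below are assumptions; replace them with your own addresses.

$InternalNicName = 'Internal'          # assumed friendly name of the LAN-facing NIC
$ItVlanSubnet    = '10.20.30.0'        # assumed IT VLAN you want to RDP from
$ItVlanMask      = '255.255.255.0'
$InternalRouter  = '10.10.10.1'        # assumed router on the internal NIC's subnet
$AdminHost       = '10.20.30.15'       # assumed management workstation in that VLAN

# 1. Which NICs carry a default gateway? UAG expects exactly one, on the external NIC.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($nic.Index)"
    $gw = if ($nic.DefaultIPGateway) { $nic.DefaultIPGateway -join ',' } else { '(none)' }
    '{0,-20} IP={1,-16} GW={2}' -f $adapter.NetConnectionID, $nic.IPAddress[0], $gw
}
$withGw = @($nics | Where-Object { $_.DefaultIPGateway })
if ($withGw.Count -ne 1) {
    Write-Warning "Expected one default gateway (on the external NIC); found $($withGw.Count)."
}
$internal = $nics | Where-Object {
    (Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($_.Index)").NetConnectionID -eq $InternalNicName
}
if ($internal -and $internal.DefaultIPGateway) {
    Write-Warning "Internal NIC '$InternalNicName' has a default gateway; remove it and use static routes instead."
}

# 2. Add a persistent route so replies to the IT VLAN leave via the internal NIC.
#    -p makes the route survive reboots; without it the route is gone after the next restart.
$existing = route.exe print -4 | Select-String -SimpleMatch $ItVlanSubnet
if (-not $existing) {
    route.exe -p add $ItVlanSubnet mask $ItVlanMask $InternalRouter metric 1
} else {
    "Route for $ItVlanSubnet already present."
}

# 3. Confirm: the IT VLAN must now point at the internal router, not the external default gateway.
route.exe print -4 | Select-String -SimpleMatch $ItVlanSubnet

# 4. Add the management host to TMG's Remote Management Computers set via the FPC COM API.
#    ASSUMPTION: object/member names (FPC.Root, GetContainingArray, RuleElements.ComputerSets,
#    Computers.Add, Save) are from memory of the TMG SDK; verify before relying on them.
#    The set is named "Enterprise Remote Management Computers" in an enterprise deployment.
$fpc   = New-Object -ComObject 'FPC.Root'
$array = $fpc.GetContainingArray()
$set   = $array.RuleElements.ComputerSets.Item('Remote Management Computers')
$set.Computers.Add('IT-Admin-PC', $AdminHost)
$set.Save()
"Added $AdminHost to '$($set.Name)'. Activate the UAG configuration so the change is applied."
```

    Run it in an elevated PowerShell on the UAG server. The default gateway check is the one that most often explains "static routes added but still no reply": with a gateway on both NICs the return path for the IT VLAN can leave via the external interface, where TMG drops it.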
  • I already had the static routes, but I created the policy in TMG instead of using the procedure in your step 2.

    After adjusting the network setting in UAG management I am now able to access the UAG box via RDP.

    Thank you for your help.


    Matthew Barrett Concept Interactive Inc.
    Wednesday, July 20, 2011 3:15 PM
  • If you install UAG from an RDP session, it will automatically add your remote IP address to the Remote Management Computers group so that you can RDP into it (among other things, like PING and access to file shares). If installed from the console, or if you are trying to connect from a different IP address, then your source IP is not in that group and you won't be able to get back in after UAG/TMG is installed.

    Here's a guide on some of the changes you might want to make to TMG to allow remote management.

    http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-firewalls-and-tmg-settings/


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:57 PM
    Thursday, July 21, 2011 7:16 PM