Publishing a Terminal (RDP) Server using the ISA Firewall
Publishing a Terminal Server is fairly easy using the ISA firewall. There are just a couple of basic rules you need to keep in mind:
- You need to bind an IP address for each Terminal Server you want to publish to the external interface of the ISA firewall if you want to publish them using the default RDP port (3389). For example, if you want to publish the RDP server on the ISA firewall and you also want to publish the Terminal Server on the internal network, then you'll need to bind two addresses to the external interface of the ISA firewall.
- If you do not have multiple IP addresses to bind to the external interface, then you can publish each terminal server on a different port. For example, you can publish one Terminal Server on TCP port 9999 and a second Terminal Server on TCP port 8888. You don't even need to change the Terminal Server's listening port when using the ISA firewall to publish these sites.
I think the second option will be more popular than the first. This option allows you to publish all your Terminal Servers on alternate ports, which gives you a small measure of security through obscurity. This option also allows you to publish hundreds of Terminal Servers through the ISA firewall using a single IP address on the external interface of the ISA firewall.
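The two rules above amount to one constraint: each pair of external address and port can point at only one Terminal Server. The following sketch is an added example, not part of the original article or of ISA Server itself; it checks a planned set of publishing rules for that conflict and builds the address:port string entered in the RDP client. The external address 192.0.2.10 is a constructed placeholder, and the names `PublishRule`, `check_plan` and `client_targets` are hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple

RDP_DEFAULT_PORT = 3389

class PublishRule(NamedTuple):
    name: str
    external_ip: str    # address bound to the firewall's external interface
    external_port: int  # port the firewall listens on for this rule
    server_ip: str      # Terminal Server the rule forwards to

def check_plan(rules):
    """Return a list of problems found in a set of planned publishing rules."""
    problems = []
    listeners = defaultdict(list)
    for r in rules:
        if not 1 <= r.external_port <= 65535:
            problems.append(f"{r.name}: port {r.external_port} is out of range")
            continue
        listeners[(r.external_ip, r.external_port)].append(r)
    for (ip, port), group in sorted(listeners.items()):
        # One listener can forward to only one published server.
        if len({r.server_ip for r in group}) > 1:
            names = ", ".join(r.name for r in group)
            problems.append(f"{ip}:{port} is claimed by more than one server ({names})")
    return problems

def client_targets(rules):
    """Map rule name -> what to type into the RDP client's Computer box."""
    targets = {}
    for r in rules:
        if r.external_port == RDP_DEFAULT_PORT:
            targets[r.name] = r.external_ip  # default port needs no suffix
        else:
            targets[r.name] = f"{r.external_ip}:{r.external_port}"
    return targets

EXTERNAL_IP = "192.0.2.10"  # constructed placeholder, not from the article

# The article's scenario: one external address, two alternate ports.
ARTICLE_PLAN = [
    PublishRule("ISA Firewall RDP Server", EXTERNAL_IP, 9999, "10.0.0.1"),
    PublishRule("Internal RDP Server", EXTERNAL_IP, 8888, "10.0.0.2"),
]
# Constructed counter-example: both servers on 3389 with a single address.
BROKEN_PLAN = [r._replace(external_port=RDP_DEFAULT_PORT) for r in ARTICLE_PLAN]

if __name__ == "__main__":
    for plan in (ARTICLE_PLAN, BROKEN_PLAN):
        print(check_plan(plan) or client_targets(plan))
```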
In this article we'll publish two RDP servers: the RDP server on the ISA firewall and an RDP server on the internal network. The figure below shows the basic layout of the scenario.

We will cover the following steps:
- Publish the Terminal Server on the ISA firewall using an alternate listening port
- Publish the Terminal Server on the Internal network using an alternate listening port
- Test the Server Publishing Rules by using the RDP 5.1 client to connect to the RDP server on the ISA firewall and to the RDP server on the internal network
Publishing the RDP Server on the ISA Firewall
The first step is to publish the RDP Server on the ISA firewall. I'll assume that you have already enabled the Remote Desktop on the ISA firewall so that the ISA firewall is ready to accept incoming RDP connections.
Perform the following steps to publish the RDP server on the ISA firewall:
- Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Firewall Policy node.
- On the Firewall Policy node, click the Tasks tab in the Task Pane. Click the Create a New Server Publishing rule.
- On the Welcome to the New Server Publishing Rule page, enter a name for the rule in the Server Publishing Rule name text box. In this example we'll name it ISA Firewall RDP Server. Click Next.
- On the Select Server page, enter the IP address of the internal interface of the ISA firewall in the Server IP address text box. In this example, we'll enter 10.0.0.1. Click Next.
- On the Select Protocol page, select the RDP (Terminal Services) Server option from the Selected protocol list. Click the Ports button.

- In the Ports dialog box, select the Publish on this port instead of the default port option in the Firewall Ports frame. Enter the alternate port number in the text box. In this example, we'll use port number 9999. Click OK.

- Click Next on the Select Protocol page.
- On the IP Addresses page, put a checkmark in the External checkbox and click Next.
- Click Finish on the Completing the New Server Publishing Rule Wizard page.
Publishing the RDP Server on the Internal Network
Now we can publish the second RDP server, which is located on the Internal network. Perform the following steps to publish the second RDP server:
- Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Firewall Policy node.
- On the Firewall Policy node, click the Tasks tab in the Task Pane. Click the Create a New Server Publishing rule.
- On the Welcome to the New Server Publishing Rule page, enter a name for the rule in the Server Publishing Rule name text box. In this example we'll name it Internal RDP Server. Click Next.
- On the Select Server page, enter the IP address of the Terminal Server on the corporate network in the Server IP address text box. In this example, we'll enter 10.0.0.2. Click Next.
- On the Select Protocol page, select the RDP (Terminal Services) Server option from the Selected protocol list. Click the Ports button.

- In the Ports dialog box, select the Publish on this port instead of the default port option in the Firewall Ports frame. Enter the alternate port number in the text box. In this example, we'll use port number 8888. Click OK.

- Click Next on the Select Protocol page.
- On the IP Addresses page, put a checkmark in the External checkbox and click Next.
- Click Finish on the Completing the New Server Publishing Rule Wizard page.
Your Firewall Policy should look like the figure below.

Click Apply to save the changes and update the firewall policy and then click OK in the Apply New Configuration dialog box.
Testing the ISA Firewall Server Publishing Rules
Now for the fun part! Let's test our Server Publishing Rules. First, you'll need the RDP 5.1 or RDP 5.2 client. Either one will work. If you're not using Windows XP or Windows Server 2003, you can download version 5.2 at http://www.microsoft.com/downloads/details.aspx?FamilyID=a8255ffc-4b4a-40e7-a706-cde7e9b57e79&displaylang=en
We'll connect to the RDP server on the ISA firewall first. Open the Remote Desktop Connection application and enter the IP address on the external interface of the ISA firewall and the port number you configured that Server Publishing Rule to listen on. In this case, it's port 9999. It should appear as in the figure below.

It worked!

Now let's try it with the internal network RDP server. You can leave the connection open to the ISA firewall while you connect. This will demonstrate that these connections do not interfere with one another.

Great! It worked again!

Summary
In this article we examined methods you can use to publish Terminal Servers using the ISA firewall. We focused on the ISA firewall's ability to change the listening port for the RDP Server protocol and used this feature to publish multiple Terminal Servers using just a single IP address on the external interface of the ISA firewall.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=22;t=000054 and post a message. I'll be informed of your post and will answer your questions ASAP. Thanks! -Tom