Re: ISA & ultraVNC
- From: "Al" <nospamplease@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Sep 2007 22:08:47 +0100
Thanks Phillip - I suppose what I don't understand is why they need a VPN
connection?
If I am making an outbound rule for VNC to the guy's target PC (or at least
its public IP), why is that Rule not just from my internal network (so as to
include all PCs that might need to call via VNC for remote assistance) to
the external target IP (or indeed the "Internet"), rather than needing a VPN
connection by them as well? I suspect there is something basic in the logic
that is escaping me, but I need to understand the thinking here to start to
get a hold of ISA's setup!
Thanks
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:ObUWRoX9HHA.4584@xxxxxxxxxxxxxxxxxxxxxxx
You would have to use a Server Publishing Rule to publish VNC on the
target server out to the Internet. This makes it difficult to use VNC for
anything else after that. I do not recommend doing that.
I recommend that you configure ISA to accept incoming VPN (not VNC)
connections. You would create a specific User Account for these guys to
use. I typically make accounts like that a member of a different group
that I also create,..then make that the Primary Group,...then remove the
account from the Domain Users or any other group. The account is then a
member of only a single created group that has permissions to absolutely
nothing.
You then create an Access Rule for VNC outbound. Yes it is outbound. VPN
Clients become part of the logical VPN Clients Network when they connect.
The Rule would be for the VNC Protocol *outbound* from the VPN Clients
Network to the Computer Object representing the target machine.
This means that once they connect over VPN using the particular user
account you assigned them,...the only thing they are allowed to connect to
is that one machine specified by the Rule,...and the VNC Protocol is the
only protocol they can use. You can even set a schedule on it to limit
them to certain times of the day.
On their end the only thing they need to use is the normal Dialup
Networking tool in Windows,...there is no "special" client software.
This allows you to use VNC for your own purposes on other machines that
you would access via VPN as well,...but using a different Access Rule.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
"Al" <nospamplease@xxxxxxxxxxxxxxxxxx> wrote in message
news:Y7CdnTS9wr16oXXbnZ2dneKdnZydnZ2d@xxxxxxxxxxxxxxxxx
Can someone assist? With the help of the SBS NG I have got part way with
this issue. Using ISA 2004 (fully SP/patched), as part of SBS2003R2 on a
dual NIC set up with an ADSL router to connect to internet and an
application we use gets support from its programmers via ultra VNC. This
is not working & I am fairly sure that it is an ISA issue. Apparently
the vnc acts as a server over possibly ports TCP 5500, 5800/5801 &
5900/5901, therefore I set up a new ISA Rule, having configured a user
defined protocol set for vnc covering the above ports, by setting
"allow", protocols being "vnc" (my protocol set), set the Source as
"Internal" and the Destination as "Internet" & all users. Rule then
created & appeared at the top of list(?)
However, it worked once & has not since! - I have recreated it - moved it
down the list (after a prohibited sites rule) & various other things all
to no avail! Have also set redirections etc in the router in case it was
firewalling it + have tried setting the Windows Firewall on the client PC
to allow vnc ports but nothing helps!
Can anyone with experience of running VNC (in any of its flavours) behind
ISA talk me through this please!?
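
Added example, not part of any post in this thread and not ISA Server code: a simplified first-match model of the Access Rule described in Phillip Windell's reply (VPN Clients network to one computer, VNC protocol only, restricted account, schedule), showing what that rule denies. The target address, the group name `VendorSupport` and the 09:00-17:00 window are constructed assumptions; the ports are the ones listed in the original question.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

VNC_PORTS = frozenset({5500, 5800, 5801, 5900, 5901})  # TCP ports named in the thread
TARGET = "10.0.0.25"            # constructed address of the supported machine
VENDOR_GROUP = "VendorSupport"  # hypothetical single-purpose group

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    source_net: str             # network the connection arrives from
    groups: frozenset           # empty set means all users
    dest: str                   # destination as CIDR
    ports: frozenset
    hours: tuple = (time(0, 0), time(23, 59, 59))  # schedule window

    def matches(self, c):
        return (c["source_net"] == self.source_net
                and (not self.groups or c["group"] in self.groups)
                and ip_address(c["dest"]) in ip_network(self.dest)
                and c["port"] in self.ports
                and self.hours[0] <= c["at"] <= self.hours[1])

def evaluate(rules, c):
    """Ordered first-match evaluation; anything unmatched falls to a default deny."""
    for rule in rules:
        if rule.matches(c):
            return rule.action, rule.name
    return "deny", "Default rule"

# The rule from the reply: VPN Clients -> one computer, VNC only, set hours.
POLICY = [Rule("Vendor VNC", "allow", "VPN Clients", frozenset({VENDOR_GROUP}),
               TARGET + "/32", VNC_PORTS, (time(9, 0), time(17, 0)))]

def vendor_conn(dest=TARGET, port=5900, at=time(10, 30), group=VENDOR_GROUP):
    """Constructed connection attempt from a connected VPN client."""
    return {"source_net": "VPN Clients", "group": group,
            "dest": dest, "port": port, "at": at}

if __name__ == "__main__":
    for label, c in [("VNC to target", vendor_conn()),
                     ("VNC to another host", vendor_conn(dest="10.0.0.2")),
                     ("RDP to target", vendor_conn(port=3389)),
                     ("VNC after hours", vendor_conn(at=time(22, 0))),
                     ("other VPN user", vendor_conn(group="Staff"))]:
        print(f"{label:22} -> {evaluate(POLICY, c)}")
```

Only the first case is allowed; the other four fall through to the default deny, which is the containment the VPN-plus-Access-Rule design is meant to provide.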