Re: RDP through ISA 2000 for a non-domain user on SBS2003

Thanks Terence, will try installing the firewall client, but cannot join the
laptop to the domain because it is part of another company's domain already.

Thanks again for your reply

Gary D


"Terence Liu [MSFT]" <v-terliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:6yQRTzswHHA.4536@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello Gary,

Thank you for posting here.

According to your description, I understand that one client that has not
joined the SBS domain cannot access external RDP. If I have misunderstood
the problem, please don't hesitate to let me know.

Based on my research, the web proxy and the ISA firewall client can provide
user authentication to the ISA server when the traffic needs to go through
the ISA. You can access the external web sites from the laptop, because you
set the web proxy on the laptop. You cannot access RDP from the laptop,
because the web proxy only supports http, https, ftp and socks. The RDP
cannot go through the web proxy. The RDP access will go through SecureNAT
(ensure the default gateway of the laptop is pointing to the ISA internal
NIC), but SecureNAT cannot provide user authentication, so the access will
fail.

Therefore, the only way to resolve this issue is to install the ISA firewall
client on the laptop and log on to the laptop with the domain account you
created for the laptop user (so I suggest you join the laptop to the SBS
domain). Then the RDP access will go through the firewall client, and the
firewall client can provide user authentication to the ISA server.

If we cannot resolve the issue after we perform the above steps, please
kindly help me collect some information for further investigation:

1. Run command "ipconfig /all > c:\ipconfig_sbs.txt" and
"route print > c:\route_sbs.txt" on SBS, send the files
c:\ipconfig_sbs.txt and c:\route_sbs.txt to me at v-terliu@xxxxxxxxxxxxx

2. Run command "ipconfig /all > c:\ipconfig_client.txt" and
"route print > c:\route_client.txt" on laptop client, send the files
c:\ipconfig_client.txt and c:\route_client.txt to me at
v-terliu@xxxxxxxxxxxxx

3. Please help to gather the ISA Info:

1) Please download the isainfo.vbe from:
http://www.isatools.org/tools/isainfo.vbe.

2) Run the script isainfo.vbe on the SBS server.

3) Send the ISAinfo log files to me at v-terliu@xxxxxxxxxxxxxx

4. Please also help to gather the ISA logs:

1) Open ISA Management console, navigate to
'Monitoring Configuration'\'Logs'. In the right panel, right-click
'Packet filters' and choose 'Properties'.

2) In the 'Fields' tab, select ALL log fields. Also enable all the log
fields for 'ISA Server Firewall service' and 'ISA Server web proxy service'
log. Navigate to 'Monitoring'\'Services', restart the ISA related services.

3) After reproducing the problem, gather the recent log files in
C:\Program Files\Microsoft ISA Server\ISAlogs\ folder and send them to me
for further research.

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

--------------------
| From: "Gary D" <gary@xxxxxxxxxxxxxxxx>
| Subject: RDP through ISA 2000 for a non-domain user on SBS2003
| Date: Mon, 9 Jul 2007 16:50:13 +0100
|
| I have a user who connects their XP laptop to my SBS network rarely. I
| have implemented ISA whitelists etc all working OK. I have created a user
| account (for the roamer) and allowed full web access (they are prompted
| for username/password when using internet).
|
| All is OK, however they cannot RDP to external sites. All the other
| domain PCs can RDP no problem.
|
| I have even tried adding an Allow All/All/All rule.
|
| Any ideas much appreciated
|
| TIA Gary D
|
|
|
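
The routing precondition named in the reply above (the laptop's default gateway must point to the ISA internal NIC before RDP can reach ISA as SecureNAT traffic) can be checked offline against the collected c:\route_client.txt. This is an added example, not part of the original thread; the sample output, every address in it and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample of "route print" output from a laptop (not from the thread).
# 192.168.16.2 stands in for the ISA internal NIC; all addresses are assumptions.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.16.2   192.168.16.50       20
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.23       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
     192.168.16.0    255.255.255.0    192.168.16.50   192.168.16.50       20
Default Gateway:          10.0.0.1
Persistent Routes:
  None
"""

def default_routes(text):
    """Return [(gateway, interface, metric)] for each 0.0.0.0/0 route, best metric first."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # A route row has exactly five columns; keep only default routes.
        if len(f) != 5 or f[0] != "0.0.0.0" or f[1] != "0.0.0.0":
            continue
        try:
            routes.append((ipaddress.IPv4Address(f[2]),
                           ipaddress.IPv4Address(f[3]), int(f[4])))
        except ValueError:
            continue  # skip rows whose gateway/interface is not an IPv4 address
    return sorted(routes, key=lambda r: r[2])

def check_default_gateway(text, isa_internal_ip):
    """Return (ok, reason): does the preferred default route use the ISA internal NIC?"""
    isa = ipaddress.IPv4Address(isa_internal_ip)
    routes = default_routes(text)
    if not routes:
        return False, "no default route"
    best_gw = routes[0][0]
    if best_gw != isa:
        return False, f"preferred default gateway is {best_gw}, not {isa}"
    # A second adapter with its own default route can take over if metrics change.
    others = [str(gw) for gw, _, _ in routes[1:] if gw != isa]
    if others:
        return True, "ok, but other default gateways exist: " + ", ".join(others)
    return True, "ok"

if __name__ == "__main__":
    print(check_default_gateway(SAMPLE, "192.168.16.2"))
```

A passing result only confirms routing; as the reply states, SecureNAT still cannot authenticate the user, so rules that require a user identity need the firewall client.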


