Re: How to Configure ISA 2004 for remote access like vnc, pcanywhere
- From: "Chad Gross" <chad.gross@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Dec 2008 18:17:41 -0600
From a high level, you should first understand how ISA works. ISA 2004 & later is a secure firewall - which means that by default it is going to block all traffic in and out. Once rules are built to allow traffic, the traffic explicitly allowed in the firewall rules is allowed, while everything else continues to be blocked. The fundamental building blocks of ISA firewall rules are protocol definitions (e.g. SMTP, HTTP, FTP, etc.). ISA has several protocols pre-defined, but it isn't uncommon for us to need to define custom protocols to allow certain traffic.
When we're talking about inbound traffic (server publishing rules), ISA can route inbound traffic to a PC/Server on the LAN. ISA will route this traffic to a specific IP address, so your target server (in this case, the PC you want to connect to via PC Anywhere) always needs to have the same IP address. You can either statically assign an IP to the device, or create a DHCP reservation so the PC always gets the same IP from the server. Personally, I prefer DHCP reservations over static IPs, but that's just a personal preference.
So, from a high level, you need to configure the target machine so it has a persistent IP address on the LAN. Then in ISA we need to create our PCAnywhere Server protocol if it doesn't exist, then create a new Server Publishing Rule to forward PCAnywhere traffic to the target machine.
1) In ISA Management, click on Firewall Policy on the left.
2) In the right-hand toolbox pane, make sure you are on the Toolbox tab, then click on Protocols and expand the User-Defined folder (PCAnywhere server protocol is not defined by default in ISA - so if it exists, it will be under the User-defined folder)
3) Check to see if the PCAnywhere Server protocol exists. If not, at the top of the toolbox click New | Protocol
4) When the New Protocol Definition Wizard opens, enter "PCAnywhere Server" (minus quotes) for the protocol definition name, then click Next
5) On the Primary Connection Information page, click the New button
6) In the New/Edit Protocol Connection window, set the protocol details (TCP | Inbound | 5631 to 5631) and click OK
7) Click Next
8) We don't need secondary connections, so click Next again
9) Click Finish
Now we also need to create a protocol definition for the outbound PCAnywhere traffic (response). Repeat the steps above, only in step 4 use "PCAnywhere Outbound" for the protocol name, and in step 6 set the protocol details to TCP | Outbound | 5631 to 5631.
Now that we have defined the two necessary protocols, we need to create the firewall rules to allow the traffic:
First, let's create the outbound rule:
1) In ISA Management, click on Firewall Policy.
2) In the right-hand toolbox pane, click on the Tasks tab.
3) Click on "Create a New Access Rule"
4) When the New Access Rule Wizard opens, enter "Allow PCAnywhere Outbound" (minus quotes) as the rule name and click Next
5) Set the rule action to Allow and click Next
6) From the drop-down, select "Selected Protocols"
7) Click the Add button, then expand the User-Defined folder and select your "PCAnywhere Outbound" protocol and click Add
8) Click Close
9) Click Next
10) On the Access Rule Sources page, click Add
11) Expand Networks, select "Internal" and click Add
12) Click Close
13) Click Next
14) In the Access Rule Destinations page, click Add
15) Expand Networks, select "External" and click Add
16) Click Close
17) On the User Sets page, verify "All Users" is listed then click Next
18) Click Finish
So what we did here was create a rule allowing our outbound PCAnywhere traffic out from the internal network to the internet. Now we need to publish our PCAnywhere server so you can connect to it from the outside:
1) In ISA Management, click on Firewall Policy.
2) In the right-hand toolbox pane, click on the Tasks tab.
3) Click on "Create a New Server Publishing Rule"
4) When the New Server Publishing Rule Wizard opens, enter "<pcname> PCAnywhere Server Rule" and click Next. (obviously replacing <pcname> with the name of the PC you are connecting to. This way, if you need to publish multiple PCAnywhere servers, you'll be able to keep your rules straight).
5) On the Select Server page, enter the internal IP address of the PC / Server you want to connect to via PCAnywhere and click Next
6) On the Selected Protocol page, select the "PCAnywhere Server" protocol we created from the drop-down and click Next
7) On the IP Addresses page, select your external network connection and click Next
8) Click Finish
Now that we've created our protocols and rules, we just need to commit the changes. At the top of the content pane in the ISA Management console, you will see a button to Apply Changes. Click Apply, and you should be good to go.
I'd recommend taking a look at this article: http://www.smallbizserver.net/tabid/266/articleType/ArticleView/articleId/94/ISA-for-Dummies.aspx It was written for ISA 2000, but most of the fundamental concepts still apply.
On a side note, if you're doing a lot of remote support, you might look into LogMeIn (www.logmein.com). They have a free version of their product that you can install on devices and that allows you to access them remotely. All connections are proxied through LogMeIn's servers, which means you don't have to mess with configuring inbound access like you do with PCAnywhere - all connections are outbound, so it's much easier. Since all connections are outbound, it also means that you can have multiple agents installed on a network and not have to mess around with different port numbers for each one, etc.
HTH!
--
Chad A. Gross
http://www.msmvps.com/blogs/cgross
"SBStech08" <computerrob64@xxxxxxxxx> wrote in message news:e3d65c05-abc2-4205-8a9d-ce9207ae0d87@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
As a support tech I use remote control programs like vnc and pcanywhere etc. Since just setting up this SBS 2003 premium, I am trying to get ISA to allow connections in to a client pc on the network running the vnc remote support tool. It uses port 5631. The sbs server has 2 nics. I have tried following the instructions in MSKB 837831, but no luck so far... Anyone know the proper way to configure this... step by step please.
TIA
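To make the policy the reply walks through concrete, here is an added example that is not part of the original thread and is not ISA code or Microsoft's administration API: a small Python model of the two protocol definitions, the access rule and the server publishing rule, evaluated the way the reply describes ISA behaving (block everything by default, allow only what a rule explicitly matches, forward published traffic to one fixed internal address). It also includes the check a practitioner wants after following the steps: that every publishing rule points at an address that is static or DHCP-reserved. The PC name SUPPORT-PC, the internal address 192.168.16.50 and the sample connections are made up for the example.

```python
"""Toy model of ISA 2004 policy evaluation for the PCAnywhere publishing example.

Constructed for illustration; not ISA code. It mirrors the objects the reply
creates (two protocol definitions, one access rule, one server publishing rule)
and evaluates sample connections: nothing is allowed unless a rule matches, and
published traffic is forwarded to one fixed internal IP address.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Union


@dataclass(frozen=True)
class Protocol:
    """A protocol definition as entered in the New Protocol Definition Wizard."""
    name: str
    transport: str   # "TCP" or "UDP"
    direction: str   # "Inbound" (server side) or "Outbound" (client side)
    low_port: int
    high_port: int

    def matches(self, transport: str, dport: int, direction: str) -> bool:
        return (self.transport == transport and self.direction == direction
                and self.low_port <= dport <= self.high_port)


@dataclass(frozen=True)
class AccessRule:
    """Allows client-initiated traffic from source networks to destination networks."""
    name: str
    protocols: tuple
    sources: frozenset
    destinations: frozenset


@dataclass(frozen=True)
class ServerPublishingRule:
    """Forwards traffic arriving on the listener network to one internal address."""
    name: str
    protocol: Protocol
    published_server: str        # must be a persistent (static or reserved) IP
    listener_network: str = "External"


@dataclass(frozen=True)
class Connection:
    src_net: str     # ISA network the initiator sits in
    dst_net: str     # "Local Host" is ISA's own interface addresses
    transport: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str                     # "allow" or "deny"
    rule: Optional[str] = None
    forward_to: Optional[str] = None


Rule = Union[AccessRule, ServerPublishingRule]

# The two protocol definitions from the reply (TCP 5631, one per direction).
PCA_SERVER = Protocol("PCAnywhere Server", "TCP", "Inbound", 5631, 5631)
PCA_OUTBOUND = Protocol("PCAnywhere Outbound", "TCP", "Outbound", 5631, 5631)


def build_policy(target_ip: str, pc_name: str = "SUPPORT-PC") -> List[Rule]:
    """Ordered firewall policy matching the rules created in the reply."""
    return [
        AccessRule("Allow PCAnywhere Outbound", (PCA_OUTBOUND,),
                   frozenset({"Internal"}), frozenset({"External"})),
        ServerPublishingRule(f"{pc_name} PCAnywhere Server Rule", PCA_SERVER, target_ip),
    ]


def evaluate(policy: List[Rule], conn: Connection) -> Verdict:
    """First matching rule wins; no match means the default deny applies."""
    for rule in policy:
        if isinstance(rule, ServerPublishingRule):
            if (conn.src_net == rule.listener_network and conn.dst_net == "Local Host"
                    and rule.protocol.matches(conn.transport, conn.dport, "Inbound")):
                return Verdict("allow", rule.name, forward_to=rule.published_server)
        else:
            if (conn.src_net in rule.sources and conn.dst_net in rule.destinations
                    and any(p.matches(conn.transport, conn.dport, "Outbound")
                            for p in rule.protocols)):
                return Verdict("allow", rule.name)
    return Verdict("deny")


def unpinned_publishing_rules(policy: List[Rule], persistent_ips: Set[str]) -> List[str]:
    """Names of publishing rules whose target is not a static or DHCP-reserved IP.

    A publishing rule forwards to a literal address, so if the PC can get a
    different lease the rule silently forwards to the wrong host (or to nothing).
    """
    return [r.name for r in policy
            if isinstance(r, ServerPublishingRule) and r.published_server not in persistent_ips]


if __name__ == "__main__":
    policy = build_policy("192.168.16.50")          # made-up internal address
    samples = [
        Connection("External", "Local Host", "TCP", 5631),   # remote tech -> published PC
        Connection("External", "Local Host", "TCP", 5900),   # no protocol/rule: dropped
        Connection("Internal", "External", "TCP", 5631),     # LAN PC calling out
        Connection("Internal", "External", "UDP", 5631),     # wrong transport: dropped
    ]
    for c in samples:
        print(c, "->", evaluate(policy, c))
    print("rules pointing at a non-persistent IP:",
          unpinned_publishing_rules(policy, persistent_ips=set()))
```

Run it as-is to see the four verdicts; the last line shows the "persistent IP" check firing because no reservations were supplied. Feed `unpinned_publishing_rules` the set of reserved or static addresses from your DHCP server to confirm every publishing rule still points at a host that cannot change address.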