
Can term server be ISA server?

By jonhunt2 ·
Hello all:

I have a client who has a new Windows server 2003 SMB for his database applications. We turned his old server into a terminal server running Windows 2003 Std. We have a Belkin Pre-N wireless router that also acts as our NAT and firewall. (BTW, Belkin does not pass GRE packets so VPN using PPTP is not working.) So, I am trying to configure the VPN with L2TP (which is also causing me problems.)

After reading MS Knowledgebase 885348 http://support.microsoft.com/default.aspx?scid=kb;en-us;885348, it appears I need to make the terminal server also act as the firewall - or ISA server. So my questions are: Can I configure a Terminal Server that has a public IP address to be protected without having an additional firewall? If so, how would I go about that? Is it OK/possible to have an ISA server and a Terminal Server together as one server in the same box?? What would be the recommended way?

Thanks very much for your help.

Jon


All Comments


by CG IT In reply to Can term server be ISA se ...

You can have ISA and a terminal server on one box, BUT what happens is you have to create a packet filter to allow external users access. That packet filter essentially opens the port all the time, which decreases ISA Server's firewall security features. ISA Server, when installed, blocks all traffic until, as a minimum, site and content rules and protocol rules are created.

Recommended way? ISA in firewall mode [integrated means caching HTTP requests for internal clients, and you didn't mention anything about that] between the internet and your LAN, with terminal services on a separate box. You publish terminal services in ISA Server, which will then act as the proxy between external requests and the terminal services server. Create a destination set for external clients to the internal destination, create site and content rules and protocol rules specifying terminal services protocol on port 123? [If I remember right] and site and content to provide when, who can access terminal services. IF you need PPTP on ISA, you open up ISA management and allow PPTP passthrough, BUT publishing services is the secure way to go.


by CG IT In reply to

If you want more detailed information on ISA server, visit isaserver.org for all things ISA both 2000 and 2004.


by jonhunt2 In reply to

Thanks. :)


by jonhunt2 In reply to Can term server be ISA se ...

I can configure packet filtering in RRAS. Will that be enough to protect my LAN, plus allow the L2TP VPN traffic? I don't 'think' I need caching or proxy servers for internal users. I'm basically just trying to set up a secure VPN with the equipment I have :) - 1 2003 SBServer, 1 2003 Std. Term Server, 1 Belkin access point/router.

Thanks again,
Jon


by CG IT In reply to Can term server be ISA se ...

If you're running Small Business Server 2003 Premium Edition with ISA Server 2000, and you want secure VPN, don't run RRAS on your network. Run the VPN wizard in ISA Server for the type of VPN: end point to end point, client to ISA, etc. ISA will act as the RRAS server, creating and maintaining the tunnel for VPN clients.


by CG IT In reply to

ISA Server's basic working principle is that it acts as a middleman where inbound traffic never actually gets past it. ISA retrieves the requested information on the LAN on behalf of the requestor, then gives that information to the requestor. That's the most secure way ISA works. Now, you can circumvent that by allowing inbound traffic past ISA via packet filters. Packet filters open up "holes" in ISA Server, allowing traffic to get past it. The use of packet filters is only recommended for services that run on the same computer as ISA Server [because ISA can't fetch info on another computer or publish services that run on the same computer it's running on].


by CG IT In reply to

The other thing is that you don't need a router between ISA Server and the internet. If you don't have other services running on the box that runs ISA Server that require public access, you publish that service in ISA Server. You publish stuff like email servers, FTP sites, web sites in ISA, and ISA [as I mentioned] acts as the middleman, getting the info from the downstream servers, then passing it along to the one who requested it.


by CG IT In reply to

Well, Windows 2003 Standard Edition isn't a router, so forwarding ports isn't something it does.

Best bet is to get an access router between your network and the internet, and even better is to have an access router that connects to the internet and use its LAN side as the perimeter DMZ that connects to another router [with firewall] that your company network connects to. Public access is limited to the perimeter DMZ network and nothing public gets into the actual company network.


by jonhunt2 In reply to

Thanks for your help. :)


by jonhunt2 In reply to Can term server be ISA se ...

Well, my Terminal Server is only Server 2003 Standard. My other server is 2003 Small Business (I don't know if it's premium - even if it is, the SBS server will not be used as an ISA server since it has the company databases on it.) So, I don't think I have access to ISA server for the Terminal/VPN server that will be connected directly to the Internet. The server that will be connected directly to the Internet is Windows Server 2003 Standard. With RRAS, I can configure the VPN and Terminal Services and filter the incoming packets on the Internet side. Can I also forward ports (for example - to the Exchange server???)

Thanks,
Jon
