Forefront TMG 2010 RDP Connections without non-standard ports

5,201

Solution 1

From my reading, it looks like the Forefront TMG will not allow the passing of RDP connections through the firewall without configuring a non-standard port for each IP address of the internal servers and clients.

Well, from my reading of your question it looks like you don't know how to use RDP, at least the current iteration ;) I happily connect to whatever server I want behind my TMG without configuring a port per server.

TMG supports what has been standard in Windows - a gateway server.

That pretty much means that your remote desktop client connects to the gateway server (using HTTP, btw.), then the calls get forwarded from there to the final server internally.

This is a standard setting in the remote desktop client where you can enter the gateway host address (url) which most administrators do not know because of not bothering to read the documentation.

http://technet.microsoft.com/en-us/library/cc731264%28v=ws.10%29.aspx

explains what a Terminal Services Gateway is and how it works in general.

http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part1.html

has some explanations of how to set things up for TMG. This one creates a web site for connecting.

It really is quite easy to set up. And using HTTP as carrier protocol for RDP has the serious advantage of being able to work quite often when normal TCP forwarding is disabled or limited by firewall rules ;)

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part2.html

talks of publishing TS Gateways directly ;)
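The client-side part of the gateway setup that Solution 1 refers to lives in the ordinary .rdp connection file. The following PowerShell script is an added example (not code from either answer or from TMG itself): it writes an .rdp file that forces the Remote Desktop client through an RD Gateway and refuses to connect if server authentication fails, then reads the file back and checks that those settings are actually present. The hostnames `rdgw.example.edu` and `ws-lab01.campus.internal` are placeholders; substitute your own gateway and target.

```powershell
# Added example (not from the original answers): writes a .rdp file that forces
# the Remote Desktop client through an RD Gateway, then verifies the settings.
# Hostnames are placeholders; replace them with your own gateway and target.

param(
    [string]$Gateway = 'rdgw.example.edu',          # public RD Gateway name (placeholder)
    [string]$Target  = 'ws-lab01.campus.internal',  # internal host behind TMG (placeholder)
    [string]$Path    = "$env:USERPROFILE\Desktop\ws-lab01.rdp"
)

# Standard .rdp file settings, in the documented "key:type:value" syntax.
$settings = @(
    "full address:s:$Target",
    "gatewayhostname:s:$Gateway",
    "gatewayusagemethod:i:1",        # 1 = always use the gateway, even from the LAN
    "gatewayprofileusagemethod:i:1", # 1 = use the explicit gateway settings in this file
    "gatewaycredentialssource:i:4",  # 4 = prompt the user for gateway credentials
    "authentication level:i:1",      # 1 = do not connect if server authentication fails
    "prompt for credentials:i:1",
    "promptcredentialonce:i:1"
)

# .rdp files are conventionally UTF-16LE ("Unicode" in PowerShell terms).
Set-Content -Path $Path -Value $settings -Encoding Unicode

# Read the file back and confirm the lines a defender cares about survived.
function Test-RdpGatewayFile {
    param([string]$File, [string]$GatewayName)
    $content  = Get-Content -Path $File
    $required = @(
        "gatewayhostname:s:$GatewayName",
        'gatewayusagemethod:i:1',
        'authentication level:i:1'
    )
    foreach ($line in $required) {
        if ($content -notcontains $line) { return $false }
    }
    return $true
}

if (Test-RdpGatewayFile -File $Path -GatewayName $Gateway) {
    Write-Host "Gateway-only RDP file written to $Path (open with: mstsc `"$Path`")"
} else {
    Write-Warning "RDP file is missing a required gateway or authentication setting"
}
```

With `gatewayusagemethod:i:1` the client never tries to reach the target on TCP 3389 directly; it tunnels the session to the gateway over HTTPS (TCP 443), which is the only thing TMG has to publish. `authentication level:i:1` makes the client abort rather than warn when the server certificate cannot be validated, which is the setting you want when the gateway is reachable from the whole internet.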

Solution 2

That is not correct, no.

Well, that's how it's set up by default, but it's not carved in stone or anything.

The default Protocol definition for RDP only listens on port 3389, but it can be changed. See screenshot. Simply navigate to your Firewall Policy, then Toolbox (on the right-hand frame), then Protocols. You can create a new Protocol for your custom RDP port(s), and assign whatever port range you want to it.

The easier solution, (which I see TomTom just posted) is to set up a TS/RDP gateway, so you don't have to worry about messing around with ports, or NATing an external address for all the machines that need to be connected to over RDP.

Default: [screenshot: Default RDP settings]

Custom port range I set up through the new protocol wizard: [screenshot: Custom "RDP" port range settings]


Author: emhohensee (I'm a Systems Engineer at Red Hat)

Updated on September 18, 2022

Comments

  • emhohensee
    emhohensee over 1 year

    From my reading, it looks like the Forefront TMG will not allow the passing of RDP connections through the firewall without configuring a non-standard port for each IP address of the internal servers and clients. The firewall will only listen for RDP traffic to a certain IP address on a certain port. Is this correct?

    If this is the case, does anyone have a suggestion as to how to easily allow external connections over RDP to clients without using VPN? I work in an academic environment and almost everyone in the domain (admins, professors, and researchers) needs access to their boxes remotely. All of our IPs are static and routable.

  • emhohensee
    emhohensee over 11 years
    Assigning ports to IP addresses one to one is how it is presented in the MS Forefront TMG Administrator's Companion. It doesn't make any mention of a TS Gateway but this looks perfect. Thank you.