edwalt's - Things I Wish I'd known about SBS 2003....
What... your "Internal" RDP connections are not working?
Uhh-Oooh, everyone knows that if ISA's in the network and something's not working correctly the problem has to be with ISA 2004... right? Not necessarily...
While troubleshooting we find...
The clients and server in the 192.168.15.x subnet can connect to the Terminal Server without issues.
When viewing the ISA 2004 Logging console without client filtering enabled, you can see the clients from the 192.168.20.x subnet requesting a connection, then the connection is closed. There are no denies or anything leading you to believe that there is an issue with the connection. The connection appears to complete.
If you filter logging on the Terminal Server's IP, you then see the request from the 20.x client, but then a deny is being returned from the ISA/SBS server. What... the ISA server... why is it involved? After all, this is "internal" traffic! So why am I receiving the denies? Is it an ISA rule? Do the users have the correct permissions? Why do I only see the denies when I filter on the Terminal Server's IP? Is there something wrong with the "networks" that are configured in ISA? Do I need a special rule to do this?
While you're thinking about this, here's the topology again. You may need to draw it out... :)
There are 2 subnets: the 192.168.15.x and 192.168.20.6.
The 192.168.20.x network:
So what's the problem?
When a client from the 192.168.20.x subnet attempts a connection to the TS server <15.x>, the request is routed through the router directly to the TS server; this step is fine. It is on the return where the issue comes into play. Since the request is originating from a different subnet, how would the TS server route the reply back to the client? The first step would be to query its own routing table. If the needed routing information is not there, where would it go next... its default gateway. In this case, what would be the TS server's default gateway? The ISA/SBS server. ISA does not have the ability to route an internal request from one "internal" subnet to a second "internal" subnet. So the return routing would fail.
So what's the fix?
You have to route the "20.x" return traffic back to the internal "15.x" router before it reaches the ISA/SBS server; after all, that's where it needs to go anyway... right? So how would I do that? The easiest way is to add a route to the routing table of the server in question. This way, if the TS server needs to query its routing table it will find an entry pertaining to this particular subnet <20.x>. It will then know to push the return traffic back to the internal router instead of trying to route it through the default gateway/ISA server.
So what would the entry look like?
Route Add 192.168.20.0 MASK 255.255.255.0 192.168.15.5 -p
So after I add the route, how does this work again? In a nutshell...
There are numerous other ways that this network could be reconfigured to do the same thing. I will leave that to your discretion.
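As an added illustration (not part of the original post), here is a small Python model of the TS server's forwarding lookup before and after the route add above. The ISA/SBS server's address (192.168.15.1) and the client address used are assumptions; the internal router 192.168.15.5 and the subnets come from the post.

```python
import ipaddress

# Constructed topology from the post. ISA_GATEWAY is an assumed address for the
# ISA/SBS server acting as the TS server's default gateway; INTERNAL_ROUTER is the
# 192.168.15.5 router used in the post's "route add" command.
ISA_GATEWAY = "192.168.15.1"
INTERNAL_ROUTER = "192.168.15.5"


def base_routing_table():
    """TS server's table before the fix: its own on-link subnet plus a default route."""
    return [
        (ipaddress.ip_network("192.168.15.0/24"), None),                          # on-link
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(ISA_GATEWAY)),   # default
    ]


def add_persistent_route(table, dest, mask, gateway):
    """Model of 'route add <dest> MASK <mask> <gateway> -p' on the TS server."""
    net = ipaddress.ip_network(f"{dest}/{mask}")
    return table + [(net, ipaddress.ip_address(gateway))]


def next_hop(table, dst):
    """Longest-prefix match, which is how the host picks the route for a reply packet."""
    dst = ipaddress.ip_address(dst)
    matches = [entry for entry in table if dst in entry[0]]
    if not matches:
        return None
    best = max(matches, key=lambda entry: entry[0].prefixlen)
    return "on-link" if best[1] is None else str(best[1])


def return_path_ok(table, client_ip):
    """The reply only gets home if it is handed to the internal router, not to ISA,
    since ISA will not forward traffic between two 'internal' subnets."""
    return next_hop(table, client_ip) == INTERNAL_ROUTER


if __name__ == "__main__":
    client = "192.168.20.50"            # constructed 20.x client address
    before = base_routing_table()
    after = add_persistent_route(before, "192.168.20.0", "255.255.255.0", INTERNAL_ROUTER)
    print("before fix:", next_hop(before, client), "ok" if return_path_ok(before, client) else "FAILS")
    print("after fix: ", next_hop(after, client), "ok" if return_path_ok(after, client) else "FAILS")
```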
So was the issue with ISA 2004 or was it with the routing configuration of the network??
FYI - this configuration did work with ISA 2000...
Nothing new to add to this thoughtful post on ISA 2004, Internal Servers and Subnets. Definitely a worthwhile...
Great article :-)
This describes exactly our situation, with only one difference: we have 2 remote sites, so 3 subnets. Otherwise SBS server and TS Server in one subnet. On the remote site there are clients who need to connect to the TS and there are other remote clients (Mac clients) who need direct access to Exchange (for email) on the SBS.
"There are numerous other ways that this network could be reconfigured to do the same thing. I will leave that to your discretion."
I hope someone can direct me in the right direction for the "numerous other ways", because I'm now in the middle of someone who knows a lot about Cisco routers and VPN and someone who knows a lot about SBS, but the problem is the combination of those two....
Thanks for the good information. Maybe I can use it one of these days when I run into a problem like this. Lord only knows that if there is something that can go wrong with a server, it will probably happen to me. Thanks.
This was already addressed in http://support.microsoft.com/kb/888042.
this KB is ~3 years old.