How to Server Publish a Terminal Server with ISA While also Running Terminal Services on the ISA Server (294720)



The information in this article applies to:

  • Microsoft BackOffice Server 2000
  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Small Business Server 2000

This article was previously published under Q294720

SUMMARY

This article describes how to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server (either in Application Mode or Remote Admin mode). For additional information about how to access Terminal Services on the ISA server itself (not publishing other servers), click the following article number to view the article in the Microsoft Knowledge Base:

275210 How to Allow Access to Terminal Services on ISA from the External Interface

The present article discusses ways to Server publish a Terminal Server when you have multiple public IP addresses bound to the external interface of your ISA server.

There is a brief discussion at the end of this article on how to publish Terminal Servers if you have only one external IP address available. However, you will be unable to use the Web-based Terminal Services Advanced Client (TSAC) in this situation.

There may be other options to give users access to the Terminal Server on the private Local Area Network (LAN) that are not discussed in this article, but that should be considered. These include Remote Access Service (RAS) and Virtual Private Network (VPN) connections to the private network.

MORE INFORMATION

If you have Terminal Services installed on a multi-homed ISA Server (installed by default on Small Business Server (SBS) 2000 and BackOffice Server (BOS) 2000; installed optionally on Windows 2000 Server), that Terminal Server listens on all network interfaces by default.

This will cause any request for a Terminal Server that hits the external interface of the ISA server to be answered by the Terminal Services running on the ISA server.

In order to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server, perform the following steps.

Step One: Create a Protocol Definition

To create a protocol definition, perform the following steps.
  1. Click Start, point to Programs, click Microsoft ISA Server, and then click to open the ISA Management MMC.
  2. Click to expand Servers and Arrays, click to expand your array, and then expand Policy Elements.
  3. Right click Protocol Definitions, click New, and then click Definition.
  4. Give this definition a name, for example, "Inbound Terminal Server", and then click Next.
  5. In the Port field, type 3389, in Protocol type, click to select TCP, in the Direction field, click to select Inbound, and then click Next.
  6. Under Secondary Connections, click No, click Next, and then click Finish.

Step Two: Publish the Terminal Server

To publish the Terminal Server, perform the following steps.
  1. In the ISA Management console, click Publishing, right click Server Publishing Rules, and then click New Rule.
  2. Give this rule a name, for example, "Inbound Terminal Server publishing", and then click Next.
  3. In the IP address of internal server field, enter the IP address of the internal server. If you want this rule to enable Terminal Server Access to the ISA server, type its Internal IP address. If this is for another computer behind the ISA server on the LAN, type that computer's IP address.
  4. In the External IP address on ISA Server field, type the external IP address on the ISA server that this publishing rule will use, and then click Next.
  5. Under Protocol Settings, in the Apply the rule to this protocol field, click to select the Inbound Terminal Server protocol definition you created earlier, and then click Next.
  6. Click the Client Type this request should apply to (for example, Any Request), click Next, and then click Finish.
  7. Repeat this step for each internal server you wish to publish, using a unique internal and external IP address for each rule.
  8. If the Terminal Server is on the same segment as the internal interface of the ISA server, then the default gateway on the Terminal Server must point to the internal interface of the ISA server. If the Terminal Server is on a remote segment from the internal interface of the ISA server, then the ISA server must be an edge router to the Internet (that is, all traffic to the Internet flows through the ISA server). If the ISA server is not an edge router, then you will need to add specific routes to the routers so that the Terminal Server can route packets back to the ISA server and on to the Internet.
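
The following is an added example, not part of the original article or of ISA Server: a Python check of a set of planned publishing rules against the requirement in step 7, and against the all-adapters default described under MORE INFORMATION. It goes beyond step 7 by keying on port as well as address, which also covers the single-address case in the notes; the PublishRule type, the function name, and all addresses are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address
from typing import NamedTuple


class PublishRule(NamedTuple):
    name: str
    external_ip: str  # address bound to the ISA external interface
    internal_ip: str  # Terminal Server the rule forwards to
    port: int = 3389  # port the published Terminal Server listens on


def find_conflicts(rules, isa_ts_all_adapters=False, isa_ts_port=3389):
    """Return a list of problems in a set of server publishing rules.

    isa_ts_all_adapters: True while Terminal Services on the ISA server is
    still bound to all adapters (the default the article describes).
    """
    problems = []
    by_external = defaultdict(list)  # (external IP, port) -> rule names
    by_internal = defaultdict(list)  # internal IP -> rule names
    for r in rules:
        by_external[(ip_address(r.external_ip), r.port)].append(r.name)
        by_internal[ip_address(r.internal_ip)].append(r.name)
        if isa_ts_all_adapters and r.port == isa_ts_port:
            problems.append(f"{r.name}: {r.external_ip}:{r.port} is answered "
                            "by Terminal Services on the ISA server itself")
    for (ip, port), names in by_external.items():
        if len(names) > 1:
            problems.append(f"external {ip}:{port} shared by {', '.join(names)}")
    for ip, names in by_internal.items():
        if len(names) > 1:
            problems.append(f"internal {ip} published by {', '.join(names)}")
    return problems


# Constructed plans; addresses come from documentation and private ranges.
MULTI_IP = [PublishRule("ts1", "192.0.2.10", "10.0.0.21"),
            PublishRule("ts2", "192.0.2.11", "10.0.0.22")]
SINGLE_IP = [PublishRule("ts1", "192.0.2.10", "10.0.0.21", 3389),
             PublishRule("ts2", "192.0.2.10", "10.0.0.22", 3390)]
CLASHING = [PublishRule("ts1", "192.0.2.10", "10.0.0.21"),
            PublishRule("ts2", "192.0.2.10", "10.0.0.22")]

if __name__ == "__main__":
    for label, plan in [("multi", MULTI_IP), ("single", SINGLE_IP),
                        ("clash", CLASHING)]:
        print(label, find_conflicts(plan) or "ok")
```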

Step Three: Bind Terminal Services on the ISA Server to the Internal Adapter on the Server

To bind Terminal Services on the ISA Server to the internal adapter on the server, perform the following steps:
  1. Click Start, point to Programs, click Administrative Tools, and then click Terminal Services Configuration.
  2. Click the Connections folder, and then click the RDP-TCP connection.
  3. Right click this connection and click Properties.
  4. Click the Network Adapter tab and click to select the Internal network adapter in the Network Adapter check box.

NOTES
  • By default, Terminal Services binds to All network adapters configured with this protocol. Therefore, you will need to set it specifically to the internal adapter.
  • You may have to restart the server before the Terminal Services binding changes take effect.
  • If you have only one IP address available on the external Interface of the ISA server, you can still access multiple Terminal Servers on your LAN using the Terminal Services Client (but not the TSAC). You will need to change the port the Terminal Server listens on, then create Protocol Rules and Publishing Rules for that server on that port.

For additional information about how to change the listening port of a Terminal Server, click the article number below to view the article in the Microsoft Knowledge Base:

187623 How to Change Terminal Server's Listening Port
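
The following is an added example, not part of the original article: a Python check that reads saved "netstat -an" output from the ISA server and reports whether the Terminal Services port is still bound to all adapters after Step Three. The sample output, the addresses, and the function names are constructed for illustration; pass a different port if the listening port was changed.

```python
def rdp_listeners(netstat_text, port=3389):
    """Return local addresses with a TCP listener on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Listener rows look like: TCP  <local>  <foreign>  LISTENING
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, _, local_port = fields[1].rpartition(":")
            if local_port == str(port):
                found.append(addr)
    return found


def binding_status(netstat_text, internal_ip, port=3389):
    """Classify the Terminal Services binding on the ISA server."""
    addrs = rdp_listeners(netstat_text, port)
    if "0.0.0.0" in addrs:
        return "all-adapters"      # default binding: external requests hit this server
    if internal_ip in addrs:
        return "internal-adapter"  # result expected after Step Three
    # netstat -an does not name the owning process, so any other listener
    # on this port has to be reviewed by hand.
    return "other-address" if addrs else "not-listening"


# Constructed samples of `netstat -an` output (internal adapter is 10.0.0.1).
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3389          0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3389          10.0.0.50:1045         ESTABLISHED
"""

if __name__ == "__main__":
    print("before:", binding_status(BEFORE, "10.0.0.1"))
    print("after: ", binding_status(AFTER, "10.0.0.1"))
```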

When you use the TSAC (Web-based), you have to go to the Web server that is running the TSAC package at the following Web site, and then enter the IP address or DNS name of the Terminal Server:

http://ServerName/tsweb


where ServerName is the NetBIOS name of your Web server.

Modification Type: Major
Last Reviewed: 10/24/2003
Keywords:kbenv kbhowto kbTermServ KB294720