Port 3389 (RDP) to go through another company's proxy/firewall....

Hi all, I'm having a bit of trouble at the moment with our Windows Remote Desktop Services implementation and some proxy issue.

Basically I want it set up so that our remote users who work from another site occasionally (owned by another company) can access their desktop/shared drives etc.

I've successfully set up the RDS system so that people can access through our web portal and it works fine apart from at the other company's office where they say it works but it is bypassing their proxy and going straight out on port 3389.

Now upon speaking to their IT, they are saying that it needs to connect through their proxy for it to be an allowed application on their LAN, rather than connecting straight out on port 3389.

Does anyone know a way to resolve this? Is it some config at their end as I believe the default port for RDP is 3389 so I'm not sure how I'm forcing it to bypass any proxies?
 
Why is it going out on 3389? Shouldn't it be going out on 443?

I'm assuming RDS is working externally ok on https/443, if so do they have the TS gateway address set in their RDP settings?

They connect through our web access which is https://remote.domain.com/rdweb - log in with windows credentials etc it loads a desktop for them etc.

The web aspect of it I assume goes through 443, but the actual RDP will be 3389 which is the default port for RDP.
 
Cool thanks, wonder why he is saying that when he is trying to access it the connection is going out directly on 3389 and is bypassing their proxy?!
 
It works for me when I try and log in from home, works for other users from home. I don't think the issue is it not working, it's the issue of it not routing through their proxy.

So basically they're going to the web access page, logging in to it and then noting that it is trying to connect directly to us on 3389. I'm not even sure I set it up to connect on that port - everything's pretty much default.

I have just noticed a port redirection on our router here though which is directing traffic on externalIP:3389 to the internal serverIP:3389 - could this be the problem?
There's also one set up for 443 as well on the same internal and external IP as the 3389 one.
 
No this needs to be done through Windows RDS really, I set it up for this sole purpose, it's more streamlined and easy to use for end users.
 
I've just gone over most of them but can't really see what the issue is :(

There is one section in the RD Gateway Manager, under Resource Authorization Policies which talks about Allowed Ports for that policy, and it is set to only allow connections through TCP 3389, the other 2 options are to allow through any port, and to specify ports.
 
Hi all, sorry to dig up an old thread, does anyone know of any way in which I could get this to work?

Basically the RDS connection works, he can connect through our web gateway but apparently the traffic isn't being routed through their proxy, it is trying to connect direct on port 3389.

Is there any way you can make Windows Remote Desktop Services proxy aware?! I can't believe that something like this hasn't been factored in and is probably a very simple option I've overlooked.
 
I'm pretty sure that is by design. The web gateway is only a connection broker.

RDS tunnels the rdp protocol through SSL/443 so it shouldn't be going over 3389 directly.

Well this is exactly what I thought, I thought it sent it over SSL/443 for this exact reason?!

Anyone know how I can check this out? His exact words are....

"The problem still exists that it tries to connect directly out on 3389. It needs to connect through the proxy to be an allowed application on our LAN I'm afraid."

Really stuck with what to do! It's doing my bloody head in!
 
The whole system works fine as I can log in from home fine using it. I've had colleagues try from their homes too and had a friend at a local business try it just so I could make sure and the whole setup runs as it should.

It's not an issue with the system working or not. It's how it is making the connection.

I've just taken what he says at face value really as it's pretty hard to mess up logging on through our web access gateway. I told him he should go to our web gateway address and pop in the specified username and pass to access.

So should I be asking him for some confirmation that shows it is going out on 3389?
 
Yeh that's what I'm thinking really, I've not asked him for a teamviewer session yet but I've just fired over an email asking for some screenies of the issue from his end.
 
I think you mentioned above that you closed 3389 on your router and it stopped working, is this still the case?

Yeh think I did actually. When I take that port forward off I'm unable to make a successful connection through the RDWEB Access page, but I can still connect if I use MSTSC and select to use the RD WEB Gateway server instead.
I might get him to try connecting through mstsc.exe and specify our gateway server in there and see if that works.
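
An added example, not part of the thread or any poster's code: the connection settings an RDP client is launched with (.rdp format) record whether the session goes through an RD Gateway, so reading them shows whether the client will dial TCP 3389 directly or tunnel over 443. The sample contents and host names below are constructed; `full address`, `server port`, `gatewayhostname` and `gatewayusagemethod` are standard .rdp settings, and hosts are assumed to be names or IPv4 addresses.

```python
DEFAULT_RDP_PORT = 3389      # direct RDP to the session host
DEFAULT_GATEWAY_PORT = 443   # RDP tunnelled over HTTPS via RD Gateway

# Constructed samples: one with no gateway, one forced through a gateway.
DIRECT_SAMPLE = "full address:s:rds01.example.internal\ngatewayusagemethod:i:0\n"
GATEWAY_SAMPLE = ("full address:s:rds01.example.internal\n"
                  "gatewayhostname:s:remote.example.com\n"
                  "gatewayusagemethod:i:1\n")

def parse_rdp(text):
    """Parse 'name:type:value' lines of .rdp content into a dict."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            if not value.strip().lstrip("-").isdigit():
                continue  # integer setting with a non-numeric value
            value = int(value)
        settings[name.lower()] = value
    return settings

def split_host_port(value, default_port):
    """Split 'host:port'; fall back to default_port when no port is given."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port

def connection_path(settings):
    """Report where the client's first outbound connection will go."""
    target = split_host_port(settings.get("full address", ""),
                             settings.get("server port", DEFAULT_RDP_PORT))
    gateway = settings.get("gatewayhostname", "")
    method = settings.get("gatewayusagemethod")
    # 0 and 4 mean "don't use an RD Gateway"; no gateway name means the same.
    if not gateway or method in (0, 4):
        return {"mode": "direct", "endpoint": target}
    gw = split_host_port(gateway, DEFAULT_GATEWAY_PORT)
    if method == 1:   # always use the gateway
        return {"mode": "gateway", "endpoint": gw}
    if method == 2:   # try direct first, gateway only as fallback
        return {"mode": "direct-then-gateway", "endpoint": target, "fallback": gw}
    return {"mode": "client-default", "endpoint": gw}  # 3 or unset: client decides

if __name__ == "__main__":
    for sample in (DIRECT_SAMPLE, GATEWAY_SAMPLE):
        print(connection_path(parse_rdp(sample)))
```

A `direct` or `direct-then-gateway` result matches the symptom described in the thread: the first outbound connection is to port 3389 rather than to the gateway on 443.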
 