Guest Marc, posted July 16, 2008
2008 Terminal Server Farm, using MS NLB

I installed NLB on a 2008 Terminal Server, created the NLB farm, and added this Terminal Server. I opened my firewall the same exact way I have for my 2003 Farm (EXT IP NATs to INT IP). I can see my RDP connection being ALLOWED at the firewall, but it does not connect to the TS farm. From within the same network, I can RDP to the farm's internal IP address, but not from the external IP. Am I missing a setting on the server or somewhere else? Currently there is only one 2008 Terminal Server in the farm.
Guest Jeff Pitsch, posted July 16, 2008
Re: 2008 Terminal Server Farm, using MS NLB

The load balancing is not a proxy. You will need to open ports for your terminal servers as well. LB just gets the connection to the server; after that it's direct to the server. Also, this is a highly, highly insecure method of granting external access to your terminal servers. You are exposing your internal network to the internet. Software from Provision Networks (yes, I'm an employee) or Citrix can alleviate this. It's best to spend a bit of money up front rather than expose your network for no reason whatsoever.

Jeff Pitsch
Microsoft MVP - Terminal Services
Guest Marc, posted July 17, 2008
Re: 2008 Terminal Server Farm, using MS NLB

I currently run a 2003 TS farm set up the exact same way. Ports are open to the TSs also, but that is not needed for MS NLB. I believe my issue may be with the drivers for the NIC; it doesn't seem to like using 2 IP addresses for the NLB NIC with the default 2008 drivers. As far as "The load balancing is not a proxy", I understand that, but I still have to allow traffic through 3389. Since when is NAT'ing a server port through a firewall "highly, highly insecure"?
Guest Jeff Pitsch, posted July 17, 2008
Re: 2008 Terminal Server Farm, using MS NLB

When you give direct access to your internal network, that is highly, highly insecure. Why do you think VPNs were created? NAT is not a security measure. Scanning and hacking 3389 is extraordinarily easy to do. That is why Microsoft has finally come out with their TS Gateway; Citrix has had one for years, as well as Provision Networks. Those are security measures to protect your network; NAT is not. In other words, these products only give access to the DMZ, not your internal network at all.

Jeff Pitsch
Microsoft MVP - Terminal Services
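As an added example (not from this thread or from either poster), the following PowerShell script for a Windows Server 2008 terminal server lists the Windows Firewall inbound rules that allow TCP 3389 from any remote address, which is the exposure Jeff is describing, and with -Fix rescopes them so only the TS Gateway host can reach RDP on the server. $GatewayIp is a placeholder assumption; it uses netsh advfirewall, which ships with Server 2008.

```powershell
# Added example, not from the thread. Finds inbound Windows Firewall rules that
# allow TCP 3389 from any remote address and, with -Fix, rescopes them to the
# TS Gateway host so that only the gateway (in the DMZ) can reach RDP here.
param(
    [string]$GatewayIp = "192.0.2.10",   # placeholder: your TS Gateway's address
    [switch]$Fix
)

# Parse the text output of "show rule" into one hashtable per rule.
$rules = @()
$cur = $null
netsh advfirewall firewall show rule name=all | ForEach-Object {
    if ($_ -match '^Rule Name:\s*(.+)$') {
        if ($cur) { $rules += $cur }
        $cur = @{ 'Rule Name' = $Matches[1].Trim() }
    }
    elseif ($cur -and $_ -match '^([A-Za-z ]+):\s*(.*)$') {
        $cur[$Matches[1].Trim()] = $Matches[2].Trim()
    }
}
if ($cur) { $rules += $cur }

# A rule is exposed if it is enabled, inbound, Allow, TCP/3389 and RemoteIP=Any.
$exposed = $rules | Where-Object {
    $_['Enabled'] -eq 'Yes' -and $_['Direction'] -eq 'In' -and
    $_['Action'] -eq 'Allow' -and $_['Protocol'] -eq 'TCP' -and
    $_['LocalPort'] -eq '3389' -and $_['RemoteIP'] -eq 'Any'
}

if (-not $exposed) {
    Write-Host "No inbound TCP 3389 rule is open to any remote address."
    return
}

foreach ($r in $exposed) {
    $name = $r['Rule Name']
    Write-Host "EXPOSED: '$name' allows TCP 3389 from any address"
    if ($Fix) {
        # Restrict the rule so only the gateway host may connect to RDP.
        netsh advfirewall firewall set rule name="$name" new remoteip=$GatewayIp
        Write-Host "  -> rescoped '$name' to remoteip=$GatewayIp"
    }
}
```

The parser matches the English field labels that netsh prints (Rule Name, Enabled, Direction, Action, Protocol, LocalPort, RemoteIP); on a localized Windows install those labels differ and the regexes need adjusting. The host-level rule is a second layer alongside the perimeter firewall, not a replacement for putting the gateway in front of the farm.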
Guest Marc, posted July 17, 2008
Re: 2008 Terminal Server Farm, using MS NLB

Thank you for your knowledge. Anyone else that can actually help me with this issue?