On the Select Protocol page, click the Ports button. You will see the Ports dialog box as seen in Figure 7 below. Notice that you have several options here:
Publish using the default port defined in the protocol definition – this option will publish the protocol using the default port for the protocol. For RDP the default port is TCP 3389, which is not what we want, so we won’t be selecting that option.
Publish on this port instead of the default port – this is the option we want to use in this example, for better security. For example, if we want to publish the RDP server on TCP port 6688, we put 6688 in the text box next to this option.
Send requests to the default port on the published server – this option configures the TMG firewall to forward the request to the protocol’s default port on the published server. In the case of RDP, that port is TCP port 3389. We will use this option in the current example. Note that if the RDP service on the published server itself listened on a non-default port, you could configure the TMG firewall to forward to that alternate port instead, which is the next option.
Send requests to this port on the published server – if the published server is using an alternate port, you can enter the value of the alternate port in the text box for this option. In this example, the RDP service on the published server is using the default port, so we won’t use this option.
Allow traffic from any allowed source port – in most cases, the client side application is going to use some random port number as the source port for the connection to the published server. If you don’t want to control the traffic based on source port, or if you don’t know how to control the source port for the client side application that connects to your published server, then use this option.
Limit access to traffic from this range of source ports – this is a very high security option. When you enable this option, the client must use a specific source port or range of source ports to connect to the server over the Server Publishing Rule on the TMG firewall that is publishing the server. At one time I thought I read that there was a way to configure the source port of the Microsoft RDP client. But I did a search for this and couldn’t find any information along these lines. If you know how to control the source port on the RDP client, then please send me a note and I’ll amend this article to include this information.
After making the suggested changes, the dialog box should look like Figure 8 below. Click OK.
On the Network Listener IP Addresses page shown in Figure 9, notice all the networks that are available in the Listen for requests from these networks list. You could take advantage of this list by publishing servers on different sections of your intranet. However, in this example, we’re looking at an Internet publishing scenario, so put a checkmark in the External checkbox and then click Addresses.
On the External Network Listener IP Selection page shown in Figure 10, you have three options:
All IP addresses on the Forefront TMG firewall that are in the selected network – if you select this option, all the IP addresses bound to the interface that defines the network you selected will listen for connections for the Server Publishing Rule. In general, you will probably want to be more selective and so you won’t use this option very often.
Default IP addresses for network adapters on this network. If Network Load Balancing is enabled for this network, the default virtual IP address will be used – It’s important to note here that the definition of the default IP address has changed for the TMG firewall. With the ISA firewall, the default IP address was the topmost IP address bound to the NIC. That is no longer true. To find out how the TMG firewall defines the default IP address, check out this article on the TMG firewall team blog.
Specified IP addresses on the Forefront TMG computer in the selected network – This is the option you’ll most likely use. When you select this option, you select a specific IP address on the external interface of the TMG firewall that you want to listen for incoming connections to the published server. Select the IP address you want to use from the Available IP Addresses list and then click Add. It will move that address to the Selected IP Addresses section.
In this example, we’ll select an IP address and then click OK.
You will see the selected IP address on the Network Listener IP Addresses page shown in Figure 11. Click Next.
On the Completing the New Server Publishing Rule Wizard page that you see in Figure 12, click Finish.
Make sure that you click the Apply button to save the changes to the firewall policy before you try to connect to the published RDP server.
The next step is to figure out how to connect to the published RDP server on the alternate port. You can enter the following command in the cmd window:
mstsc /v:<Server>:<Port>
Just replace the <Server> entry with the FQDN or IP address of the destination server and the <Port> entry with the alternate port you configured in the Server Publishing Rule for publishing the remote desktop server.
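Once the policy has been applied, a quick external check confirms that the rule behaves as configured: the alternate port answers, the default RDP port is not exposed on the listener, and, if the source-port restriction was enabled, only the allowed source range gets through. The script below is an added example and not part of the original article; the host name rdp.example.test, the ports and the helper names are assumptions, and the probe can be swapped out so the logic can be exercised without a live firewall.

```python
import socket
from typing import Callable, Dict, Optional, Tuple

DEFAULT_RDP_PORT = 3389  # default port in the protocol definition (from the article)


def tcp_probe(host: str, port: int, src_port: Optional[int] = None,
              timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    If src_port is given, bind that local port first so a rule that limits
    access to a range of source ports can be exercised from a known port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if src_port is not None:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("", src_port))
        s.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def verify_publishing_rule(host: str, alt_port: int,
                           allowed_src: Optional[Tuple[int, int]] = None,
                           probe: Callable[..., bool] = tcp_probe) -> Dict[str, bool]:
    """Check the listener the way the Server Publishing Rule was configured.

    allowed_src is the (low, high) source-port range if 'Limit access to
    traffic from this range of source ports' was chosen; None means any port.
    """
    src = allowed_src[0] if allowed_src else None
    results = {
        # 'Publish on this port instead of the default port' must answer
        "alt_port_open": probe(host, alt_port, src),
        # the default RDP port must NOT be reachable on the published listener
        "default_port_closed": not probe(host, DEFAULT_RDP_PORT, src),
    }
    if allowed_src:
        lo, hi = allowed_src
        outside = hi + 1 if hi < 65535 else lo - 1  # a source port the rule should reject
        results["other_src_port_blocked"] = not probe(host, alt_port, outside)
    results["ok"] = all(results.values())
    return results


def mstsc_command(host: str, port: int) -> str:
    """Build the client command from the article for the published alternate port."""
    return f"mstsc /v:{host}:{port}"
```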
The TMG firewall’s Server Publishing Rules provide you with a lot of flexibility when it comes to controlling how connections will be made to published servers through the firewall. In this article, we gave an example of this flexibility by publishing an RDP server on an alternate port. This is a trick I’ve used on many occasions and it works great. If you have a Server Publishing Rule trick that you’ve used successfully in the past and would like to share it, let me know! Send me a note at [email protected] and I’ll share it with the rest of the ISAserver.org community. Thanks! –Deb.