ISA Firewall Quick Tip: Controlling Access to Published RDP Servers

Many people have asked me over the years how to control which computers can connect to a published RDP (terminal server) using ISA firewall Server Publishing Rules. While I’ve discussed the options available in the Server Publishing Rule Properties dialog box, I’ve never written an article on how to accomplish this task. This made me think of all the other small configuration issues I’ve answered questions about over the years but never wrote about, because the article wouldn’t be detailed enough to meet my general quality requirements for www.isaserver.org.

by Thomas W Shinder MD, MVP

Have Questions about the article? 
Ask at: http://tinyurl.com/grpd7 

This got me thinking about how I could provide short, procedure-specific articles on commonly asked questions. What we need is something that gives experienced ISA firewall admins, who just need a pointer in the right direction, instructions on very specific procedures. My solution is the new ISA Firewall Quick Tip series. ISA Firewall Quick Tip articles won’t be the comprehensive conceptual and step-by-step coverage that provides stem-to-stern guidance. Instead, they’ll be limited to between 500 and 1500 words and will cover the solution to a very specific question without providing background and context for the configuration.

We’ll inaugurate the ISA Firewall Quick Tip series with an answer to the question “How do I limit which computers can connect to my published RDP servers?” The answer is to change a setting on the From tab of the RDP Server Publishing Rule Properties dialog box after you’ve completed configuration of the rule.

Perform the following steps to create the RDP Server Publishing Rule:

  1. In the ISA firewall console, expand the server name and click the Firewall Policy node. Click the Tasks tab in the Task Pane and click the Create New Server Publishing Rule link.
  2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server Publishing Rule name text box. In this example we’ll name the rule RDP Server. Click Next.
  3. On the Select Server page, enter the IP address of the RDP server in the Server IP address text box. In this example the IP address is 10.0.0.2. Click Next.


Figure 1

  4. On the Select Protocol page, select the RDP (Terminal Services) Server entry from the Selected protocol list. Click Next.


Figure 2

  5. On the IP Addresses page, put a checkmark in the External checkbox. If you have multiple IP addresses bound to the external interface of the ISA firewall, click the Address button after checking External and select the specific IP address you want the RDP listener to listen on. Click Next.
  6. Click Finish on the Completing the New Server Publishing Rule Wizard page.
  7. Click Apply to save the changes and update the firewall policy.
  8. Click OK in the Apply New Configuration dialog box.


Now double-click the new RDP Server Publishing Rule and perform the following steps:

  1. In the RDP Server Publishing Rule Properties dialog box, click the From tab.
  2. On the From tab, click the Anywhere entry in the This rule applies to traffic from these sources section and click the Remove button. If Anywhere is left in place, the rule keeps matching every source no matter what you add next.


Figure 3

  3. Click the Add button.
  4. In the Add Network Entities dialog box, click the New menu and then click Computer. Note that you can select any of the entries if you like. For example, if you want to allow access from an entire subnet of addresses, you can choose that option. In this example we want to allow access from a single computer only.


Figure 4

  5. In the New Computer Rule Element dialog box, enter a name for the computer in the Name text box and enter the IP address of that computer in the Computer IP Address text box. Enter a description if you like (always a good idea) and click OK.


Figure 5

  6. In the Add Network Entities dialog box, click the Computers folder and then double-click the name you assigned to the new computer object in step 5. Click Close.


Figure 6

  7. Click OK in the RDP Server Publishing Rule Properties dialog box, then click Apply so the changed rule is written to the firewall policy.


That’s all there is to it. Remember, you can create multiple computer objects, or you can create Computer Sets, Networks, or Network Sets and allow access from those. Also notice on the From tab that you can allow access from a computer or group of computers and then enter exceptions in the Exceptions section. This lets you allow access from a large number of computers while creating a computer set or other network object for the ones that must not connect to the RDP server. Bear in mind that the rule matches the source address as the ISA firewall sees it on the listener: a client that reaches the firewall through a NAT device must be entered by that device’s public address, and restricting sources this way limits who can reach the listener but does not replace authentication on the terminal server. This same technique works for any Server Publishing Rule.
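To make the From tab semantics concrete, here is a small Python model of how the sources and exceptions on a Server Publishing Rule decide whether a connection is matched. It is an added example for this article, not ISA Server code, and it does not use the FPC administration object model; the rule and object names ("Admin Workstation", "Partner Range", "Blocked Hosts") and the source addresses are constructed for illustration. It shows the rule as the article builds it, the same rule with Anywhere mistakenly left in, and a range-plus-exception rule.

```python
"""Model of the From tab on an ISA Server Publishing Rule.

Added example for this article; not ISA Server code and not the FPC
object model. A source is matched against the rule's source objects,
then against its exceptions; the rule applies only when the source is
inside at least one source object and inside no exception. All names
and addresses below are constructed for illustration.
"""
import ipaddress

ANYWHERE = "Anywhere"  # default (and only) source on a freshly created rule


def _to_networks(spec):
    """Turn a computer ('10.0.0.5'), subnet ('10.0.0.0/24') or address range
    ('10.0.0.10-10.0.0.20') into a list of ipaddress network objects."""
    if spec == ANYWHERE:
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


class ServerPublishingRule:
    """A server publishing rule reduced to what the From tab controls."""

    def __init__(self, name, published_server, port):
        self.name = name
        self.published_server = ipaddress.ip_address(published_server)
        self.port = port
        # The wizard creates the rule with Anywhere as its only source.
        self.sources = {ANYWHERE: _to_networks(ANYWHERE)}
        self.exceptions = {}

    def remove_source(self, name):
        self.sources.pop(name, None)

    def add_source(self, name, spec):
        self.sources[name] = _to_networks(spec)

    def add_exception(self, name, spec):
        self.exceptions[name] = _to_networks(spec)

    @staticmethod
    def _member(ip, objects):
        return any(ip in net for nets in objects.values() for net in nets)

    def permits(self, src_ip):
        """True if a connection from src_ip is matched by the From tab."""
        ip = ipaddress.ip_address(src_ip)
        if not self._member(ip, self.sources):
            return False
        return not self._member(ip, self.exceptions)


def evaluate(rule, connections):
    """Return {source_ip: 'allow'|'deny'} for a batch of source addresses.
    The source is the address the ISA firewall sees on the listener; a
    client behind a NAT device shows up as that device's address."""
    return {src: ("allow" if rule.permits(src) else "deny") for src in connections}


# Constructed sample: the article's published server 10.0.0.2 and three
# external source addresses from documentation ranges.
SAMPLE_SOURCES = ["198.51.100.7", "198.51.100.8", "203.0.113.25"]


def rule_from_article():
    """Rule as the article builds it: Anywhere removed, one computer allowed."""
    rule = ServerPublishingRule("RDP Server", "10.0.0.2", 3389)
    rule.remove_source(ANYWHERE)
    rule.add_source("Admin Workstation", "198.51.100.7")
    return rule


def rule_anywhere_left_in():
    """Same rule but Anywhere was never removed: adding the computer
    object changes nothing, every source still matches."""
    rule = ServerPublishingRule("RDP Server", "10.0.0.2", 3389)
    rule.add_source("Admin Workstation", "198.51.100.7")
    return rule


def rule_with_exception():
    """Allow a whole partner range but block one computer inside it."""
    rule = ServerPublishingRule("RDP Server", "10.0.0.2", 3389)
    rule.remove_source(ANYWHERE)
    rule.add_source("Partner Range", "198.51.100.0-198.51.100.15")
    rule.add_exception("Blocked Hosts", "198.51.100.8")
    return rule


if __name__ == "__main__":
    for build in (rule_from_article, rule_anywhere_left_in, rule_with_exception):
        print(build.__doc__.splitlines()[0], evaluate(build(), SAMPLE_SOURCES))
```

Running it prints one decision map per rule variant; the second variant is the one to look for when a "restricted" RDP listener still accepts connections from everywhere, since an added computer object never narrows a rule that still lists Anywhere.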

About Thomas Shinder

Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.
