Microsoft KB Archive/828053

= ISA Server prevents connection to a remote desktop when you connect through Remote Web Workplace on a Windows Small Business Server 2003-based computer =

Article ID: 828053

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-





SYMPTOMS
When you try to connect to server desktops through the Connect to Server Desktops link on a Remote Web Workplace that is hosted by Microsoft Windows Small Business Server 2003, you may receive one of the following error messages:

Error message 1
The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator.

Error message 2
The client could not establish a connection to the remote computer. The most likely causes for this error are:
 * Remote connections might not be enabled at the remote computer.
 * The maximum number of connections might be exceeded at the remote computer.
 * A network error might have occurred while establishing the connection.
 * The Remote Web Workplace designated port might be blocked by a firewall.

Error message 3
The remote connection has timed out. Please try connecting to the remote computer again.



CAUSE
This problem may occur in one of the following scenarios:

Scenario one

 * You connect to a Remote Web Workplace on a Windows Small Business Server 2003-based computer from a computer that is running Internet Security and Acceleration (ISA) Server as a firewall.
 * You click the Connect to Server Desktops link on the Remote Web Workplace to access server desktops in your network.

This problem occurs in scenario one because ISA Server blocks outbound traffic over port 4125. When you try to connect to server desktops through the Connect to Server Desktops link on the Remote Web Workplace, the connection uses TCP port 4125.

Scenario two

 * You connect to a Remote Web Workplace on a Windows Small Business Server 2003-based computer from a computer that has Firewall Client software installed.
 * The client computer is behind an ISA Server firewall.
 * You click the Connect to Server Desktops link on the Remote Web Workplace to access server desktops in your network.

The problem occurs in scenario two because the ISA Server blocks outbound traffic over port 4125. When you try to connect to server desktops through the Connect to Server Desktops link on the Remote Web Workplace, the connection uses TCP port 4125.

Scenario three

 * You connect to a Remote Web Workplace on a Windows Small Business Server 2003-based computer from a secure network address translation (NAT) client computer that is not running Firewall Client software.
 * The client computer is behind an ISA Server firewall.
 * You click the Connect to Server Desktops link on the Remote Web Workplace to access server desktops in your network.

The problem occurs in scenario three because ISA Server blocks outbound traffic over port 4125. When you try to connect to server desktops through the Connect to Server Desktops link on the Remote Web Workplace, the connection uses TCP port 4125.



RESOLUTION
To resolve this problem, use the resolution that is appropriate for your scenario.

Resolution for scenario one: Create an IP packet filter on your ISA Server
If you want to connect to the Remote Web Workplace from a computer that is running ISA Server, you cannot install Firewall Client on the ISA Server. Therefore, you must configure an IP packet filter for port 4125 on the ISA Server. To configure an IP packet filter on your ISA Server, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
 * 2) In the ISA Management console tree, expand Servers and Arrays, expand  , and then expand Access Policy.
 * 3) Right-click IP Packet Filters, point to New, and then click Filter.
 * 4) In the IP Packet filter name box, type the name that you want to give the packet filter, and then click Next.
 * 5) On the Filter Mode page, click Allow packet transmission, and then click Next.
 * 6) On the Filter Type page, click Custom, and then click Next.
 * 7) On the Filter Settings page, in the IP Protocol list, click TCP.
 * 8) In the Direction list, click Outbound.
 * 9) In the Local port list, click All ports.
 * 10) In the Remote port list, click Fixed port.
 * 11) In the Port number box, type 4125, and then click Next.
 * 12) On the Local Computer page, click Default IP addresses for each external interface on the ISA Server computer, and then click Next.
 * 13) On the Remote Computers page, click All remote computers, and then click Next.
 * 14) Click Finish.

Resolution for scenario two: Set a protocol rule on your ISA Server
If you connect to the Remote Web Workplace from a computer that is internal to the ISA Server, and you have Firewall Client software installed on your computer, you must configure a protocol rule on your ISA Server. To create a protocol rule, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
 * 2) In the ISA Management console tree, expand Servers and Arrays, expand  , and then expand Access Policy.
 * 3) Right-click Protocol Rules, point to New, and then click Rule.
 * 4) In the Protocol Rule Name box, type the name that you want to give to the rule, and then click Next.
 * 5) On the Rule Action page, click Allow, and then click Next.
 * 6) On the Protocols page, in the Apply this rule to list, click All IP traffic, and then click Next.
 * 7) On the Schedule page, in the Use this schedule list, click the schedule option you want to use, and then click Next.
 * 8) On the Client Type page, click Specific users and groups, and then click Next.
 * 9) On the Users and Groups page, click Add.
 * 10) In the Enter the object names to select box, type the names of the users or the groups that you want to use this protocol rule, click OK, and then click Next.
 * 11) Click Finish.

Resolution for scenario three: Define a protocol rule and then set a protocol definition for port 4125
Client computers that do not have Firewall Client software are secure network address translation (SecureNAT) clients. If you connect to the Remote Web Workplace from a computer that is internal to the ISA Server, and you do not have Firewall Client software installed on your computer, you must define a protocol rule and then configure a protocol definition for port 4125 outbound on your ISA Server. To create a protocol definition and then define a protocol rule, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
 * 2) In the ISA Management console tree, expand Servers and Arrays, expand  , and then expand Policy Elements.
 * 3) Right-click Protocol Definitions, point to New, and then click Definition.
 * 4) In the Protocol definition name box, type the name that you want to give to the protocol definition, and then click Next.
 * 5) On the Primary Connection Information page, in the Port number box, type 4125.
 * 6) In the Protocol type list, click TCP.
 * 7) In the Direction list, click Outbound, and then click Next.
 * 8) On the Secondary Connections page, click No, and then click Next.
 * 9) Click Finish.
 * 10) In the ISA Management console tree, expand Servers and Arrays, expand  , and then expand Access Policy.
 * 11) Right-click Protocol Rules, point to New, and then click Rule.
 * 12) In the Protocol Rule Name box, type the name that you want to give the rule, and then click Next.
 * 13) On the Rule Action page, click Allow, and then click Next.
 * 14) On the Protocols page, in the Apply this rule to list, click All IP traffic, and then click Next.
 * 15) On the Schedule page, in the Use this schedule list, click the schedule option that you want to use, and then click Next.
 * 16) On the Client Type page, click Any request, and then click Next.
 * 17) Click Finish.

Keywords: kbbug kbprb KB828053

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.