To publish an RDP server
- In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
- In the Tasks pane, on the Tasks tab, click Publish Non-Web Server Protocols to open the New Server Publishing Rule Wizard.
- Complete the New Server Publishing Rule Wizard as outlined in the following table.
| Page | Field or property | Setting or action |
|---|---|---|
| Welcome to the New Server Publishing Wizard | Server publishing rule name | Type a name for the protocol definition. For example, type: Publish RDP Server |
| Select Server | Server IP address | Type the IP address of the RDP server that you want to publish. |
| Select Protocol | Selected protocol | From the drop-down list, select RDP (Terminal Services) Server. Then click Ports if you want to override the default ports in the protocol definition. |
| Ports (appears only if you click Ports on the Select Protocol page) | Firewall Ports | Select one of the following:<br>- Publish using the default port defined in the protocol definition. With this option, Forefront TMG accepts incoming client requests on port 3389.<br>- Publish on this port instead of the default port. With this option, Forefront TMG accepts incoming client requests on the nonstandard port specified, and then forwards them to the designated port on the published server. |
| | Published Server Ports | Select one of the following:<br>- Send requests to the default port on the published server. With this option, Forefront TMG accepts requests for the published service on port 3389.<br>- Send requests to this port on the published server. With this option, Forefront TMG accepts requests for the published service on a port other than port 3389. |
| | Source Ports | Select one of the following:<br>- Allow traffic from any allowed source port. With this option, Forefront TMG accepts requests from any port on allowed client computers.<br>- Limit access to traffic from this range of source ports. With this option, Forefront TMG accepts requests only from the ports that you specify. |
| Network Listener IP Addresses | Listen for requests from these networks | Select the External network. To select specific IP addresses on which Forefront TMG will listen, click Addresses, and then select Specified IP Addresses on the Forefront TMG computer in the selected network. In the Available IP Addresses list, select the appropriate IP address, click Add, and then click OK.<br>In an array with multiple array members, select the same virtual IP address for each array member if Network Load Balancing is enabled. Otherwise, select an appropriate IP address for each array member. |
| Completing the New Server Publishing Wizard | | Review the settings, and then click Finish. |
- If you want Forefront TMG to allow only specific computers on the Internet to connect to the published RDP server, perform the following steps.
  - In the details pane, select the rule that you just created.
  - On the Tasks tab, click Edit Selected Rule.
  - On the From tab, click Anywhere, and then click Remove.
  - Click Add, click New, and click Computer Set.
  - Type a name for your new computer set, and then add the computers that will be allowed to connect to the RDP server to the computer set.
  - Click OK.
  - On the Add Network Entities page, select the computer set that you created, click Add, and then click Close.
  - Click OK.
- In the details pane, click the Apply button to save and update the configuration, and then click OK.
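
To check the applied rule, the following added example (not part of the original procedure or of Forefront TMG) sends an RDP X.224 Connection Request to the listener address and firewall port and reports whether an RDP server answers. The address 192.0.2.10 is a placeholder, and the sample reply bytes are constructed for illustration.

```python
import socket
import struct
import sys

PROTOCOLS = {0: "Standard RDP security", 1: "TLS", 2: "CredSSP (NLA)"}

# Constructed sample reply: Connection Confirm selecting CredSSP.
SAMPLE_REPLY = bytes.fromhex("030000130ed00000123400" "0200080002000000")


def build_connection_request(requested_protocols=3):
    """TPKT + X.224 Connection Request carrying an RDP negotiation request."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Describe the server reply; raise ValueError if it is not RDP."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("reply is not a TPKT frame")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("reply is not an X.224 Connection Confirm")
    result = {"rdp": True, "negotiation": None}
    if len(data) >= 19:  # negotiation response or failure follows
        kind, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
        if kind == 0x02:
            result["negotiation"] = PROTOCOLS.get(value, hex(value))
        elif kind == 0x03:
            result["negotiation"] = "failure code %d" % value
    return result


def probe(host, port=3389, timeout=5.0):
    """Connect to the published address and port and report what answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request())
            return parse_connection_confirm(s.recv(1024))
    except (OSError, ValueError) as exc:  # blocked, timed out, or not RDP
        return {"rdp": False, "error": str(exc)}


if __name__ == "__main__":
    # Placeholder listener address; pass the real one as arguments.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    print(host, port, probe(host, port))
```

Run it once from a computer in the allowed computer set and once from a computer outside it; an RDP answer in the second case means the From restriction is not in effect.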
Copyright © 2009 by Microsoft Corporation. All rights reserved.