I don’t have any answers offhand, but I am curious about a couple of things – maybe we can make this dialog entertaining enough to elicit some more knowledgeable responses (grin).
On the 4th line, I see a different pattern in the logs…
3389 34703 457 7357 3389 where I assume the 3389 at the beginning and end of that fragment are the inner destination port and the outer destination port.
On the earlier lines, it just shows:”3389 16 – – 3389 ”
Any idea what the significance of those other numbers are?
Also wondering, does the internal workstation see the connection attempt as a timeout, or a connection refusal?
I’m assuming that the logs you’ve shown are from the firewall/ISA server. Are there any relevant logs on the external Terminal Server?