richardRinJH asked:
Why can't I RDP over VPN to a machine to which I can RDP from the LAN

I've got a user to whom I just gave a new machine. She still has her old machine running.

All machines are Windows 7. VPN is via Cisco AnyConnect client to our ASA.

She can RDP to the new machine from her old machine from within the LAN.

She can RDP to her old machine from the new machine on the LAN.

She can RDP to the old machine from her home machine on the VPN.

She *cannot* RDP to the new machine from her home machine on the VPN. The error is a simple authentication message (see attached screen shot).



She can RDP to another machine on the VPN and then hop from there to the new machine.

I looked at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
The Security Packages Key had kerberos msv1_0 schannel wdigest tspkg pku2u, as required.
Attachment: 4-12-2012-11-09-46-AM.png

todd_beedy:

VPN policy and certificates loaded on that new computer? Can she access all other network resources as before when she is VPN in?

richardRinJH (Asker):

Yes. Access over the VPN is unchanged to all other resources. I'd think it was simply not having RDP open on the new machine except that she can get to it from within the LAN. I don't know of a setting that would allow it from within the LAN but on the VPN, is there one?
Because the Windows Firewall is on.  Turn the Windows firewall off (all 3 settings) and test.

Once confirmed you can turn it back on and modify the firewall to allow RDP from the VPN address pool.
Also make sure she did not set her "home" network to public when she "plugged in" at home.
I thought about that, but the fact that she can see other machines inside the LAN from the VPN connection led me away from thinking it's on her end.
Turn the firewall off on the machine she is connecting TO, not the machine she is connecting FROM.
> I don't know of a setting that would allow it from within the LAN but on the VPN, is there one?

Yes.  The firewall.
When she is connecting on the lan I would assume you are authenticating on the domain so the windows firewall sets that up under the "domain" firewall rules. When she is connecting from outside, she could have selected public.
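An added example, not part of the thread, showing how to check which Windows Firewall profile is active on the target machine and how to allow RDP only from the VPN address pool instead of disabling the firewall. The pool value is an assumption; the real one comes from the ASA's AnyConnect configuration.

```batch
@echo off
REM Added example, not from the thread. Run in an elevated prompt on the machine
REM the user is connecting TO (the new Windows 7 box).
REM VPN_POOL is an assumption: replace it with the AnyConnect address pool from the ASA.
set VPN_POOL=10.10.50.0/24

REM 1. Which firewall profile (Domain / Private / Public) is in force right now?
REM    The built-in RDP rule is often enabled for Domain only, which is why LAN
REM    access works while a VPN client hitting another profile is dropped.
netsh advfirewall show currentprofile

REM 2. State and profile scope of the built-in Remote Desktop rule.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose

REM 3. Confirm the RDP listener is actually up on 3389.
netstat -ano | findstr /C:":3389"

REM 4. Instead of leaving the firewall off, add one narrow rule: TCP/3389 inbound,
REM    only from the VPN pool, on every profile so it holds whichever one is active.
netsh advfirewall firewall add rule name="RDP from VPN pool" dir=in action=allow ^
  protocol=TCP localport=3389 remoteip=%VPN_POOL% profile=any

REM 5. Verify the new rule exists before turning the firewall back on.
netsh advfirewall firewall show rule name="RDP from VPN pool"
```

Once the scoped rule is confirmed working, the three firewall profiles can be re-enabled and the blanket "firewall off" test state left behind.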
Firewall is OFF on all settings as recommended. User is no longer at home so can't test right away. It will likely be this evening before I'll know more.
arnold:

Are all systems on the same subnet? Or is it possible that the new system has an IP that is outside the VPN rule, or they have an IP overlap where the user's home network matches the IP of the new system?
Still testing. The user has been on vacation!
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
I provided a valid answer and request the assigned points.
I also provided a valid answer(s) and dialogue with the open poster. I would like to ask the post remain open two more weeks until the OP can respond with specifics. If no posts have been made by that time, I would agree with closing and assigning points as to participants.
The user in question returns to work on Monday and we will continue troubleshooting then. All solutions suggested to date have been applied with no success. The user will bring the laptop in question in to work on Monday and we'll see what we can find when we have it in hand.

I'd suggest letting the clock run on this for awhile longer.
Hello Richard,

any luck yet?
Experts,

Please make your recommendations here.  Your recommendations may include:
1) Delete/refund
2) Delete/no refund
3) Accept one or more Expert posts as the answer
4) PAQ refund if the Asker answered his/her own question

If you recommend #3 or #4, please indicate which post ID(s) should be selected as the answer.  To make it easier for us to process this request, when posting the comment ID(s) to use, please post them in the format http:#CommentID. For example, http:#a12345678.

Further, if you recommend #3 or #4, please include a sentence or two to help the Moderator understand why that comment/selection of comments is the right answer, as your Moderator will not necessarily be an Expert in this particular subject!

A Moderator will be along in about 4 days to finalize the question.  Anyone not posting within that window shall be deemed no longer interested in the outcome.

Link to CSG thread:
https://www.experts-exchange.com/R_5657.html

modus_operandi
EE Admin

Comment: http:#a37965503

recommend to #1 delete and refund as points and responses provided did not result in success for the issue posted.
3) Accept one or more Expert posts as the answer
50/50 split todd_beedy & RPPreacher
No posts to this point have solved the problem. All were tested. I am pursuing a solution, but to date with no success.

I repeat, the problem has NOT been resolved.
The problem is that it is unclear what your issue is.  It seems you are able to connect, but the credentials you are using are being reflected as the cause for the failure to connect.

If you are entering the wrong credentials, attaching local resources that cause the remote system to reject.  Checking the event log on the desktop for the period when the connection attempts were made is the only way to see why it is being rejected.
Understood. As soon as I can coerce the user into bringing her laptop to work so I can get at it that's exactly what I'm going to do. I'm trying to get the information, but am fighting user inertia!
Do you have the same VPN access?  Are you able to VPN and then RDP to a LAN system?
Is RDP on the LAN from the same system?
i.e. the laptop is on the LAN and then the user RDPs to that system?

ip route table from the remote user might be helpful before and after the VPN connection is established.
ipconfig /all
netstat -rn
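An added example, not from the thread, that gathers the evidence suggested above: the target machine's failed-logon and RDP listener events, and the laptop's addressing and route table before and after AnyConnect comes up. Event IDs and log names are standard Windows 7 ones; the output path is an assumption.

```batch
@echo off
REM Added example, not from the thread.
REM usage: rdp-triage.cmd target   (run on the new machine right after a failed attempt)
REM        rdp-triage.cmd client   (run on the laptop once before and once after the VPN connects)
set OUT=%TEMP%\rdp-triage-%COMPUTERNAME%-%1.txt
if "%1"=="target" goto target
if "%1"=="client" goto client
echo usage: %~nx0 target ^| client
exit /b 1

:target
echo === Target side: why was the logon rejected? === > "%OUT%"
REM Failed logons (Security 4625). The Status field explains the rejection:
REM 0xC000006D = bad user name or password, 0xC000015B = logon type not granted
REM (account is not allowed to log on through Remote Desktop).
wevtutil qe Security /q:"*[System[(EventID=4625)]]" /c:10 /f:text /rd:true >> "%OUT%"
REM The RDP listener's own record of incoming connections, including source address.
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational /c:10 /f:text /rd:true >> "%OUT%"
REM Firewall drops are only written if logging is on; enable it so the next attempt
REM shows up in %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable >> "%OUT%"
echo Written to "%OUT%"
exit /b 0

:client
echo === Client side: addressing and routes === > "%OUT%"
REM Compare a run taken before and after connecting: the new machine's subnet must
REM be routed via the VPN adapter, and the home LAN's range must not overlap it
REM (an overlap keeps the traffic local and it never reaches the ASA).
ipconfig /all >> "%OUT%"
netstat -rn >> "%OUT%"
echo Written to "%OUT%"
exit /b 0
```

Diff the two client runs; a route for the office subnet that appears only after the VPN is up, and no home-LAN route covering the same range, is what a working path looks like.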
Using the same laptop, from the same Internet connection she can VPN to another machine sitting on her desk and plugged into another port on the same switch. If I switch the machines between the two ports the problem follows the machine.
ASKER CERTIFIED SOLUTION by richardRinJH:
I've requested that this question be closed as follows:

Accepted answer: 0 points for richardRinJH's comment #37972839

for the following reason:

Final solution has been posted now by the Asker, and there were no Expert suggestions used, so accepting that comment is the only correct disposition.

Modalot
Community Support Moderator
Expert solutions aided the Asker in troubleshooting and identifying a solution.  Our submitted troubleshooting steps contributed to the overall identification of a solution.
I don't agree, but limited split OK by me.