July 9, 2008 08:20am pdt

1. RobWill 276,428
2. batry_boy 232,484
3. lrmoore 118,788
4. arnold 107,903
5. mwecompu... 65,324
6. dpk_wal 52,425
7. mkielar 41,600
8. ebjers 39,050
9. MrHusy 38,470
10. Cyclops3590 32,200
11. Voltz-dk 28,470
12. TechSoEasy 28,114
13. trinak96 26,165
14. keith_al... 21,046
15. stuknhawaii 20,075

1. RobWill 1,429,321
2. lrmoore 919,531
3. batry_boy 407,194
4. grblades 214,434
5. rsivanandan 145,141
6. calvinetter 112,055
7. arnold 109,903
8. dpk_wal 105,425
9. TechSoEasy 101,193
10. mwecompu... 83,124
11. tim_holman 75,964
12. keith_al... 75,885
13. MrHusy 71,744
14. ewtaylor 68,324
15. Cyclops3590 68,145

05.16.2008 at 07:19PM PDT, ID: 23410132

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.2

VPN/Remote Desktop Connection problem

Zones: Virtual Private Networking (VPN), Miscellaneous Networking, Remote Desktop/Terminal Services

Tags: Watchguard, Firebox edge, 10

I am working with 2 seemingly identical laptops with XP Pro, trying to establish a VPN/Remote Desktop Connection to a terminal services system (Windows Server 2003) in our office. One works fine. The second one connects (I'm using Watchguard Mobile VPN software 10.04 software on both). When I open the Remote Desktop Connection (RDC), however, and enter my credentials, the second system will not connect.

It says "This computer can't connect to the remote computer."

The RDC screen is different. On the working one, it has the domain listed. On the second system, it just asks for computer name and then username and password. I put in domain\username and the correct password, but it doesn't work.

I don't recall doing anything different when I installed VPN client on the first system. It worked right away, with no problem. I am at a loss as to why the second system doesn't work. Can anyone help?

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: ncnyshirl

Solution Provided By: dpk_wal

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

05.17.2008 at 07:38AM PDT, ID: 21589487

fhmc:

can the 2nd computer ping the terminal server by name and/or IP address?

05.17.2008 at 09:56AM PDT, ID: 21590028

Rank: Master

dpk_wal:

Also, is there a chance that the 2nd XP computer has same IP subnet as behind WG firewall. Please update.

Thank you.

05.17.2008 at 05:29PM PDT, ID: 21591188

ncnyshirl:

I'll try the pinging when I get home later tonight. If I understand it correctly, I go to a cmd prompt and type ping and the public IP address.

I don't entirely understand the other question (remember I'm a beginner at this!). When I do an ipconfig /all on the server (actually, any system behind the firewall), it gives the subnet mask. Is this what you mean by IP subnet? If not, how do I determine the IP Subnet?

Thanks so much!
Shirley

05.17.2008 at 07:00PM PDT, ID: 21591331

Rank: Master

dpk_wal:

For the first question yes.

For the second question, please give output of ipconfig/all from the machine before VPN and ipconfig/all of the machine you want to RDP to; please do remember to remove MAC address and two octets of public IP address.

Thank you.

05.18.2008 at 11:32AM PDT, ID: 21593541

ncnyshirl:

I can ping the server from the system I want to VPN from.

I'll have to get the ipconfig of the server tomorrow. Is the MAC address the physical address? Does removing two octets of the public ip address mean that, instead of 111.222.3.4, I'd give you just the .3.4?

Thanks,
Shirley

05.18.2008 at 11:35AM PDT, ID: 21593550

Rank: Master

dpk_wal:

If you can ping the server then my question is no longer valid; this means that the traffic is flowing from the VPN client to the other end; can you check if you can RDP to the machine using IP address.

Thank you.

05.18.2008 at 09:13PM PDT, ID: 21595188

ncnyshirl:

I can ping the main server from the VPN client, when the VPN connection is not active.
If I connect, using VPN, I cannot ping, using either the public or private IP address.

I tried to use Remote Desktop Connection to connect. It does, but I get a message: RD can't verify the identity of the computer you want to connect to. This problem can occur when
1. The remote computer is running a version of Windows that is earlier than Windows Vista
2. The remote computer is configured to support only the RDP security layer.

Then it asks if I want to connect anyway. I say yes and it does connect successfully.

Does this tell you anything?
Thanks,
Shirley

05.19.2008 at 06:57AM PDT, ID: 21597795

Rank: Master

dpk_wal:

>> I can ping the main server from the VPN client, when the VPN connection is not active.

Are you pinging the internal IP or external IP? You should be pinging the internal IP only.

Can you disable firewall on the vista box for some time and see if that changes anything. Does the VPN client indicate that tunnel is up.

As you are not able to ping when VPN is active, can you paste the internal IP address of the machine from where you are trying to connect and the destination machine IP [internal].

Thank you.

05.19.2008 at 09:24AM PDT, ID: 21599175

ncnyshirl:

When the VPN connection is not active, I can only ping the public IP address. When the VPN is active, I can't ping the server at all.

I'll try disabling the firewall (it's XP Pro) tonight when I get home.

>>can you paste the internal IP address of the machine from where you are trying to connect and the destination machine IP [internal].<<

Do you mean that you want me to give you the internal IP addresses of the client and the Terminal Services machine? I just want to make sure before I put that information on this forum. I guess it's OK.

Thanks,
Shirley

05.19.2008 at 10:08AM PDT, ID: 21599603

Rank: Master

dpk_wal:

Internal IP address should not be much of worry as they are private and can be used by anyone; caution should be exercised when publishing public IP addresses. I would request terminal server and your client private IP addresses.

Thank you.

05.19.2008 at 08:08PM PDT, ID: 21603333

ncnyshirl:

I'm sorry to be so cautious about this, but I want to make sure I'm not giving you (and the world) the public IP address. In an earlier message you said to give you the contents of the ipconfig /all, but to eliminate the first two octets of the public IP address.

When I do ipconfig /all it gives only one IP address. Is this the public address? I always thought that it was the private one. The public one is the one given to us by our ISP, correct?

Once I'm sure of that, I'll be happy to put the addresses here. I've been doing some research on my own and at least now I know what the octets are!

I tried connecting with the Firewall off but it made no difference.

Thanks,
Shirley

05.19.2008 at 09:49PM PDT, ID: 21603560

Rank: Master

dpk_wal:

Private IP addresses are in the range:
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

If your IP addresses fall in above range feel free to post them as they are private IP or non-routable IPs known to everyone on the internet. If the IPs do not fall in the above ranges, than remove two middle octets, for eg: 65.x.x.1

Thank you.

05.20.2008 at 08:08AM PDT, ID: 21606865

ncnyshirl:

The address of the client is 192.168.1.3
The terminal services server is 192.168.1.11

Thanks.
Shirley

05.20.2008 at 09:03AM PDT, ID: 21607533

Rank: Master

dpk_wal:

This is what I thought the problem is...my first post; you have same subnets on both ends of the VPN tunnel and in this case the traffic would not get routed over the VPN tunnel.

By IP subnet I mean: 192.168.1.0/24 [so valid IP range: 192.168.1.1-254; 255 being broadcast IP]

You would need to change the IP subnet at one of the ends; you would be connecting to internet through a mode/router at home which would be doing NAT; here change the network to say 192.168.100.x

On the machine do ipconfig /release and later ipconfig /renew; if you are using DHCP; if using static IP then manually you would need to change to the subnet you configure on the modem/router.

Please let know if you need more details.

Thank you.

Accepted Solution

05.20.2008 at 09:48AM PDT, ID: 21607990

ncnyshirl:

I'll "play around" with this tonight at home. I'm not sure if I'll be able to make the change on the home router, but I'll look at it. It's a Verizon FIOS router.

I do know how to change the IP address on the client.

Thanks for your help (and your patience).
Shirley

05.20.2008 at 10:50AM PDT, ID: 21608490

Rank: Master

dpk_wal:

You are welcome, please implement and update; if you wish we can change the IP subnet on WG instead.

Thank you.

05.21.2008 at 11:45AM PDT, ID: 21617817

ncnyshirl:

I'm thinking that I'd like to change the IP subnet on WG instead. Is there a down side? Can you tell me how, or is there a paper somewhere that documents how to change the subnet? I'll look on the WG website and see if I find anything.

Thanks,
Shirley

05.21.2008 at 07:27PM PDT, ID: 21620463

Rank: Master

dpk_wal:

If you are using Edge as DHCP then changing IP subnet would be fairly simple; otherwise, you you would need to change the new IP subnet on Edge and on all the machines with static IP address.

To change the IP address of the trusted network:
1. Connect to the System Status page, type https:// in the browser address bar, followed by the
IP address of the Firebox X Edge trusted interface.
2. From the navigation bar, select Network > Trusted.
3. Type the new IP address of the Firebox X Edges trusted interface in the IP Address text field.
4. Type the new subnet mask.
5. Select Enable DHCP Server on the Trusted Network check box if you wish Edge to act as DHCP server for your network.
If you enabled DHCP then follow below steps otherwise skip to step 9.
6.. Type the first and last available IP addresses for the trusted network. Do not include the IP
address of the Firebox X Edge.
7. Use the Days/Hours/Minutes value control boxes to set the length of time for each DHCP lease
the Edge gives.
8. If needed, type the WINS Server Address, DNS Server Primary Address,
DNS Server Secondary Address, and DNS Domain Suffix in the correct text boxes.
9. Click Submit.

You would also need to edit all the pre-configured policy/services and change the internal host ip to the new subnet.

Thank you.

05.22.2008 at 07:53AM PDT, ID: 21624332

ncnyshirl:

I'll need some time for this, but I'll let you know how it goes as soon as I can. Thanks for such detailed instructions!

Shirley

05.22.2008 at 08:52AM PDT, ID: 21624962

Rank: Master

dpk_wal:

You are welcome; please implement and update per your convenience.

Thank you.

05.25.2008 at 08:31PM PDT, ID: 21644518

ncnyshirl:

It's working now. I went back to changing the subnet IP on my home router. I had to get some help from Verizon, but was successful.

I learned a lot from this. Thank you again for all your help.

Shirley

05.26.2008 at 02:00AM PDT, ID: 21645390

Rank: Master

dpk_wal:

You are welcome! :)

20080236-EE-VQP-29 / EE_QW_2_20070628