• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2482
  • Last Modified:

Setup Router for Terminal Server

I need to setup our HotBrick LB2 router to receive RDP (terminal services) traffic, and pass it on to our terminal server. Our terminal server's internal static LAN IP is 192.168.254.2. Any help would be appreciated. I tried setting up a virtual server, but things don't seem to be working correctly. Does anyone else know how to do this on a HotBrick LB2 VPN router? Thanks!
0
mckeough
Asked:
mckeough
2 Solutions
 
Pete LongConsultantCommented:
You need to forward all incoming port 3389 TCP (that's RDP) traffic to the IP of the terminal server.
0
 
mckeoughAuthor Commented:
Do you know how to do this with a HotBrick router?
0
 
Pete LongConsultantCommented:
Never used one, sorry - I'm a Cisco man :) I can only help with the TCP port number, I'm afraid, sorry.
0
 
mckeoughAuthor Commented:
OK. Thanks Pete. Anyone else?
0
 
FrabbleCommented:
Seems straightforward looking at the manual ...

Create a Custom Virtual Server
Server Name: Terminal Services
State: Enabled
Server IP: 192.168.254.2
Protocol Type: TCP
LAN Port Range: 3389 - 3389
WAN Port Range: 3389 - 3389
Interface Binding: WAN1 or WAN2 or both (which ever is active)

Click on Add.

When you say it doesn't seem to be working correctly, does it work for access from the Internet? It won't work for accessing from your LAN network.
0
 
TJworldCommented:
Starting on page 11 of the manual are instructions for setting up a one-to-one NAT on the HotBrick for Terminal Services.

You'll need to set a "Special Service":

Name: RDP
Protocol: TCP
Port: 3389

http://www.hotbrick.com/manual/reference.pdf
0
 
mckeoughAuthor Commented:
That would be awesome if that were the right router. I have an LB2-VPN firewall/router. Thanks though.
0
 
mckeoughAuthor Commented:
Frabble, I guess I should have addressed yours first. Yes! You've got the right manual. I set up a custom server exactly the way you stated. I double-checked my settings after you posted your comment. Still, no luck. Port 3389 should be the only port I have to listen on, right? I shouldn't have to change anything on my Terminal Server, right? I know my server is working because we currently have a DSL connection that we're running on. Also, if I attach directly to the Hotbrick with my laptop, I can ping our terminal server, so I know the unit can "see" inside our network.

I'll have a remote office check to see if they can connect using the new IP since it won't work from inside the LAN. Oh, just so we're clear, you can ping the Hotbrick address from anywhere in the world, so I know anyone on the Internet can see my firewall. Any suggestions? Anyone?
0
 
elconomenoCommented:
Try first to make a TS connection in the LAN.

Add the IP address of your server in the Custom Virtual Servers section of the router configuration.
Test from outside.

0
 
mckeoughAuthor Commented:
OK. Here's an update...

People using our DSL connection are on the server all the time, so I know the server is working. I can make a LAN or WAN connection to it without any problem.

I called Hotbrick tech support, and they took a look at my router config from their offices. They said that I have everything configured correctly.

I made sure that the Hotbrick could see the LAN in its entirety. The results of the tests were good. I can ping any IP on my LAN if I'm sitting behind the firewall. This includes pinging my terminal server with the firewall. I can think of only two things it could be...

1. Perhaps the Hotbrick isn't working correctly, and I need to either upgrade the firmware, or tell Hotbrick they sent me a bad router.

2. My ISP is blocking port 3389 on the T1 gateway. I think this is highly unlikely, but I've caught a couple of their mistakes since they put this in. I guess I'll give them a call and find out.

Any more ideas anyone?

Just so everyone knows - I DID add the IP address of the server to the Custom Virtual Servers section of the router config. Hotbrick tech-support re-did this config as well. They tried getting through to our server, but no luck. Currently they want me to upgrade the firmware, so I guess that is my next step. If that doesn't work, I'll call my ISP to see if they are blocking port 3389 on my gateway for some reason (I highly doubt this is the case). If that doesn't work, I'll give Hotbrick another call. *sigh...
 
0
 
TJworldCommented:
A trick for you... on the router can you set the internal destination port as well as the IP address?

If you can point it to an internal web server then from outside simply go to http://your.router.com:3389/ and if it works you know port 3389 isn't blocked externally.
0
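The test above checks reachability of the forwarded port from the outside. The script below is an added example, not code from the thread, that generalises that check: it attempts a TCP connect to a host and port and classifies the outcome, because the three failure modes discussed in this thread look different on the wire. A completed handshake means the forward works; an immediate "refused" means packets reached the far end but nothing accepted them (no listener, or the router rejected the forward); a timeout means something in the path, such as an ISP filter, is silently dropping the traffic. The self-test uses only loopback sockets so it runs offline; the host name `your.router.example` in the comment is a placeholder, not from the page.

```python
import socket


def check_tcp_port(host, port, timeout=3.0):
    """Attempt a TCP connect and classify what happened.

    'open'        the handshake completed: the port forward (or host) accepted it
    'refused'     a RST came back: the path is clear but nothing is listening,
                  or the router actively rejected the forwarded connection
    'filtered'    no reply before the timeout: a firewall or upstream filter is
                  silently dropping packets (or the host is simply down)
    'unreachable' the local stack could not even route to the host
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def demo_against_local_listener():
    """Offline self-test: probe a loopback port that has a listener and one
    that does not, and return both classifications."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Grab a second free port, then close it so nothing is listening there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        result = {
            "listening": check_tcp_port("127.0.0.1", open_port, timeout=1.0),
            "nothing_listening": check_tcp_port("127.0.0.1", closed_port, timeout=1.0),
        }
    finally:
        listener.close()
    return result


if __name__ == "__main__":
    # Real use, from a machine outside the LAN (placeholder host name):
    #   check_tcp_port("your.router.example", 3389)
    print(demo_against_local_listener())
```

Run it from a host outside your network against the router's WAN address and port 3389; a "filtered" result with a working forward points at an upstream block, while "refused" points at the router or the server's listener.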
 
mckeoughAuthor Commented:
I think I figured out what is up (kinda). The problem doesn't lie with our router. The problem must be with the terminal server because I configured a different setup just to confirm that the router was working correctly. What I did was set up a laptop behind the firewall, and put TightVNC on it. VNC uses port 5900. I just added an entry for the IP of the laptop and port 5900 and whammo! I could access the laptop from anywhere in the world as long as I have TightVNC installed. The router works like a champ. This doesn't fix our RDP problem though...

I noticed that the terminal server DOES NOT work if I change the default gateway to something else. Our old gateway is (LAN IP) 192.168.254.10. Our new one is 192.168.254.11. If I change the gateway to .11, NEITHER the old connection nor the new one works. In other words, I'm pretty sure the terminal server needs to be correctly configured to "listen" to our new router instead of our old one.

Does anyone know what settings I need to change on the server? Does it have something to do with an RDP listener? I haven't set up a terminal server before, so I'm not sure what to look for.
0
 
TJworldCommented:
On your terminal server, on the network interface that is connected to the same LAN segment as the HotBrick, call up the Network Properties, TCP/IP, Advanced, and make sure your default gateway is set to the LAN address of the HotBrick.

That means that any traffic the TS has to return to the Internet gets sent to the HotBrick.

If that setting is correct, check the routing table in the server.

C:\>ipconfig /all > C:\config.txt
C:\>route print >> C:\config.txt

and let us have a look.

Does the server have any other major services running on it, such as Routing and Remote Access or ISA Server? If it does they will have an impact too.
0
 
mckeoughAuthor Commented:
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : mckeough02
        Primary DNS Suffix  . . . . . . . : mckeough.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mckeough.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : mckeough.com
        Description . . . . . . . . . . . : HP NC7131 Gigabit Server Adapter
        Physical Address. . . . . . . . . : 00-02-A5-43-32-07
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.254.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.10
        DNS Servers . . . . . . . . . . . : 192.168.254.1
        Primary WINS Server . . . . . . . : 192.168.254.1

ROUTE PRINT:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 02 a5 43 32 07 ...... HP NC7131 Gigabit Server Adapter
0x1000004 ...00 02 a5 ed 98 0f ...... HP NC3163 Fast Ethernet NIC
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.254.10   192.168.254.2       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.254.0    255.255.255.0    192.168.254.2   192.168.254.2       1
    192.168.254.2  255.255.255.255        127.0.0.1       127.0.0.1       1
  192.168.254.255  255.255.255.255    192.168.254.2   192.168.254.2       1
        224.0.0.0        224.0.0.0    192.168.254.2   192.168.254.2       1
  255.255.255.255  255.255.255.255    192.168.254.2   192.168.254.2       1
Default Gateway:    192.168.254.10
===========================================================================
Persistent Routes:
  None

These configurations are what is currently running, but I DID change the default gateway (TCP/IP, Advanced...) this morning to the .11 router. I couldn't keep it like that for long though since people would be attempting to sign in through the .10 router.
Yes, it is running Routing and Remote Access as well.

0
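TJworld's check (default gateway must be the new router's LAN address, and the routing table must agree) is the one that eventually explained the problem. The following is an added example, not code from either participant: a small Python audit that parses `ipconfig /all` and `route print` text like the output posted above and reports where the adapter's default gateway and the active default route disagree with the router you expect. The sample texts are constructed from the values in the post and trimmed; the router address 192.168.254.11 is the new HotBrick LAN IP mentioned earlier in the thread, and the "IP Routing Enabled" hint reflects TJworld's question about Routing and Remote Access.

```python
import ipaddress
import re

# Constructed sample modelled on the ipconfig /all output posted above (trimmed).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : mckeough02
        IP Routing Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 192.168.254.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.10
"""

# Constructed sample modelled on the route print output posted above (trimmed).
SAMPLE_ROUTE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.254.10   192.168.254.2       1
    192.168.254.0    255.255.255.0    192.168.254.2   192.168.254.2       1
Default Gateway:    192.168.254.10
"""

_ADAPTER = re.compile(r"^(\S.*):\s*$")                     # "Ethernet adapter X:"
_FIELD = re.compile(r"^\s+([A-Za-z][^.:]*?)[ .]*:\s*(.*?)\s*$")  # "  Key . . . : value"
_ROUTE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_ipconfig(text):
    """Return {'_global': {...}, '<adapter name>': {...}} from ipconfig /all text."""
    sections = {"_global": {}}
    current = "_global"
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = _FIELD.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples from route print."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_ROW.match(line)
        if m and m.group(1)[0].isdigit():   # skip the column header line
            routes.append(m.groups())
    return routes


def audit_gateway(ipconfig_text, route_text, router_lan_ip):
    """List the misconfigurations that would send return traffic the wrong way."""
    findings = []
    cfg = parse_ipconfig(ipconfig_text)
    router = ipaddress.ip_address(router_lan_ip)

    if cfg["_global"].get("IP Routing Enabled") == "Yes":
        findings.append("IP Routing Enabled: Yes (RRAS/forwarding is active; check it does not add its own default route)")

    for name, fields in cfg.items():
        if name == "_global" or "IP Address" not in fields:
            continue
        iface = ipaddress.ip_interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")
        gw = fields.get("Default Gateway", "")
        if not gw:
            findings.append(f"{name}: no default gateway set")
            continue
        gw_addr = ipaddress.ip_address(gw)
        if gw_addr not in iface.network:
            findings.append(f"{name}: gateway {gw} is not on subnet {iface.network}")
        if gw_addr != router:
            findings.append(f"{name}: default gateway {gw} is not the router LAN IP {router_lan_ip}; replies to Internet clients leave via the wrong router")

    for dest, mask, gw, _iface, _metric in parse_routes(route_text):
        if dest == "0.0.0.0" and mask == "0.0.0.0" and ipaddress.ip_address(gw) != router:
            findings.append(f"route table: active default route via {gw}, expected {router_lan_ip}")
    return findings


if __name__ == "__main__":
    for f in audit_gateway(SAMPLE_IPCONFIG, SAMPLE_ROUTE, "192.168.254.11"):
        print(f)
```

Run against the posted output with the new router as the expected gateway, the audit flags both the adapter setting and the active route still pointing at 192.168.254.10, which is exactly why forwarded RDP connections arrived but the server's replies went back out through the old DSL router.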
 
TJworldCommented:
What first strikes me is you've got the DNS domain name set to one that is valid on the internet.

Is your internal DNS server on 192.168.254.1 also serving the internet?

There's a classic rule in running DNS domains on LANs - *never* have an internal domain name that is live on the Internet.

You have your base domain set to mckeough.com, and in your LAN that has to resolve to the IP of your Domain Controller. But on the Internet that resolves to a public Internet address 69.0.162.77 which when I check turns out to be bigwaterhosting.com.

Usually I make the internal domain (DNS and Windows network Domain) lan.company.com, and have a separate primary zone file for company.com.

This way the IP addresses and namespaces can be kept logically separate.

When the domain name isn't tied to Active Directory the way I do it is to have the company.com zone file serve the Internet addresses, and then I delegate lan.company.com (from within the company.com zone) to the same server, and create another primary zone for lan.company.com with the internal IPs.

Depending on how your DNS Server is configured and whether it's answering Internet lookups, it should be possible to sort that out.

Does the DNS server have a reverse lookup zone file for 254.168.192.in-addr.arpa ?

I was going to ask if the reverse lookup for your Internet IPs had been delegated to your server but I can see from a name query that it isn't. That tells me you've not got a reverse lookup zone for the Internet.

Is the DNS server configured to do Forwarding or Root Hints lookups on zones it isn't authoritative for?

I think you will need to explain the topology of your LAN so I can fully understand all the ramifications.
0
 
mckeoughAuthor Commented:
OK. Sorry for not getting back with you guys, but I've had some very big projects to deal with lately. However, this T1 issue came crashing down today because our DSL line went down. SBC said it would be about 4 hours before a technician would even CALL me to see when they could come out. So, out of desperation, and since nobody could use the internet anyway, I threw the switch on the T1. Obviously, we have internet access now. Here's the one I wasn't sure about - our Terminal Server. Well - IT WORKS! :-) Since we were dead in the water anyway, I was able to make the necessary configuration changes in our gateway configurations and our DHCP configurations. Once I changed the default gateways to our T1 and updated the router record in DHCP, everything worked great! At least for today, I get to be the company's hero. Being down 45 minutes is a LOT better than 6 to 8 hours! :-)

Now all we have to do is wait for the host that handles our host records to change our A (host) records to our new IP addresses.

This might answer some of your questions TJWorld. We have enabled web access to our Exchange server so people can get their email from anywhere in the world without having to use anything but a web browser. We also want anyone to be able to get to our terminal server without having to remember an IP number. As I just mentioned, we also run our own Exchange server, so that is why we have some reverse DNS set up. The IP you pulled up is the IP of our web-site, and not our gateway. It has nothing to do with our network. Also, no, we're not serving DNS up to the Internet. The only thing we do with DNS and the Web is letting people do Reverse DNS on us for email.

So, the reason for the post, getting our server working with our new firewall, has been satisfied.

TJWorld, you've been a big participant, and a big help because not only were you working with me on the terminal server/router end of things, but you've told me what I need to do to separate our web site from our domain. I might want to work with you some more on that one. Does EE let people contact certain experts to let them know they have posted something new that they would like help with?

Here's the way I'd like to break the points down:

TJ World - 250 pts. for all the useful information, and being ready to get into this thing and get it fixed. You were also touching on what the real problem was, which was my server, not the router. You uncovered some potential flaws in the way naming was setup in our network, and a few other things.
Frabble - Accepted Answer - 250 pts for telling me exactly how to configure my router for RDP.
PeteLong - Sorry, but I knew about port 3389 already. You've helped me out before though, and I appreciate that.

If anyone has any objections, please let me know within 24 hours as I'd like to close this post now. Please, if any of you feel the point distribution is unfair, let me know. I've had other posts where the problem was resolved by either me or turned into something different than what it originally looked like. When I went to dole out points, it made people upset. Since the problem was my server, and not the router, I'd like to give you guys a chance to give me some feedback. Otherwise, I'll close the post with what I stated above. Thanks everyone!
0
 
TJworldCommented:
Not sure how contact works but you can email at experts@tjworld.org - glad you got it sorted.
0
 
mckeoughAuthor Commented:
Sweet. Thanks for your help guys!
0
