Solved

Cannot Access VPN Client from Main Network

Posted on 2007-04-09
Last Modified: 2013-11-21
Windows XP VPN client accessing Server 2003 SP2 RRAS.

Client has no problems connecting to remote network, can access all remote resources.

Using Terminal Services on server I require access to VPN client printers.  RDP is set to connect printers, however this does not happen.

Problem:  Cannot access VPN client from remote network, no ping, nothing.

DNS, WINS, DHCP all set up properly and working, remote client is listed in WINS (with a RRAS IP) and shows in the domain as a file server.

Please help ASAP.

Cheers,
Ollie
0
Question by:Ollien
5 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 280 total points
ID: 18879720
>>"RDP is set to connect printers, however this does not happen."
Probably the drivers for the client printers have not been added to the terminal server. Have a look at the "check list below"

As for pinging the client computers, are you using the IP assigned by RRAS, rather than their local IP? You should be. If that is not working, are there any software firewalls such as the Windows Firewall enabled on the client PCs? They will block pings by default.

To set up printing with remote desktop:
-On the users workstation when they start the remote desktop connection client, click the options button, and then go to the local resources tab. Check the box for printers and save.
-the drivers for the printer have to be installed on the computer to which you are connecting, assuming they are not native to the operating system. Do not install the printer on the computer to which you are connecting but rather, on the "server" computer, open printers and faxes, on the menu bar go to file, server properties, add, and point to the driver .inf file. You will have to download the drivers first to a temporary folder. If you do this remotely, you should log off and back on before trying to print.
-if still having problems, again on the computer to which you are connecting, go to printers and faxes, on the menu bar go to file, server properties, ports. Look at the port type. If it is a Dot4, you will need to use the following Microsoft fix: http://support.microsoft.com/default.aspx?scid=kb;en-us;q302361
-if it is an option, often connecting the printer to another local computer and sharing it, then connecting to the share rather than having it attached locally, often resolves the problem. If you are using a VPN client this is not always possible, due to routing issues.
-if you are using a USB printer, though it usually works (some multi-function units do not), Microsoft does not officially support USB printing through remote desktop sessions. Vista is supposed to resolve this, though it doesn't help you now.
-avoid PCL6 drivers with terminal services
-Microsoft has released an updated version of the Remote desktop Connection (ver 6) which should be more compatible with USB printers. Certainly offers more USB options, assuming these are compatible with existing O/S's.
http://www.microsoft.com/downloads/details.aspx?familyid=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=en
0
 
LVL 3

Author Comment

by:Ollien
ID: 18879872
Firstly..... Guess who I blame for not being able to access the client... SYMANTEC!

Unawares to me Norton Internet Security was installed on the client and being a prick of a piece of software.  Only doing what it is told I guess.

Although I haven't tried it yet, installing the drivers for RDP seems to be a perfectly adequate solution.  I will give an update once this is tested.

For now I'm installing the printers over the network and accessing them that way.

RobWill, thanks so much for your lightning fast reply.  I'm awarding you all the points I have in my account, sorry it's not more!

Cheers,
Ollie
0
 
LVL 3

Author Comment

by:Ollien
ID: 18879967
Now connected to printers via sharing.... working in a loop fashion...
Client > RDP to Server > Prints via sharing to Client.

Once drivers installed, printers did connect via RDP... all bar one.  Not entirely sure why, may try using the updated RDP client sometime in the future.

Cheers again for all the help.

Ollie
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18879997
Very welcome. If the problem one happens to be a USB printer try the Microsoft "fix" in the link provided.

Must say I am not a fan of many of the Symantec products, they can be a bit of a pain in the neck from time to time.

Thanks Ollie.
Cheers !
--Rob
0
 
LVL 2

Expert Comment

by:couritech
ID: 18880183
Take a look at your client location's modem or router "port forwarding" setup to be sure you are forwarding your RDP requests (port 3389) to the internal client's IP address you are connecting to.

If you are on a DSL or Cable "MODEM" connection at the client VPN side - open your firewall (or) modem interface and check that "port forwarding" rules allow for 3389 to be passed directly to the internal client side PC IP address.

BTW - you cannot ping the client PC directly (pass through pings through the router or modem - unless statically setup for WINS resolution (highly unlikely) will not occur). But you should be able to allow ICMP requests directly on the modem or router for a brief time (then disable ICMP again after establishing you know you are at last able to connect to it) to avoid future ping sweep hacks.

Remember that if your local client VPN side router or modem is set to issue and manage DHCP - you must reserve a static address in the interface for the client IP so it does not change the local internal IP every time the client sets up a network connection (and) remember that only one of these devices can fulfill the local DHCP duties in this network setup.

When you connect to the client (if using terminal server) you also have to be sure in the server RRAS setup that there is no client side IP being issued or that it is setup to issue only the same static IP as assigned by the local VPN router.

On the "client side" (router or modem) hardware firewall settings as well as on the "client PC" software firewall settings you must also set up any required "printer - port settings" (at the printer manufacturer's website you may find a specific port has to be opened to pass traffic in addition to RDP port 3389). If so, be sure to then add a second port forwarding rule (at router and modem if required) and point it to your "client" IP address.

If port 3389 is setup and any printer port is setup in forwarding at the router or gateway correctly to pass traffic to the client side IP, and you still cannot connect then make sure the client IP is "statically" assigned in the modem or router DHCP table.

It can't change on every reboot, so it has to be static. Create a MAC address reservation in the hardware firewall if this is the case (and/or) even manually assign a static IP on the client machine Local Area Connection to match to the same IP reserved address in the router (or modem).

If you have a local "client side" firewall (Windows or any other) then they also have to be set up to allow for the forwarding or allowance of RDP port 3389 traffic to resolve at the client PC. If it's Windows Firewall go to: Control Panel - Windows Firewall - Exceptions (Tab) - Add Port (3389)... or select Remote Desktop Protocol - Save (then) open the Advanced (Tab) choose Local Area Connection - check the Remote Desktop Connection - save - close.

If you use McAfee, Norton or any other software firewall on the client then the same port rule must be set up according to the manufacturer's guidelines to allow RDP traffic or it will refuse the "Inbound" connection.

Next go to Control Panel - System - Remote = check to be sure the "Allow Remote Desktop" is selected and be sure to select a Remote username to allow in then - Save - Close

To be 100% sure you can accept inbound traffic on RDP you may also verify your RDP port has not been modified! Open regedit on the client PC and go to the following key HKLM\System\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp and then check the right window pane for PortNumber (should be 3389) - Close

Be sure to update your client side printer's driver from the manufacturer's website, then be sure you have shared it in the printer setup.

If you still cannot connect then check on this - **Note - If you ever had a copy of Norton firewall or AV installed (and then de-installed it) go to their website and obtain the removal tool and run it (normal uninstall doesn't work 100% on previously reserved printer ports, RDP ports, etc...), get the tool here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039 Reboot after run and then continue RDP setup checks.

Lastly - If you have not already registered your client's address in your terminal server DNS (with a reserved "name to MAC address" and IP) then do so. Make sure your terminal server DHCP setup is set to always provide a static address to that client IP based on its MAC address.

In RRAS be sure you have approved the forwarding for the printer port (and RDP port if different than 3389) information for the client IP in your basic firewall setup if required by the printers sharing guidelines.

On the client machine IP (local) check your ICMP and RDP setup - open your Control Panel - Network Connections - right click Local Area Connection - select Properties and click the Advanced tab -  Windows Firewall - Advanced - choose the ICMP section and choose Allow incoming echo requests.

Do this for any other software firewall (McAfee, etc) you may have then test your connection from the actual VPN router (using the Local Area Connection DHCP page if provided) and test a router to PC ping to the client IP.

If the VPN router can't ping the PC directly then you must have a firewall blocking the ping request on the client PC.... **Note - If you use Zone Alarm free edition - you often will have to test by disabling the firewall on the client PC first - as it blocks the incoming echo requests and does not allow a ping rule creation to take effect unless you make a full program purchase.
 
If you can ping the local VPN PC from the local VPN router, then go back to the terminal server and check the ping to the VPN router.... if it checks out - and port forwarding is set up correctly to pass traffic directly to the client IP address then try RDP again. You should always be able to connect by RDP and use any printer that is shared - as long as any printer port is also set to pass traffic to that local VPN machine IP address in the router port forwarding table.
0
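The reachability and registry checks discussed in this thread can be scripted. The following PowerShell is an added example, not code from any of the posters: run from the terminal server, it separates "ping blocked by a client firewall" from "RDP port unreachable", and `Get-LocalRdpConfig` reads the client's own RDP settings. The function names and the address `192.0.2.10` are placeholders; substitute the RRAS-assigned IP of the VPN client.

```powershell
param(
    [string]$ClientIp = '192.0.2.10',  # placeholder: use the IP RRAS assigned to the VPN client
    [int]$RdpPort = 3389
)

# TCP connect with a timeout, so a silently dropping firewall does not hang the script.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Run on the client PC itself: listening port and whether Remote Desktop is enabled.
function Get-LocalRdpConfig {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    New-Object PSObject -Property @{
        PortNumber = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").PortNumber
        RdpEnabled = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
    }
}

# ICMP echo to the client; a name or route failure counts as "no reply".
$icmpOk = $false
try {
    $reply = (New-Object System.Net.NetworkInformation.Ping).Send($ClientIp, 2000)
    $icmpOk = ($reply.Status -eq 'Success')
} catch { }
$tcpOk = Test-TcpPort -Address $ClientIp -Port $RdpPort

if ($icmpOk -and $tcpOk) {
    "ICMP and TCP $RdpPort both reachable on $ClientIp."
} elseif ($tcpOk) {
    "TCP $RdpPort reachable but ping fails: a client firewall is dropping echo requests only."
} elseif ($icmpOk) {
    "Ping works but TCP $RdpPort is closed: check Remote Desktop is enabled and the port is allowed."
} else {
    "No reply at all: wrong address (not the RRAS one), routing, or a software firewall blocking all inbound traffic."
}
```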