Cannot Access VPN Client from Main Network

Windows XP VPN client accessing Server 2003 SP2 RRAS.

Client has no problems connecting to remote network, can access all remote resources.

Using Terminal Services on server I require access to VPN client printers.  RDP is set to connect printers, however this does not happen.

Problem:  Cannot access VPN client from remote network, no ping, nothing.

DNS, WINS, DHCP all set up properly and working, remote client is listed in WINS (with a RRAS IP) and shows in the domain as a file server.

Please help ASAP.


Rob Williams Commented:
>>"RDP is set to connect printers, however this does not happen."
Probably the drivers for the client printers have not been added to the terminal server. Have a look at the "check list below".

As for pinging the client computers, are you using the IP assigned by RRAS, rather than their local IP? You should be. If that is not working, are there any software firewalls, such as the Windows Firewall, enabled on the client PCs? They will block pings by default.

To set up printing with remote desktop:
-On the user's workstation when they start the remote desktop connection client, click the options button, and then go to the local resources tab. Check the box for printers and save.
-the drivers for the printer have to be installed on the computer to which you are connecting, assuming they are not native to the operating system. Do not install the printer on the computer to which you are connecting but rather; on the "server" computer, open printers and faxes, on the menu bar go to file, server properties, add, and point to the driver .inf file. You will have to download the drivers first to a temporary folder. If you do this remotely, you should log off and back on before trying to print.
-if still having problems, again on the computer to which you are connecting, go to printers and faxes, on the menu bar go to file, server properties, ports. Look at the port type. If it is a Dot4, you will need to use the following Microsoft fix:;en-us;q302361
-if it is an option, often connecting the printer to another local computer and sharing it, then connecting to the share rather than having it attached locally, often resolves the problem. If you are using a VPN client this is not always possible, due to routing issues.
-if you are using a USB printer, though it usually works (some multi-function units do not), Microsoft does not officially support USB printing through remote desktop sessions. Vista is supposed to resolve this, though it doesn't help you now.
-avoid PCL6 drivers with terminal services
-Microsoft has released an updated version of the Remote desktop Connection (ver 6) which should be more compatible with USB printers. Certainly offers more USB options, assuming these are compatible with existing O/S's.

Ollien (Author) Commented:
Firstly..... Guess who I blame for not being able to access the client... SYMANTEC!

Unawares to me Norton Internet Security was installed on the client and being a prick of a piece of software.  Only doing what it is told I guess.

Although I haven't tried it yet, installing the drivers for RDP seems to be a perfectly adequate solution.  I will give an update once this is tested.

For now I'm installing the printers over the network and accessing them that way.

RobWill, thanks so much for your lightning fast reply.  I'm awarding you all the points I have in my account, sorry it's not more!

Ollien (Author) Commented:
Now connected to printers via sharing.... working in a loop fashion...
Client > RDP to Server > Prints via sharing to Client.

Once drivers installed, printers did connect via RDP... all bar one.  Not entirely sure why, may try using the updated RDP client sometime in the future.

Cheers again for all the help.

Rob Williams Commented:
Very welcome. If the problem one happens to be a USB printer try the Microsoft "fix" in the link provided.

Must say I am not a fan of many of the Symantec products, they can be a bit of a pain in the neck from time to time.

Thanks Ollie.
Cheers !
Take a look at your client location's modem or router "port forwarding" setup to be sure you are forwarding your RDP requests (port 3389) to the internal client's IP address you are connecting to.

If you are on a DSL or Cable "MODEM" connection at the client VPN side - open your firewall (or) modem interface and check that "port forwarding" rules allow for 3389 to be passed directly to the internal client side PC IP address.

BTW - you cannot ping the client PC directly (pass through pings through the router or modem - unless statically setup for WINS resolution (highly unlikely) will not occur). But you should be able to allow ICMP requests directly on the modem or router for a brief time (then disable ICMP again after establishing you know you are at last able to connect to it) to avoid future ping sweep hacks.

Remember that if your local client VPN side router or modem is set to issue and manage DHCP - you must reserve a static address in the interface for the client IP so it does not change the local internal IP every time the client sets up a network connection (and) remember that only one of these devices can fulfill the local DHCP duties in this network setup.

When you connect to the client (if using terminal server) you also have to be sure in the server RRAS setup that there is no client side IP being issued or that it is setup to issue only the same static IP as assigned by the local VPN router.

On the "client side" (router or modem) hardware firewall settings as well as on the "client PC" software firewall settings you must also set up any required "printer - port settings" (at the printer manufacturer's website you may find a specific port has to be opened to pass traffic in addition to RDP port 3389). If so, be sure to then add a second port forwarding rule (at router and modem if required) and point it to your "client" IP address.

If port 3389 is setup and any printer port is setup in forwarding at the router or gateway correctly to pass traffic to the client side IP, and you still cannot connect then make sure the client IP is "statically" assigned in the modem or router DHCP table.

It can't change on every reboot, so it has to be static. Create a MAC address reservation in the hardware firewall if this is the case (and/or) even manually assign a static IP on the client machine Local Area Connection to match to the same IP reserved address in the router (or modem).

If you have a local "client side" firewall (Windows or any other) then they also have to be set up to allow for the forwarding or allowance of RDP port 3389 traffic to resolve at the client PC. If it's Windows Firewall go to: Control panel - Windows firewall - exceptions (Tab) - Add Port (3389)... or select Remote Desktop Protocol - Save (then) open the Advanced (Tab) choose Local Area Connection - check the Remote Desktop Connection - save - close.

If you use McAfee, Norton or any other software firewall on the client then the same port rule must be set up according to the manufacturer's guidelines to allow RDP traffic or it will refuse the "Inbound" connection.

Next go to Control Panel - System - Remote = check to be sure the "Allow Remote Desktop" is selected and be sure to select a Remote username to allow in then - Save - Close

To be 100% sure you can accept inbound traffic on RDP you may also verify your RDP port has not been modified! Open regedit on the client PC and go to the following key HKLM\System\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp and then check the right window pane for PortNumber (should be 3389) - Close

Be sure to update your client side printer's driver from the manufacturer's website, then be sure you have shared it in the printer setup.

If you still cannot connect then check on this - **Note - If you ever had a copy of Norton firewall or AV installed (and then de-installed it) go to their website and obtain the removal tool and run it (normal uninstall doesn't work 100% on previously reserved printer ports, RDP ports, etc...), get the tool here. Reboot after run and then continue RDP setup checks.

Lastly - If you have not already registered your client's address in your terminal server DNS (with a reserved "name to MAC address" and IP) then do so. Make sure your terminal server DHCP setup is set to always provide a static address to that client IP based on its MAC address.

In RRAS be sure you have approved the forwarding for the printer port (and RDP port if different than 3389) information for the client IP in your basic firewall setup if required by the printer's sharing guidelines.

On the client machine IP (local) check your ICMP and RDP setup - open your Control Panel - Network Connections - right click Local Area Connection - select Properties and click the Advanced tab -  Windows Firewall - Advanced - choose the ICMP section and choose Allow incoming echo requests.

Do this for any other software firewall (McAfee, etc) you may have then test your connection from the actual VPN router (using the Local Area Connection DHCP page if provided) and test a router to PC ping to the client IP.

If the VPN router can't ping the PC directly then you must have a firewall blocking the ping request on the client PC.... **Note - If you use Zone Alarm free edition - you often will have to test by disabling the firewall on the client PC first - as it blocks the incoming echo requests and does not allow a ping rule creation to take effect unless you make a full program purchase.
If you can ping the local VPN PC from the local VPN router, then go back to the terminal server and check the ping to the VPN router.... if it checks out - and port forwarding is set up correctly to pass traffic directly to the client IP address then try RDP again. You should always be able to connect by RDP and use any printer that is shared - as long as any printer port is also set to pass traffic to that local VPN machine IP address in the router port forwarding table.
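
The checks in this thread come down to one question: is the VPN client unreachable, firewalled, or simply not listening? As an added example (not posted by anyone in this thread), the Python script below probes the RDP port on the client's RRAS-assigned address and maps each outcome to the check it points at. The function names and the sample address are assumptions made for the illustration.

```python
import socket
import sys

RDP_PORT = 3389  # default from the thread; the registry PortNumber value may differ

# What each probe result points at, using the checks named in the thread.
NEXT_CHECK = {
    "open": "RDP is reachable; a failed ping only means ICMP echo is blocked.",
    "closed": "Host answers but nothing listens: check 'Allow Remote Desktop' "
              "and the PortNumber registry value.",
    "filtered": "No reply: check the software firewall on the client, then "
                "that you are using the RRAS-assigned IP and routing.",
}


def probe_tcp(host, port=RDP_PORT, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP connect attempt.

    host should be an IP address (the one RRAS assigned to the VPN client).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed
    except ConnectionRefusedError:
        return "closed"          # host sent a reset: reachable, no listener
    except OSError:
        return "filtered"        # timeout or unreachable: dropped on the way


def diagnose(host, port=RDP_PORT, timeout=3.0):
    """Probe the port and return (state, next check to make)."""
    state = probe_tcp(host, port, timeout)
    return state, NEXT_CHECK[state]


if __name__ == "__main__":
    # 192.0.2.10 is a constructed placeholder (documentation range);
    # pass the client's RRAS-assigned address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    state, advice = diagnose(target)
    print(f"{target}:{RDP_PORT} is {state}. {advice}")
```

A firewall that rejects connections instead of silently dropping them also shows up as "closed", so in that case check both the listener and the firewall rule.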
Question has a verified solution.