

Remote Desktop Connection to a PC inside of LAN

Posted on 2008-10-06
Medium Priority
Last Modified: 2013-11-21
I'm working with a LAN of 2 servers and about 15 workstations. The server has Remote Desktop enabled via System Properties; however, I'm unable to connect to it via the IP that I get from www.whatismyip.com using a Remote Desktop Connection client from Windows XP. The server is Windows 2003 SBS Pack 2. I have disabled the server's Windows firewall as well as temporarily disabled the Symantec firewall policy. My ISP manages my DHCP and I request port 3389 to be forwarded on the local LAN which is the IP of the server I'm trying to connect to. Yet I still have no luck connecting. I have tried other software such as VNC and PCAnywhere for this task, with no luck. What's your advice?
Question by:Anti-Mhz

Expert Comment

ID: 22649534
Verify 3389 is open with something like nmap (nmapwin - nmap.org).

Expert Comment

ID: 22649557
Another possibility (and perhaps a safer one than having RD available directly on the public Internet) is to enable RAS on your server (built into SBS); forward port 500 to that server; establish a VPN connection; then open RD.

Expert Comment

ID: 22649629
Do you have more than a single Public IP address available? Outbound traffic could be NAT'd on the whatsmyipaddress address, but 3389 inbound could be open on a different IP address - best check with your ISP.

Can you RDP within the LAN - from a PC on the same subnet to the address?

I would also agree with the comments about RAS, unless you can lock RDP access down to a particular IP address or range.


Expert Comment

ID: 22649888
Are there people that need to get to it from outside your network?
If not, then just have them RDP to the private IP of the server.

Expert Comment

ID: 22650869
Sounds silly, but where are you trying to connect from?
Inside or outside the network?

Expert Comment

ID: 22650887
Also, what firewalls are you using?

Author Comment

ID: 22651803
Since RDP is insecure I will be trying to run UltraVNC on a non-standard port. In this case 6005. I have no issues connecting to the VNC host from inside the network by using a local IP of the system.

I have both firewalls, Windows Firewall and Symantec Endpoint Manager Firewall disabled.

The DHCP is done by my ISP, Cbeyond, where I forwarded port 6005 to IP and opened port 6005 for both inbound and outbound traffic from and to any source.

I'm new to myself, so I'm raising the points and asking a side question. What profile should I use to run localhost on my nmap for a specific range of TCP ports? I have tried default settings with Intense scan and I receive:

Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-06 11:36 Central Daylight Time

Skipping SYN Stealth Scan against localhost ( because Windows does not support scanning your own machine (localhost) this way.

Initiating Service scan at 11:36

Skipping OS Scan against localhost ( because it doesn't work against your own machine (localhost)

SCRIPT ENGINE: Initiating script scanning.

Host localhost ( appears to be up ... good.

0 ports scanned on localhost (

Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds

           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Thanks to all who responded.

Expert Comment

ID: 22651996
RDP is secure. It uses 128-bit encryption by default. UltraVNC, however, is not secure by default. You have to enable the encryption in order for it to be set up. If you don't set VNC up to use encryption it sends clear text passwords and unencrypted session information.
If you cannot connect to your server using remote desktop outside of your network, there could be several things going on.
First of all, you have to allow the public IP on whatever firewall you are using so that it will accept incoming RDP connections. 3389 is the default remote desktop port. That is the port that needs to be opened for any incoming connections to that server. And make sure that your server is set to a static IP regardless of whether it is public or private. DO NOT USE DHCP ON SERVERS! Always statically assign the IP addresses.
Second of all, you say your ISP is providing DHCP services for you. Do you mean they are providing your public IP's or are they managing your entire network for you?
If they are managing your network for you, then there should be a static NAT map from whatever public IP you are using for that server to its private address. Either that or you need to configure a second NIC card in that server and set it with a static IP address of the public IP address you are using. Once that is done, it should be connected to your router or switch. But you have to make sure that you have your public IP set up to route properly on your router.
As far as nmap goes, you aren't running nmap on localhost. The point of using nmap was to run a scan on port 3389 using the public IP address of your RDP server to see if port 3389 is open. If you get a bad response that means that your router or firewall between your internet connection and that server is blocking the default remote desktop support.
That said, you need to contact whoever is managing your network equipment and make sure that (A) port 3389 is allowed to pass traffic and (B) that you either have the appropriate NAT translations or network routes in place in order for the public IP address to be accessed from outside your network and (C) make sure that any security software installed on the server is set to allow incoming Remote Desktop Connections.
Hope this helps.

Author Comment

ID: 22654687
I chose VNC over RDP for an easy escape from using the standard port 3389. I also set it to use encryption. Both of my firewalls are off at the moment and even when they are on I do have rules that allow the traffic to pass both ways. The server is using a static IP. My ISP is managing my entire network and I came here after a couple of tech support calls. I made sure:

a) The ports are forwarded to the static IP of the server
b) The ports are open
c) The local IP of the server has a unique public IP which points to it (I own a block of 5 public IPs).

When I whatismyip from the server box it does show the unique public IP that's assigned to it.

I did notice something, IPSEC filter service is turned off on the server. Definition:

Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.

Could this be the issue?

After doing an nmap scan on the public IP, here are the short logs:

Not shown: 65533 closed ports


1720/tcp open  H.323/Q.931?

5060/tcp open  sip-proxy    Cisco SIP Gateway (IOS 12.x)

No sign of 6005 which I have opened for VNC. Does that mean VNC is operating in Stealth or that port is actually CLOSED?

Waiting on your comments. Thanks for your insightful response, ckozloski.
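Added example, not part of the original thread: a small Python reader for the Nmap report lines quoted in the post above, showing how a port that is not listed (6005 here) takes its state from the "Not shown" summary line. The function names are hypothetical, the sample is built from the quoted lines, and the state descriptions follow Nmap's documented port states.

```python
import re

# Constructed sample: the lines the poster quoted from the scan of the public IP.
SAMPLE_REPORT = """\
Not shown: 65533 closed ports
1720/tcp open  H.323/Q.931?
5060/tcp open  sip-proxy    Cisco SIP Gateway (IOS 12.x)
"""

# What each Nmap state says about a forwarded port (Nmap's documented port states).
MEANING = {
    "open": "a service accepted the connection",
    "closed": "the probe was answered with a TCP reset: the address is reachable "
              "but nothing is listening or forwarded on this port",
    "filtered": "no reply came back: a firewall or ACL is dropping the probe",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)", re.M)
NOT_SHOWN = re.compile(r"(\d+) ([a-z|]+) (?:tcp |udp )?ports")


def parse_report(text):
    """Return (listed, unlisted): explicit port states and the 'Not shown' states."""
    listed = {(int(p), proto): state for p, proto, state in PORT_LINE.findall(text)}
    unlisted = []
    for line in text.splitlines():
        if line.strip().startswith("Not shown:"):
            unlisted += [state for _, state in NOT_SHOWN.findall(line)]
    return listed, unlisted


def port_state(text, port, proto="tcp"):
    """State of one port, falling back to the 'Not shown' summary when unlisted."""
    listed, unlisted = parse_report(text)
    if (port, proto) in listed:
        return listed[(port, proto)]
    if len(unlisted) == 1:
        return unlisted[0]
    return "unknown"  # several hidden states (or none): the report cannot say which


def explain(text, port):
    """One-line verdict for a port, e.g. the VNC port the poster forwarded."""
    state = port_state(text, port)
    return f"{port}/tcp is {state}: {MEANING.get(state, 'not determinable from this report')}"


if __name__ == "__main__":
    for p in (6005, 5060, 3389):
        print(explain(SAMPLE_REPORT, p))
```

For the quoted report, 6005 resolves to closed rather than filtered: something at the public address answered the probe, but no listener or port forward was reached on 6005.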


Expert Comment

ID: 22654780
The IPSEC filter on your server should not affect this.
nmap will only tell you what ports have active connections. If a port does not have an active connection it will show as closed.
Can you ping the public IP of your server from the outside?
If you can actually get to the server from outside your network, then you need to start looking at the remote desktop configuration of the server itself. There may be an actual misconfiguration of remote desktop services.
I'm leaning towards that considering you are using VNC on port 6009 which is also a non-standard port and by all rights should be blocked unless you set a specific allow for it in your firewall rules.
The only other thing I would say about using VNC is that it is great for administration but if you have a need for multiple users to work on this server remotely, VNC just won't cut it. It's not designed for that.
I would check out this article, just to make sure you are on the right track with setting up terminal services on your server:

Author Comment

ID: 22659378
Oddest thing. I found out I can't RDP to another PC on my network using the external IP. Yet there is no problem using that external IP outside of the network. I guess I don't understand my network topology all the way. Thanks to all that helped, especially ckozloski.

Accepted Solution

ckozloski earned 2000 total points
ID: 22659487
I can tell you why that doesn't work. If you are trying to get to your public IP from inside your network, and you have a firewall device such as a Cisco PIX or ASA, it is going to drop the packets.
What happens is you send a request from, let's just say that is the IP of your PC, and you are trying to get to, let's say this is your server's external IP, the firewall gets this request and sends it to its outside interface. The outside interface turns around and tries to send it back to the inside interface and do the NAT translation from public to private (I'm assuming that you are using NAT). The firewall then thinks that someone has spoofed your IP address and is trying to hack your network so it won't allow the traffic to pass.
Now, if you want to test your public IPs on your network, you have to have them on a routing device behind the firewall so they never reach the filtering stage from the inside. You will also need to actually have a physical interface with those real IPs on it. You can dual IP your server so that wouldn't be a problem.
