Solved

Remote Desktop Connection to a PC inside of LAN

Posted on 2008-10-06
12
1,499 Views
Last Modified: 2013-11-21
I'm working with a LAN of 2 servers and about 15 workstations. The server has Remote Desktop enabled via System Properties, however I'm unable to connect to it via the IP that I get from www.whatismyip.com using a Remote Desktop Connection client from Windows XP. The server is Windows 2003 SBS Pack 2. I have disabled the server's Windows firewall as well as temporarily disabled the Symantec firewall policy. My ISP manages my DHCP and I requested port 3389 to be forwarded on the local LAN to 10.0.1.100, which is the IP of the server I'm trying to connect to. Yet I still have no luck connecting. I have tried other software such as VNC and PCAnywhere for this task, with no luck. What's your advice?
0
Question by:Anti-Mhz
12 Comments
 
LVL 6

Expert Comment

by:powercram
ID: 22649534
Verify 3389 is open with something like nmap (nmapwin - nmap.org).
0
 
LVL 6

Expert Comment

by:powercram
ID: 22649557
Another possibility (and perhaps a safer one than having RD available directly on the public Internet) is to enable RAS on your server (built into SBS); forward port 500 to that server; establish a VPN connection; then open RD.
0
 
LVL 3

Expert Comment

by:tismetoo
ID: 22649629
Do you have more than a single Public IP address available? Outbound traffic could be NAT'd on the whatsmyipaddress address, but 3389 inbound could be open on a different IP address - best check with your ISP.

Can you RDP within the LAN - from a PC on the same subnet to the 10.0.1.100 address?

I would also agree with the comments about RAS, unless you can lock RDP access down to a particular IP address or range.
0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22649888
Are there people that need to get to it from outside your network?
If not, then just have them RDP to the private IP of the server.
0
 
LVL 3

Expert Comment

by:Dicanio37
ID: 22650869
Sounds silly, but where are you trying to connect from?
Inside or outside the network?
0
 
LVL 3

Expert Comment

by:Dicanio37
ID: 22650887
Also what firewalls are you using?
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22651803
Since RDP is insecure I will be trying to run UltraVNC on a non-standard port, in this case 6005. I have no issues connecting to the VNC host from inside the network by using the local IP of the system, 10.0.1.105:6005

I have both firewalls, Windows Firewall and Symantec Endpoint Manager Firewall disabled.

The DHCP is done by my ISP, Cbeyond, where I forwarded port 6005 to IP 10.0.1.105 and opened port 6005 for both inbound and outbound traffic from and to any source.

I'm new to this myself, so I'm raising the points and asking a side question. What profile should I use to run nmap against localhost for a specific range of TCP ports? I have tried the default settings with Intense scan and I receive:

Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-06 11:36 Central Daylight Time
Skipping SYN Stealth Scan against localhost (127.0.0.1) because Windows does not support scanning your own machine (localhost) this way.
Initiating Service scan at 11:36
Skipping OS Scan against localhost (127.0.0.1) because it doesn't work against your own machine (localhost)
SCRIPT ENGINE: Initiating script scanning.
Host localhost (127.0.0.1) appears to be up ... good.
0 ports scanned on localhost (127.0.0.1)

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)


Thanks to all who responded.
0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22651996
RDP is secure. It uses 128-bit encryption by default. UltraVNC, however, is not secure by default. You have to enable the encryption in order for it to be set up. If you don't set VNC up to use encryption it sends clear text passwords and unencrypted session information.
If you cannot connect to your server using remote desktop outside of your network, there could be several things going on.
First of all, you have to allow the public IP on whatever firewall you are using so that it will accept incoming RDP connections. 3389 is the default remote desktop port. That is the port that needs to be opened for any incoming connections to that server. And make sure that your server is set to a static IP regardless of whether it is public or private. DO NOT USE DHCP ON SERVERS! Always statically assign the IP addresses.
Second of all, you say your ISP is providing DHCP services for you. Do you mean they are providing your public IP's or are they managing your entire network for you?
If they are managing your network for you, then there should be a static NAT map from whatever public IP you are using for that server to its private address. Either that or you need to configure a second NIC card in that server and set it with a static IP address of the public IP address you are using. Once that is done, it should be connected to your router or switch. But you have to make sure that you have your public IP set up to route properly on your router.
As far as nmap goes, you aren't running nmap on localhost. The point of using nmap was to run a scan on port 3389 using the public IP address of your RDP server to see if port 3389 is open. If you get a bad response that means that your router or firewall between your internet connection and that server is blocking the default remote desktop support.
That said, you need to contact whoever is managing your network equipment and make sure that (A) port 3389 is allowed to pass traffic and (B) that you either have the appropriate NAT translations or network routes in place in order for the public IP address to be accessed from outside your network and (C) make sure that any security software installed on the server is set to allow incoming Remote Desktop Connections.
Hope this helps.
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22654687
I chose VNC over RDP for an easy escape from using the standard port 3389. I also set it to use encryption. Both of my firewalls are off at the moment and even when they are on I do have rules that allow the traffic to pass both ways. The server is using a static IP. My ISP manages my entire network and I came here after a couple of tech support calls. I made sure

a) The ports are forwarded to the static IP of the server
b) The ports are open
c) The local IP of the server has a unique public IP which points to it (I own a block of 5 public IPs).

When I check whatismyip from the server box it does show the unique public IP that's assigned to it.


I did notice something, IPSEC filter service is turned off on the server. Definition:

Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.

Could this be the issue?

After doing an nmap scan on the public IP, here are the short logs:

Not shown: 65533 closed ports
PORT     STATE SERVICE      VERSION
1720/tcp open  H.323/Q.931?
5060/tcp open  sip-proxy    Cisco SIP Gateway (IOS 12.x)

No sign of 6005 which I have opened for VNC. Does that mean VNC is operating in stealth or that the port is actually CLOSED?

Waiting on your comments. Thanks for your insightful response ckozloski

0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22654780
The IPSEC filter on your server should not affect this.
nmap will only tell you what ports have active connections. If a port does not have an active connection it will show as closed.
Can you ping the public IP of your server from the outside?
If you can actually get to the server from outside your network, then you need to start looking at the remote desktop configuration of the server itself. There may be an actual misconfiguration of remote desktop services.
I'm leaning towards that considering you are using VNC on port 6009 which is also a non-standard port and by all rights should be blocked unless you set a specific allow for it in your firewall rules.
The only other thing I would say about using VNC is that it is great for administration but if you have a need for multiple users to work on this server remotely, VNC just won't cut it. It's not designed for that.
I would check out this article, just to make sure you are on the right track with setting up terminal services on your server:
http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part1.html
0
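powercram suggested verifying the port with a scanner, and the author's later scan reported "Not shown: 65533 closed ports" with no sign of 6005. The distinction that matters for that question is how a scanner decides a port's state: a connection that is refused (the host answers with a reset) is "closed", meaning the host was reached but nothing is listening there or the forward did not land; a connection attempt that simply times out is "filtered", meaning something in the path dropped it. The following Python script is an added example, not code from the thread; it classifies a TCP port the same way using a plain connect, and demonstrates the "open" and "closed" cases against a local listener and an unbound local port (all addresses and ports in it are constructed for the demo).

```python
import socket
import threading

# Added example: classify a TCP port as "open", "closed" or "filtered"
# with a plain TCP connect, the same states a port scanner reports.
#   open     -> the three-way handshake completed, something is listening
#   closed   -> the host answered with a reset (connection refused)
#   filtered -> no answer before the timeout; a firewall or bad forward dropped it


def check_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # e.g. "network unreachable": for triage this is also a silent path failure
        return "filtered"
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Bind an ephemeral local port and accept connections in the background.

    Returns (server socket, port). Stands in for the RDP/VNC service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed, stop serving
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Return a local port nothing is listening on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the check against a listening port and an unbound port on localhost."""
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    results = {
        "listening port": check_tcp_port("127.0.0.1", open_port),
        "unbound port": check_tcp_port("127.0.0.1", closed_port),
    }
    srv.close()
    return results


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label}: {state}")
```

Run from outside the LAN against the public IP and the forwarded port, a "closed" result means the ISP's edge device reached a host that refused the connection (the forward points at the wrong address or the service is not listening on that port), while "filtered" means the packet was dropped before reaching any host. Running it on the server itself against 127.0.0.1 only proves the service is listening locally, which is the same limitation the localhost nmap run in the thread hit.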
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22659378
Oddest thing. I found out I can't RDP to another PC on my network using the external IP. Yet there is no problem using that external IP outside of the network. I guess I don't understand my network topology all the way. Thanks to all that helped, especially ckozloski
0
 
LVL 4

Accepted Solution

by:
ckozloski earned 500 total points
ID: 22659487
I can tell you why that doesn't work. If you are trying to get to your public IP from inside your network, and you have a firewall device such as a Cisco PIX or ASA, it is going to drop the packets.
What happens is you send a request from 192.168.1.20, let's just say that is the IP of your PC, and you are trying to get to 68.22.13.40, let's say this is your server's external IP, the firewall gets this request and sends it to its outside interface. The outside interface turns around and tries to send it back to the inside interface and do the NAT translation from public to private (I'm assuming that you are using NAT). The firewall then thinks that someone has spoofed your IP address and is trying to hack your network so it won't allow the traffic to pass.
Now, if you want to test your public IP's on your network, you have to have them on a routing device behind the firewall so they never reach the filtering stage from the inside. You will also need to actually have a physical interface with those real IP's on it. You can dual IP your server so that wouldn't be a problem.
0
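The accepted answer describes why an inside client addressing the server's public IP gets dropped: the request is routed toward the outside interface, and when the firewall tries to bring it back in through the public-to-private translation it sees a packet on the outside interface carrying an inside source address, which its anti-spoofing check treats as forged. The simulation below is an added example written for this page, not the thread's own material or any vendor's code. It models a firewall with a static NAT mapping and that anti-spoofing rule, using the illustrative addresses from the answer (192.168.1.20 for the PC, 68.22.13.40 for the public IP) plus assumed values for the server's private address and the firewall's inside address. It reproduces the drop, shows the plain fix ckozloski gave earlier (inside clients use the private IP), and adds one technique the thread does not mention, hairpin (U-turn) NAT, where the firewall rewrites both destination and source so the flow never leaves the inside interface; that last part is the added generalization, not something the answer states.

```python
from dataclasses import dataclass

# Added example: toy model of a NAT firewall with an anti-spoofing check,
# showing why "inside client -> public IP of inside server" is dropped.

# Constructed topology. The two addresses from the accepted answer are kept;
# the private server address and firewall inside address are assumptions.
INSIDE_PREFIX = "192.168.1."        # toy prefix match for "inside" addresses
PUBLIC_IP = "68.22.13.40"            # server's public IP (from the answer)
PRIVATE_IP = "192.168.1.10"          # assumed private address of the server
FW_INSIDE_IP = "192.168.1.1"         # assumed firewall inside interface
STATIC_NAT = {PUBLIC_IP: PRIVATE_IP}  # public -> private static mapping


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def forward(pkt, ingress, hairpin=False):
    """Decide what the firewall does with pkt arriving on ingress ('inside'/'outside').

    Returns (verdict, packet after translation, egress interface or None)."""
    if ingress == "outside":
        # Anti-spoofing: a packet on the outside interface must not claim an inside source.
        if is_inside(pkt.src):
            return ("drop: spoofed inside source on outside interface", pkt, None)
        if pkt.dst in STATIC_NAT:
            return ("forward", Packet(pkt.src, STATIC_NAT[pkt.dst], pkt.dport), "inside")
        return ("drop: no translation for destination", pkt, None)

    # ingress == "inside"
    if pkt.dst in STATIC_NAT:
        if hairpin:
            # Hairpin NAT: rewrite destination to the private address AND source to the
            # firewall's inside address, so the server's reply returns through the firewall.
            return ("forward", Packet(FW_INSIDE_IP, STATIC_NAT[pkt.dst], pkt.dport), "inside")
        # Without hairpin: the public address routes to the outside interface, and the packet
        # re-enters from the outside still carrying its inside source -> anti-spoofing drop.
        return forward(pkt, "outside")
    if is_inside(pkt.dst):
        return ("forward", pkt, "inside")          # plain inside-to-inside traffic
    # Outbound to the Internet: source-translate to the public address.
    return ("forward", Packet(PUBLIC_IP, pkt.dst, pkt.dport), "outside")


def scenarios():
    """The four cases discussed in the thread, as verdict strings."""
    internet_client = "203.0.113.5"   # constructed external address
    lan_pc = "192.168.1.20"
    return {
        "internet -> public IP":        forward(Packet(internet_client, PUBLIC_IP, 3389), "outside")[0],
        "LAN PC -> public IP":          forward(Packet(lan_pc, PUBLIC_IP, 3389), "inside")[0],
        "LAN PC -> public IP, hairpin": forward(Packet(lan_pc, PUBLIC_IP, 3389), "inside", hairpin=True)[0],
        "LAN PC -> private IP":         forward(Packet(lan_pc, PRIVATE_IP, 3389), "inside")[0],
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:32s} {verdict}")
```

The model makes the two halves of the thread's result visible side by side: the same public address works from the Internet and fails from the LAN, and neither the server's firewall settings nor the port forward are involved in that failure. For testing a forward from inside, the reliable options are the ones already in the thread (connect to the private address, or test from a host that is genuinely outside); hairpin NAT is a configuration the edge device's administrator would have to add deliberately.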
