• Status: Solved

Remote Desktop Connection to a PC inside of LAN

I'm working with a LAN of 2 servers and about 15 workstations. The server has Remote Desktop enabled via System Properties; however, I'm unable to connect to it via the IP that I get from www.whatismyip.com using a Remote Desktop Connection client from Windows XP. The server is Windows 2003 SBS Pack 2. I have disabled the server's Windows firewall as well as temporarily disabled the Symantec firewall policy. My ISP manages my DHCP and I request port 3389 to be forwarded on the local LAN which is the IP of the server I'm trying to connect to. Yet I still have no luck connecting. I have tried other software such as VNC and PCAnywhere for this task, with no luck. What's your advice?
Verify 3389 is open with something like nmap (nmapwin - nmap.org).
Another possibility (and perhaps a safer one than having RD available directly on the public Internet) is to enable RAS on your server (built into SBS); forward port 500 to that server; establish a VPN connection; then open RD.
Do you have more than a single Public IP address available? Outbound traffic could be NAT'd on the whatsmyipaddress address, but 3389 inbound could be open on a different IP address - best check with your ISP.

Can you RDP within the LAN - from a PC on the same subnet to the address?

I would also agree with the comments about RAS, unless you can lock RDP access down to a particular IP address or range.

Are there people that need to get to it from outside your network?
If not, then just have them RDP to the private IP of the server.
Sounds silly, but where are you trying to connect from?
Inside or outside the network?
Also, what firewalls are you using?
Anti-Mhz (Author) Commented:
Since RDP is insecure I will be trying to run UltraVNC on a non-standard port. In this case 6005. I have no issues connecting to the VNC host from inside the network by using a local IP of the system.

I have both firewalls, Windows Firewall and Symantec Endpoint Manager Firewall disabled.

The DHCP is done by my ISP, Cbeyond, where I forwarded port 6005 to IP and opened port 6005 for both inbound and outbound traffic from and to any source.

I'm new to myself, so I'm raising the points and asking a side question. What profile should I use to run localhost on my nmap for a specific range of TCP ports? I have tried default settings with Intense scan and I receive:

Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-06 11:36 Central Daylight Time

Skipping SYN Stealth Scan against localhost ( because Windows does not support scanning your own machine (localhost) this way.

Initiating Service scan at 11:36

Skipping OS Scan against localhost ( because it doesn't work against your own machine (localhost)

SCRIPT ENGINE: Initiating script scanning.

Host localhost ( appears to be up ... good.

0 ports scanned on localhost (

Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds

           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Thanks to all who responded.
RDP is secure. It uses 128-bit encryption by default. UltraVNC, however, is not secure by default. You have to enable the encryption in order for it to be set up. If you don't set VNC up to use encryption it sends clear text passwords and unencrypted session information.
If you cannot connect to your server using remote desktop outside of your network, there could be several things going on.
First of all, you have to allow the public IP on whatever firewall you are using so that it will accept incoming RDP connections. 3389 is the default remote desktop port. That is the port that needs to be opened for any incoming connections to that server. And make sure that your server is set to a static IP regardless of whether it is public or private. DO NOT USE DHCP ON SERVERS! Always statically assign the IP addresses.
Second of all, you say your ISP is providing DHCP services for you. Do you mean they are providing your public IP's or are they managing your entire network for you?
If they are managing your network for you, then there should be a static NAT map from whatever public IP you are using for that server to its private address. Either that or you need to configure a second NIC card in that server and set it with a static IP address of the public IP address you are using. Once that is done, it should be connected to your router or switch. But you have to make sure that you have your public IP set up to route properly on your router.
As far as nmap goes, you aren't running nmap on localhost. The point of using nmap was to run a scan on port 3389 using the public IP address of your RDP server to see if port 3389 is open. If you get a bad response that means that your router or firewall between your internet connection and that server is blocking the default remote desktop support.
That said, you need to contact whoever is managing your network equipment and make sure that (A) port 3389 is allowed to pass traffic and (B) that you either have the appropriate NAT translations or network routes in place in order for the public IP address to be accessed from outside your network and (C) make sure that any security software installed on the server is set to allow incoming Remote Desktop Connections.
Hope this helps.
Anti-Mhz (Author) Commented:
I chose VNC over RDP for an easy escape from using the standard port 3389. I also set it to use encryption. Both of my firewalls are off at the moment and even when they are on I do have rules that allow the traffic to pass both ways. The server is using a static IP. My ISP is managing my entire network and I came here after a couple of tech support calls. I made sure:

a) The ports are forwarded to the static ip of the server
b) The ports are open
c) The local ip of the server has a unique public ip which points to it (I own a block of 5 public ips).

When I whatismyip from the server box it does show the unique public IP that's assigned to it.

I did notice something, IPSEC filter service is turned off on the server. Definition:

Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.

Could this be the issue?

After doing an nmap scan on the public IP, here are the short logs:

Not shown: 65533 closed ports


1720/tcp open  H.323/Q.931?

5060/tcp open  sip-proxy    Cisco SIP Gateway (IOS 12.x)

No sign of 6005 which I have opened for VNC. Does that mean VNC is operating in Stealth or that port is actually CLOSED?

Waiting on your comments. Thanks for your insightful response, ckozloski.
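
Added example, not part of the original thread: a small TCP connect check that separates the three outcomes behind the "closed or stealth?" question above. "Closed" means the address answered and refused the connection, while a dropped (firewalled) port gives no answer at all and times out. The function names and the loopback listener are constructed for illustration.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port with a full connect() (no raw packets needed).

    open     - handshake completed: a service is listening and reachable
    closed   - connection refused (RST): the address answered, nothing listens
    filtered - no answer before the timeout: a firewall or NAT dropped the SYN
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # e.g. no route to host: nothing answered for this port either
        return "filtered"


def demo_on_loopback():
    """Constructed offline demo: a throwaway listener on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_on_loopback())
    # To check a forwarded port, call probe_tcp("<public-ip>", 6005) from a
    # machine OUTSIDE the LAN; <public-ip> is a placeholder, not a real value.
```

A "closed" result for a port you forwarded means the device answering on the public address has no listener or no forward for that port; "filtered" points at a firewall rule dropping the traffic before it gets that far.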

The IPSEC filter on your server should not affect this.
nmap will only tell you what ports have active connections. If a port does not have an active connection it will show as closed.
Can you ping the public IP of your server from the outside?
If you can actually get to the server from outside your network, then you need to start looking at the remote desktop configuration of the server itself. There may be an actual misconfiguration of remote desktop services.
I'm leaning towards that considering you are using VNC on port 6009 which is also a non-standard port and by all rights should be blocked unless you set a specific allow for it in your firewall rules.
The only other thing I would say about using VNC is that it is great for administration but if you have a need for multiple users to work on this server remotely, VNC just won't cut it. It's not designed for that.
I would check out this article, just to make sure you are on the right track with setting up terminal services on your server:
Anti-Mhz (Author) Commented:
Oddest thing. I found out I can't RDP to another PC on my network using the external IP. Yet there is no problem using that external IP outside of the network. I guess I don't understand my network topology all the way. Thanks to all that helped, especially ckozloski.
I can tell you why that doesn't work. If you are trying to get to your public IP from inside your network, and you have a firewall device such as a Cisco PIX or ASA, it is going to drop the packets.
What happens is you send a request from, let's just say that is the IP of your PC, and you are trying to get to, let's say this is your server's external IP, the firewall gets this request and sends it to its outside interface. The outside interface turns around and tries to send it back to the inside interface and do the NAT translation from public to private (I'm assuming that you are using NAT). The firewall then thinks that someone has spoofed your IP address and is trying to hack your network so it won't allow the traffic to pass.
Now, if you want to test your public IP's on your network, you have to have them on a routing device behind the firewall so they never reach the filtering stage from the inside. You will also need to actually have a physical interface with those real IP's on it. You can dual IP your server so that wouldn't be a problem.
