Anti-Mhz asked:
Remote Desktop Connection to a PC inside of LAN

I'm working with a LAN of 2 servers and about 15 workstations. The server has Remote Desktop enabled via System Properties, however I'm unable to connect to it via the IP that I get from www.whatismyip.com using a Remote Desktop Connection client from Windows XP. The server is Windows 2003 SBS Service Pack 2. I have disabled the server's Windows firewall as well as temporarily disabled the Symantec firewall policy. My ISP manages my DHCP and I requested port 3389 to be forwarded on the local LAN to 10.0.1.100, which is the IP of the server I'm trying to connect to. Yet I still have no luck connecting. I have tried other software such as VNC and PCAnywhere for this task, with no luck. What's your advice?
powercram:

Verify 3389 is open with something like nmap (nmapwin - nmap.org).
Another possibility (and perhaps a safer one than having RD available directly on the public Internet) is to enable RAS on your server (built into SBS); forward port 500 to that server; establish a VPN connection; then open RD.
Do you have more than a single Public IP address available? Outbound traffic could be NAT'd on the whatsmyipaddress address, but 3389 inbound could be open on a different IP address - best check with your ISP.

Can you RDP within the LAN - from a PC on the same subnet to the 10.0.1.100 address?

I would also agree with the comments about RAS, unless you can lock RDP access down to a particular IP address or range.
Are there people that need to get to it from outside your network?
If not, then just have them RDP to the private IP of the server.
Sounds silly, but where are you trying to connect from?
Inside or outside the network?
Also, what firewalls are you using?
Anti-Mhz (asker):

Since RDP is insecure I will be trying to run UltraVNC on a non-standard port, in this case 6005. I have no issues connecting to the VNC host from inside the network by using the local IP of the system, 10.0.1.105:6005.

I have both firewalls, Windows Firewall and Symantec Endpoint Manager Firewall disabled.

The DHCP is done by my ISP, Cbeyond, where I forwarded port 6005 to IP 10.0.1.105 and opened port 6005 for both inbound and outbound traffic from and to any source.

I'm new to this myself, so I'm raising the points and asking a side question. What profile should I use to run nmap against localhost for a specific range of TCP ports? I have tried the default settings with Intense scan and I receive:



Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-06 11:36 Central Daylight Time

Skipping SYN Stealth Scan against localhost (127.0.0.1) because Windows does not support scanning your own machine (localhost) this way.

Initiating Service scan at 11:36

Skipping OS Scan against localhost (127.0.0.1) because it doesn't work against your own machine (localhost)

SCRIPT ENGINE: Initiating script scanning.

Host localhost (127.0.0.1) appears to be up ... good.

0 ports scanned on localhost (127.0.0.1)



Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds

           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)



Thanks to all who responded.
RDP is secure. It uses 128-bit encryption by default. UltraVNC, however, is not secure by default. You have to enable the encryption in order for it to be set up. If you don't set VNC up to use encryption it sends clear text passwords and unencrypted session information.
If you cannot connect to your server using remote desktop outside of your network, there could be several things going on.
First of all, you have to allow the public IP on whatever firewall you are using so that it will accept incoming RDP connections. 3389 is the default remote desktop port. That is the port that needs to be opened for any incoming connections to that server. And make sure that your server is set to a static IP regardless of whether it is public or private. DO NOT USE DHCP ON SERVERS! Always statically assign the IP addresses.
Second of all, you say your ISP is providing DHCP services for you. Do you mean they are providing your public IP's or are they managing your entire network for you?
If they are managing your network for you, then there should be a static NAT map from whatever public IP you are using for that server to its private address. Either that or you need to configure a second NIC card in that server and set it with a static IP address of the public IP address you are using. Once that is done, it should be connected to your router or switch. But you have to make sure that you have your public IP set up to route properly on your router.
As far as nmap goes, you aren't running nmap on localhost. The point of using nmap was to run a scan on port 3389 using the public IP address of your RDP server to see if port 3389 is open. If you get a bad response that means that your router or firewall between your internet connection and that server is blocking the default remote desktop support.
That said, you need to contact whoever is managing your network equipment and make sure that (A) port 3389 is allowed to pass traffic and (B) that you either have the appropriate NAT translations or network routes in place in order for the public IP address to be accessed from outside your network and (C) make sure that any security software installed on the server is set to allow incoming Remote Desktop Connections.
Hope this helps.
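An added example, not from any poster in this thread, of the check described above: whether a forwarded port actually accepts a TCP connection when probed from outside the LAN, and whether the service answering is VNC (which sends its "RFB" version string first) or a silent protocol like RDP (where the client speaks first). The loopback listener is a constructed stand-in for UltraVNC so the probe can be demonstrated offline; in practice you would run probe_tcp_port from a host outside the network against the public IP and port.

```python
import socket
import threading

# Probe one TCP port the way the thread suggests for 3389/6005. Returns
# (state, banner): "open", "closed" (connection refused) or "filtered"
# (timeout/unreachable, i.e. a firewall or missing NAT rule drops the packets).
def probe_tcp_port(host, port, timeout=3.0):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return "closed", b""
    except OSError:  # timeout, no route, network unreachable
        sock.close()
        return "filtered", b""
    banner = b""
    try:
        # VNC servers speak first ("RFB 003.008\n"); RDP waits for the client's
        # X.224 request, so an open 3389 legitimately returns an empty banner.
        banner = sock.recv(64)
    except OSError:
        pass
    sock.close()
    return "open", banner

def classify_banner(banner):
    """Map the first bytes read to the kind of service answering."""
    if banner.startswith(b"RFB "):
        return "vnc"
    if banner == b"":
        return "silent"
    return "unknown"

# Constructed stand-in for UltraVNC: a loopback listener that answers one
# connection with the RFB version string, then shuts down.
def start_fake_vnc_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"RFB 003.008\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port
```

A "filtered" result from outside, combined with "open" from inside the LAN (as the asker sees on 10.0.1.105:6005), points at the NAT/firewall path rather than the server.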
I chose VNC over RDP for an easy escape from using the standard port 3389. I also set it to use encryption. Both of my firewalls are off at the moment, and even when they are on I do have rules that allow the traffic to pass both ways. The server is using a static IP. My ISP manages my entire network and I came here after a couple of tech support calls. I made sure

a) The ports are forwarded to the static ip of the server
b) The ports are open
c) The local ip of the server has a unique public ip which points to it (I own a block of 5 public ips).


When I run whatismyip from the server box it does show the unique public IP that's assigned to it.


I did notice something, IPSEC filter service is turned off on the server. Definition:

Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.

Could this be the issue?

after doing nmap scan on the public ip, here are the short logs:

Not shown: 65533 closed ports

PORT     STATE SERVICE      VERSION

1720/tcp open  H.323/Q.931?

5060/tcp open  sip-proxy    Cisco SIP Gateway (IOS 12.x)

No sign of 6005 which I have opened for VNC. Does that mean VNC is operating in Stealth or that port is actually CLOSED?

Waiting on your comments. Thanks for your insightful response ckozloski

The IPSEC filter on your server should not affect this.
nmap will only tell you what ports have active connections. If a port does not have an active connection it will show as closed.
Can you ping the public IP of your server from the outside?
If you can actually get to the server from outside your network, then you need to start looking at the remote desktop configuration of the server itself. There may be an actual misconfiguration of remote desktop services.
I'm leaning towards that considering you are using VNC on port 6009 which is also a non-standard port and by all rights should be blocked unless you set a specific allow for it in your firewall rules.
The only other thing I would say about using VNC is that it is great for administration but if you have a need for multiple users to work on this server remotely, VNC just won't cut it. It's not designed for that.
I would check out this article, just to make sure you are on the right track with setting up terminal services on your server:
http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part1.html
Oddest thing. I found out I can't RDP to another PC on my network using the external IP. Yet there is no problem using that external IP from outside of the network. I guess I don't understand my network topology all the way. Thanks to all that helped, especially ckozloski.
ASKER CERTIFIED SOLUTION: ckozloski