knowprob

How can I get remote desktop to work with a Netgear Prosafe Firewall VPN router?
We recently replaced the router in the building. Since replacing it, the three users who logged into Remote Desktop from home cannot access it anymore.
I have set up three services in the firewall area of the router. These are configured for TCP and for the corresponding port that each PC is listening for RD connections on. Example: ports 3389, 3390, and 3391.
I then created Inbound rules using each of these custom-made services, made the action "Always Allow" and set the "Send to LAN server" option to the LAN IP of the client. I have enabled (and also tried disabling) the option to "Translate to port number" to the correct port each client is using, but to no avail. It's not letting me connect at all. Any help?


knowprob (ASKER)

I also did not mention that we also installed a new server in the building, an SBS 2008 server that acts as the DHCP and DNS server. Could that somehow be interfering with the RD connections as well? I would think that all we need is a simple passthrough rule on the router (like I specified earlier). And yes, those three clients have static LAN IPs.

So you do have a rule on the external side of the firewall that allows incoming destination port 3389 from any source to the external IP?

also - never worked with this particular firewall but do you know if it has logging capability?  If it is logging can you look at the logs to see what messages are being logged during a failed attempt to connect?


also - what are they RDPing to?  The new SBS?

rcflyr

Just some advice, using RDP over the internet is asking for trouble.  Besides the fact that the protocol isn't secure, you are open to any new exploits that may come out for it.

What I use is a cheap Linux box with SSH enabled (usually on a high port).  I will do a NAT (more specifically a PAT) to this Linux box to allow remote SSH connections.  Then you can use a program like PuTTY to do an SSH tunnel to the computers on the inside of your network.

For example, I will tunnel my local port 3392 to something like 172.16.0.10:3389.  Then when I connect my remote desktop connection I can just use localhost:3392 and up pops the remote desktop (secured with SSH).  You can read more about PuTTY and tunnels here: http://oldsite.precedence.co.uk/nc/putty.html
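
The tunnel described in the post above, written for the OpenSSH client rather than PuTTY. This is an added example, not part of the original thread; the gateway name, user, SSH port and the second set of forwards are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an OpenSSH command that forwards loopback-only local
# ports to RDP listeners behind an SSH gateway, so no RDP port is exposed on
# the router. GATEWAY and GATEWAY_PORT are assumed values.

GATEWAY="admin@gw.example.com"   # assumed SSH gateway (the small Linux box)
GATEWAY_PORT=22022               # assumed high SSH port forwarded by the router

# valid_port N -> succeeds when N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd LPORT:HOST:RPORT ... -> prints the ssh command line
tunnel_cmd() {
    # -N: no remote shell, forwarding only.
    # ExitOnForwardFailure: fail loudly if a local port cannot be bound.
    cmd="ssh -N -p $GATEWAY_PORT -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        lport=${spec%%:*}; rest=${spec#*:}
        host=${rest%%:*};  rport=${rest#*:}
        valid_port "$lport" && valid_port "$rport" || {
            echo "bad port in '$spec'" >&2; return 1; }
        # Accept IPv4 literals only; anything else is rejected.
        case $host in ''|*[!0-9.]*) echo "bad host in '$spec'" >&2; return 1 ;; esac
        # Bind to 127.0.0.1 so other machines on the remote user's network
        # cannot reach the forwarded RDP port.
        cmd="$cmd -L 127.0.0.1:$lport:$host:$rport"
    done
    echo "$cmd $GATEWAY"
}

# The forward from the post: local 3392 -> 172.16.0.10:3389
tunnel_cmd 3392:172.16.0.10:3389
# Several workstations over one SSH session (constructed pairing of LAN IPs
# and RDP ports; the local port numbers are arbitrary)
tunnel_cmd 13389:192.168.1.175:3389 13390:192.168.1.176:3390
```

Run the printed command, then point the Remote Desktop client at `localhost:3392` (or the other local port). With this in place the router needs a single inbound rule for the SSH port instead of one per workstation.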

I agree with rcflyr, you are exposed with the solution you have been using.  I use a Cisco ASA 5505 that I have configured to terminate VPN connections using the SSL protocol with the Cisco AnyConnect client.  I then RDP through an encrypted SSL tunnel.


emilgas

I agree with whatever was mentioned above. But that's a completely different issue, and I believe we are not talking about security. After we figure out what's going on, then we'll focus on the security issues.
Ok, I see that you mentioned you had 3 clients trying to RDP. None of them connect or there is at least one that connects. I believe RDP allows only two remote connections. If you have more than one then you need Terminal Server Setup. What is the error message the end users get?
I believe that the firewall was set up correctly, but whatever port mappings you created isn't the issue. The problem is somewhere else.

I am trying to RDP into client machines, not the server.

I had all three of them logged in before. I simply changed the port each PC listens to in the registry.

The only things that have changed are that we installed a new SBS 2008 server and that we installed a new Netgear Prosafe VPN Firewall router.

The server is acting as both DHCP and DNS. The router has a static IP and DHCP disabled.

The error message the clients get is: This computer can't connect to the remote computer.

emilgas

You said that you are trying to RDP into the client machines, right? Tell me from where to where? Basically you are trying to RDP from outside of the network into 3 different Windows XP machines, each running RDP?
Oh, in that case the IP addresses changed on the 3 Windows machines. You didn't mention that your new SBS 2008 server is the new DHCP. I assume those 3 machines didn't have static IP addresses back then. Therefore, for sure the new DHCP assigned new IP addresses. When you change DHCP servers, all the previous bindings change.
The reason it used to work was because your XP always got the same IPs, and that's because DHCP servers like to assign the same IP every time it's possible. So even though they are set to DHCP they are almost like static, since you don't have too many laptops and there isn't a need to assign that particular IP to another computer. But now it is a new DHCP server and for sure things changed.


Actually, all three PC's have static IP's. The DHCP scope is 192.168.1.100 to 192.168.1.150. The IP's involved are 1.175/176/177.

emilgas

Can you do a screenshot of the page where you configured the inbound rules for the RDP? I have a feeling something got changed.
Also, I would want you to RDP to those machines from local network. That way you can eliminate the fact that there is something wrong with the machines.

I am getting the same error when I try to create RDP connections to computers while inside the LAN.

Is there a policy in SBS 2008 that blocks RDP?

I know that SBS 2008 has that Remote Workplace feature but that doesn't do much if you want a client to connect to their local PC.


emilgas

Good, now at least we know that the problem is not the configuration of your router and now we can start troubleshooting the workstations.
Here is what you have to try...
Try to connect to the PC that you didn't modify the port it listens on from the registry. I believe it is the one with 3389. For now leave the other two (3390 and 3391) computers alone. Can you RDP to that PC?
Let me know

Ok, here's some more information for you.

I am at home but I just connected to the server through RDP. I used this address:

xxx.xxx.xxx.xxx:3389        (The x's are my external IP)

It let me login to the server remotely.

Once in the server, I tried connecting to the clients from inside the RDP connection. (So as to test it "locally")

I could not connect to the client PC's via their external IP with the port at the end.

I COULD connect to the client PC's via their internal IP with the port at the end.

I am thinking this is a GPO issue for some reason. Nothing at all has changed on the clients.

Does accessing internal workstations on an SBS 2008 network now require some kind of GPO setting to be enabled? Or is it running through Terminal Services now? It just seems like SBS 2008 wants to control who has access to RD on the workstations from the outside world.

emilgas

Whatever you just said sounds very normal. From the server you should only be able to RDP to the workstations using the internal IP and not the external. From the outside you should be able to RDP using the external ip:3390 and 3391.
One thing I noticed is when you said you did the external IP:3389 it connected you to the server? Is that correct?
Can you print screen the router configuration page? I want to see how the ports are configured and how they are forwarded. That's where your problem is.
It has nothing to do with GPO, trust me.


Here are the services I set up for each RD client, then the Inbound Firewall Rule I created for each service (which routes it to the appropriate LAN IP):
services.gif
Rules.gif

emilgas

Ok, so from the 192.168.1.175 machine can you RDP to the 192.168.1.176 using 3391 port?
And then to 192.168.1.176 to port 3392? Do they work?
Also I didn't see any port forwarding for 3389. How do you access your server from outside when you don't have 3389 in there? Is there a chance you made your server DMZ? If yes, then that's your problem right there.
And from outside, do you have the right public IP address?

I will have to try from PC to PC when I am on-site.

As for the server, it is not in the DMZ.

I do have the correct external IP address.


emilgas

OK let me know when you tried from PC to PC

ASKER CERTIFIED SOLUTION
iworks-uworks


SBS 2008 has the firewall enabled by default through GP in about a thousand places. Thanks again!
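
The inside-versus-outside connection tests used throughout this thread can be made repeatable with a small probe that separates "dropped by a firewall" from "nothing listening". This is an added example, not part of the original posts; it assumes bash and coreutils `timeout` are available on the machine running the test, and the target list in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example: classify a TCP connect attempt so a forwarding-rule problem
# can be told apart from a host-side problem. Uses bash's /dev/tcp.

# probe HOST PORT [SECONDS] -> prints open | filtered | refused
probe() {
    if timeout "${3:-3}" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
    then rc=0; else rc=$?; fi
    case $rc in
        0)   echo open ;;      # handshake completed: something is listening
        124) echo filtered ;;  # no reply before the timeout: packets dropped
        *)   echo refused ;;   # immediate failure, typically a TCP reset
    esac
}

# interpret STATE -> what to check next
interpret() {
    case $1 in
        open)     echo "listener reachable from this vantage point" ;;
        filtered) echo "silently dropped: check host firewall policy or the forwarding rule" ;;
        refused)  echo "host answers but port is closed: check the RDP listening port" ;;
    esac
}

# survey HOST:PORT ... -> one tab-separated result line per target
survey() {
    for t in "$@"; do
        state=$(probe "${t%:*}" "${t##*:}" 2)
        printf '%s\t%s\t%s\n' "$t" "$state" "$(interpret "$state")"
    done
}

# Usage from a machine inside the LAN, then again from outside against the
# public address (targets are examples):
#   sh probe.sh 192.168.1.175:3389 192.168.1.176:3390 192.168.1.177:3391
if [ $# -gt 0 ]; then survey "$@"; fi
```

A target that is `filtered` from inside the LAN as well as from outside points at the workstation's own firewall rather than the router, which matches where this thread ended up.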