Solved

Access Remote Desktop through Cisco VPN

Posted on 2009-12-23
Last Modified: 2012-05-08
Here is the deal. In our network, we are using a Cisco 2610-DC border router, which is then routed through a Cisco PIX 515E firewall, which then goes on to the rest of our network. Before I began working here, the firewall and such was set up so that it allowed access via the Cisco VPN client. VPN has worked fine since then, but an issue has been raised currently that users need to be able to access remote desktop once they are connected via VPN. But, when trying to do so, users are receiving the message that they do not have the Allow Log in through Terminal Services right. I went into AD, went to the user in question, and opened their properties; under the Terminal Services Profile tab, the only checkbox was "Deny this user permissions to log on to any Terminal Server", which was not checked. I have added the users to the Remote Users group within Active Directory, but still no dice... I was not sure if this was a setting that needed to be adjusted with the firewall, or if it was a setting within Active Directory that needed to be fixed, so that is why this question is under both groups. I am still learning about VPN, so please be pretty conscious of that in your explanation, but any help would be greatly appreciated!!!
0
Question by:agruber85
 
LVL 12

Expert Comment

by:nealerocks
ID: 26112299
You probably need to give the Remote Users Group permissions to log on to the computer they are trying to access remotely. This issue is to do with permissions; I don't think it is related to the VPN.
0
 

Author Comment

by:agruber85
ID: 26112319
How would I go about doing this? Would I have to make the server a 'member' of the remote desktop user group?
0
 

Author Comment

by:agruber85
ID: 26112352
Also, after going into AD, under Computers, and going to a certain computer's properties, under the Dial-In tab, there is an option for Remote Access Permission. Currently it is selected to comply with the Remote Access Policy.
First, where can I edit this policy? And second, if I just change this setting to Allow Access, would that fix my problem?
0
 
LVL 16

Expert Comment

by:btassure
ID: 26112409
The policies and group to which you are referring are designed for use with either RAS (VPN directly to a windows server) or IAS (Microsoft's Radius implementation for authentication).

You need to go to the PCs in question (or create a policy) and add either each user or a group of which those users are members to the "Remote Desktop Users" group on the local machine (that's why it's easier to do it with a policy).

We have ours set so that in Computer Config, Windows Settings, Restricted Groups you add a group called "Remote Desktop Users", then add members to it such as either each user or a group you have created for this purpose. Then apply the policy to the OU that you need the PCs to be in.

Otherwise there is a built in group called "Remote Desktop Users" on the domain but adding people to that makes them RDP users for the ENTIRE domain unless you then restrict them. It's much quicker and easier than a policy but much broader as well. Either will work though.
0
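The per-machine approach described in the answer above, scripted for a short list of servers, as an added example that is not part of the original thread. It adds one domain group to each server's local "Remote Desktop Users" group and lists the resulting membership so the grant stays scoped and reviewable; the server names, domain name and group name are assumed placeholders.

```powershell
# Added example: names below are assumed placeholders, not values from the thread.
$Servers  = @('SRV-APP01', 'SRV-FILE01')   # assumed RDP target servers
$Domain   = 'CONTOSO'                      # assumed NetBIOS domain name
$RdpGroup = 'VPN-RDP-Users'                # assumed domain group holding the VPN users

function Get-LocalRdpMembers {
    param([string]$Computer)
    # Bind to the machine-local group through the ADSI WinNT provider
    $group = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
    # Members() yields COM objects; read each member's ADsPath via reflection
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-LocalRdpGroup {
    param([string]$Computer, [string]$Domain, [string]$GroupName)
    $target  = "WinNT://$Domain/$GroupName"
    $members = Get-LocalRdpMembers -Computer $Computer
    # Idempotent: skip the add when the domain group is already a member
    if ($members -contains $target) {
        "{0}: {1}\{2} already present" -f $Computer, $Domain, $GroupName
        return
    }
    $group = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
    $group.psbase.Invoke('Add', "$target,group")
    "{0}: added {1}\{2}" -f $Computer, $Domain, $GroupName
}

foreach ($server in $Servers) {
    try {
        Add-LocalRdpGroup -Computer $server -Domain $Domain -GroupName $RdpGroup
        # Print the full membership so unexpected entries are visible in review
        "  current members:"
        Get-LocalRdpMembers -Computer $server | ForEach-Object { "    $_" }
    } catch {
        Write-Warning ("{0}: {1}" -f $server, $_.Exception.Message)
    }
}
```

Run it from an account with local administrator rights on the listed servers; access then follows membership of the one domain group rather than individual user entries on each machine.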
 

Author Comment

by:agruber85
ID: 26113244
Well, I had actually already added the users to the builtin Remote Desktop Users group and when they again tried to use remote desktop while connecting via VPN, it again failed with the same message. Is there some other setting that needs to be changed to allow VPN users to access these computers through remote desktop?
0
 
LVL 12

Expert Comment

by:nealerocks
ID: 26113487
What operating system are you trying to connect to?
You probably also need to go to the system properties \ remote and allow remote connections.
0
 

Author Comment

by:agruber85
ID: 26113582
Server 2003 and Server 2008. Both of the servers are configured to allow remote users in general already. I just went to each computer and found the tabs that allow an admin to add specific users to the list of people that are allowed remote access. Since the users in question are not administrators, all that I have to do is to add them to this list, and they should be able to connect right? hehe, it seems like that was a pretty easy fix and it was exactly what btassure was telling me to do...?
0
 
LVL 12

Accepted Solution

by:
nealerocks earned 2000 total points
ID: 26113943
That is right, you could add the remote desktop users group rather than the individual users though.
0
