
Remote Desktop Access on Multiple Network Cards

Hi, can someone help?
I have a Windows 2008 Server which has 3 network cards.
All three have static IP addresses.
One card has a local address in the 192.168 range.
Two cards have external IP addresses in the 217 range.
Remote port 3389 is open on both external IP addresses.
The server is running a DHCP server with the 192.168 range.
The server is also running a DNS server.
The router is a BT router and has a local IP address.

My questions are:
1. Is it safe to use the Remote Desktop application to access the server remotely?
2. Can all three, or perhaps two, network cards be configured for remote access, or will only one work at a time?
3. If I give public IP addresses to all three network cards, i.e. the 217 range, then I can access the server remotely using the first network card, which is an external network card on the server; the other two are internal. But that means I have to change the DHCP range to 217, otherwise it doesn't work if I give the external IP address to the server and the local range to DHCP?
4. If I enable DHCP on the router with the local IP address range and then assign all three network cards public IP addresses, then DHCP and the server work fine, but I would like to use my server as the DHCP server rather than the router's DHCP.
5. Can someone advise what is the best way forward for remote desktop access on a server with multiple network cards?
6. Finally, would it be advisable to use the server to access all remote clients, i.e. if I access the server remotely and then access all client computers using Windows 2008 Terminal Server RemoteApps, or should I give each individual desktop an external IP?
1 Solution

GuruChiu commented:

1. Is it safe to use the Remote Desktop application to access the server remotely?

If you have the Win2k8 firewall turned on and only open for TCP 3389, it is reasonably safe. However, I still prefer a real firewall due to the frequent security holes that exist for Windows servers. On the other hand, I do respect users who have a limited budget and need to get by.
A bigger concern is that you are putting a terminal server with other potentially important servers like DNS. Even if your server is perfectly secure, people can still try to connect to it by guessing user IDs and passwords.

2. Can all three, or perhaps two, network cards be configured for remote access, or will only one work at a time?
The main problem is that standard (without 3rd-party software) Windows 2k8 only uses a single default gateway. You can use any one of your NICs to reach this gateway. Maybe you can let us know more about your application (why you want both NICs) and there may be better solutions.

3. If I give public IP addresses to all three network cards, i.e. the 217 range, then I can access the server remotely using the first network card, which is an external network card on the server; the other two are internal. But that means I have to change the DHCP range to 217, otherwise it doesn't work if I give the external IP address to the server and the local range to DHCP?
Please see the answer for #2.

4. If I enable DHCP on the router with the local IP address range and then assign all three network cards public IP addresses, then DHCP and the server work fine, but I would like to use my server as the DHCP server rather than the router's DHCP.
Please show how the router connects to your network in relation to the server.

5. Can someone advise what is the best way forward for remote desktop access on a server with multiple network cards?
What exactly do you mean by "forward for remote desktop access"?

6. Finally, would it be advisable to use the server to access all remote clients, i.e. if I access the server remotely and then access all client computers using Windows 2008 Terminal Server RemoteApps, or should I give each individual desktop an external IP?
I personally do not like jumping off an RDC client with another RDC session. It works but the performance is poor, and there are some UI issues. On the other hand, I am strongly against assigning a public IP to each PC that needs remote access. A better way to do it is VPN.

CJ (IT Consultant, Author) commented:
First of all, many thanks for your detailed reply.

1. Yes, I have Sophos Antivirus running on the server and I have only opened port 3389 on the router.
     You said that having the terminal server on the same server as the main server, DHCP and DNS is not secure. What is the best solution to it? Do you recommend having the terminal server installed on another server, or enabling some extra security features?

2. The purpose of having three network cards was: one for the local area network with local access, one for the Exchange server which is installed on the same server, and one for the web server which is installed on the same server. Please note this firm has a very small budget for IT. After 10 years we managed to get a new server. The old server I may use as a web server, but it is very old and has a very slow spec. This is why we have everything on one server. The other purpose of having three cards was so that I can set up users to log on remotely to the server and access all resources, so that they can work from home as if they are working in the office. I have put another post on the net asking if anyone knows how to set up remote login for users.

4. It's a BT router which is connected to the server; it has a local static IP address in the 192.168 range. The firewall and NAT are enabled on the router.

5. What I meant here was: should I only enable port 3389 on only one network card, and should I use the internal network card and then use NAT for the public IP address, or should I use one of the external cards with a public IP address? Firewall and NAT are configured in the router instead of the server. What I meant by the best way forward was what would be the most simple and secure way of accessing the server remotely, which card I should use and which IP method.

6. How would we set up VPN for each client? Wouldn't we still need an individual public IP address for each? Can you please guide me on this.

Once again many thanks

GuruChiu commented:
1. My recommendation is to use a real firewall, e.g. a Cisco ASA5505, which is reasonably priced, to protect your server and internal network, as well as provide other services like VPN. This way an external hacker is not able to connect to the server directly.
You should also investigate virtualization technology to run multiple servers on the same hardware. This way you can separate your Exchange server from the terminal server, just as an example, to further enhance your security without additional software/hardware investment. Microsoft Hyper-V is included in some flavors of Server 2008, or VMware ESXi is free. With virtualization, you can also give each VM (virtual machine) a different IP address, on either the same or a different NIC.

2. Please see my answers for #1 & #6. You really do not need 3 NICs. You probably should use two, one for the private network and the other for the public network.

4. Do your server's public interface(s), those with 217.x IP addresses, connect to this BT router?

5. You either port forward using an external firewall to this server, or there is no need to use port forwarding if this server is all you have.

6. If you have an external firewall, typical firewalls support VPN. If not, Windows Server supports PPTP VPN. With VPN, external users cannot see your inside machines directly. This will provide the security you need. If users want to connect, they need to VPN in first, which provides a layer of security. After they VPN in, they can then connect to each machine using its private IP address, without worrying about giving each individual machine its own public IP address.


CJ (IT Consultant, Author) commented:
Many thanks, very useful information.

Just a few more pieces of advice please, if you don't mind.

Do you know any link or website which will have a good article on how to set up a VPN server and VPN on clients? I tried some but they were not very useful; some even also recommend investing in an SSL certificate etc.
Like I said, the firm has basically no budget to spend this year; they have already bought a new server and have upgraded all workstations to Windows 7 Ultimate and Office 2007. The main man has asked me to configure remote access for each user without him investing any more money. We have 15 users or 15 workstations, all running Windows 7.
I need to set up the best possible, cheapest way of remote login for users so that they can work from home or any remote location.

In answer to number 4, yes, all three network cards are connected to the router. The way the whole network is connected to the router is via a 3Com 1 Gb switch. All workstations and the server are connected to the switch, and then one wire goes from the switch to the router, which then gives access to all those computers connected to the switch.

The only external firewall is the router firewall, and then the firewall.

Tell me one more thing, just for knowledge: when I enable a port in the router firewall settings, such as 3389, does that then automatically enable the port on the Windows 2008 64-bit server, or does the port have to be enabled manually on the server?

Now to conclude the remote access to the server: I should only use one external network card which has a public IP address. The other network card I should use for the LAN, and the third one is just there; I should disable it and use it in future if needed.

GuruChiu commented:
If you prefer to have no additional software/hardware investment, setting up PPTP VPN using Windows Server is probably the best way for you. Just searching for how to set up a PPTP VPN server in the Microsoft knowledgebase, or just googling it, should give you the answer you are looking for.

I would suggest separating the internal LAN from the public network, i.e. the server still keeps two NICs, one connected to the internal network and the other connected to the public network. Your ISP router should only connect to the public network.

No, you have to manually enable 3389 on the server.

CJ (IT Consultant, Author) commented:
Many thanks

I will do a search and if there are any problems can I come back to you?

I don't know if you can help. I have another question open which relates to a network scanner problem. If you can, then I will paste the question and some suggestions here.

Regards

CJ (IT Consultant, Author) commented:
Hi, below is the question and some suggestions; see if you can help.

Title:
Network Printer Scanning
Question: Hi
I have a Xerox workstation attached to the network which has a local IP address and port 139.
I have 3 network adapters on the server running Windows 2008 Server 64-bit.
One network card has an internal IP address and the other two have external IP addresses.
If I disable the other two network cards which have external IP addresses, the scanner works fine and stores all scan files in the local server folder called scan.
If I enable the other two network cards, then the scanner doesn't send the scanned files to the server folder.
I have run the netstat command and the result shows port 139 is open on all 3 network cards.
Can someone help? Does anyone know what is causing the problem? I have checked the scanner TCP/IP settings and made sure that the IP address, subnet mask, and port are all pointing to the server, and the DNS address is correct too.
Do you think I may need to disable port 139 on the other two network cards? If yes, then do you know how to do it?

gtdriver94:
The ports are part of the TCP/IP stack on the machine, not the network interfaces.

The fact that you have 2 external IPs on this machine raises many questions about routing and access control. I hope that you are running routing services on this server and that the firewall is protecting the two external interfaces. Port 139 SHOULD NOT be accessible from the external interfaces. BAD.

My first thought is a DNS issue. If your scanner is trying to connect to the server by NAME, having those external interfaces might cause the server NAME to resolve to an external address. I would try having the scanner connect to the server by internal IP.

Me:
Many thanks for your reply.
I did not enable port 139 on the external IP address network cards; can you guide me how I can disable the port on these two cards which have external IP addresses?

No, the scanner has an IP address pointing to DNS in the scanner settings. The Xerox company came and set up the scanner; let's say they gave it the IP address 192.168.1.5 and the server address is 192.168.1.1.

Like I said, if I disable the two network cards which have public IP addresses then the scanner works fine, but if I enable them then the scanner doesn't work.

Waiting for your reply.

gtdriver94:
Like I said, the ports are part of the machine's TCP/IP. The only way to stop that port on certain interfaces is by using the firewall. So in the properties of the network card, in the firewall settings, be sure port 139 is not allowed.

Please respond with the scanner settings:
IP Address:
Subnet:
DNS Server:
Gateway:
Server(Save To) IP Address:

CJ_London_2010:
Dear gtdriver94,

Many thanks for your reply.

I have tried looking into each network card's properties and I cannot find any tab or link where I can set the firewall settings. Can you please guide me where and how I need to look?

Scanner Settings TCP/IP:
Host Name: Xerox7232
IP Address resolution: STATIC
IP Address: 192.168.100.110
Subnet: 255.255.255.0
Gateway: 192.168.100.101
Domain Name: cjtan.local
Preferred DNS: 192.168.100.100
Alternative DNS: 192.168.100.101
LPD PORT: 515
TCP: 9100
HTTP PORT: 80
SECURE HTTP PORT: 443

NETWORK SCANNING SETTINGS:
File Repository Setup:
Default File Destination:
Friendly Name: SCANS
Protocol: SMB
Host Name/IP Name & Port: 192.168.100.100:139

I hope the above information helps. Please do let me know where in the network card properties the firewall settings can be configured.

Regards



GuruChiu commented:
I looked at your other question and it looks like you are in good hands with gtdriver94. One issue where gtdriver94 was wrong is that you can selectively disable port 139 per interface. You should enable port 139 on the LAN side (192.168.x.x) but disable port 139 on the public side (127.x.x.x). On the public side, you should only enable the ports that you will need (3389, as well as 1723 if you want to use PPTP VPN).

Yes, you are welcome to come back to me. After this question is closed, I may not monitor it any more. Feel free to email me directly at ktchiu@cland.com.

CJ (IT Consultant, Author) commented:
Just one last thing: how do I disable port 139 on the public side? Where do I do it? I nearly spent the whole day but couldn't find anywhere on the server to disable it on the public IP address, as in the firewall settings there is no option to select ports for individual IP addresses.

Many thanks

GuruChiu commented:
Method 1, which I normally do for interfaces that connect to the Internet:
In the network properties, select the NIC you want and uncheck Client for Microsoft Networks. This will turn off port 139 as well as other NetBIOS services which you don't want the public to have.

Method 2:
In the Windows Firewall panel, click on the Advanced tab. Select the interface you want and check/uncheck port 139. If you do not see it already there, it is unchecked. To check it, click on the Add button.

CJ (IT Consultant, Author) commented:
Many thanks. I will try and if there are any problems I will get back to you on the email you have provided.

CJ (IT Consultant, Author) commented:
Hi
I did Method 1 for both external cards, but for some reason when I run CMD to check ports it still shows port 139 listening.

Method 2 I couldn't do, because when I go to the Advanced tab all three cards are listed there and ticked, but there is no option to tick or untick port 139. I can only tick or untick in Exceptions, but that then applies to all three cards. Is there any other way?

Many thanks

Regards

GuruChiu commented:
Please post the output of the cmd you use to check port listening.

Is it possible to screen capture what you see after you click on the Advanced tab?

CJ (IT Consultant, Author) commented:
Hi, here is the screenshot of the Advanced tab, as you requested, from Windows Firewall; it's attached as a Word 2003 file.
ScreenshotOfAdvance.dot

GuruChiu commented:
I see where the confusion is. Attached is what I see at the similar tab. As you can see, there is a Settings button next to the interface that you select which allows you to configure custom ports. I don't know why that option is not available to you. Are you logged in with administrator rights?
WinAdvFW.png

CJ (IT Consultant, Author) commented:
Yes I sethis

Very strange, I don't know why. I am logged in as Administrator and I am running Windows 2008 Standard 64-bit. I don't know what version yours is; it could be the different version. Is there any other way around it?

What I did in Method 2 was to take the tick off the clients network option, but the port still showed open. I then opened the properties of TCP/IPv4, and in its Advanced tab under the WINS tab I ticked "Disable NetBIOS over TCP/IP". I ran cmd and it doesn't show any more, but the problem with the scanner is still there. Any suggestions?

CJ (IT Consultant, Author) commented:
Hi GuruChiu

I have a Windows 2008 Standard 32-bit server installed at home as well. I checked again and my screen is different to yours; it's the same as the office server. I think it may be because I only have the Standard version, what do you say?

Can you think of any other way around it?

I will wait for your reply

Many thanks CJ

CJ (IT Consultant, Author) commented:
Hi

I have yet another problem with Terminal Services Manager. It seems you are the only one with knowledge; I posted my question but got only one suggestion, and I replied but since then no reply.

The main problem I am having is that I cannot add computers to Terminal Services Manager. I have enabled all ports and all services are running, but still no luck.

The suggestion from Jason was to turn off the firewall or enable the port/service in the firewall. I have done both but no luck.

Below are the details of the question I asked.

Terminal Service Manager in Windows 2008 Standard 64-bit Server
Question:
Hi
I have Terminal Server running on a Windows 2008 Standard 64-bit server.
It's all activated and works fine.
The only problem I am having is using Terminal Services Manager.
I have created a group under my domain server and I can access and send messages to the server, but every time I try to add a computer the following two error messages come up.
First Error Message
"The specified computer cannot be reached. Make sure that the computer is accessible and varify computer name"

Second Error Message
"The RPC server is unavailable"

I can access the PCs remotely. I have enabled remote access, but I cannot connect or add any of the computers to the group. I keep getting the above messages; on some I get error 1 and on some I get error 2.

The reason I want to use this service is so that I can send messages to all 20 users at a time.

Can you please help?

Regards

Zones: Miscellaneous Networking, Computer Servers, Network Management
Author: CJ_London_2010, Premium Service Member
Posted: 05/01/10 05:03 PM
Time Zone: Pacific Standard Time (GMT-08:00)

05/01/10 05:27 PM, ID: 26186787
jasonbird:
Hi CJ
Check the Windows Firewall. Unlike Windows 2003 Server, Windows 2008 Server automatically enables the Windows Firewall service, and even though you have selected to enable Terminal Server, this is not then authorised in the firewall. You can either tick the RDP protocol in the firewall to enable it, or just switch Windows Firewall off. This is probably why you can't connect to the RDP service.
Hope this helps
J

06/01/10 03:36 PM, ID: 26195855
CJ_London_2010:
Hi Jason

Many thanks, I did try but no luck. Still error 1 with all of them when I try to connect.
But if I try to connect to them via RemoteApps through Terminal Services, I can connect to all.

Is there anything else I need to do?

Regards

Now I get error message 1 from any PC I try to connect to.

I will appreciate your help.

GuruChiu commented:
Looks like Windows 2008 moved things around. I am looking around on my Windows 2008 server to see where this can be done. Will get back to you on this.

I have looked at your other question. At this moment I have no clue other than checking the firewall settings on both.

GuruChiu commented:
Windows 2008 moved it to the MMC.
Start > Computer > right mouse click > Manage
System Manager > Configuration > Windows Firewall with Advanced Security

CJ (IT Consultant, Author) commented:
Many thanks.

I did find the Windows Firewall there, but I cannot see any tab or link where I can manage the three network cards for ports. If you find it, please let me know, and if you can post a screenshot it will be great.

Once again many thanks for your help. I really appreciate it.

Regards

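As an added example that is not from the thread or any of its participants, the per-address scoping GuruChiu describes (TCP 139 allowed on the LAN side only, 3389 and 1723 on the public side) can be done from an elevated PowerShell prompt with netsh advfirewall, which does not depend on which buttons the firewall GUI tab shows. The 192.168.100.100 and 217.0.0.x addresses are placeholders, and the extra TCP 445 block goes beyond what the thread mentions.

```powershell
# Added example, not code from the thread. Scope Windows Firewall rules by
# local address on a multi-homed Windows Server 2008 box so the NetBIOS
# session service (TCP 139) stays reachable on the LAN address only, while
# RDP and PPTP remain open on the public addresses. Run from an elevated prompt.
# All addresses below are placeholders; substitute the server's real ones.

$LanAddress      = '192.168.100.100'                 # placeholder: LAN NIC
$PublicAddresses = @('217.0.0.10', '217.0.0.11')     # placeholders: the two 217.x NICs
$PublicList      = $PublicAddresses -join ','         # netsh localip= accepts a comma list

# --- 1. Which listening TCP sockets are reachable via the public addresses? ---
# netstat -an prints lines like "  TCP    217.0.0.10:139   0.0.0.0:0   LISTENING".
# A socket bound to 0.0.0.0 listens on every address, so it is reported as well.
$listeners = foreach ($line in (netstat -an)) {
    if ($line -match '^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING') {
        New-Object PSObject -Property @{ Address = $Matches[1]; Port = [int]$Matches[2] }
    }
}
$exposed = $listeners | Where-Object {
    $_.Address -eq '0.0.0.0' -or ($PublicAddresses -contains $_.Address)
} | Sort-Object Port -Unique
Write-Host "Listening TCP sockets reachable via the public addresses:"
$exposed | Format-Table Address, Port -AutoSize

# --- 2. Block NetBIOS/SMB on the public addresses only ---
# In Windows Firewall with Advanced Security a block rule always wins over an
# allow rule, so a block scoped with localip= overrides the built-in
# "File and Printer Sharing" allow rules on the 217.x addresses while leaving
# them in force on the LAN address.
netsh advfirewall firewall add rule name="Block NetBIOS session (public NICs)" `
    dir=in action=block protocol=TCP localport=139 "localip=$PublicList"
netsh advfirewall firewall add rule name="Block NetBIOS name/datagram (public NICs)" `
    dir=in action=block protocol=UDP localport=137-138 "localip=$PublicList"
# TCP 445 (SMB without NetBIOS) is not mentioned in the thread but carries the
# same file-sharing service, so it is blocked on the public side as well.
netsh advfirewall firewall add rule name="Block SMB direct (public NICs)" `
    dir=in action=block protocol=TCP localport=445 "localip=$PublicList"

# --- 3. Keep the scanner path explicit: 139 from the local subnet to the LAN NIC ---
netsh advfirewall firewall add rule name="Allow NetBIOS session (LAN NIC)" `
    dir=in action=allow protocol=TCP localport=139 "localip=$LanAddress" remoteip=localsubnet

# --- 4. Allow only what remote users need on the public side ---
netsh advfirewall firewall add rule name="Allow RDP (public NICs)" `
    dir=in action=allow protocol=TCP localport=3389 "localip=$PublicList"
netsh advfirewall firewall add rule name="Allow PPTP control (public NICs)" `
    dir=in action=allow protocol=TCP localport=1723 "localip=$PublicList"
netsh advfirewall firewall add rule name="Allow PPTP GRE (public NICs)" `
    dir=in action=allow protocol=47 "localip=$PublicList"   # GRE is IP protocol 47

# --- 5. Verify the address scoping took effect ---
netsh advfirewall firewall show rule name="Block NetBIOS session (public NICs)" verbose
```

Re-run the netstat section afterwards: 139 will still show as listening on every address (the socket belongs to the TCP/IP stack, as gtdriver94 says), but inbound connections to it on the 217.x addresses are now dropped by the scoped block rule.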