Hello all-

I am trying to get RDP to work through a PPTP VPN connection. The PPTP connection works, and I can ping the gateway of the remote network, the RAS server, and any machine in the remote network. VNC works just as well. However, for some reason I can't remote to any other machine besides the RAS server itself. I tried RDPing to the VPN computer from the remote network and vice versa with no results. It seems like there is a policy or firewall blocking the connection. For diagnostic's sake, I disabled all AV and firewalls on all test machines.

Any Thoughts?

Can you telnet a remote workstation?

telnet remotepc/ip 3389?
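The telnet test above is really a TCP reachability test. The following Python script (an added example, not code from the thread) does the same thing for RDP and VNC at once and classifies the outcome: a connect that completes means the port is open, an immediate refusal means the host answered with a RST (reachable, nothing listening), and a silent timeout means something between the client and the host is dropping the SYN. The target address 192.0.2.10 is a placeholder you replace with a workstation on the remote LAN; the port numbers 3389 (RDP) and 5900 (VNC) are the ones discussed in the thread.

```python
import socket
from dataclasses import dataclass

# Ports from the thread: 3389 is RDP, 5900 is the default VNC display port.
RDP_PORT = 3389
VNC_PORT = 5900


@dataclass
class PortResult:
    host: str
    port: int
    status: str          # "open", "refused", "timeout" or "unreachable"
    detail: str = ""


def check_tcp(host: str, port: int, timeout: float = 3.0) -> PortResult:
    """Attempt a full TCP connect and classify what happened.

    A refusal (RST) proves the host answered, so the path is fine and only the
    service is missing; a timeout means neither SYN/ACK nor RST came back,
    which is the usual signature of a filtering device in the path.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return PortResult(host, port, "open", "TCP handshake completed")
    except socket.timeout:
        return PortResult(host, port, "timeout", "no SYN/ACK or RST: filtered on the path?")
    except ConnectionRefusedError:
        return PortResult(host, port, "refused", "host answered with RST; nothing listening")
    except OSError as exc:
        return PortResult(host, port, "unreachable", str(exc))
    finally:
        s.close()


def interpret(results, rdp_port: int = RDP_PORT) -> str:
    """Turn per-port results into a short diagnosis of the RDP problem."""
    status = {r.port: r.status for r in results}
    rdp = status.get(rdp_port)
    others_open = any(s == "open" for p, s in status.items() if p != rdp_port)
    if rdp == "open":
        return "rdp-reachable"
    if rdp == "timeout" and others_open:
        return "rdp-filtered"       # other services pass, RDP is dropped in transit
    if rdp == "refused":
        return "rdp-not-listening"  # host reachable; Remote Desktop not enabled there
    if not others_open:
        return "host-unreachable"   # nothing answers: routing/VPN problem, not RDP
    return "inconclusive"


def diagnose(host: str, ports=(RDP_PORT, VNC_PORT), timeout: float = 3.0):
    """Probe each port on one host and return the results plus a verdict."""
    results = [check_tcp(host, p, timeout) for p in ports]
    return results, interpret(results)


if __name__ == "__main__":
    # Placeholder target; replace with a workstation IP on the remote LAN.
    results, verdict = diagnose("192.0.2.10", timeout=2.0)
    for r in results:
        print(f"{r.host}:{r.port} {r.status:<11} {r.detail}")
    print("verdict:", verdict)
```

Run it once from inside the LAN and once over the tunnel: the symptom in this thread (VNC open, RDP timeout) yields "rdp-filtered", which points at the gateway or RRAS configuration rather than at DNS or at the workstation's Remote Desktop settings.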
eftshdAuthor Commented:
I am not able to.
Hypercat (Deb)Commented:
Can you RDP to these machines from inside the network? The machines have to have remote connections enabled and your AD user account or group needs to be added to the local Remote Desktop Users group on the workstation.

eftshdAuthor Commented:
Yes, the test computers are here in the office with me and I am testing both on the network and off the network (via mifi) and they work just fine when directly connected on the network.
Hypercat (Deb)Commented:
I don't know about the mifi device - does it have some kind of firewall on it?
eftshdAuthor Commented:
Without a vpn tunnel, RDP works fine on the device. Then when the tunnel connects, VNC and ICMP work but not RDP. It sounds like a configuration issue on the server but I can't seem to find a setting that has that information in it.
What is the RDP server's OS? Maybe the RDP connection has some IP(-range) restriction on it?
eftshdAuthor Commented:
The source and destination machines are Windows XP and the server os is Server 2003 std r2.
Hypercat (Deb)Commented:
This seems simplistic, but I just thought I'd ask.  Are you trying to RDP using the computer name? If so, it may be a simple DNS/name resolution issue. Have you tried using the FQDN (i.e., computer.domain.com) and/or the IP address to see if RDP will work that way?
eftshdAuthor Commented:
I have learned that no question is too simple when you get these seemingly complicated issues. However, in this case, I was using the IPs to rule out any DNS issues.
If the LANs at both ends use the same subnet, there can sometimes be confusion as to whether an IP is local or remote, when using a VPN.

For instance if the LANs at both ends use 192.168.1.x as the subnet, the RDP client may think that, say is local, not on the remote LAN.

As an experiment, try changing the subnet of the local LAN to something different, say 192.168.5.x
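The overlap problem described above can be checked before re-addressing anything. The Python below is an added example, not from the thread: it detects which local and VPN-side subnets overlap, and then models the client's route lookup as a longest-prefix match between on-link routes and routes learned via the tunnel. The model is a simplification (a real Windows client also weighs interface metrics), and the subnets used in the demo (192.168.1.0/24 on both ends, 192.168.5.0/24 as the alternative) are the ones the comment above suggests.

```python
import ipaddress
from typing import Iterable, List, Tuple


def overlapping_networks(local_nets: Iterable[str], vpn_nets: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local, vpn) subnet pairs whose address ranges overlap."""
    pairs = []
    for l in local_nets:
        ln = ipaddress.ip_network(l, strict=False)
        for v in vpn_nets:
            vn = ipaddress.ip_network(v, strict=False)
            if ln.overlaps(vn):
                pairs.append((str(ln), str(vn)))
    return pairs


def route_decision(target: str, local_nets: Iterable[str], vpn_nets: Iterable[str]) -> Tuple[str, str]:
    """Simplified longest-prefix-match route lookup for one destination.

    Returns (outcome, matched_network) where outcome is one of
    "on-link"   - the client will ARP for the host on its own LAN
    "via-vpn"   - the packet is sent into the tunnel
    "ambiguous" - equally specific routes exist on both sides; which one wins
                  depends on interface metrics, so RDP may silently go to the
                  wrong LAN
    "default"   - no specific route; the default gateway is used
    """
    ip = ipaddress.ip_address(target)
    candidates = []
    for n in local_nets:
        net = ipaddress.ip_network(n, strict=False)
        if ip in net:
            candidates.append((net.prefixlen, "on-link", str(net)))
    for n in vpn_nets:
        net = ipaddress.ip_network(n, strict=False)
        if ip in net:
            candidates.append((net.prefixlen, "via-vpn", str(net)))
    if not candidates:
        return ("default", "")
    best_len = max(c[0] for c in candidates)
    best = [c for c in candidates if c[0] == best_len]
    if len({c[1] for c in best}) > 1:
        return ("ambiguous", best[0][2])
    return (best[0][1], best[0][2])


if __name__ == "__main__":
    # Constructed scenario: both LANs use 192.168.1.0/24, as in the comment above.
    print(overlapping_networks(["192.168.1.0/24"], ["192.168.1.0/24"]))
    print(route_decision("192.168.1.50", ["192.168.1.0/24"], ["192.168.1.0/24"]))
    # After renumbering the local LAN to 192.168.5.0/24 the remote host is unambiguous.
    print(route_decision("192.168.1.50", ["192.168.5.0/24"], ["192.168.1.0/24"]))
```

On the client, `route print` shows the same information for real; the script is only a quick way to confirm whether the address you are typing into the RDP client could be claimed by both the local NIC and the tunnel.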
Syed Mutahir AliTechnology ConsultantCommented:
A ) Are you testing this from within the same LAN ?
B ) - Are you dialing the vpn from home or any other location than the VPN Server itself ?

If "B" - then follow strung's advice and check what he has requested

If "A" - then some routers or gateway devices don't support NAT Loopback.

--can you rule out mifi---(i am not sure what that is) but reading about it, it seems that it creates a mobile wifi hotspot which is in reality connected to the same LAN you are on, thus the issue of either nat loopback or double nat.

If you can test from a remote location, it should work fine.

also from a remote location, on the xp or vista, or windows 7, edit the hosts file in "c:\windows\system32\etc\hosts\" and create a mapping for e.g. 192.168.1.x netbios name of the machine on your company LAN.
eftshdAuthor Commented:
Thanks guys for the comments, I will circle back with them on Monday and do some testing. I will post back and award points as necessary.

I always appreciate the help.
Jim P.Commented:
We have many of our customers that say they will only allow us to connect from a certain IP range. To find your external use http://ipchicken.com.  

Then make sure the remote user will allow you to connect from that IP.
There is a setting in RRAS to only allow connections to the RRAS server itself, isn't there?

Has this ever worked?  Can you ping IP addresses of other computers around the network?
If the VPN tunnel is a clear source of the problem, then I would suggest you provide more details on the tunnel itself. What kind of VPN is it? Is split-tunneling enabled? If it's a Cisco VPN client, have you gone to the settings in the VPN client and checked the box to allow local LAN access?
Also, when you're using the IPs - are all the IPs in your local network, or are you trying to connect to remote servers while connected to VPN?

If it's the second option, then your computer is sending the request through the VPN, and it is probably being routed through a server on the other end of that VPN tunnel. That said, if that server doesn't like RDP or has special security rules that you cannot change, then you are almost out of luck.

I was in a similar situation, but I had another computer on my local network that didn't connect to the VPN. I set up stunnel on it and then changed my RDP to connect to that particular port on stunnel, and had stunnel forward the request over to the real destination.

There was one case where stunnel was trying to connect to a destination app that didn't support SSL, so I ended up loading stunnel onto that remote server, and had it RECEIVE the SSL connection and then forward the connection to the local app, like this:

1. Client #1 connects to Client #2's stunnel
2. Client #2's stunnel connects to Remote Server #1's stunnel
3. Remote Server #1's stunnel connects to Remote Server #1's app

It does work, but it's not exactly a "simple" setup (although stunnel doesn't have a lot of configuration - it's just requires that you have an extra computer w/ internet access that doesn't connect to the VPN).
eftshdAuthor Commented:
The type of tunnel is a PPTP connection using windows routing and remote access. This has worked many times over for hundreds of other clients that we have. As stated above, I can ping to everything to and from the tunnel. I am also able to VNC to and from anything in the network. I tested the VPN connection from my hotel to rule out the mifi issue and it is displaying the same symptoms. As far as policies are concerned, I am only using the default ones and have not changed anything (this is what we have done with our other clients). The only thing that I have not been able to test is setting a separate subnet for the remote users. I am also going to try changing the RDP port on the destination computer to see if it is just not passing 3389. I am going to try that on Monday and report back. Thanks for all of the suggestions thus far.
Just because you can ping and use VNC doesn't mean that the VPN gateway is set up to allow everything. It's not about changing the policy on your own machine - when you connect to a VPN, you're essentially allowing the VPN to take control of the packets coming to and from your NIC (with limited exceptions). This means that if you can VNC to another server, then your remote gateway is allowing it. If you can't RDP to any other machines (besides something on your local network), then that probably means that the RDP packets are being stopped by the remote gateway. Changing the port MIGHT work if the remote gateway is simply blocking a specific port.
eftshdAuthor Commented:
Ah! Thank you for the clarification.
What are you using as your firewall/NAT device - a router or Windows NAT?

eftshdAuthor Commented:
We are using a cisco 851 with the SECURITY-K9 ios
eftshdAuthor Commented:

Thank you for your assistance. I was actually able to figure this out. It turns out that under routing and remote access there was an extra protocol installed called basic nat/firewall. After being able to get to another client site and comparing notes on configuration settings, that was the only difference and after I removed it, everything started working as expected. All is good!
eftshdAuthor Commented:
SnowWolf's comment jogged my thinking. Originally, I was thinking about a firewall in the sense of the server itself instead of the routing and remote access configuration. As soon as I saw that and compared the items with another client, I was able to resolve the issue by removing this protocol from the setup.
Where do I find the Remote Access Configuration parameters to check this solution on my machine?
eftshdAuthor Commented:
Start -> Administrative Tools on server 2003