Solved

RDP to Windows 2003 member server

Posted on 2010-08-24
Last Modified: 2012-05-10
Hi Experts
What am I missing?
SBS 2008 SP2 installed. Fully patched windows and HP drivers / firmware / PSP. 172.16.1.10
Windows 2003 SP2 member server joined to domain. Fully Patched. 172.16.1.11
Need to be able to RDP to 172.16.1.11 from the outside to run stock control system.
Can RDP to 172.16.1.11 when inside the LAN. When VPN'ing into the network from outside get error message that is attached and cannot RDP to 2003 member server

VPN further notes
1st way of VPN: PPTP VPN from a laptop from any internet connection to the SBS 2008 server with port 1723 forwarded on the firewall. VPN works fine and allows mapped drives and off line sync
2nd way of VPN: Satellite site has a 'site to site' VPN set up. Their network is 172.16.3.x. Sync, mapped drives and emails work fine as Windows 7 firewall configured to trust and allow UDP and TCP 135 - 139 to the 172.16.1.x network

I can't figure out why I cannot RDP to 172.16.1.11 from the outside when I can on the inside.
Any pointers (and I'm guessing that I am missing something simplistic) would be very gratefully received
Rob

 RDP error message
0
Comment
Question by:RobKanj
21 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33517730
Start by pinging - can you ping the server in question when connecting via VPN?  If not, your problem probably has NOTHING TO DO with RDP.
0
 
LVL 5

Expert Comment

by:piji
ID: 33517753
This error message is for Windows 2008 not 2003. Maybe you point to the wrong IP. Just make sure you RDP to the right server.
0
 
LVL 3

Expert Comment

by:darthcontra
ID: 33517812
Starting basic, but double check the gateway address on the server in question.
I agree that ping would be the proper starting point.

Also something I have seen in the past, what happens if you wait to rdp until the vpn has been connected for a bit (say 10 minutes).
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33517999
One possibility. When Remote desktop is enabled on a PC or server a firewall exception is created to allow access from the LAN. External/remote networks are generally blocked by default. You need to check the scope options of the firewall RDP exception. There is a good explanation for XP/2003 in the following link. 2008 has a more detailed firewall configuration but the concept is the same, or disable the firewall completely just as a test to see if this is the problem.
http://www.lan-2-wan.com/RD-FW.htm

Also as asked by another: when the VPN is connected, can you ping the server in question. If not it is possible your VPN is not configured to route all 172.16.1.x traffic via the VPN/PPP adapter on the client, rather only 172.16.1.10.
If you use the SBS wizards and connection manager client this is configured automatically:
http://www.lan-2-wan.com/SBS-VPN-instr.htm
If the client was manually configured you need to make sure "use default gateway" is checked under: control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General. Also LAN routing must be enabled in RRAS on the SBS. To do so open RRAS | right click on the server name and choose properties | under the general tab.
0
 
LVL 11

Expert Comment

by:farjadarshad
ID: 33518076
Firstly ping your server and check whether you are getting the response or not. 2nd thing: did you check on your firewall or on the VPN server that it allows RDP and its port, which is 3389?

On second thought you can also use RealVNC for taking the remote desktop of that server which you can get from here http://www.filehippo.com/download_realvnc/
0
 

Author Comment

by:RobKanj
ID: 33520266
Thank you Lee, Rob, Farja, Darth and Piji - Really appreciate your quick comebacks.

I VPN'ned from my laptop to the SBS server using my PPTP connection and I could ping the member server (172.16.1.11). I cannot RDP to it and I get the same error message.
I then dialled in to the satellite site and logged into one of the Windows 7 desktops. Because the site to site VPN is in place I do not have to initiate a VPN. Again I can ping 172.16.1.11 - results below:
ping -a 172.16.1.11
Pinging appendix.library.local [172.16.1.11] with 32 bytes of data:
Reply from 172.16.1.11: bytes=32 time=42ms TTL=127
Reply from 172.16.1.11: bytes=32 time=44ms TTL=127
Reply from 172.16.1.11: bytes=32 time=44ms TTL=127
Reply from 172.16.1.11: bytes=32 time=43ms TTL=127
....but cannot RDP to the member server.

From both VPN connections I can RDP to the SBS server (172.16.1.10)
Finally at the satellite site, I created a new rule within windows 7 firewall to allow port 3389 to 172.16.1.11. Rebooted and still cannot RDP to it.
As I cannot RDP to the 172.16.1.11 I am going to go to site later this evening so if there is anything that needs to be done / checked on the member server itself...I can do.

Thanks again and looking forward to more thought processes
Regards
Rob

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33520342
The firewall changes have to be made on the server to which you are trying to connect, not the connecting workstation. Sounds like the Windows firewall to me. This can also be the same if you have any other 3rd party software firewalls installed.
0
 
LVL 27

Expert Comment

by:Steve
ID: 33521202
I'm afraid your 2008 server is the issue. As the VPN is managed on the SBS 2008, this is in charge of filtering the packets. Check your settings for routing and make sure RDP traffic is allowed. By default, Remote Web Workplace is set up to RDP to any member servers and it may be reserving the connection for that.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33521553
>>"As the VPN is managed on the SBS 2008" There is also a site to site VPN which would allow all traffic between sites, i.e. no filtering. The rdp host server firewall is more likely doing the filtering.

Also not a routing issue since ping works.
0
 

Author Comment

by:RobKanj
ID: 33524650
Hi Rob / Totally
Thanks for your comments and pointers. I still don't know where I am going wrong.
Tackling Rob's advice. I have logged in to the member server and have ensured that the users who need to login to the server are part of the Remote Desktop Users Group.
As it is a Windows 2003 server I have right clicked on the NIC - change firewall settings and I can see that as it's part of a SBS 2008 domain the firewall rules have been pushed and grayed out...please see screenshot 1.jpg and 2.jpg
When I try to add a further RDP 3389 rule to allow incoming connection from 172.16.3.x (as the satellite site is on 172.16.3.x) it will not accept it because it says that the RDP rule exists already.
I understand Rob's point on it not being a routing issue as PING works but nevertheless I created an inbound firewall rule on the SBS 2008 firewall to allow RDP but of course it still does not work...please see screenshot 3.jpg
Help?
Many thanks
Rob
 

 

1.jpg
2.jpg
3.jpg
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 450 total points
ID: 33524932
I assume image "rdp firewall 2 " is from the member server to which you want to connect? If so the problem is likely "my network (subnet) only" is checked.
If you are logged in as an admin you can usually edit and/or add exceptions though you may not be able to turn off the firewall due to group policy.
If you cannot edit, first make sure the member server is in the MyBusiness | Computers | SBS servers OU in active directory and not the sbs computers OU. It is put in the latter by default when you join the domain and thus the GPO's applied to PC's is used.

If you still cannot edit try creating a new Firewall GPO that allows the exception. I don't recommend editing existing policies. Once you create the policy you want to edit computer configuration | policies | administrative templates | Network | Network connections | Windows firewall | (I would do both standard and domain) | allow program exceptions and allow port exceptions. Or you could create the exception with "define inbound port exceptions".

Alternatively could the user not use Remote Web Workplace to connect? This is actually more secure than using the VPN. VPN's allow unlimited access between an unknown client PC and the corporate network which can be very risky with hackers and viruses.

The other option which also uses SSL is to use the TS gateway service. SBS 2008 and newer makes use of the TS Gateway service. This allows you to connect directly to a corporate server or PC and bypass RWW altogether, and yet still have the same security as RWW.

To do so the connecting client must have the updated TS/RDP client, version 6.1 or newer, which requires XP SP3, Vista SP1, or Win7/Server 2008. Then start the RDP connection client | click options | advanced | connection settings | and enter the TS gateway address (your SBS server name -probably remote.yourdomain.com). Under the General tab enter the computer name to which you want to connect and user name (domain\user), and save.

Clicking on the saved connection now allows you to connect directly to the corporate PC, still using SSL, and with only a single logon. The first time the connection is used, there are two pop-ups that have to be approved but if you check 'always' they will not be present next time.

This is new to 2008 and a very useful feature, especially for folk that are always connecting to the same server or PC and don't want to have to do multiple logins, approve multiple popups, and select a PC.

The following link outlines RWW with SBS 2008 and shows the client connection configuration half way down the page under "TSGateway Integration".
http://blogs.technet.com/b/sbs/archive/2009/06/25/sbs-2008-introduction-to-remote-web-workplace.aspx

0
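Added example (not part of the original answer or of any SBS tooling): a small Python model of the `port:transport:scope:status:name` string that the Windows Firewall "define inbound port exceptions" policy takes, showing why a `localsubnet` scope admits LAN clients but not the 172.16.3.x site. The /24 mask on the member server, the sample client addresses and the function names are assumptions; IPv4 only.

```python
import ipaddress

def parse_port_exception(entry):
    """Split '<port>:<transport>:<scope>:<status>:<name>' into its fields."""
    port, transport, scope, status, name = entry.split(":", 4)
    return {
        "port": int(port),
        "transport": transport.upper(),
        "scope": [s.strip().lower() for s in scope.split(",")],
        "enabled": status.lower() == "enabled",
        "name": name,
    }

def scope_allows(rule, source_ip, server_iface):
    """True if source_ip is inside the rule's scope as seen from the server."""
    if not rule["enabled"]:
        return False
    src = ipaddress.ip_address(source_ip)
    local_net = ipaddress.ip_interface(server_iface).network
    for item in rule["scope"]:
        if item == "*":                       # any source address
            return True
        if item == "localsubnet":             # "my network (subnet) only"
            if src in local_net:
                return True
        elif src in ipaddress.ip_network(item, strict=False):
            return True                       # explicit host or subnet entry
    return False

def reachable_sources(entry, sources, server_iface):
    """Evaluate one policy entry against a dict of label -> source IP."""
    rule = parse_port_exception(entry)
    return {label: scope_allows(rule, ip, server_iface)
            for label, ip in sources.items()}

# Constructed inputs: member server address from the thread, assumed /24 mask.
SERVER = "172.16.1.11/24"
SOURCES = {"LAN workstation": "172.16.1.50", "satellite site": "172.16.3.20"}
BEFORE = "3389:TCP:localsubnet:enabled:Remote Desktop"
AFTER = "3389:TCP:localsubnet,172.16.3.0/24:enabled:Remote Desktop"

if __name__ == "__main__":
    print("before:", reachable_sources(BEFORE, SOURCES, SERVER))
    print("after: ", reachable_sources(AFTER, SOURCES, SERVER))
```

Listing the remote subnet explicitly keeps the exception narrower than a `*` scope while still admitting the site-to-site clients.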
 

Author Comment

by:RobKanj
ID: 33549840
Hi RobWill
Sorry for the delay....something else has gone wrong that needed urgent attention....back to your very helpful suggestions.
Yes RDP Firewall 2 was a screenshot from the member server and as I posted on EE I started to think about Group Policy. The subnet is grayed out on the member server firewall and as the member server is getting its firewall policies from SBS 2008 that got me thinking on GP.
Regarding RWW...the DNS A record remote.xxxxx.co.uk is in place that matches the external IP of the client. Additionally the reverse DNS is in place by the ISP pointing to remote.xxxxxx.co.uk. The only thing I have not done yet is purchase a 3rd party certificate (I normally purchase Thawte single sign on) and configure it on the SBS 2008 box.
Also the windows 2003 member server does not have any TS licenses. I was assuming that I would install the TS component in Add / Remove Programs and then purchase some CAL's?
Will update once I have an update and thank for your detailed breakdown of options...appreciated
Regards
Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33550098
Hi Rob.
Let us know how you make out.

Just to add a couple of options;
Though a certificate is preferred you can also have the SBS create a self-signed certificate and then copy and install to remote PC's. If PC's are members of the domain it is installed automatically.

You do need terminal server CAL's but there is a 120 day grace period from the time you install Terminal services. You can connect as many users as you like during that period of time, until you get your required licenses.
--Rob
0
 
LVL 27

Assisted Solution

by:Steve
Steve earned 50 total points
ID: 33552583
Has the terminal server got a default gateway set? Can it access the internet? Set the default gateway on the member server to the server handling the vpn. Any return traffic from the member server may need to be routed through the vpn.
The issue here is the fact it works internally and not externally.
 
0
 

Author Comment

by:RobKanj
ID: 33592821
Dear Rob / Totally
I have not forgotten - I have a major issue on my hands with this SBS 2008 server and another client's exact same server (hardware and s/w build) rebooting indiscriminately every day when everyone is logged in or not - so have been desperately troubleshooting as data is getting corrupted etc etc
Rgds
Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33592868
What make server? I heard of a similar issue with HP server and USB attached drives causing random reboots.
0
 

Author Comment

by:RobKanj
ID: 33593161
Dear Rob
It's 02:46 BST so I will be posting a detailed separate request later to EE but for now 2 x clients have the following
2 x HP ML350 G6 in RAID 1 for OS and RAID 5 for data
Both have Windows 2008 SBS SP2 fully patched including exchange 2007 and SQL 2005 SP3 Patches
Both use BES Express for BB enterprise
Both servers started to reboot about 14 days ago. It has become increasingly common every day. Reboots with a USB attached or not.
I thought I had cracked it by finding a HP tech page stating that firmware BIOS 15th May to D22 version servers were required due to memory instability on the DIMMS (Both clients have 8Gb) so I installed all the HP PSP firmware and software updates to no avail.
HP ASR is switched this forcing the reboots. I will find out tomorrow how to switch it off so I can see how and why the server hangs
Also I have to use the resource kit to analyse the minidump created in system32 and see if that gives me any clues.
It's a bad one.
I have a client who has a HP DL380 with exactly the same config minus the BES Express and his server is fine with USB drives attached and detached
I don't want to break rules so will post again as a new post
Thanks for prompting me in posting tonight
Regards
Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33596349
Sounds very frustrating. Looked into the issue I was familiar with but it only applies to Hyper-V installs.

Any driver updates lately on those machines?
0
 

Author Comment

by:RobKanj
ID: 33629950
Dear Rob and Tonto
The killer solution was provided by Rob:

"If you cannot edit, first make sure the member server is in the MyBusiness | Computers | SBS servers OU in active directory and not the sbs computers OU. It is put in the latter by default when you join the domain and thus the GPO's applied to PC's is used"
RDP is fine now.

Tonto - I am still awarding you points for your efforts and thought process - thank you both so much

Regards
Rob

0
 

Author Closing Comment

by:RobKanj
ID: 33629963
Appreciated the persistence.
Regards
Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33643125
Thanks RobKanj. Glad to hear you were able to resolve.
Cheers!
--Rob
0
