Solved

RDP to Windows 2003 member server

Posted on 2010-08-24
Last Modified: 2012-05-10
Hi Experts
What am I missing?
SBS 2008 SP2 installed. Fully patched Windows and HP drivers / firmware / PSP. 172.16.1.10
Windows 2003 SP2 member server joined to the domain. Fully patched. 172.16.1.11
Need to be able to RDP to 172.16.1.11 from the outside to run the stock control system.
Can RDP to 172.16.1.11 when inside the LAN. When VPN'ing into the network from outside I get the error message that is attached and cannot RDP to the 2003 member server.

VPN further notes
1st way of VPN: PPTP VPN from a laptop from any internet connection to the SBS 2008 server, with port 1723 forwarded on the firewall. VPN works fine and allows mapped drives and offline sync.
2nd way of VPN: Satellite site has a 'site to site' VPN set up. Their network is 172.16.3.x. Sync, mapped drives and emails work fine, as the Windows 7 firewall is configured to trust and allow UDP and TCP 135 - 139 to the 172.16.1.x network.

I can't figure out why I cannot RDP to 172.16.1.11 from the outside when I can on the inside.
Any pointers (and I'm guessing that I am missing something simplistic) would be very gratefully received.
Rob

[Attachment: RDP error message]
Question by:RobKanj
21 Comments
 

Expert Comment

by:Lee W, MVP
ID: 33517730
Start by pinging - can you ping the server in question when connecting via VPN?  If not, your problem probably has NOTHING TO DO with RDP.

Expert Comment

by:piji
ID: 33517753
This error message is for Windows 2008, not 2003. Maybe you are pointing to the wrong IP. Just make sure you RDP to the right server.

Expert Comment

by:darthcontra
ID: 33517812
Starting basic, but double check the gateway address on the server in question.
I agree that ping would be the proper starting point.

Also, something I have seen in the past: what happens if you wait to RDP until the VPN has been connected for a bit (say 10 minutes)?

Expert Comment

by:Rob Williams
ID: 33517999
One possibility. When Remote desktop is enabled on a PC or server a firewall exception is created to allow access from the LAN. External/remote networks are generally blocked by default. You need to check the scope options of the firewall RDP exception. There is a good explanation for XP/2003 in the following link. 2008 has a more detailed firewall configuration but the concept is the same, or disable the firewall completely just as a test to see if this is the problem.
http://www.lan-2-wan.com/RD-FW.htm

Also as asked by another: when the VPN is connected, can you ping the server in question. If not it is possible your VPN is not configured to route all 172.16.1.x traffic via the VPN/PPP adapter on the client, rather only 172.16.1.10.
If you use the SBS wizards and connection manager client this is configured automatically:
http://www.lan-2-wan.com/SBS-VPN-instr.htm
If the client was manually configured you need to make sure "use default gateway" is checked under: control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General. Also LAN routing must be enabled in RRAS on the SBS. To do so open RRAS | right click on the server name and choose properties | under the general tab.
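
The two checks suggested above (Lee W's ping, and Rob Williams's route and firewall-scope questions) as one script, run from the VPN-connected client. This is an added example for this page, not code posted in the thread. It assumes the thread's addresses (member server 172.16.1.11), that RDP is on its default port TCP 3389, and PowerShell 2.0 or later on the client.

```powershell
# Added example, not code from the original thread. Answers the two
# questions Lee W and Rob Williams ask above, from the VPN-connected client:
#   1. which route (and therefore which adapter) carries traffic to the
#      member server, and
#   2. whether it is ICMP or TCP/3389 that fails, and how it fails.
# 172.16.1.11 is the Windows 2003 member server from the thread; the port
# and timeout are ordinary defaults (assumptions).
param(
    [string]$Target    = '172.16.1.11',
    [int]   $Port      = 3389,
    [int]   $TimeoutMs = 3000
)

# Dotted quad -> UInt32 in host order, so subnet maths is plain integer maths.
function ConvertTo-UInt32([string]$Dotted) {
    $bytes = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    [array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

# Longest-prefix match for $Address in the live IPv4 routing table.
# Win32_IP4RouteTable exists on XP/2003 and later, so this runs on the
# era's clients as well as on current Windows.
function Get-RouteFor([string]$Address) {
    $ip = ConvertTo-UInt32 $Address
    Get-WmiObject -Class Win32_IP4RouteTable |
        Where-Object {
            $mask = ConvertTo-UInt32 $_.Mask
            ($ip -band $mask) -eq ((ConvertTo-UInt32 $_.Destination) -band $mask)
        } |
        Sort-Object { ConvertTo-UInt32 $_.Mask } -Descending |
        Select-Object -First 1
}

function Get-AdapterName([int]$InterfaceIndex) {
    $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$InterfaceIndex"
    if ($cfg) { $cfg.Description } else { "ifIndex $InterfaceIndex" }
}

# A TCP connect tells you more than ping: 'open' = listener answered,
# 'refused' = host sent RST (reachable, nothing listening), 'filtered' =
# no answer at all (something dropped the SYN).
function Test-TcpPort([string]$Address, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($ar)
        return 'open'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) { return 'refused' }
        return 'error'
    } finally {
        $client.Close()
    }
}

$route = Get-RouteFor $Target
if (-not $route) { Write-Host "No route to $Target at all: the VPN is not carrying the LAN subnet."; return }
Write-Host ("Route to {0}: {1}/{2} via {3} on '{4}'" -f $Target, $route.Destination,
    $route.Mask, $route.NextHop, (Get-AdapterName $route.InterfaceIndex))

$icmp = (New-Object System.Net.NetworkInformation.Ping).Send($Target, $TimeoutMs).Status
$tcp  = Test-TcpPort -Address $Target -Port $Port -TimeoutMs $TimeoutMs
Write-Host "ICMP: $icmp    TCP/$Port`: $tcp"

switch ($tcp) {
    'open'     { 'Port open: the network is fine; look at the RDP listener or licensing on the host.' }
    'refused'  { 'Host reachable, port closed: Remote Desktop is not enabled/listening on the target.' }
    'filtered' {
        if ($icmp -eq 'Success') {
            'Ping works but the SYN is dropped: a firewall (host or VPN server) filters TCP/3389 for this source. Check the exception scope on the target.'
        } else {
            'Nothing reaches the host: routing/VPN problem, not RDP.'
        }
    }
}
```

Ping uses ICMP while RDP needs TCP 3389, so a reply to ping only proves the route exists; the TCP result is what separates a firewall-scope problem on the target from a routing problem on the client. The route line also shows whether the packet leaves on the PPP/VPN adapter or on the default gateway, which is the "use default gateway on remote network" question above.
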

Expert Comment

by:farjadarshad
ID: 33518076
Firstly, ping your server and check whether you are getting a response or not. Secondly, did you check your firewall, or the VPN server, to see if it allows RDP and its port, which is 3389?

On second thought, you can also use RealVNC for taking the remote desktop of that server, which you can get from here: http://www.filehippo.com/download_realvnc/

Author Comment

by:RobKanj
ID: 33520266
Thank you Lee, Rob, Farja, Darth and Piji - Really appreciate your quick comebacks.

I VPN'd from my laptop to the SBS server using my PPTP connection and I could ping the member server (172.16.1.11). I cannot RDP to it and I get the same error message.
I then dialled in to the satellite site and logged into one of the Windows 7 desktops. Because the site to site VPN is in place I do not have to initiate a VPN. Again I can ping 172.16.1.11 - results below:
ping -a 172.16.1.11
Pinging appendix.library.local [172.16.1.11] with 32 bytes of data:
Reply from 172.16.1.11: bytes=32 time=42ms TTL=127
Reply from 172.16.1.11: bytes=32 time=44ms TTL=127
Reply from 172.16.1.11: bytes=32 time=44ms TTL=127
Reply from 172.16.1.11: bytes=32 time=43ms TTL=127
....but cannot RDP to the member server.

From both VPN connections I can RDP to the SBS server (172.16.1.10)
Finally at the satellite site, I created a new rule within windows 7 firewall to allow port 3389 to 172.16.1.11. Rebooted and still cannot RDP to it.
As I cannot RDP to 172.16.1.11 I am going to go to site later this evening, so if there is anything that needs to be done / checked on the member server itself... I can do it.

Thanks again and looking forward to more thought processes
Regards
Rob


Expert Comment

by:Rob Williams
ID: 33520342
The firewall changes have to be made on the server to which you are trying to connect, not the connecting workstation. Sounds like the Windows firewall to me. This can also be the same if you have any other 3rd party software firewalls installed.

Expert Comment

by:Steve
ID: 33521202
I'm afraid your 2008 server is the issue. As the VPN is managed on the SBS 2008, this is in charge of filtering the packets. Check your settings for routing and make sure RDP traffic is allowed. By default, Remote Web Workplace is set up to RDP to any member servers and it may be reserving the connection for that.

Expert Comment

by:Rob Williams
ID: 33521553
>>"As the VPN is managed on the SBS 2008" There is also a site to site VPN which would allow all traffic between sites, i.e. no filtering. The rdp host server firewall is more likely doing the filtering.

Also not a routing issue since ping works.

Author Comment

by:RobKanj
ID: 33524650
Hi Rob / Totally
Thanks for your comments and pointers. I still don't know where I am going wrong.
Tackling Rob's advice. I have logged in to the member server and have ensured that the users who need to log in to the server are part of the Remote Desktop Users group.
As it is a Windows 2003 server I have right clicked on the NIC - change firewall settings - and I can see that, as it's part of a SBS 2008 domain, the firewall rules have been pushed and grayed out... please see screenshots 1.jpg and 2.jpg.
When I try to add a further RDP 3389 rule to allow incoming connections from 172.16.3.x (as the satellite site is on 172.16.3.x) it will not accept it because it says that the RDP rule exists already.
I understand Rob's point on it not being a routing issue as PING works, but nevertheless I created an inbound firewall rule on the SBS 2008 firewall to allow RDP and of course it still does not work... please see screenshot 3.jpg.
Help?
Many thanks
Rob
 

 

Attachments: 1.jpg, 2.jpg, 3.jpg


Accepted Solution

by:Rob Williams (earned 450 total points)
ID: 33524932
I assume image "rdp firewall 2 " is from the member server to which you want to connect? If so the problem is likely "my network (subnet) only" is checked.
If you are logged in as an admin you can usually edit and/or add exceptions though you may not be able to turn off the firewall due to group policy.
If you cannot edit, first make sure the member server is in the MyBusiness | Computers | SBS servers OU in Active Directory and not the SBS computers OU. It is put in the latter by default when you join the domain and thus the GPOs applied to PCs are used.

If you still cannot edit, try creating a new firewall GPO that allows the exception. I don't recommend editing existing policies. Once you create the policy, go to Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | (I would do both Standard and Domain) | Allow program exceptions and Allow port exceptions. Or you could create the exception with "Define inbound port exceptions".

Alternatively could the user not use Remote Web workplace to connect. This is actually more secure than using the VPN. VPN's allow unlimited access between an unknown client PC and the corporate network which can be very risky with hackers and viruses.

The other option which also uses SSL is to use the TS gateway service. SBS 2008 and newer makes use of the TS Gateway service. This allows you to connect directly to a corporate server or PC and bypass RWW altogether, and yet still have the same security as RWW.

To do so the connecting client must have the updated TS/RDP client, version 6.1 or newer, which requires XP SP3, Vista SP1, or Win7/Server 2008. Then start the RDP connection client | click options | advanced | connection settings | and enter the TS gateway address (your SBS server name -probably remote.yourdomain.com). Under the General tab enter the computer name to which you want to connect and user name (domain\user), and save.

Clicking on the saved connection now allows you to connect directly to the corporate PC, still using SSL, and with only a single logon. The first time the connection is used, there are two pop-ups that have to be approved but if you check 'always' they will not be present next time.

This is new to 2008 and a very useful feature, especially for folk that are always connecting to the same server or PC and don't want to have to do multiple logins, approve multiple popups, and select a PC.

The following link outlines RWW with SBS 2008 and shows the client connection configuration half way down the page under "TSGateway Integration".
http://blogs.technet.com/b/sbs/archive/2009/06/25/sbs-2008-introduction-to-remote-web-workplace.aspx

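
The checks behind the accepted answer, as an added example (not code from the thread, from SBS, or from Microsoft): run on the Windows 2003 member server, it reads which OU the computer object sits in and what Remote Desktop scope the firewall GPO has pushed, then shows with constructed client addresses why a LocalSubnet scope admits LAN clients but not the 172.16.3.x site. The OU names SBSComputers and SBSServers are SBS 2008's containers under MyBusiness\Computers, and the registry paths are those the Windows Firewall policy settings write to; both are stated as assumptions in the code.

```powershell
# Added example, not code from the original thread. Run on the Windows 2003
# member server; it checks the two things the accepted answer points at:
#   1. which OU the computer object sits in. SBS 2008 keeps workstations in
#      OU=SBSComputers,OU=Computers,OU=MyBusiness and servers in
#      OU=SBSServers,OU=Computers,OU=MyBusiness, and applies different
#      firewall GPOs to each (OU names as used by SBS 2008; assumption);
#   2. what scope the firewall GPO pushes for Remote Desktop. The policy
#      values live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall
#      (assumption), and a scope of LocalSubnet explains "works on the LAN,
#      fails over the VPN". The client addresses at the end are constructed.

function Get-ComputerOU([string]$ComputerName = $env:COMPUTERNAME) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if (-not $hit) { return $null }
    $dn = [string]$hit.Properties['distinguishedname'][0]
    $dn.Substring($dn.IndexOf(',') + 1)          # drop the leading CN=<name>
}

function ConvertTo-UInt32([string]$Dotted) {
    $bytes = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    [array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

# $Scope is what the firewall policy stores: '*', 'LocalSubnet', or a
# comma-separated list of addresses and a.b.c.d/n networks.
function Test-ScopeAllows([string]$Scope, [string]$Remote, [string]$LocalSubnet) {
    $r = ConvertTo-UInt32 $Remote
    foreach ($entry in ($Scope -split ',')) {
        $entry = $entry.Trim()
        if ($entry -eq '*') { return $true }
        if ($entry -eq 'LocalSubnet') { $entry = $LocalSubnet }
        $net, $bits = $entry -split '/'
        if (-not $bits) { $bits = 32 }
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (($r -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return $true }
    }
    return $false
}

# Policy port exceptions are strings of the form port:protocol:scope:status:name
function ConvertFrom-PortException([string]$Entry) {
    $p = $Entry -split ':', 5
    New-Object PSObject -Property @{ Port = [int]$p[0]; Protocol = $p[1]; Scope = $p[2]; Status = $p[3]; Name = $p[4] }
}

function Get-FirewallPolicyRdp([string]$Profile = 'DomainProfile') {
    $base = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$Profile"
    $rd   = Get-ItemProperty -Path "$base\Services\RemoteDesktop" -ErrorAction SilentlyContinue
    $list = Get-ItemProperty -Path "$base\GloballyOpenPorts\List"  -ErrorAction SilentlyContinue
    $ports = @()
    if ($list) {
        $ports = @($list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                   ForEach-Object { ConvertFrom-PortException $_.Value })
    }
    New-Object PSObject -Property @{
        Profile        = $Profile
        RdpPolicySet   = [bool]$rd
        RdpEnabled     = $(if ($rd) { [bool]$rd.Enabled } else { $null })
        RdpScope       = $(if ($rd) { $rd.RemoteAddresses } else { $null })
        PortExceptions = $ports
    }
}

# --- live checks ---
$ou = Get-ComputerOU
Write-Host "Computer object is in: $ou"
if ($ou -like 'OU=SBSComputers,*') {
    Write-Host 'Workstation OU: the PC firewall GPO applies. Move the object to the SBSServers OU and run gpupdate /force.'
}
foreach ($prof in 'DomainProfile', 'StandardProfile') {
    $p = Get-FirewallPolicyRdp $prof
    Write-Host ("{0}: RDP policy set={1} enabled={2} scope={3}" -f $p.Profile, $p.RdpPolicySet, $p.RdpEnabled, $p.RdpScope)
    foreach ($e in $p.PortExceptions) {
        Write-Host ("  port {0}/{1} scope={2} {3} ({4})" -f $e.Port, $e.Protocol, $e.Scope, $e.Status, $e.Name)
    }
}

# --- constructed sample: LocalSubnet admits the LAN but not the VPN sites ---
$lan = '172.16.1.0/24'
foreach ($client in '172.16.1.50', '172.16.3.25') {
    foreach ($scope in 'LocalSubnet', '*', '172.16.1.0/24,172.16.3.0/24') {
        Write-Host ("scope '{0}' from {1}: {2}" -f $scope, $client, (Test-ScopeAllows $scope $client $lan))
    }
}
```

The point of the last loop is the one the grayed-out firewall dialog hides: with scope LocalSubnet, 172.16.1.50 is admitted and 172.16.3.25 is not, while '*' or an explicit list naming 172.16.3.0/24 admits both. Whichever fix is chosen (moving the computer object or a server-specific GPO with the wider scope), rerunning the live section after gpupdate confirms the pushed scope actually changed.
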

Author Comment

by:RobKanj
ID: 33549840
Hi RobWill
Sorry for the delay....something else has gone wrong that needed urgent attention....back to your very helpful suggestions.
Yes RDP Firewall 2 was a screenshot from the member server and as I posted on EE I started to think about Group Policy. The subnet is grayed out on the member server firewall and as the member server is getting its firewall policies from SBS 2008 that got me thinking on GP.
Regarding RWW... the DNS A record remote.xxxxx.co.uk is in place that matches the external IP of the client. Additionally the reverse DNS is in place by the ISP pointing to remote.xxxxxx.co.uk. The only thing I have not done yet is purchase a 3rd party certificate (I normally purchase Thawte single sign-on) and configure it on the SBS 2008 box.
Also the windows 2003 member server does not have any TS licenses. I was assuming that I would install the TS component in Add / Remove Programs and then purchase some CAL's?
Will update once I have an update and thank for your detailed breakdown of options...appreciated
Regards
Rob

Expert Comment

by:Rob Williams
ID: 33550098
Hi Rob.
Let us know how you make out.

Just to add a couple of options;
Though a certificate is preferred you can also have the SBS create a self-signed certificate and then copy and install to remote PC's. If PC's are members of the domain it is installed automatically.

You do need terminal server CAL's but there is a 120 day grace period from the time you install Terminal services. You can connect as many users as you like during that period of time, until you get your required licenses.
--Rob
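
The saved TS Gateway connection Rob Williams walks through above (RDP client options | Advanced | Connection settings), written out as an .rdp file instead of clicked through. This is an added example, not from the thread. The host name appendix.library.local is the member server from the ping output earlier in the thread; remote.yourdomain.com and DOMAIN\user are placeholders, as in his post.

```powershell
# Added example, not code from the original thread. Writes the saved RDP
# connection described above: direct to an internal host through the SBS
# 2008 TS Gateway, with one logon for gateway and host. Gateway name and
# user are placeholders (assumptions); the host is the thread's member server.
param(
    [string]$Gateway    = 'remote.yourdomain.com',   # SBS 2008 public name
    [string]$TargetHost = 'appendix.library.local',  # Windows 2003 member server
    [string]$User       = 'DOMAIN\user',             # domain\user, as in the post
    [string]$OutFile    = "$env:USERPROFILE\Desktop\stock-control.rdp"
)

$settings = @(
    "full address:s:$TargetHost"
    "username:s:$User"
    "gatewayhostname:s:$Gateway"
    'gatewayusagemethod:i:1'          # 1 = always connect through the gateway
    'gatewayprofileusagemethod:i:1'   # use the explicit settings here, not defaults
    'gatewaycredentialssource:i:0'    # 0 = password (NTLM); 1 = smart card
    'promptcredentialonce:i:1'        # reuse the gateway credentials for the host (single logon)
    'authentication level:i:2'        # warn if the host certificate cannot be verified
    'screen mode id:i:2'              # full screen
)
[System.IO.File]::WriteAllLines($OutFile, [string[]]$settings)
Write-Host "Saved $OutFile; open it with mstsc.exe (RDP client 6.1 or newer)."
```

Double-clicking the file gives the single-logon behaviour described above; the two first-run prompts (gateway and host certificate) still appear once. Because the gateway is only reached over SSL, the certificate on the SBS box, self-signed or purchased, is what the client checks, which is why the certificate question in the reply above matters for this path and not for the PPTP one.
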

Assisted Solution

by:Steve (earned 50 total points)
ID: 33552583
Has the terminal server got a default gateway set? Can it access the internet? Set the default gateway on the member server to the server handling the vpn. Any return traffic from the member server may need to be routed through the vpn.
The issue here is the fact it works internally and not externally.
 

Author Comment

by:RobKanj
ID: 33592821
Dear Rob / Totally
I have not forgotten - I have a major issue on my hands with this SBS 2008 server and another client's exact same server (hardware and s/w build) rebooting indiscriminately every day, whether everyone is logged in or not - so I have been desperately troubleshooting as data is getting corrupted etc etc.
Rgds
Rob

Expert Comment

by:Rob Williams
ID: 33592868
What make of server? I heard of a similar issue with HP servers and USB attached drives causing random reboots.

Author Comment

by:RobKanj
ID: 33593161
Dear Rob
It's 02:46 BST so I will be posting a detailed separate request later to EE, but for now 2 x clients have the following:
2 x HP ML350 G6 in RAID 1 for OS and RAID 5 for data
Both have Windows 2008 SBS SP2 fully patched, including Exchange 2007 and SQL 2005 SP3 patches
Both use BES Express for BB Enterprise
Both servers started to reboot about 14 days ago. It has become increasingly common every day. Reboots with a USB attached or not.
I thought I had cracked it by finding a HP tech page stating that firmware BIOS 15th May to D22 version servers were required due to memory instability on the DIMMs (both clients have 8Gb), so I installed all the HP PSP firmware and software updates to no avail.
HP ASR is switched on, thus forcing the reboots. I will find out tomorrow how to switch it off so I can see how and why the server hangs.
Also I have to use the resource kit to analyse the minidump created in system32 and see if that gives me any clues.
Its a bad one.
I have a client who has a HP DL380 with exactly the same config minus the BES Express and his server is fine with USB drives attached and detached
I don't want to break rules so will post again as a new post
Thanks for prompting me in posting tonight
Regards
Rob

Expert Comment

by:Rob Williams
ID: 33596349
Sounds very frustrating. Looked into the issue I was familiar with but it only applies to Hyper-V installs.

Any driver updates lately on those machines?

Author Comment

by:RobKanj
ID: 33629950
Dear Rob and Tonto
The killer solution was provided by Rob:

"If you cannot edit, first make sure the member server is in the MyBusiness | Computers | SBS servers OU in Active Directory and not the SBS computers OU. It is put in the latter by default when you join the domain and thus the GPOs applied to PCs are used"
RDP is fine now.

Tonto - I am still awarding you points for your efforts and thought process - thank you both so much

Regards
Rob


Author Closing Comment

by:RobKanj
ID: 33629963
Appreciated the persistence.
Regards
Rob

Expert Comment

by:Rob Williams
ID: 33643125
Thanks RobKanj. Glad to hear you were able to resolve..
Cheers!
--Rob