Solved

Remote desktop SBS2008 network

Posted on 2011-02-23
9
1,109 Views
Last Modified: 2012-05-11
I have just upgraded our server from SBS2003 to SBS2008. I had several workstations accessible with RDP from home computers. Everything worked fine before the upgrade.
Now, I can access the server with RDP but not the individual workstations.
Workstations have a DHCP reservation.
Router uses port translation to connect to individual workstations, i.e. Port XXX1 -> 3389 -> workstation IP

I have given the users permission via the server user accounts to use RDP to access their workstations.

I have double checked all settings. RDP access on workstations is greyed out BUT checked and add users show that domain name/user has access.

I can access the workstations using RDP from any other computer on the network (internal) using the internal IP and logging in as the workstation user.

I'm sure this must be a firewall issue or group policy issue. Everything is a standard install.

Any Ideas?
Question by:Tecter
9 Comments
 
LVL 77

Expert Comment

by:Rob Williams
How are you accessing through the remote access web page, VPN, or unique port forwarding?
The safest way is using the https://remote.yourdomain.com remote access web page, and that should be automatically configured so long as you enabled it under the user's settings in the Windows SBS console. If using RDP with VPN or individual router port forwards it may be due to the Windows firewall. By default the firewall only allows access from the local LAN/subnet. The following outlines that problem for XP, but the concept is similar with Vista and Win7:
http://www.lan-2-wan.com/RD-FW.htm
 

Author Comment

by:Tecter
I think you are right that this is the issue (I am using the router to direct the outside user directly to his workstation, after a port translation). However, this had all worked fine until I reconnected the workstations to the new SBS 2008 server. The remote access item on the workstation firewall is greyed out (controlled by group policies). Do you know how I can change this in group policies on the server?
 
LVL 77

Expert Comment

by:Rob Williams
Perhaps instead of modifying GP or the firewall it would be best to use the new methods and SSL keeping things more secure.
Either use the Remote Access web page which uses SSL or if you want to have your users connect directly, with 2008 you can do that as well, as per the following instructions. That way you are still using SSL and you don't have to modify the firewall or group policies:


SBS 2008 and newer makes use of the TS Gateway service. This allows you to connect directly to a corporate server or PC and bypass RWW altogether, and yet still have the same security as RWW.

To do so the connecting client must have the updated TS/RDP client, version 6.1 or newer, which requires XP SP3, Vista SP1, or Win7/Server 2008. Then start the RDP connection client | click options | advanced | connection settings | and enter the TS gateway address (your SBS server name -probably remote.yourdomain.com). Under the General tab enter the computer name to which you want to connect and user name (domain\user), and save.

Clicking on the saved connection now allows you to connect directly to the corporate PC, still using SSL, and with only a single logon. The first time the connection is used, there are two pop-ups that have to be approved but if you check 'always' they will not be present next time.

This is new to 2008 and a very useful feature, especially for folk that are always connecting to the same server or PC and don't want to have to have to do multiple logins, approve multiple popups, and select a PC.


The following link outlines RWW with SBS 2008 and shows the client connection configuration half way down the page under "TSGateway Integration".
http://blogs.technet.com/b/sbs/archive/2009/06/25/sbs-2008-introduction-to-remote-web-workplace.aspx

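The saved-connection steps above (Options | Advanced | Connection settings, then the General tab) can also be captured in a .rdp file. The script below is an added example, not part of the original thread or of any Microsoft documentation; it writes a connection file with the TS Gateway settings that the mstsc 6.1+ client reads. The gateway name, workstation name and user are assumed placeholders.

```powershell
# Added example (not from the thread): save an RDP connection that goes through
# the SBS 2008 TS Gateway, matching the GUI steps in the comment above.
# All three names below are assumptions; replace them with your own.
param(
    [string]$Gateway  = 'remote.yourdomain.com',   # assumed: SBS server public name
    [string]$Computer = 'WS-BOSS',                 # assumed: internal workstation name
    [string]$User     = 'DOMAIN\jsmith',           # assumed: domain\user form
    [string]$Path     = "$env:USERPROFILE\Desktop\$Computer-via-gateway.rdp"
)

# Standard .rdp settings understood by the Remote Desktop client 6.1 and newer.
$settings = @(
    "full address:s:$Computer",       # General tab: computer to connect to
    "username:s:$User",               # General tab: domain\user
    "gatewayhostname:s:$Gateway",     # Advanced tab: TS Gateway server
    "gatewayusagemethod:i:1",         # 1 = always use the gateway
    "gatewaycredentialssource:i:0",   # 0 = prompt for password (NTLM)
    "gatewayprofileusagemethod:i:1",  # 1 = use the settings in this file
    "promptcredentialonce:i:1",       # one logon for gateway and workstation
    "authentication level:i:2"        # 2 = warn if the server certificate cannot be verified
)

# mstsc writes its own files as UTF-16 LE, so do the same.
Set-Content -Path $Path -Value $settings -Encoding Unicode
Write-Output "Saved $Path. Open it with mstsc.exe or double-click it."
```

Only TCP 443 to the SBS server needs to be reachable from outside; the workstation's 3389 stays internal, which is the point Rob makes about not needing a port forward per PC.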
 

Author Comment

by:Tecter
I have intentionally kept the server completely out of the remote access as it concerned me to have it visible in any way from outside the local network. I do not have an SSL certificate for it and have not opened any ports on the router to the server. It makes me nervous to do this, especially with standard known ports (3389 etc.). Is there some way to connect directly through the router to a workstation without going through the server?
 
LVL 77

Expert Comment

by:Rob Williams
With either of the methods I mentioned it doesn't require port 3389. It uses SSL to make the connection, and only domain admins can access the server. It is definitely more secure.

Yes, you can still use port redirection but you may have to edit the firewall. Exceptions can be edited by non-admins; they just can't turn it on and off.
Have you changed the listening port on the client from 3389?
 

Author Comment

by:Tecter
Internally the client computers use 3389 but the router does port translation so that from the internet the port is a non standard port.

I have noticed that the remote desktop item in the firewall is ticked as open but is set to local subnet only rather than any computer.
 
LVL 77

Expert Comment

by:Rob Williams
Actually, with port redirection, so long as the PC still uses 3389 you shouldn't need firewall modifications. If using a VPN you need to edit scope options, and if you change the listening port you need to change the port rule, but in your case it should work.

As a user name, have they tried domain\user instead of user?


You seem to be worried about security, but the alternate methods with the server-generated self-signed cert or a 3rd-party cert for <$50/year are simpler and more secure.
 

Author Comment

by:Tecter
I will look into the TS Gateway method you have suggested. But for tonight I need to get the boss's computer working with remote access as he is out of town and wants access now.

On his workstation, in Firewall | Exceptions | Remote Desktop, the scope is set to local subnet instead of all computers. The options are greyed out as it is controlled by group policies. Do you know how I can change this setting? I am quite sure that everything else is OK once this is changed.
 
LVL 77

Accepted Solution

by: Rob Williams (earned 500 total points)
You don't need to change it. Because the router is doing port translation the connection is considered local.
However, should you want to edit the GP policies, it is under:

For Vista and Win7 clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Windows settings | Security settings | Windows Firewall with advanced security | Windows Firewall with advanced security - LDAP....| Inbound rules | Remote desktop

For XP clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Administrative templates | Network | Network Connections | Windows firewall | Domain/standard profile | define inbound port exceptions
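Before editing either policy above, it helps to see what the workstation is actually enforcing: whether Remote Desktop is on, which port it listens on (the router's XXX1 -> 3389 mapping must match it), what scope the firewall rule carries, and whether that rule arrived via Group Policy, which is why the GUI is greyed out. The script below is an added, read-only check and is not code from the thread; it uses the default Windows rule name and registry paths for a Vista/Win7 client and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the RDP settings
# discussed above. Run in an elevated PowerShell prompt on the workstation.

# 1. Is Remote Desktop enabled, and on which TCP port does it listen?
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
Write-Output "Remote Desktop enabled : $($deny -eq 0)"
Write-Output "RDP listening port     : $port  (router translation must target this port)"

# 2. Effective firewall rule. RemoteIP reads 'LocalSubnet' when the scope is
#    restricted to the local subnet, or 'Any' when any address may connect.
Write-Output "`n--- Local firewall rule: Remote Desktop (TCP-In) ---"
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose |
    Select-String -Pattern '^(Enabled|Profiles|RemoteIP|LocalPort|Action)'

# 3. Rules delivered by Group Policy are stored under the Policies hive. When this
#    key holds a rule for port 3389, the rule is policy-controlled and the local
#    checkbox is greyed out, so the change has to be made in the GPO on the server.
$gpRules = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
Write-Output "`n--- Group Policy firewall rules for port 3389 ---"
if (Test-Path $gpRules) {
    Get-ItemProperty -Path $gpRules |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'LPort=3389' } |
        ForEach-Object { "$($_.Name): $($_.Value)" }
} else {
    Write-Output '(none: firewall rules on this machine are not Group Policy controlled)'
}
```

Each GPO rule value is a single string of `|`-separated fields; the one to read is `RA4=` (remote IPv4 addresses), which shows `LocalSubnet` when the scope is what this thread describes. If the script reports a port other than 3389, the router's translation target, not the firewall scope, is the first thing to fix.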