Remote desktop SBS2008 network

I have just upgraded our server from SBS2003 to SBS2008. I had several workstations accessible with RDP from home computers. Everything worked fine before the upgrade.
Now, I can access the server with RDP but not the individual workstations.
Workstations have a DHCP reservation.
Router uses port translation to connect to individual workstations, i.e. port XXX1 -> 3389 -> workstation IP

I have given the users permission via the server user accounts to use RDP to access their workstations.

I have double checked all settings. RDP access on workstations is greyed out BUT checked, and Add Users shows that domain name/user has access.

I can access the workstations using RDP from any other computer on the network (internal) using the internal IP and logging in as the WS user.

I'm sure this must be a firewall issue or group policy issue. Everything is standard install.  

Any Ideas?
Rob Williams Commented:
You don't need to change it. Because the router is doing port translation the connection is considered local.
However should you want edit the GP policies, it is under:

For Vista and Win7 clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Windows settings | Security settings | Windows Firewall with advanced security | Windows Firewall with advanced security - LDAP....| Inbound rules | Remote desktop

For XP clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Administrative templates | Network | Network Connections | Windows firewall | Domain/standard profile | define inbound port exceptions
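The answer above names the GPO path, but before editing policy it helps to confirm on the workstation itself which of the possible causes is actually in play: RDP disabled, a changed listening port, a firewall rule scoped to the local subnet, or a rule locked by group policy. The following is an added example, not code from the original thread. It assumes a Vista/Windows 7 domain workstation with PowerShell 2.0 and the built-in rule name "Remote Desktop (TCP-In)"; on XP the `netsh advfirewall` context does not exist and `gpresult /r` is not available.

```powershell
# Added example (not from the original thread): diagnose why an inbound RDP
# connection that arrives via a router port-forward is refused by a domain
# workstation. Assumes Vista/Win7, PowerShell 2.0, run from an elevated prompt.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 0 means connections are allowed.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
"Remote Desktop enabled: $($deny -eq 0)"

# 2. Which port does the workstation listen on? It must match the port the
#    router translates to (3389 in this thread). A changed port also needs a
#    matching firewall rule, as the later answer notes.
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
"RDP listening port: $port"

# 3. The inbound firewall rule. The RemoteIP line is the scope the GUI shows:
#    'LocalSubnet' is the "local subnet only" setting, 'Any' allows any address.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose |
    Select-String -Pattern 'Enabled|Profiles|RemoteIP|LocalPort'

# 4. Which GPOs reach this machine? If the rule is policy-delivered (greyed out
#    in the GUI), the local change in step 5 is refused and the scope has to be
#    edited in the "Windows SBS client" policy named in the answer above.
gpresult /scope computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,6

# 5. Only where the rule is NOT locked by GPO: widen the scope to any remote address.
#    Commented out so the script is read-only by default.
# netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=any
```

Step 3 is the check that matters for the symptom in this thread: when the router forwards the packet without rewriting the source address, the workstation sees the user's public IP, which falls outside 'LocalSubnet' and is silently dropped, while an internal client on the same subnet connects fine.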
Rob Williams Commented:
How are you accessing through the remote access web page, VPN, or unique port forwarding?
The safest way is using the remote access web page, and that should be automatically configured so long as you enabled it under the user's settings in the Windows SBS console. If using RDP with VPN or individual router port forwards it may be due to the Windows firewall. By default the firewall only allows access from the local LAN/subnet. The following outlines that problem for XP, but the concept is similar with Vista and Win7:
Tecter (Author) Commented:
I think you are right that this is the issue (I am using the router to direct the outside user directly to his workstation, after a port translation). However, this had all worked fine until I reconnected the workstations to the new SBS 2008 server. The remote access item on the workstation firewall is greyed out (controlled by group policies). Do you know how I can change this in group policies on the server?
Rob Williams Commented:
Perhaps instead of modifying GP or the firewall it would be best to use the new methods and SSL keeping things more secure.
Either use the Remote Access web page which uses SSL or if you want to have your users connect directly, with 2008 you can do that as well, as per the following instructions. That way you are still using SSL and you don't have to modify the firewall or group policies:

SBS 2008 and newer makes use of the TS Gateway service. This allows you to connect directly to a corporate server or PC and bypass RWW altogether, and yet still have the same security as RWW.

To do so the connecting client must have the updated TS/RDP client, version 6.1 or newer, which requires XP SP3, Vista SP1, or Win7/Server 2008. Then start the RDP connection client | click Options | Advanced | Connection settings | and enter the TS gateway address (your SBS server name, probably). Under the General tab enter the computer name to which you want to connect and the user name (domain\user), and save.

Clicking on the saved connection now allows you to connect directly to the corporate PC, still using SSL, and with only a single logon. The first time the connection is used, there are two pop-ups that have to be approved but if you check 'always' they will not be present next time.

This is new to 2008 and a very useful feature, especially for folk that are always connecting to the same server or PC and don't want to have to do multiple logins, approve multiple popups, and select a PC.

The following link outlines RWW with SBS 2008 and shows the client connection configuration half way down the page under "TSGateway Integration".
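The dialog sequence described in this answer produces a saved .rdp file; the settings it writes can equally be generated directly, which is handy when a user out of town cannot be walked through the Options tabs. The following is an added example, not code from the original thread or the SBS product. The gateway name, workstation name and account are placeholders; the real gateway name is the public name on the SBS SSL certificate, and the client needs RDP 6.1 or newer as the answer states.

```powershell
# Added example (not from the original thread): build a saved RDP connection
# that goes through the SBS 2008 TS Gateway over SSL (TCP 443), so no 3389
# port-forward to the workstation is needed. Placeholder values below.

$gateway = 'remote.example.com'   # assumption: public name on the SBS certificate
$target  = 'BOSS-PC'              # assumption: internal workstation name
$user    = 'EXAMPLE\boss'         # domain\user, not a bare user name

# Standard .rdp settings: gatewayusagemethod 1 = always use the gateway,
# gatewayprofileusagemethod 1 = use these explicit gateway settings,
# gatewaycredentialssource 0 = ask for a password (NTLM),
# promptcredentialonce 1 = reuse the gateway logon for the PC (the "single logon"
# described above), authentication level 2 = warn on a certificate mismatch
# rather than connecting silently.
$rdp = @"
full address:s:$target
username:s:$user
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:2
"@

$path = Join-Path $env:USERPROFILE "Desktop\$target-via-gateway.rdp"
Set-Content -Path $path -Value $rdp -Encoding Unicode
"Saved $path"

# Sanity check from the remote client: the only port the gateway needs is 443.
$sock = New-Object Net.Sockets.TcpClient
try   { $sock.Connect($gateway, 443); "TS Gateway reachable on 443: True" }
catch { "TS Gateway reachable on 443: False ($($_.Exception.Message))" }
finally { $sock.Close() }
```

Double-clicking the saved file starts mstsc with the gateway settings already filled in; the two one-time pop-ups mentioned above (gateway trust and credential prompt) still appear on first use.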

Tecter (Author) Commented:
I have intentionally kept the server completely out of the remote access as it concerned me to have it visible in any way from outside the local network. I do not have an SSL certificate for it and have not opened any ports on the router to the server. It makes me nervous to do this, especially with standard known ports (3389 etc.). Is there some way to connect directly through the router to a workstation without going through the server?
Rob Williams Commented:
With either of the methods I mentioned it doesn't require port 3389. It uses SSL to make the connection, and only domain admins can access the server. It is definitely more secure.

Yes, you can still use port redirection but you may have to edit the firewall. Exceptions can be edited by non-admins; they just can't turn it on and off.
Have you changed the listening port on the client from 3389?
Tecter (Author) Commented:
Internally the client computers use 3389 but the router does port translation so that from the internet the port is a non standard port.

I have noticed that the remote desktop item in the firewall is ticked as open but is set to local subnet only rather than any computer.
Rob Williams Commented:
Actually with port redirection, so long as the PC still uses 3389, you shouldn't need firewall modifications. If using a VPN you need to edit scope options, and if you change the listening port you need to change the port rule, but in your case it should work.

As a user name, have they tried domain\user instead of user?

You seem to be worried about security, but the alternate methods with the server-generated self-signed cert or a 3rd-party cert for <$50/year are simpler and more secure.
Tecter (Author) Commented:
I will look into the TS Gateway method you have suggested. But for tonight I need to get the boss's computer working with remote access as he is out of town and wants access now.  

On his workstation, in Firewall | Exceptions | Remote Desktop, the scope is set to local subnet instead of all computers. The options are greyed out as it is controlled by group policies. Do you know how I can change this setting? I am quite sure that everything else is OK once this is changed.