

Remote desktop SBS2008 network

Posted on 2011-02-23
Last Modified: 2012-05-11
I have just upgraded our server from SBS2003 to SBS2008. I had several workstations accessible with RDP from home computers. Everything worked fine before the upgrade.
Now, I can access the server with RDP but not the individual workstations.
Workstations have a DHCP reservation.
Router uses port translation to connect to the individual workstation, i.e. port XXX1 -> 3389 -> workstation IP.

I have given the users permission via the server user accounts to use RDP to access their workstations.

I have double checked all settings. RDP access on workstations is greyed out BUT checked, and Add Users shows that domain name/user has access.

I can access the workstations using RDP from any other computer on the network (internal) using the internal IP and logging in as the workstation user.

I'm sure this must be a firewall issue or group policy issue. Everything is standard install.  

Any Ideas?
Question by: Tecter

Expert Comment

by: Rob Williams
ID: 34966255
How are you accessing through the remote access web page, VPN, or unique port forwarding?
The safest way is using the https://remote.yourdomain.com remote access web page, and that should be automatically configured so long as you enabled it under the user's settings in the Windows SBS console. If using RDP with VPN or individual router port forwards it may be due to the Windows firewall. By default the firewall only allows access from the local LAN/subnet. The following outlines that problem for XP, but the concept is similar with Vista and Win7:

Author Comment

ID: 34966285
I think you are right that this is the issue (I am using the router to direct the outside user directly to his workstation, after a port translation). However, this had all worked fine until I reconnected the workstations to the new SBS 2008 server. The remote access item on the workstation firewall is greyed out (controlled by group policies). Do you know how I can change this in group policies on the server?

Expert Comment

by: Rob Williams
ID: 34966311
Perhaps instead of modifying GP or the firewall it would be best to use the new methods and SSL keeping things more secure.
Either use the Remote Access web page which uses SSL or if you want to have your users connect directly, with 2008 you can do that as well, as per the following instructions. That way you are still using SSL and you don't have to modify the firewall or group policies:

SBS 2008 and newer makes use of the TS Gateway service. This allows you to connect directly to a corporate server or PC and bypass RWW altogether, and yet still have the same security as RWW.

To do so the connecting client must have the updated TS/RDP client, version 6.1 or newer, which requires XP SP3, Vista SP1, or Win7/Server 2008. Then start the RDP connection client | click options | advanced | connection settings | and enter the TS gateway address (your SBS server name -probably remote.yourdomain.com). Under the General tab enter the computer name to which you want to connect and user name (domain\user), and save.

Clicking on the saved connection now allows you to connect directly to the corporate PC, still using SSL, and with only a single logon. The first time the connection is used, there are two pop-ups that have to be approved but if you check 'always' they will not be present next time.

This is new to 2008 and a very useful feature, especially for folk that are always connecting to the same server or PC and don't want to have to do multiple logins, approve multiple popups, and select a PC.

The following link outlines RWW with SBS 2008 and shows the client connection configuration half way down the page under "TSGateway Integration".
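As an added illustration (not from the thread), the saved connection Rob describes through the mstsc Options dialog, written directly as a .rdp file with PowerShell; remote.yourdomain.com, WORKSTATION01 and DOMAIN\user are placeholders.

```powershell
# Added example, not from the thread. Writes the saved connection Rob describes
# (General tab: computer and user; Advanced > Connection settings: TS Gateway)
# as an .rdp file and opens it with the RDP client (mstsc 6.1 or newer).
# remote.yourdomain.com, WORKSTATION01 and DOMAIN\user are placeholders.

$rdpFile = Join-Path $env:USERPROFILE 'Desktop\Work PC via TS Gateway.rdp'

$settings = @"
full address:s:WORKSTATION01
username:s:DOMAIN\user
gatewayhostname:s:remote.yourdomain.com
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:2
"@
# gatewayusagemethod 1        : always go through the gateway (SSL on 443); 3389 is never
#                               opened on the router or reached directly from the internet
# gatewayprofileusagemethod 1 : use the gateway settings in this file, not the client default
# gatewaycredentialssource 0  : ask for a password; the gateway checks it against the domain
# promptcredentialonce 1      : reuse the gateway logon for the workstation (the single logon)
# authentication level 2      : warn, rather than silently connect, when the server's certificate
#                               cannot be verified; set 1 to refuse once the SBS cert is trusted

Set-Content -Path $rdpFile -Value $settings -Encoding Unicode
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdpFile`""
```

The first run still shows the two approval prompts Rob mentions; the file carries the settings, not the trust decisions.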



Author Comment

ID: 34966379
I have intentionally kept the server completely out of the remote access as it concerned me to have it visible in any way from outside the local network. I do not have an SSL certificate for it and have not opened any ports on the router to the server. It makes me nervous to do this, especially with standard known ports (3389 etc.). Is there some way to connect directly through the router to a workstation without going through the server?

Expert Comment

by: Rob Williams
ID: 34966461
With either of the methods I mentioned it doesn't require port 3389. It uses SSL to make the connection, and only domain admins can access the server. It is definitely more secure.

Yes, you can still use port redirection but you may have to edit the firewall. Exceptions can be edited by non-admins, they just can't turn it on and off.
Have you changed the listening port on the client from 3389?

Author Comment

ID: 34966475
Internally the client computers use 3389 but the router does port translation so that from the internet the port is a non standard port.

I have noticed that the remote desktop item in the firewall is ticked as open but is set to local subnet only rather than any computer.
Expert Comment

by: Rob Williams
ID: 34966565
Actually with port redirection, so long as the PC still uses 3389 you shouldn't need firewall modifications. If using a VPN you need to edit scope options, and if you change the listening port you need to change the port rule, but in your case it should work.

As a user name, have they tried domain\user instead of user?

You seem to be worried about security but alternate methods with the server generated self signed cert or a 3rd party cert for <$50/year is simpler and more secure.

Author Comment

ID: 34966611
I will look into the TS Gateway method you have suggested. But for tonight I need to get the boss's computer working with remote access as he is out of town and wants access now.  

On his workstation, in Firewall, Exceptions, Remote Desktop, the scope is set to local subnet instead of all computers. The options are greyed out as it is controlled by group policies. Do you know how I can change this setting? I am quite sure that everything else is OK once this is changed.

Accepted Solution

Rob Williams earned 2000 total points
ID: 34966721
You don't need to change it. Because the router is doing port translation the connection is considered local.
However, should you want to edit the GP policies, it is under:

For Vista and Win7 clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Windows settings | Security settings | Windows Firewall with advanced security | Windows Firewall with advanced security - LDAP....| Inbound rules | Remote desktop

For XP clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Administrative templates | Network | Network Connections | Windows firewall | Domain/standard profile | define inbound port exceptions
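As an added diagnostic (not from the thread), a script to run elevated on a Vista/Win7 workstation that reports the settings this thread turns on: whether RDP is enabled, the listening port the router translation must match, who is in Remote Desktop Users, and the firewall rule with its remote-address scope and whether it comes from group policy. The rule name assumed is the Vista/Win7 built-in "Remote Desktop (TCP-In)".

```powershell
# Added diagnostic, not from the thread. Run elevated on the workstation (PowerShell 2.0 compatible).
# Reports the settings discussed above so the greyed-out firewall entry can be read without the UI.

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means enabled.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
Write-Host ("Remote Desktop enabled : {0}" -f ($deny -eq 0))

# 2. Listening port. The router's translation (XXX1 -> 3389) must point at this value;
#    if it has been changed from 3389 the built-in firewall rule no longer covers it.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
Write-Host ("RDP listening port     : {0}" -f $port)

# 3. Who may log on. Users granted RDP in the SBS console should appear here as DOMAIN\user.
Write-Host "Remote Desktop Users   :"
net localgroup "Remote Desktop Users" | Select-Object -Skip 5 |
    Where-Object { $_ -and $_ -notmatch '^The command completed' }

# 4. The firewall rule and its scope. 'RemoteIP: LocalSubnet' is what the author saw;
#    a packet that arrives with a non-local source address needs 'RemoteIP: Any'.
#    'Rule source: Group Policy' means the local UI shows it greyed out.
#    Win8 and later name the rule 'Remote Desktop - User Mode (TCP-In)' instead.
Write-Host "Firewall rule          :"
& netsh advfirewall firewall show rule 'name=Remote Desktop (TCP-In)' verbose |
    Where-Object { $_ -match '^(Rule Name|Enabled|Profiles|RemoteIP|LocalPort|Rule source)' }

# 5. Policy-delivered advanced-firewall rules are stored under this key; an RDP entry here
#    confirms the rule is managed from the SBS group policy rather than locally.
$gpRules = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
if (Test-Path $gpRules) {
    $fromGp = @((Get-ItemProperty -Path $gpRules).PSObject.Properties |
        Where-Object { $_.Value -match 'Remote Desktop' })
    Write-Host ("GP-managed RDP rules   : {0}" -f $fromGp.Count)
    $fromGp | ForEach-Object { Write-Host ("  " + $_.Value) }
} else {
    Write-Host "GP-managed RDP rules   : none (rule is locally managed)"
}
```

If step 4 shows LocalSubnet and the connecting address is the router's public-side source, that scope, not the user rights, is what decides the outcome.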
