Remote desktop SBS2008 network

Posted on 2011-02-23
Last Modified: 2012-05-11
I have just upgraded our server from SBS2003 to SBS2008. I had several workstations accessible with RDP from home computers. Everything worked fine before the upgrade.
Now, I can access the server with RDP but not the individual workstations.
Workstations have a DHCP reservation.
Router uses port translation to connect to individual workstations, i.e. Port XXX1 -> 3389 -> workstation IP

I have given the users permission via the server user accounts to use RDP to access their workstations.

I have double checked all settings. RDP access on workstations is greyed out BUT checked and add users show that domain name/user has access.

I can access the workstations using RDP from any other computer on the network (internal) using the internal IP and logging in as the WS user.

I'm sure this must be a firewall issue or group policy issue. Everything is a standard install.

Any Ideas?
Question by:Tecter

Expert Comment

by:Rob Williams
ID: 34966255
How are you accessing: through the Remote Access web page, VPN, or unique port forwarding?
The safest way is using the Remote Access web page, and that should be automatically configured so long as you enabled it under the user's settings in the Windows SBS console. If using RDP with VPN or individual router port forwards, it may be due to the Windows firewall. By default the firewall only allows access from the local LAN/subnet. The following outlines that problem for XP, but the concept is similar with Vista and Win7:

Author Comment

ID: 34966285
I think you are right that this is the issue (I am using the router to direct the outside user directly to his workstation, after a port translation). However, this had all worked fine until I reconnected the workstations to the new SBS 2008 server. The remote access item on the workstation firewall is greyed out (controlled by group policies). Do you know how I can change this in group policies on the server?

Expert Comment

by:Rob Williams
ID: 34966311
Perhaps instead of modifying GP or the firewall it would be best to use the new methods and SSL, keeping things more secure.
Either use the Remote Access web page, which uses SSL, or if you want to have your users connect directly, with 2008 you can do that as well, as per the following instructions. That way you are still using SSL and you don't have to modify the firewall or group policies:

SBS 2008 and newer makes use of the TS Gateway service. This allows you to connect directly to a corporate server or PC and bypass RWW altogether, and yet still have the same security as RWW.

To do so the connecting client must have the updated TS/RDP client, version 6.1 or newer, which requires XP SP3, Vista SP1, or Win7/Server 2008. Then start the RDP connection client | click options | advanced | connection settings | and enter the TS gateway address (your SBS server name -probably Under the General tab enter the computer name to which you want to connect and user name (domain\user), and save.

Clicking on the saved connection now allows you to connect directly to the corporate PC, still using SSL, and with only a single logon. The first time the connection is used there are two pop-ups that have to be approved, but if you check 'always' they will not be present next time.

This is new to 2008 and a very useful feature, especially for folk that are always connecting to the same server or PC and don't want to have to do multiple logins, approve multiple pop-ups, and select a PC.

The following link outlines RWW with SBS 2008 and shows the client connection configuration half way down the page under "TSGateway Integration".
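The client-side half of the TS Gateway setup described above (gateway address under Options | Advanced | Connection settings, PC name and domain\user under General) is just a handful of lines in a saved .rdp file, so it can be scripted for a user who is out of town. The PowerShell script below is an added example, not code from the thread or from Microsoft: every host name, user name and file path in it is a placeholder you would replace with your own. It writes the .rdp file, checks that the gateway answers on TCP 443 (the only port the router needs to forward to the SBS server for this method; 3389 stays closed), and opens the connection with mstsc.exe.

```powershell
# Added example, not from the original thread: build a saved .rdp connection that
# goes through the SBS 2008 TS Gateway and open it with mstsc.exe.
# All names below are placeholders (assumed); substitute your own.
param(
    [string]$Gateway  = 'remote.example.com',     # public name of the SBS server (assumed)
    [string]$Computer = 'BOSS-PC.contoso.local',  # internal name of the workstation (assumed)
    [string]$User     = 'CONTOSO\bossuser',       # domain\user, as the post recommends
    [string]$OutFile  = (Join-Path $env:USERPROFILE 'Desktop\boss-pc-via-gateway.rdp')
)

# An .rdp file is plain text, one "name:type:value" setting per line (s = string,
# i = integer). These are the keys mstsc writes when the gateway is entered under
# Options > Advanced > Connection settings and the PC under General.
$settings = @"
full address:s:$Computer
username:s:$User
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
authentication level:i:2
"@
# gatewayusagemethod 1        = always go through the gateway, even from the LAN
# gatewaycredentialssource 0  = password (NTLM) logon to the gateway
# gatewayprofileusagemethod 1 = use the explicit gateway above, not the default
# promptcredentialonce 1      = reuse the gateway credentials for the PC (single logon)
# authentication level 2      = warn (rather than refuse) when the certificate cannot
#                               be verified; that warning is one of the pop-ups the
#                               post mentions, and it stays with a self-signed cert

# Connect with a timeout so a closed router port fails in seconds, not minutes.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TS Gateway rides on HTTPS, so 443 on the SBS server is the only port the
# router must forward for this method; 3389 is never exposed.
if (-not (Test-TcpPort -HostName $Gateway -Port 443)) {
    Write-Warning "$Gateway does not answer on TCP 443; check the router forward to the SBS server."
}

Set-Content -Path $OutFile -Value $settings
Write-Host "Saved $OutFile"
Start-Process -FilePath 'mstsc.exe' -ArgumentList ('"{0}"' -f $OutFile)
```

The saved file can be mailed to the user; double-clicking it gives the same result as filling in the dialogs by hand. Gateway access is still gated by the user's Remote Access permission in the SBS console, and a rule on the gateway (the TS Gateway resource authorization policy) decides which internal computers that user may reach, so the .rdp file alone grants nothing.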


Author Comment

ID: 34966379
I have intentionally kept the server completely out of the remote access, as it concerned me to have it visible in any way from outside the local network. I do not have an SSL certificate for it and have not opened any ports on the router to the server. It makes me nervous to do this, especially with standard known ports (3389 etc.). Is there some way to connect directly through the router to a workstation without going through the server?

Expert Comment

by:Rob Williams
ID: 34966461
With either of the methods I mentioned it doesn't require port 3389. It uses SSL to make the connection, and only domain admins can access the server. It is definitely more secure.

Yes, you can still use port redirection, but you may have to edit the firewall. Exceptions can be edited by non-admins; they just can't turn it on and off.
Have you changed the listening port on the client from 3389?

Author Comment

ID: 34966475
Internally the client computers use 3389 but the router does port translation so that from the internet the port is a non standard port.

I have noticed that the remote desktop item in the firewall is ticked as open but is set to local subnet only rather than any computer.

Expert Comment

by:Rob Williams
ID: 34966565
Actually, with port redirection, so long as the PC still uses 3389, you shouldn't need firewall modifications. If using a VPN you need to edit scope options, and if you change the listening port you need to change the port rule, but in your case it should work.

As a user name, have they tried domain\user instead of user?

You seem to be worried about security, but the alternate methods with the server-generated self-signed cert or a 3rd-party cert for <$50/year are simpler and more secure.

Author Comment

ID: 34966611
I will look into the TS Gateway method you have suggested. But for tonight I need to get the boss's computer working with remote access, as he is out of town and wants access now.

On his workstation, in Firewall | Exceptions | Remote Desktop, the scope is set to local subnet instead of all computers. The options are greyed out as it is controlled by group policies. Do you know how I can change this setting? I am quite sure that everything else is OK once this is changed.

Accepted Solution

Rob Williams earned 500 total points
ID: 34966721
You don't need to change it. Because the router is doing port translation the connection is considered local.
However, should you want to edit the GP policies, it is under:

For Vista and Win7 clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Windows settings | Security settings | Windows Firewall with advanced security | Windows Firewall with advanced security - LDAP....| Inbound rules | Remote desktop

For XP clients see the "Windows SBS client - Windows Vista policy" | Computer configuration | Policies | Administrative templates | Network | Network Connections | Windows firewall | Domain/standard profile | define inbound port exceptions
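Both Rob's first comment (the firewall only allows Remote Desktop from the local subnet by default) and the accepted solution above come down to one question: what does the workstation's inbound Remote Desktop rule actually allow once Group Policy owns it, and on which port? The PowerShell script below is an added example, not code from the thread, for answering that on the workstation itself without touching the greyed-out firewall dialog. It reads whether Remote Desktop is enabled, which port it listens on, and every inbound TCP rule for that port from both rule stores (the local store and the one Group Policy writes to), reporting each rule's remote-address scope and profile. The registry paths and the pipe-delimited rule-string format are the standard Vista/Win7 ones; run it in an elevated PowerShell on the workstation. One caveat worth checking rather than assuming: a rule scoped to LocalSubnet admits only packets whose source address is inside the workstation's own subnet, and whether a connection forwarded by the router has such a source depends on whether the router rewrites the source address as well as the destination, so the RemoteScope column is the thing to look at.

```powershell
# Added example, not from the original thread: show the settings that decide
# whether a port-forwarded RDP session reaches this workstation, without using
# the (Group Policy controlled, greyed-out) firewall UI. Run elevated on the PC.

# Remote Desktop listener state, straight from the registry.
function Get-RdpListener {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"
    New-Object PSObject -Property @{
        Enabled     = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
        Port        = $tcp.PortNumber                # 3389 unless someone changed it
        NlaRequired = ($tcp.UserAuthentication -eq 1) # Network Level Authentication
    }
}

# Firewall rules are stored as "v2.x|Action=Allow|Active=TRUE|Dir=In|Protocol=6|
# LPort=3389|RA4=LocalSubnet|Profile=Domain|Name=...|" strings. Parse one into a
# hashtable; repeated keys (several Profile= or RA4= tokens) are joined with commas.
function ConvertFrom-FirewallRule([string]$RuleString) {
    $fields = @{}
    foreach ($token in ($RuleString -split '\|')) {
        if ($token -match '^([^=]+)=(.*)$') {
            $k = $matches[1]; $v = $matches[2]
            if ($fields.ContainsKey($k)) { $fields[$k] = $fields[$k] + ',' + $v }
            else                         { $fields[$k] = $v }
        }
    }
    return $fields
}

# Every inbound TCP rule for the RDP port, from both stores. Rules in the
# GroupPolicy store are the ones the local UI shows greyed out; a RemoteScope of
# LocalSubnet admits only sources inside this PC's own subnet, "Any" admits all.
function Get-RdpFirewallRules([int]$Port) {
    $stores = @{
        'Local'       = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
        'GroupPolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
    }
    foreach ($store in $stores.Keys) {
        $key = Get-Item -Path $stores[$store] -ErrorAction SilentlyContinue
        if ($key -eq $null) { continue }   # no policy-delivered rules on this PC
        foreach ($valueName in $key.GetValueNames()) {
            $f = ConvertFrom-FirewallRule $key.GetValue($valueName)
            if ($f['Dir'] -eq 'In' -and $f['Protocol'] -eq '6' -and $f['LPort'] -eq "$Port") {
                New-Object PSObject -Property @{
                    Store       = $store
                    Name        = $f['Name']
                    Active      = $f['Active']
                    Action      = $f['Action']
                    RemoteScope = $(if ($f['RA4']) { $f['RA4'] } else { 'Any' })
                    Profiles    = $(if ($f['Profile']) { $f['Profile'] } else { 'All' })
                }
            }
        }
    }
}

$listener = Get-RdpListener
$listener | Format-List
if (-not $listener.Enabled) { Write-Warning 'Remote Desktop is disabled on this machine.' }

# The router forwards its public port to TCP <Port> on this PC, so the rule has
# to match the internal listening port, whatever external port the router shows.
$rules = @(Get-RdpFirewallRules -Port $listener.Port)
if ($rules.Count -eq 0) {
    Write-Warning "No inbound rule allows TCP $($listener.Port); a forward to this PC will be dropped."
} else {
    $rules | Format-Table Store, Active, Action, RemoteScope, Profiles, Name -AutoSize
}
```

If the only Allow rule for the port is in the GroupPolicy store with RemoteScope LocalSubnet, the place to change it is the GPO path the accepted solution gives, followed by gpupdate /force on the workstation; rerunning the script then confirms the new scope has arrived. Names that come back as @FirewallAPI.dll,-NNNNN are resource-string references for the built-in rules and are normal.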
