buzz_2_infinity

asked:
RDP and firewall over multiple subnets

Hello everyone.

Just installed a few new servers and have a few teething issues at the moment.  We have a Domain Controller, Exchange server and an older 2003 Windows server.  We came from a SBS, but this has now been retired.

I can't seem to use remote desktop or file and print sharing from one machine to another on different subnets.  On the same subnet there is no problem at all - RDP or file and print sharing, just when trying to access from a different subnet.

I'm positive that this is related to a GPO that is in use on the domain, but can't seem to find the option that will allow RDP and file sharing across multiple subnets for all PCs in the domain.

If someone could please point me in the right direction it would really be appreciated.

Thank you
Glen Knight

GPO will not define subnets.

Have you got the appropriate routing in place? Can you telnet from one server on one subnet to one on the other subnet on port 3389?
Shouldn't have any problem using RDP over different subnets if routing has been configured properly. We did use RDP over different sites which are on different subnets.

Why are you using different subnet? Telling us may help us to find a solution.
someone0

I don't think GPO is your problem here, although it's possible, it's unlikely.
I think your problem is either firewall or routing.
If you simply have 2 machines on 2 different subnets but on the same physical LAN, they won't talk to each other.  You will need a router.  And that sounds like your problem, since you can't access file sharing either.  A simple ping will test this out.  If you do have a router, it's possible you have a firewall that blocks it; even the built-in Windows firewall will block it since it would assume it's not in the same subnet.  So, I would think you should check those two things out.  But the question is, is there a reason why they have to be on different subnets?  Having those machines on different subnets isn't ideal, especially if you have no reason to do so.
I wonder if you still have any SBS group policies? There is a policy for firewalls that may have been changed previously that might be affecting you.

This is the Policy: "Small business Server Windows Firewall"
This GP CAN define what machines can and cannot connect to machines using RDP in your network, including limiting the connection down to a single subnet.

These Policies should have been either removed or changed to work in your environment after you migrated away from SBS. But there may be reasons you kept them.

If it's not the GPO then it's just down to routing as the previous comments have stated. Check your routes. Can you ping between the servers etc? Are there other ports open on the server you can connect to? E.g. SMTP (25) using telnet. If so then the routes are there and you will need to check firewalls.
buzz_2_infinity (asker)

Hello,

Proper routing is in place.  My IP address is 192.168.12.50 and I can ping 192.168.11.3 with no problem at all.  People are working from 192.168.12.X and accessing a Linux file server on 192.168.11.201 and there is no problem there at all (using Samba).  One of the reasons we have more than one subnet is to manage the amount of devices that we have on our network; it also keeps things neat and tidy from an organizational point of view.

I do remember that I did have to change a GPO when we were using SBS, and this resolved our problem when using RDP or file and print sharing across all subnets.  I remember that the GPO was set only to allow traffic from the local subnet.  I believe by default that it's 192.168.11.0/24 and it needs to be something like 192.168.11.0/16.  This would/should allow the Windows firewall to allow file and print/RDP over all subnets/VLANs in the company.  The VLANs were set up initially to cut down the amount of network traffic/storms etc.

Again, I'm confident that all routing is set up and working as it should be.  Things were working the way they should have been before we took the SBS, just trying to get over this last hurdle now.  Does this bit of information help?
Can you telnet from one server to the other on port 3389?  This will prove the routing is in place.
Hello someone0, your quote exactly describes the problem that I'm having!  I believe the Windows firewall is blocking RDP and file and print sharing.

If you do have a router, it's possible you have a firewall that block it, even a built-in Windows firewall will block it since it would assume it's not in the same sub net
Can you not turn off the firewall to test to see if it's this that's causing it?
I can do that, but don't really want to open everything up at the moment.  I just need to get a few ports open across the network (file and print and RDP).  I just need to get the Windows firewall configured in the GPO to allow this.
Hello,

I found it over here.  If you go to Computer config -> Admin Templates ->Network Communications -> Windows Firewall -> Domain Profile and then edit

"Windows Firewall: Allow inbound file and printer sharing exception" and "Windows Firewall: Allow inbound Remote Desktop exceptions"

with

192.168.0.0/16

and this allowed the file and RDP traffic across all subnets!

Thanks everyone for the input, we are back up and running now! :)
The problem is the Windows firewall creates an exception for RDP when you enable access, but only for the local subnet. To resolve you have to edit the firewall scope options to include the remote subnet or all. I have an explanation for XP here, but the process is similar for Vista/Win7
http://www.lan-2-wan.com/RD-FW.htm
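The two posts above come down to how the firewall exception's scope is evaluated: "localsubnet" is computed from the host's own interface, so a 192.168.12.0/24 host never admits 192.168.11.3, while a wider scope such as 192.168.0.0/16 does. The following is an added example, not code from the thread or from Windows; it assumes the scope syntax of the legacy Windows Firewall Administrative Template (comma-separated list of "*", "localsubnet", single addresses, or subnets in CIDR or netmask form) and models which remote addresses a given scope admits, including the wider-than-needed /16 the asker used.

```python
import ipaddress


def parse_scope(scope, host_ip, host_prefixlen):
    """Expand a scope string into the networks it admits.

    Syntax assumed (mirrors the legacy Windows Firewall template, this is
    not Windows code): "*" = any address, "localsubnet" = the subnet of
    the host's own interface, otherwise comma-separated addresses or
    subnets such as 192.168.11.0/24 or 192.168.11.0/255.255.255.0.
    """
    host_net = ipaddress.ip_network(f"{host_ip}/{host_prefixlen}", strict=False)
    nets = []
    for item in scope.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if item == "*":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item == "localsubnet":
            nets.append(host_net)
        else:
            # strict=False tolerates host bits set, e.g. the asker's
            # "192.168.11.0/16", which Windows reads as 192.168.0.0/16
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def allowed(scope, host_ip, host_prefixlen, remote_ip):
    """True if an inbound packet from remote_ip passes the exception scope."""
    remote = ipaddress.ip_address(remote_ip)
    return any(remote in net for net in parse_scope(scope, host_ip, host_prefixlen))


def tight_scope(subnets_in_use):
    """Scope string that admits only the subnets actually deployed (constructed helper)."""
    return ",".join(str(ipaddress.ip_network(s)) for s in subnets_in_use)


if __name__ == "__main__":
    host = ("192.168.12.50", 24)            # the asker's workstation
    for scope in ("localsubnet", "192.168.0.0/16",
                  tight_scope(["192.168.11.0/24", "192.168.12.0/24"])):
        for remote in ("192.168.11.3", "192.168.99.7"):
            print(f"{scope:40} from {remote:14} -> {allowed(scope, *host, remote)}")
```

The tighter scope listing only the subnets in use admits 192.168.11.3 just as the /16 does, but refuses a host on an undeployed 192.168.99.0/24, so it is the form to prefer in the GPO once the subnet list is known.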
Rob Williams
Thank you RobWill.

That would work, but I just don't want to go around to every PC and do this.  The group policy way is a good way to go, as it saves a lot of time.  Thanks for the second link, this was very similar to what I've just done.

Thanks!
What GP did you find it in? Or only local policies?
PS - On the server in the group policy management console
I just edited the Default Policy on the DC and then

Computer config -> Admin Templates ->Network Communications -> Windows Firewall -> Domain Profile

That did the trick!
You can edit any policy that applies to a computer or an OU, but using standard policies makes it easier for another admin to troubleshoot.