Solved

RDP and firewall over multiple subnets

Posted on 2011-03-07
Last Modified: 2012-05-11
Hello everyone.

Just installed a few new servers and have a few teething issues at the moment. We have a Domain Controller, an Exchange server and an older Windows 2003 server. We came from an SBS, but this has now been retired.

I can't seem to use Remote Desktop or file and print sharing from one machine to another on different subnets. On the same subnet there is no problem at all, RDP or file and print sharing; it is just when trying to access from a different subnet.

I'm positive that this is related to a GPO that is in use on the domain, but I can't seem to find the option that will allow RDP and file sharing across multiple subnets for all PCs in the domain.

If someone could please point me in the right direction it would really be appreciated.

Thank you
Question by:buzz_2_infinity

20 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35055170
GPO will not define subnets.

Have you got the appropriate routing in place? Can you telnet from one server on one subnet to one on the other subnet on port 3389?
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 35055213
You shouldn't have any problem using RDP over different subnets if routing has been configured properly. We do use RDP between different sites which are on different subnets.

Why are you using different subnets? Telling us may help us find a solution.
 
LVL 2

Expert Comment

by:someone0
ID: 35055316
I don't think GPO is your problem here; it's possible, but unlikely.
I think your problem is either firewall or routing.

If you simply have two machines on two different subnets but on the same physical LAN, they won't talk to each other. You will need a router. And that sounds like your problem, since you can't access file sharing either. A simple ping will test this out.

If you do have a router, it's possible you have a firewall that blocks it; even the built-in Windows firewall will block it, since it would assume it's not in the same subnet. So I would think you should check those two things out.

But the question is, is there a reason why they have to be on different subnets? Having those machines on different subnets isn't ideal, especially if you have no reason to do so.
 
LVL 4

Expert Comment

by:timhodkin
ID: 35055332
I wonder if you still have any SBS group policies? There is a policy for firewalls that may have been changed previously that might be affecting you.

This is the policy: "Small Business Server Windows Firewall"
This GP CAN define what machines can and cannot connect to machines using RDP in your network, including limiting the connection down to a single subnet.

These policies should have been either removed or changed to work in your environment after you migrated away from SBS. But there may be reasons you kept them.

If it's not the GPO then it's just down to routing, as the previous comments have stated. Check your routes. Can you ping between the servers etc.? Are there other ports open on the server you can connect to? E.g. SMTP (25) using telnet. If so then the routes are there and you will need to check firewalls.
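The test Glen Knight and timhodkin suggest (ping, then telnet to 3389 and to a known-open port such as SMTP) done in one pass, as an added example that is not part of the original thread. The target addresses are the ones the question mentions (the DC at 192.168.11.3 and the Samba server at 192.168.11.201); the port list is an assumption: RDP (3389), SMB (445), the RPC endpoint mapper (135) and SMTP (25) as a control port. It is meant to be run from a client on the other subnet, such as 192.168.12.50, and needs PowerShell 3.0 or later for the ordered output columns.

```powershell
# Added example, not from the thread. Targets are the hosts named in the question;
# the port list is an assumption (RDP, SMB, RPC endpoint mapper, SMTP as a control).
# Run from a machine on the other subnet (e.g. 192.168.12.50).

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no RST: the packet was silently dropped, which is what
            # Windows Firewall does for addresses outside a rule's scope.
            return 'timeout'
        }
        $client.EndConnect($handle)   # throws SocketException on RST (refused)
        return 'open'
    } catch [System.Net.Sockets.SocketException] {
        return 'refused'              # host answered, nothing listening / actively rejected
    } catch {
        return 'error'                # e.g. name resolution failure
    } finally {
        $client.Close()
    }
}

function Test-SubnetReachability {
    param(
        [string[]]$Targets,
        [int[]]$Ports = @(3389, 445, 135, 25)
    )
    foreach ($target in $Targets) {
        $row = [ordered]@{
            Target = $target
            Ping   = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue
        }
        foreach ($port in $Ports) {
            $row["tcp/$port"] = Test-TcpPort -ComputerName $target -Port $port
        }
        [pscustomobject]$row
    }
}

# Constructed targets: the DC on the remote subnet and the Samba server the author
# says already works from 192.168.12.x.
Test-SubnetReachability -Targets '192.168.11.3', '192.168.11.201' | Format-Table -AutoSize
```

Reading the table: Ping True with tcp/25 open but tcp/3389 and tcp/445 reporting timeout means routing is fine and a host firewall is dropping the connection (Windows Firewall drops out-of-scope traffic rather than rejecting it, so you get a hang, not "connection refused"). Ping False with every port timing out points at routing or the VLAN configuration. A refused result means the host is reachable and nothing is listening on that port.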
 

Author Comment

by:buzz_2_infinity
ID: 35055571
Hello,

Proper routing is in place. My IP address is 192.168.12.50 and I can ping 192.168.11.3 with no problem at all. People are working from 192.168.12.X and accessing a Linux file server on 192.168.11.201 with no problem at all (using Samba). One of the reasons we have more than one subnet is to manage the number of devices that we have on our network; it also keeps things neat and tidy from an organizational point of view.

I do remember that I did have to change a GPO when we were using SBS, and this resolved our problem when using RDP or file and print sharing across all subnets. I remember that the GPO was set only to allow traffic from the local subnet. I believe by default that it's 192.168.11.0/24 and it needs to be something like 192.168.11.0/16. This would/should allow the Windows firewall to allow file and print/RDP over all subnets/VLANs in the company. The VLANs were set up initially to cut down the amount of network traffic/storms etc.

Again, I'm confident that all routing is set up and working as it should be. Things were working the way they should have been before we took the SBS, just trying to get over this last hurdle now. Does this bit of information help?
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35055647
can you telnet from one server to the other on port 3389?  This will prove the routing is in place.
 

Author Comment

by:buzz_2_infinity
ID: 35055652
Hello someone0, your quote exactly describes the problem that I'm having! I believe the Windows firewall is blocking RDP and file and print sharing.

"If you do have a router, it's possible you have a firewall that blocks it; even the built-in Windows firewall will block it, since it would assume it's not in the same subnet."
 
LVL 4

Expert Comment

by:timhodkin
ID: 35055942
Can you not turn off the firewall to test, to see if it's this that's causing it?
 

Author Comment

by:buzz_2_infinity
ID: 35055951
I can do that, but I don't really want to open everything up at the moment. I just need to get a few ports open across the network (file and print and RDP). I just need to get the Windows firewall configured in the GPO to allow this.
 

Author Comment

by:buzz_2_infinity
ID: 35056620
Hello,

I found it over here. If you go to Computer config -> Admin Templates -> Network Communications -> Windows Firewall -> Domain Profile and then edit

"Windows Firewall: Allow inbound file and printer sharing exception" and "Windows Firewall: Allow inbound Remote Desktop exceptions"

with

192.168.0.0/16

this allowed the file and RDP traffic across all subnets!

Thanks everyone for the input, we are back up and running now! :)
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35056942
The problem is that the Windows firewall creates an exception for RDP when you enable access, but only for the local subnet. To resolve it you have to edit the firewall scope options to include the remote subnet, or all. I have an explanation for XP here, but the process is similar for Vista/Win7:
http://www.lan-2-wan.com/RD-FW.htm
 
LVL 77

Accepted Solution

by:Rob Williams (earned 500 total points)
ID: 35056967
Pete Long outlines making the change using group policy rather than individual machines:
http://www.petenetlive.com/KB/Article/0000193.htm
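A scripted version of the change the accepted solution and the author's own post describe (widening the scope of the Remote Desktop and file and printer sharing exceptions through Group Policy), added here as an example; it is not taken from the thread or from the linked articles. In the Group Policy editor these two items live under Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile; the script writes the registry values those items map to into an existing GPO using the GroupPolicy module. The GPO name is a placeholder, and the scope lists the two subnets from the question rather than the whole 192.168.0.0/16, so RDP and SMB stay reachable only from the company's own VLANs.

```powershell
# Added example, not from the thread or the linked articles. The GPO name is a
# placeholder; the subnets are the two the question mentions. Run on the DC or a
# management host with the GroupPolicy module (RSAT / Server 2008 R2 and later).
Import-Module GroupPolicy

$GpoName = 'Firewall - Internal Subnets'                   # placeholder: a GPO linked to the computers' OU
$Scope   = 'localsubnet,192.168.11.0/24,192.168.12.0/24'   # exact subnets, not 192.168.0.0/16
$Base    = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services'

# These keys are what the Administrative Template items write:
#   "Windows Firewall: Allow inbound Remote Desktop exceptions"         -> Services\RemoteDesktop
#   "Windows Firewall: Allow inbound file and printer sharing exception" -> Services\FileAndPrint
# RemoteAddresses is a comma-separated list of "localsubnet", CIDR ranges, or "*" for any.
foreach ($service in 'RemoteDesktop', 'FileAndPrint') {
    Set-GPRegistryValue -Name $GpoName -Key "$Base\$service" `
        -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$Base\$service" `
        -ValueName 'RemoteAddresses' -Type String -Value $Scope | Out-Null
}

# Show what the GPO now carries for both exceptions.
Get-GPRegistryValue -Name $GpoName -Key "$Base\RemoteDesktop"
Get-GPRegistryValue -Name $GpoName -Key "$Base\FileAndPrint"

# --- On a client, after the policy has refreshed (gpupdate /target:computer /force) ---
# The policy key should show Enabled = 1 and the RemoteAddresses list above.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop' |
    Select-Object Enabled, RemoteAddresses

# Windows 7 / Server 2008 R2 and later: the effective rule scope; RemoteIP should list the subnets.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

Windows Firewall silently drops traffic from addresses outside a rule's scope, which is why the symptom is a hang rather than a refused connection. A computer that also falls under another policy carrying these settings (the SBS client policies mentioned later in the thread, for instance) gets the scope from whichever GPO wins precedence, so check the effective value on a client with the registry read above or gpresult before widening the scope any further.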
 

Author Comment

by:buzz_2_infinity
ID: 35056989
Thank you RobWill.

That would work, but I just don't want to go around to every PC and do this. The group policy way is a good way to go, as it saves a lot of time. Thanks for the second link, this was very similar to what I've just done.

Thanks!
 
LVL 4

Expert Comment

by:timhodkin
ID: 35062790
what GP did you find it in? Or only local policies?
 
LVL 77

Assisted Solution

by:Rob Williams (earned 500 total points)
ID: 35063275
With SBS 2008 you would usually edit
Windows SBS Client - Windows Vista Policy (or for Win7)
or
Windows SBS Client - Windows XP Policy
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35063276
PS: on the server, in the Group Policy Management Console.
 

Author Comment

by:buzz_2_infinity
ID: 35063288
I just edited the Default Policy on the DC and then

Computer config -> Admin Templates -> Network Communications -> Windows Firewall -> Domain Profile

That did the trick!
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35063371
You can edit any policy that applies to a computer or OU, but using the standard policies makes it easier for another admin to troubleshoot.
 
LVL 68

Expert Comment

by:Qlemo
ID: 35473378
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
