Solved
RDP and firewall over multiple subnets

Posted on 2011-03-07
2,777 Views
Last Modified: 2012-05-11
Hello everyone.

Just installed a few new servers and have a few teething issues at the moment.  We have a Domain Controller, Exchange server and an older 2003 Windows server.  We came from a SBS, but this has now been retired.

I can't seem to use remote desktop or file and print sharing from one machine to another on different subnets.  On the same subnet there is no problem at all - RDP or file and print sharing - just when trying to access from a different subnet.

I'm positive that this is related to a GPO that is in use on the domain, but can't seem to find the option that will allow RDP and file sharing across multiple subnets for all PCs in the domain.

If someone could please point me in the right direction it would really be appreciated.

Thank you
Question by:buzz_2_infinity
20 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35055170
GPO will not define subnets.

Have you got the appropriate routing in place? Can you telnet from one server on one subnet to one on the other subnet on port 3389?
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 35055213
Shouldn't have any problem using RDP over different subnets if routing has been configured properly. We did use RDP over different sites which are on different subnets.

Why are you using different subnets? Telling us may help us to find a solution.
 
LVL 2

Expert Comment

by:someone0
ID: 35055316
I don't think GPO is your problem here; although it's possible, it's unlikely.
I think your problem is either firewall or routing.
If you simply have 2 machines on 2 different subnets but on the same physical LAN, they won't talk to each other.  You will need a router.  And that sounds like your problem, since you can't access file sharing either.  A simple ping will test this out.  If you do have a router, it's possible you have a firewall that blocks it; even the built-in Windows firewall will block it since it would assume it's not in the same subnet.  So, I would think you should check those two things out.  But the question is, is there a reason why they have to be on different subnets?  Having those machines on different subnets isn't ideal, especially if you have no reason to do so.
 
LVL 4

Expert Comment

by:timhodkin
ID: 35055332
I wonder if you still have any SBS group policies? There is a policy for firewalls that may have been changed previously that might be affecting you.

This is the Policy: "Small business Server Windows Firewall"
This GP CAN define what machines can and cannot connect to machines using RDP in your network, including limiting the connection down to a single subnet.

These Policies should have been either removed or changed to work in your environment after you migrated away from SBS. But there may be reasons you kept them.

If it's not the GPO then it's just down to routing as the previous comments have stated. Check your routes. Can you ping between the servers etc? Are there other ports open on the server you can connect to? E.g. SMTP (25) using telnet. If so then the routes are there and you will need to check firewalls.
 

Author Comment

by:buzz_2_infinity
ID: 35055571
Hello,

Proper routing is in place.  My IP address is 192.168.12.50 and I can ping 192.168.11.3 with no problem at all.  People are working from 192.168.12.X and accessing a Linux file server on 192.168.11.201 and there is no problem there at all (using Samba).  One of the reasons we have more than one subnet is to manage the amount of devices that we have on our network; it also keeps things neat and tidy from an organizational point of view.

I do remember that I did have to change a GPO when we were using SBS, and this resolved our problem when using RDP or file and print sharing across all subnets.  I remember that the GPO was set only to allow traffic from the local subnet.  I believe by default that it's 192.168.11.0/24 and it needs to be something like 192.168.11.0/16.  This would/should allow the Windows firewall to allow file and print/RDP over all subnets/VLANs in the company.  The VLANs were set up initially to cut down the amount of network traffic/storms etc.

Again, I'm confident that all routing is set up and working as it should be.  Things were working the way they should have been before we took the SBS, just trying to get over this last hurdle now.  Does this bit of information help?
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35055647
Can you telnet from one server to the other on port 3389?  This will prove the routing is in place.
 

Author Comment

by:buzz_2_infinity
ID: 35055652
Hello someone0, your quote exactly describes the problem that I'm having!  I believe the Windows firewall is blocking RDP and file and print sharing.

"If you do have a router, it's possible you have a firewall that blocks it; even the built-in Windows firewall will block it since it would assume it's not in the same subnet."
 
LVL 4

Expert Comment

by:timhodkin
ID: 35055942
Can you not turn off the firewall to test to see if it's this that's causing it?
 

Author Comment

by:buzz_2_infinity
ID: 35055951
I can do that, but don't really want to open everything up at the moment.  I just need to get a few ports open across the network (file and print and RDP).  I just need to get the Windows firewall configured in the GPO to allow this.
 

Author Comment

by:buzz_2_infinity
ID: 35056620
Hello,

I found it over here.  If you go to Computer config -> Admin Templates ->Network Communications -> Windows Firewall -> Domain Profile and then edit

"Windows Firewall: Allow inbound file and printer sharing exception" and "Windows Firewall: Allow inbound Remote Desktop exceptions"

with

192.168.0.0/16

and this allowed the file and RDP traffic across all subnets!

Thanks everyone for the input, we are back up and running now! :)
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35056942
The problem is the Windows firewall creates an exception for RDP when you enable access, but only for the local subnet. To resolve you have to edit the firewall scope options to include the remote subnet or all. I have an explanation for XP here, but the process is similar for Vista/Win7:
http://www.lan-2-wan.com/RD-FW.htm
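The scope behaviour described in the author's fix above and in Rob Williams' comment, as an added example that is not part of the thread: it models how an inbound exception's scope string (the "*", "localsubnet" and comma-separated CIDR syntax the GPO settings accept) decides whether a remote host may reach a port, using the thread's own addresses. The rule sets, host names and the `inbound_allowed` helper are constructed for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample hosts taken from the thread: the server answering
# RDP/SMB, a client on its own /24 and the author's PC on the other VLAN.
SERVER = ip_interface("192.168.11.3/24")
CLIENT_SAME_SUBNET = "192.168.11.201"
CLIENT_OTHER_SUBNET = "192.168.12.50"


def scope_allows(scope, remote, server=SERVER):
    """Evaluate a firewall exception scope string: '*' matches any address,
    'localsubnet' matches hosts on the server interface's own network, and
    any other entry is a CIDR network. Entries are comma-separated; the
    remote host passes if any entry covers it."""
    remote_ip = ip_address(remote)
    for entry in (e.strip() for e in scope.split(",") if e.strip()):
        if entry == "*":
            return True
        if entry.lower() == "localsubnet":
            if remote_ip in server.network:
                return True
            continue
        # strict=False tolerates host bits, so the author's "192.168.11.0/16"
        # is read as the 192.168.0.0/16 range he actually configured.
        if remote_ip in ip_network(entry, strict=False):
            return True
    return False


# Inbound exceptions as the "Domain Profile" settings express them:
# the shipped default (local subnet only) beside the /16 scope from the thread.
DEFAULT_RULES = {"rdp": ("localsubnet", 3389), "smb": ("localsubnet", 445)}
FIXED_RULES = {"rdp": ("192.168.0.0/16", 3389), "smb": ("192.168.0.0/16", 445)}


def inbound_allowed(rules, remote, port, server=SERVER):
    """True if some exception opens this port for this remote address.
    Routing is assumed to work (the author could ping); only the host
    firewall's scope decides here."""
    return any(port == p and scope_allows(scope, remote, server)
               for scope, p in rules.values())


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("fixed /16", FIXED_RULES)):
        for client in (CLIENT_SAME_SUBNET, CLIENT_OTHER_SUBNET):
            print(f"{label:10} {client:16} RDP: {inbound_allowed(rules, client, 3389)}")
```

Note that 192.168.0.0/16 is still narrower than "*": a host outside that range is refused on 3389 even after the fix, which is the least-privilege reason to prefer listing your own subnets over opening the exception to any address.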
 
LVL 77

Accepted Solution

by:Rob Williams (earned 2000 total points)
ID: 35056967
Pete Long outlines making the change using group policy rather than individual machines:
http://www.petenetlive.com/KB/Article/0000193.htm
 

Author Comment

by:buzz_2_infinity
ID: 35056989
Thank you RobWill.

That would work, but I just don't want to go around to every PC and do this.  The group policy way is a good way to go, as it saves a lot of time.  Thanks for the second link, this was very similar to what I've just done.

Thanks!
 
LVL 4

Expert Comment

by:timhodkin
ID: 35062790
What GP did you find it in? Or only local policies?
 
LVL 77

Assisted Solution

by:Rob Williams (earned 2000 total points)
ID: 35063275
With SBS 2008 you would usually edit
Windows SBS Client - Windows Vista Policy (or for Win7)
or
Windows SBS Client - Windows XP Policy
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35063276
PS - On the server, in the Group Policy Management Console.
 

Author Comment

by:buzz_2_infinity
ID: 35063288
I just edited the Default Policy on the DC and then

Computer config -> Admin Templates ->Network Communications -> Windows Firewall -> Domain Profile

That did the trick!
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35063371
You can edit any policy that applies to a computer or an OU, but using standard policies makes it easier for another admin to troubleshoot.
 
LVL 71

Expert Comment

by:Qlemo
ID: 35473378
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.