Terminal Server (RDP) won't let me connect over Cisco VPN Client
Posted on 2011-09-06
I'm stumped, my main network guy is stumped, and everyone else I ask scratches their head and can get nowhere. Let's see how the experts deal with it.
First the setup:
Office A: 10.1.109.0/24 subnet. Has 2 servers, one at 10.1.109.50 and one at 10.1.109.51, running terminal services. Cisco router with IPSEC/GRE tunnel to the router in Office B. This router also can accept Cisco VPN clients into an IP pool of 10.1.110.0/24 with unrestricted access (10.1.110.0 behaves exactly like 10.1.109.0). Static public IP (we'll call it A.A.A.A).
Office B: My office, which sits on a 10.1.104.0/24 subnet. Again, has an established IPSEC/GRE tunnel to Office B. Static public IP (we'll call it B.B.B.B).
Office C: Non-Cisco router, no VPN tunnels set up. 10.1.100.0/24 subnet and DHCP public IP.
Now for the problem. From Office B, I can remote desktop into the terminal service servers (both of them) with no problem. From Office A, I can remote desktop to the servers just fine as well (duh, it's a local RDP from Office A).
Office C needs to be able to connect to the terminal servers as well. For that, I USED to have a port forward on the Office A router allowing direct access to the terminal server from public IP A.A.A.A with port number 45000. However, for security purposes, I wanted to switch over to connecting via a Cisco VPN Client to Router A from Office C so that I could then connect from Office C like I do at all other offices.
So, I removed the port forward, added the VPN client information to the Cisco IOS, and established the connection.
I have telnet, http, and of course rdp (3389) ports open and active on both servers. Also, there are plenty of other network equipment to use to test the vpn client.
If I am NOT connected to the VPN Client, Office B can connect to any and all (remember the hardware tunnel from B to A?). However, if I AM connected from Office B to Office A through the VPN Client, EVERYTHING EXCEPT the RDP works (the VPN Client is set to remove all internet access except via the VPN Client tunnel while it is connected). The RDP session never even asks for authentication. The routing tables on the PC, server, and router all look great. Telnet, HTTP, etc. to the private IPs work over the VPN Client. But RDP does NOT.
If I am in Office C and I am NOT connected, nothing works (as expected). But if I connect through the VPN Client, everything works except RDP. So once again, I check routing tables, remove firewalls, look at the error logs. No clues to be found. RDP just refuses to work over the Cisco VPN Client connection, but works well if it is done directly via the public IP address (when that is set up) or via the private LAN IP address.
And to give you the rest of the story, I did try removing any and all firewalls (on the gateway router) but without any additional success. There never has been a firewall on the servers to my knowledge and even the ICS service is disabled, so I don't think it's a firewall issue at all.
(Both servers are Windows Server 2003 R2 running terminal services, fully licensed per user... and we only use like 5% of the users we have licensed for!)