Solved

RDP over 2008 R2 RRAS PPTP VPN

Posted on 2011-09-07
1,650 Views
Last Modified: 2012-05-12
I just recently started phasing out 2003 for 2008 R2. Unbeknownst to me before migrating, RRAS is far more involved than it used to be in 2003. The issue I've run into is being able to remote desktop into various servers on the network. I can remote in to the server hosting RRAS but nothing else. Once connected to the RRAS server via remote desktop I can then remote into anything else on the network from that session. I would question my RRAS settings if I couldn't connect at all, but this has me scratching my head. I feel like I've exhausted RTFM and FGIY to the point of beating a dead horse.

I don't know if any of this plays into the issue, I'm inclined to say no since I can connect to the RRAS server, but the server is NATed behind a firewall and I'm running the latest version of Microsoft's RDP client on a Mac running Snow Leopard. I've also tried in vain to get a connection established using L2TP over IPSec to see if the elevated security might alleviate the problem, but I can't even seem to get that to work.

TIA guys and gals.
Question by:Allied_Energy
21 Comments
 
LVL 6

Expert Comment

by:markterry
ID: 36498244
I don't know much about the Remote Desktop Gateway, but that may be the best solution in 08. However, I have always just used separate ports.

See this link for setting up ports:
Set RDP to use different port

Or this appears to show how to setup remote desktop gateway:
Deploying Remote Desktop Gateway
0
 
LVL 6

Expert Comment

by:markterry
ID: 36498273
I may have missed the point of your question.

You are VPN'd so you should just be able to connect directly to the machines. Have you tried using IP rather than DNS names? Maybe you are not resolving those correctly? Possibly not using the default gateway of the VPN host?
0
 

Author Comment

by:Allied_Energy
ID: 36498436
Sadly I don't think that's the route for me. The RDP client for Mac doesn't have provisions for using RD Gateway Server Settings. I really don't want to start messing with non-standard ports either. The machine I need my user to be able to get into is hosting a few applications via TSRemoteApp for various Mac users that need access to otherwise unavailable Windows-based applications as well as a handful of users on thin clients.

I really can't understand why I'm unable to remote desktop straight to the various servers on my network as I did under 2003. It's not an issue with RDP on the various hosts; I admin my Windows domain and various servers from my Mac Pro via remote desktop daily. Once connected to the VPN I can ping all the hosts. When this was being handled by 2003 I could connect either by the host's FQDN or IP. It really makes me think there's some ridiculously stupid switch that I'm just missing. Man this is frustrating.
0
 

Author Comment

by:Allied_Energy
ID: 36498502
Sorry, I missed your second response while typing my last rant. But no, connecting via IP address is no good. DHCP is assigning the IP and gateway addresses, and everything looks normal there. Just as in 2003, RRAS is using an address for the gateway at the beginning of the reserved IPs that it allocates for RRAS. Could there be a disconnect between the RRAS gateway and NIC addresses on the server? But when I remote desktop into the server hosting RRAS I'm using the NIC IP, not the VPN gateway IP??? Perhaps bridging the interfaces if that's even possible?
0
 
LVL 6

Expert Comment

by:markterry
ID: 36499109
Just for testing purposes, can you determine the IP at the moment of one of the machines you are trying to RDP to, and see if you can RDP using that? If not, then you have some sort of routing issue which is above my level of knowledge. If so, then it is a DNS issue, possibly because of the gateway issue.

In standard MS VPN, and MS VPN clients, the client is set to use by default the default gateway of the remote network, meaning that its traffic now goes through the tunnel, as opposed to only traffic it for sure knows goes through the tunnel. In my case, my default gateway is not the VPN server, but a gateway router we have.
0
 
LVL 6

Expert Comment

by:markterry
ID: 36499125
Oh, are the RDP servers on these machines set to allow less secure RDP clients?
Right-click Computer, Settings, Remote connections > Allow connections from computers running any version of RDP.
0
 

Author Comment

by:Allied_Energy
ID: 36499265
The machines I'm trying to connect to are all assigned static IPs. I can ping by IP and FQDN will resolve as well.

The server in question is set to allow connections from any version of RDP. I believe I can force Macs into using NLA but it takes a bit of Unix tweaking IIRC. I'll do a little research on that one again. I really can't remember off the top of my head. I recall having to do a registry hack on my virtual XP installation to get it to support NLA, but Mac escapes me.
0
 

Author Comment

by:Allied_Energy
ID: 36499292
Ok, per Microsoft the newest RDP client for Mac does natively support NLA. I tried changing the remote settings on the server but it made no difference.
0
 
LVL 6

Expert Comment

by:markterry
ID: 36499419
Pinging is one thing, then; can you actually connect to a machine via RDP with the IP?
0
 

Author Comment

by:Allied_Energy
ID: 36499460
No, attempting to connect via IP does not work either as mentioned in an earlier post.

It would appear that RRAS is preventing anything from going beyond connecting to the RRAS server. I tried accessing some shared network directories and got stonewalled.
0
 
LVL 6

Expert Comment

by:markterry
ID: 36499672
Hmmm, if you are alright with using L2TP VPN with the Network Policy and Access Services role in Server 2008, then that is actually quite easy to set up. I have no problems using that method.

Try the steps in this link:
Setup VPN
0
 
LVL 6

Expert Comment

by:markterry
ID: 36499683
Sorry, once again, I posted without reading. You have already tried that. I guess you are using the same method with PPTP rather than L2TP.
0
 
LVL 6

Expert Comment

by:markterry
ID: 36499690
If you want to delete and repost that is fine, maybe someone else has an answer. No one answers these things when someone has already responded.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36508251
A common problem when remoting in is the Windows firewall. By default in a 2008 domain, group policy will enable the Windows firewall on client machines, and depending on policies, servers as well. When remote desktop is enabled on a machine it creates an exception, but only for access from the local LAN. Accessing from a remote subnet (VPN) is blocked. Ping on the other hand is allowed from all subnets. It may be the Windows firewall on the non-RRAS servers that is blocking access. Other 3rd party firewalls can do the same, this is quite common. If possible check if a firewall is enabled, if so try disabling as a test. Assuming that works you can change the firewall from local subnet to all manually on each server or using group policy as Pete Long has nicely outlined:
http://www.petenetlive.com/KB/Article/0000193.htm
0
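The diagnosis in the comment above (ping answers from every subnet, but the inbound RDP exception only admits the local subnet) can be checked in a few lines rather than by disabling firewalls outright. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It runs on Windows PowerShell 2.0 as shipped with 2008 R2, so it avoids the newer NetSecurity cmdlets and wraps netsh instead. It assumes the target list (constructed sample addresses in the 192.168.5.0/24 range the asker mentions), the rule name "Remote Desktop (TCP-In)" that the 2008 R2 firewall creates when Remote Desktop is enabled (verify it on your build), and that the "allow any version of RDP" setting is the UserAuthentication value under the RDP-Tcp WinStations key. A verdict of "ICMP ok, TCP 3389 blocked" is exactly the symptom the thread ends with, whether the blocking is done by the Windows firewall scope or, as it turned out here, by a third-party endpoint product.

```powershell
# Added diagnostic example (not from the thread). Windows PowerShell 2.0 compatible.
# Usage: .\Test-RdpReach.ps1 -Targets '192.168.5.20','fileserver.corp.example'
# Add -WidenScope only on a server that VPN clients must reach; it changes the
# inbound RDP rule's RemoteIP scope from LocalSubnet to Any via netsh.
param(
    [string[]]$Targets = @('192.168.5.20', '192.168.5.21'),   # constructed sample hosts
    [int]$Port = 3389,
    [int]$TimeoutMs = 3000,
    [switch]$WidenScope
)

# Assumption: name of the built-in inbound rule on 2008 R2. Confirm with
#   netsh advfirewall firewall show rule name=all | findstr /i "remote desktop"
$RdpRuleName = 'Remote Desktop (TCP-In)'

function Test-TcpPort {
    # Plain TCP connect with a timeout; no RDP handshake, just "is 3389 reachable".
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the host refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RdpReachability {
    # Separates "routing/DNS problem" (no ping) from "host-level filter" (ping ok, 3389 dead).
    param([string[]]$Targets, [int]$Port, [int]$TimeoutMs)
    foreach ($t in $Targets) {
        $ping = Test-Connection -ComputerName $t -Count 1 -Quiet -ErrorAction SilentlyContinue
        $rdp  = Test-TcpPort -Computer $t -Port $Port -TimeoutMs $TimeoutMs
        $verdict = if ($ping -and $rdp) { 'OK' }
                   elseif ($ping) { 'ICMP ok, TCP 3389 blocked: host firewall / endpoint protection likely' }
                   else { 'No ICMP reply: routing, DNS or host down' }
        New-Object PSObject -Property @{ Target = $t; Ping = $ping; Rdp = $rdp; Verdict = $verdict } |
            Select-Object Target, Ping, Rdp, Verdict
    }
}

function Show-RdpRuleScope {
    # Shows the RemoteIP scope of this machine's inbound RDP rule.
    # 'LocalSubnet' means a VPN pool on another subnet is dropped while ping still answers.
    netsh advfirewall firewall show rule name="$RdpRuleName" verbose |
        Where-Object { $_ -match '^(Rule Name|Enabled|Profiles|RemoteIP)' }
}

function Set-RdpRuleScopeAny {
    # Widens the rule to all remote addresses. For many servers, push the same
    # change through group policy instead, as the article linked above describes.
    netsh advfirewall firewall set rule name="$RdpRuleName" new remoteip=any
}

function Get-NlaRequired {
    # 1 = only NLA-capable clients, 0 = "any version of RDP" (the setting discussed earlier).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication -eq 1
}

Get-RdpReachability -Targets $Targets -Port $Port -TimeoutMs $TimeoutMs | Format-Table -AutoSize
Show-RdpRuleScope
"NLA required on this host: $(Get-NlaRequired)"
if ($WidenScope) { Set-RdpRuleScopeAny }
```

Run it from the RRAS server (or any domain host on the LAN) first, then from a machine connected over the VPN: a target that reports OK from the LAN and "TCP 3389 blocked" from the VPN has a per-subnet filter on the target itself, which is what both the Windows firewall scope and a third-party endpoint firewall produce. The NLA line is informational only; in this thread it was ruled out early, but it is the other server-side setting that turns away an otherwise routed client.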
 

Author Comment

by:Allied_Energy
ID: 36511483
I had thought that windows firewall might play into it but the firewall is turned off on the clients in question. I don't think the network is suspect either as both the LAN and VPN IP addresses are on the 192.168.5.0/24 subnet.

I disabled RRAS and then re-enabled/reconfigured it thinking I might have missed something. The wizards are straightforward enough. I am running a single NIC on that server but I was in 2003 as well without issue. In addition to VPN I selected LAN Routing in the setup process (which I'm pretty sure I had the first go around as well). I tried it without too and it didn't make a bit of difference. Knowing Microsoft there's probably some obscure command I'm going to have to run in PowerShell to make it really work the way people expect it should work. It seems like every new OS they put out takes one step forward and two back.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36511542
If you can ping the machine to which you want to connect there is no routing or RRAS issue.
0
 

Author Comment

by:Allied_Energy
ID: 36512835
Be that as it may, something is horribly wrong. Considering I can remote desktop perfectly fine over the LAN but only to the RRAS server over the VPN tells me something is amiss on the server side of the equation. I broke down and put a call in to MS tech support. I'll post up the results once I get it resolved. Hopefully it can save someone else a little grief.
0
 
LVL 77

Accepted Solution

by:Rob Williams (earned 500 total points)
ID: 36513009
Unless you have manually added inbound and/or outbound filters in RRAS I can't see it being a RRAS server issue. Still sounds like security software on the other machines blocking remote access. Did you configure anything in NPS?
0
 

Author Comment

by:Allied_Energy
ID: 36522614
No, that's what has me baffled. Other than having to do a custom installation due to the solitary NIC, everything else is default. No rules, no filters, no network policy, etc.
0
 

Author Comment

by:Allied_Energy
ID: 36525216
So, six hours on the phone with Microsoft looking at net traces, testing ports, reconfiguring this and that... Turns out, our lovely Symantec Endpoint Protection was the cause of all the troubles. Thanks Symantec. We ended up running CleanWipe, removing SEP and lo and behold everything works exactly like it should. I hadn't even thought about SEP being suspect. I honestly forgot about it. Now I just need to figure out how to set it up to play nice with RRAS so I can push it back to that server.

Thanks for all the help trying to troubleshoot this.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36525613
As mentioned earlier: "Still sounds like security software" :-)
Symantec will get you every time.
0