Solved

Windows XP RDP - Can not get RDP to work on a new system...

Posted on 2011-09-23
23
429 Views
Last Modified: 2012-05-12
Hello Experts,

I have inherited a network infrastructure where the previous IT person left NO documentation on the setup and configuration, so I am finding myself reverse engineering the configuration to sort new installs out and such.

Today, I need to configure one of our in-house workstations for RDP so that the user can Remote Connect from home.  We have 5 other users who are doing this and the setup seemed pretty straightforward, BUT I am missing something.  I have reduced my testing to internal connections and once I can get that to work, I will tackle the RDP from the outside world.

We are using NAT and we have a NetGear Router.  I have matched the VPN settings in the NetGear Router to match that of the other systems:
  IP Address: 192.168.1.212
  Service Port: 57212
  RDP Command: 192.168.1.212:57212

Currently, I can use the new system to RDP internally to other stations, but for some reason, I can not RDP to it, internally.

Suggestions?

Rojosho
Question by:rojosho
23 Comments
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
Did you enable RDP access into that server and make sure the firewall is allowing it through?


To enable Remote Desktop Connections in Windows XP:

    Click on the Start button.
    Right-click on "My Computer" and select Properties.
    Click on the "Remote" tab.
    Under "Remote Desktop" (the bottom section), check the box labeled "Allow users to connect remotely to this computer".


If you are running Windows XP Service Pack 2, you will also need to make sure Remote Desktop isn't being blocked by the Windows Firewall:

    Go to the Start button, to "Control Panel".
    Open the "Windows Firewall" control panel. If you don't see Windows Firewall listed, make sure that you're looking at the control panels in "Classic View".
    On the "Exceptions" tab, make sure "Remote Desktop" is checked.
    On the "Advanced" tab, select "Local Area Connection" and press the Settings button.
    In the new window that opens ("Advanced Settings"), make sure that Remote Desktop is checked.
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Hello Papertrip,

First, thank you for your very fast reply.

Update:
1. The system in question is running Windows XP Pro /SP-3, sorry, I should have noted that.
2. I double checked all of your suggestions and the one that was missing was the very last one, 'Advanced' and having Remote Desktop 'checked' == it was not.
  . I checked this option, saved, rebooted and tested.
  . No change in the symptom... I can RDP out to other systems within the Firewall, but I can not RDP from one of the other systems into this one.

I also checked the Event Logs on both systems (The target and the destination systems) and in both cases, there are no entries indicating a problem with TS.

Also, we are not using a TS Server here, we are using the basic RDP that comes with Windows XP.

Rojosho

0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Papertrip,

Sorry, I forgot to mention... I disabled the AV, which is Avast.
== No change.

Rojosho
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Papertrip,

Something else.
In comparing the working systems to this new one, I notice that the new one did not have a 'RDP_TCP' entry in the Firewall section under 'Exceptions'.  I added a 'Port' with the following information:

   NAME: RDP_TCP
   PORT NUMBER: 57212
   TCP
   Scope Selected: Any computer including internet

Rojosho
   
   

   
RDP-TCP.doc
0
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
Hi Rojosho,

I have one more thing for you to check --

Where you enable Remote Desktop for the machine through the Remote tab in System Properties, there is a button to Select Users -- check that out and make sure nothing looks unexpected.

On that note, are you trying to RDP as a user in the Administrators group?  What exactly happens when you try to RDP, does it just timeout or do you get any other errors?

I just noticed you are trying to connect to port 57212 -- that isn't going to the port that a firewall will open when you tell it to allow RDP -- try to open up that port manually in your firewall software.
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Hello Papertrip,

1. I did check the 'Enabled Users' and there were none, but the default user, 'Owner' has Remote Permissions by default.
2. All of the users are in the Administrator's Group, so we are OK, there.  
3. The symptom, after starting the RDP connection, there is a 20-30 second delay and then a pop-up that indicates a 'Remote Connection Disconnection' - I have included a screen shot of the pop-up.

Sorry, can you explain:
"I just noticed you are trying to connect to port 57212 -- that isn't going to the port that a firewall will open when you tell it to allow RDP -- try to open up that port manually in your firewall software."

Question: Should I be using a port in a lower range, say 57206?
Question: Not sure how to open a port manually - any documentation you can point me to?

The game plan for tomorrow is to:
  a. take a different Windows XP system which has never used RDP.
  b. Starting with the Router, configure this other system in.  Everything I have read indicates that this should be a pretty straightforward process.

Thank you for your suggestions.  It is 2AM here in EST and I have left the site.  I am scheduled to be back on site tomorrow afternoon, around 2-3PM.

Again, thank you for your support.

Rojosho
RDP.Pop-Up.doc
0
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
"Sorry, can you explain: 'I just noticed you are trying to connect to port 57212 -- that isn't going to the port that a firewall will open when you tell it to allow RDP -- try to open up that port manually in your firewall software.'"
I meant that by default, enabling RDP via Windows Firewall is going to open up TCP/3389 which is the default RDP port.  I'm not sure if that rule is dependent upon the registry setting for RDP which I will comment on next.

You added the custom rule to allow TCP/57212, but we don't know at this point if the registry settings for RDP are actually configured to listen on that port.  Curious now that we are talking about it, why are you trying to RDP into that port instead of the default?

Check out this article on changing the listening port for RDP -- check the port number in that registry subkey to see if it is 57212.  If it's 3389, leave it.  Either way whatever PortNumber is set to is what RDP is listening on.
"Question: Should I be using a port in a lower range, say 57206?"
Nope your current port is fine, provided everything I mentioned above checks out.
"Question: Not sure how to open a port manually - any documentation you can point me to?"
You already did that by making the exception earlier :)  However I'm not sure naming the exception RDP-TCP is going to interfere with anything.  Since this is just for testing you should use a non-volatile name, like rdp-test.  I haven't done exactly what you are doing but we can figure this out just as well.
"The game plan for tomorrow is to:
  a. take a different Windows XP system which has never used RDP.
  b. Starting with the Router, configure this other system in.  Everything I have read indicates that this should be a pretty straightforward process."
This is always a good route to take for any situation similar to this so you have somewhat of a control environment to reference.
0
 
LVL 4

Expert Comment

by:Software_onbekend
Comment Utility
Also don't forget to check if all services needed for a RDP session are started.
0
 
LVL 10

Expert Comment

by:Jim-R
Comment Utility
Just a shot in the dark, but I had a similar situation (after many hours of troubleshooting) where it was discovered that Nvidia display drivers on the machine refusing connection is what were causing the problem.  If your offending machine doesn't use Nvidia display or Nvidia drivers just ignore this posting.
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Et al,

Thank you all for your support and suggestions.  Here is an update on what I have done today.

1.      I installed and configured a completely foreign system to this network.  Unfortunately this test system was running Windows XP Home Edition – Yes, you guessed it, RDP is not supported – Argg.
2.      I found a very informative site which stepped me through the process to ‘fool’ HE into thinking that it was XP Pro which, in turn, allowed me to install the RDP software modules - a process also outlined in this article:
http://robertrath.com/blog_tomtom/archives/12-Install-and-Enable-Remote-Desktop-in-Windows-XP-Home-Edition.html
            Long story cut short – the process worked and I was able to run RDP on this Test system.
3.      I then tested using the Test system to RDP to other systems on the same LAN segment = This worked GREAT!  But I can do the same with the target system as well, so nothing gained at this point – but I was getting excited.
4.      I then tested using other systems on the same LAN segment to RDP to the TEST system = This worked as well!!!  This is something that I was not able to do with the target system.

So, at this point, as long as I want to RDP to systems inside the firewall, I am OK.  BUT, that is not what is needed, as the users need to RDP from their home, or Starbucks, into their office workstations.  

Now what remains is to configure the Router and target system to allow outside users to RDP in.  Looking at the NetGear Router I think that the previous IT consultant used NAT to allow the users to RDP in from home.  Each office system has a ‘service’ assigned to it, which allows the RDP request to be forwarded to the designated office system.   The format is:
•      If the ip address is ‘192.168.1.203’, then the ‘service’ was 57203.
•      I have included screen shots of what I think are the key NetGear configuration pages.

Additionally, the previous IT person configured each Firewall/Exclusions sections of the working systems (There are 4 other users/systems which work very nicely) with  a RDP_TCP object which reflects the NetGear Services ‘port’ for each of the Workstations.  Not sure what this is all about, but my research indicates that this parameter sets up a ‘listening’ object for Windows XP to watch out for.  In this case, the object that is being listened to is the NetGear Service.  Anyone care to confirm or explain that for me?

Can someone confirm that I am on the right track?
Or am I lost in the woods?

SUMMARY:
I got RDP to work inside the firewall.  Now I need to get it working in the cloud.

ANSWERS TO QUESTIONS POSTED:
1. Software_on - Not sure what services are needed, but I will research that.  I can say that RDP is working in both directions inside the firewall.

2. Jim-R: This system is not using the Nvidia drivers and now I have two systems, both are Dells.

Any assistance would be greatly appreciated.

Rojosho
0
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
Hey Rojosho!

Sounds like you had a fun day :p

"I have included screen shots of what I think are the key NetGear configuration pages."

I don't see the attachments, try again while I type up my reply.
0
 
LVL 12

Expert Comment

by:asidu
Comment Utility
Rojosho,

I don't see any screen shots of netgear included in the post.
Your router will have to do the correct NAT from the exterior to your machine.
What you need now is the IP address of your machine and the port number used by RDP.
Then you could use that information for NAT in the router.
0
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 200 total points
Comment Utility
"If the ip address is ‘192.168.1.203’, then the ‘service’ was 57203."
Ah, this is all starting to clear up a bit...

"Additionally, the previous IT person configured each Firewall/Exclusions sections of the working systems (There are 4 other users/systems which work very nicely) with  a RDP_TCP object which reflects the NetGear Services ‘port’ for each of the Workstations.  Not sure what this is all about, but my research indicates that this parameter sets up a ‘listening’ object for Windows XP to watch out for.  In this case, the object that is being listened to is the NetGear Service.  Anyone care to confirm or explain that for me?"
The RDP_TCP exclusion is a custom rule to open up the custom port for RDP, which should correspond with both the port forwarding on your router as well as the registry subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber.

Another thing to look at is the IP/port configured on the router against how the server that has that IP is configured for RDP.  The devices that are setup this way for RDP must have a static IP, must be configured in the registry to listen on a specific port, and have that port opened up in the machine's firewall.

Let's take the new workstation for example:
    Set a static IP of 192.168.1.100 on the workstation (use a different IP of course if it's already taken)
    Check out the link I provided in http:#36591356 and set the PortNumber subkey to something that isn't already being forwarded on your router, like 58855 for example.
    Create your firewall exclusion on the workstation for RDP_TCP port 58855
    On the router, replicate the existing settings that you found for 192.168.1.203 except with the workstation's IP and the port number you put into the subkey.

Oh, and yes you are definitely on the right track... we are almost done :)
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Hey EE,

Sorry, I was out and just got back in.  I will double check the screen shots and review the recent information.  Just wanted to make sure you all knew that you were not forgotten.

Rojosho
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Hey EE,

Sorry for the delay, had to work on some other systems... YES, on a Sunday, but I LOVE MY JOB!!!

I recreated the Screen Shot file and have attached it to this case as a 'file/doc'.

I am remote from the site and I can not connect to the problem system via Logmein - Bummer.  I will be on site tomorrow in the AM, early and will confirm the Registry setting for the RDP_TCP... and yes, PaperTrip, this is all starting to fall into place, especially the 'RDP_TCP' parameter in the Registry.

Also, your comment:
"Another thing to look at is the IP/port configured on the router against how the server that has that IP is configured for RDP.  The devices that are setup this way for RDP must have a static IP, must be configured in the registry to listen on a specific port, and have that port opened up in the machines firewall."

Answer: All of the workstations have a static IP Address.
- I will have to check to confirm that the port is noted in the Registry and use the link you provided above.
- "and have that port opened up in the machines firewall." == I am assuming that this is the 'RDP_TCP' parameter that was created in the Firewall Exclusion area - Yes?

I will keep you all posted as tomorrow is crunch day to get this thing working....

Rojosho


2011.09.20-SS-Heidi-RDP.doc
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Good Morning EE,

OK, here is where we are today.

I am working on getting the new ‘Test’ system up and running on RDP and once that is done, I will apply the steps and changes to the target system, so that I do not damage a production system.  This would be a bad thing.

On the ‘Test’ System, I have completed the following steps:

1.      Successfully updated the Windows XP HE OS to run RDP.  
2.      I have successfully used RDP from the ‘Test’ system and connected to another system inside the company firewall and have used other system to RDP back to the ‘Test’, again, within the company firewall.
3.      I configured the NetGear Router to match the other working configurations:
a.      Under the ‘Security/Services/Custom Services Table’ tab, I created a Custom Service for the Test system (Screen Shot included in the attached document):
1.      Name = TEST
2.      Type = TCP
3.      Start Port = 57217
4.      Finish Port = 57217
5.      Priority = Normal-Service

 

b.      Under the Firewall Rules (Screen Shot included in the attached document):
1.      Service Name = TEST
2.      Filter = Allow Always
3.      LAN Server IP Address = 192.168.1.217
4.      WAN Users = ANY
5.      Log = Always



 


4.      On the ‘Test’ system, for the [Control Panel > ‘Firewall’ > ‘Exceptions’] I have the following (Screen Shot included in the attached document):
a.      ‘Remote Assistance’ is checked
b.      ‘Remote Desktop’ is checked

 

c.      I created an object ‘RDP_TCP’ and the data contained within this parameter is (Screen Shot included in the attached document):
1.      Name: RDP_TCP
2.      Port Number = 57217
3.      TCP is checked

 


5.      I used the Microsoft process noted in Article Id #306759 “How to change the listening port for Remote Desktop” to make the necessary Registry entries and I confirmed that the entry was made (Screen Shot included in the attached document):

 

6.      System was rebooted after each change.
7.      I tested the RDP connection and I still can not connect.

Does anyone see anything that I may have missed?

Rojosho

SummaryDoc-2011.09.26.doc
0
 
LVL 32

Expert Comment

by:DrDamnit
Comment Utility
Just out of curiosity... have you checked to make sure RDP is, in fact, listening?

from the command prompt:

C:\> netstat -ao | find "3389"

and

C:\> netstat -ao | find "57217"

You should get a listing of the listening IP, (in my case 0.0.0.0... all addresses) The port, the machine name, a state of LISTENING, and the owning process id:

TCP    0.0.0.0:3389           Think7:0               LISTENING       1284

Please confirm the target machines are, in fact, listening.
0
 
LVL 32

Accepted Solution

by:
DrDamnit earned 300 total points
Comment Utility
Once you confirm the target machine is listening on the correct port, try to connect to it from another LAN machine. I personally use nmap (www.insecure.org) to scan for it, but you can use any number of port scanning tools like angry ip scanner, etc... (http://www.angryip.org/w/Home) Barring that, you can use telnet. If it connects, the firewall is now working.

Once you confirm LAN connectivity, the next step is the router / firewall.  Based on what you've written, it appears that this is working (at least for some folks). But, again, you want to make sure NAT is working for the target machines. From an outside source (or using tor) scan your public IP to see if you can get through and make a connection. If no joy, reboot firewall. You may be filling up the NAT Tables.

If you can, in fact, RDP in, then make sure that you have the local resources and shared resources tab in the RDP setup screen checked to allow those printers to come forward through the RDP tunnel. (These are encapsulated in the tunnel, so there are no alternate ports... if you can connect RDP, you can print).
0
 
LVL 32

Expert Comment

by:DrDamnit
Comment Utility
One more thing... I noticed that you have Log = Always in your screenshots. Please post the firewall logs for the ports that aren't working...
0
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Hello Dr. D,

First, thank you for joining the party, we are having a BLAST here - Good thing I coach pre-teenage girls
because I have a very high pain threshold   :)

OK, here are the results of your suggestions.  The first command did not yield an output so
I removed the 'pipe' and as you can see '3389' is not listening.  This does not surprise me as
earlier this AM, I changed the Registry to reflect the '57217' port as the RDP listening port,
or at least that is what I think I did.
+=================================================================+

C:\>netstat -ao | find "3389"

C:\>netstat -ao

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    dell-12c1:epmap        dell-12c1:0            LISTENING       976
  TCP    dell-12c1:microsoft-ds  dell-12c1:0            LISTENING       4
  TCP    dell-12c1:2002         dell-12c1:0            LISTENING       1684
  TCP    dell-12c1:57217        dell-12c1:0            LISTENING       908
  TCP    dell-12c1:1034         dell-12c1:0            LISTENING       1124
  TCP    dell-12c1:1080         localhost:2002         ESTABLISHED     3248
  TCP    dell-12c1:2002         localhost:1080         ESTABLISHED     1684
  TCP    dell-12c1:netbios-ssn  dell-12c1:0            LISTENING       4
  TCP    dell-12c1:1029         216.52.233.131:https   ESTABLISHED     1684
  TCP    dell-12c1:1549         216.52.233.131:https   ESTABLISHED     1684
  TCP    dell-12c1:1550         216.52.233.131:https   ESTABLISHED     1684
  TCP    dell-12c1:1551         216.52.233.131:https   ESTABLISHED     1684
  TCP    dell-12c1:1586         63.236.252.194:http    ESTABLISHED     1064
  UDP    dell-12c1:microsoft-ds  *:*                                    4
  UDP    dell-12c1:isakmp       *:*                                    740
  UDP    dell-12c1:1025         *:*                                    1184
  UDP    dell-12c1:1026         *:*                                    1184
  UDP    dell-12c1:4500         *:*                                    740
  UDP    dell-12c1:ntp          *:*                                    1064
  UDP    dell-12c1:1085         *:*                                    2260
  UDP    dell-12c1:1900         *:*                                    1220
  UDP    dell-12c1:ntp          *:*                                    1064
  UDP    dell-12c1:netbios-ns   *:*                                    4
  UDP    dell-12c1:netbios-dgm  *:*                                    4
  UDP    dell-12c1:1900         *:*                                    1220

C:\>

+=================================================================+

I think the Custom Port of '57217' is Listening, if I read this listing correctly.

#2:
From within the Firewall, I am able to RDP from another WorkStation (WS) to the Test-System (192.168.1.217).
I can RDP if I use '192.168.1.217:57217' as the Target Address, but I get a connection error if
I use '192.168.1.217' without the Port Id.

#3:
As for the other two suggestions, I will be on site tomorrow AM and will see what I can do to get
these action items completed.

Any suggestions on how I can perform a simple tests to confirm the 'connection path' to the
target system (Which is: 192.168.1.217:57217)

Rojosho
0
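Added example (not part of the original thread): a Python parser for a `netstat -ao` listing like the one posted above, checking that the port set in the registry is in LISTENING state and reporting the owning PID. The sample listing is constructed in the format shown in the post, and the function names are hypothetical.

```python
# Constructed sample in the format of the `netstat -ao` listing posted above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    dell-12c1:epmap        dell-12c1:0            LISTENING       976
  TCP    dell-12c1:microsoft-ds  dell-12c1:0            LISTENING       4
  TCP    dell-12c1:2002         dell-12c1:0            LISTENING       1684
  TCP    dell-12c1:57217        dell-12c1:0            LISTENING       908
  TCP    dell-12c1:1080         localhost:2002         ESTABLISHED     3248
  TCP    dell-12c1:netbios-ssn  dell-12c1:0            LISTENING       4
  UDP    dell-12c1:ntp          *:*                                    1064
"""


def parse_tcp_listeners(netstat_text):
    """Return [(port_token, pid)] for every TCP row in LISTENING state.

    Expects the five-column layout produced by the -o switch
    (proto, local address, foreign address, state, PID).
    """
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue  # headers, blank lines, UDP rows (no state column)
        if fields[3].upper() != "LISTENING":
            continue
        # rsplit keeps working for bracketed IPv6 locals such as [::]:3389
        port_token = fields[1].rsplit(":", 1)[-1]
        listeners.append((port_token, int(fields[4])))
    return listeners


def check_rdp_port(netstat_text, registry_port, default_port=3389):
    """Compare the listening sockets against the RDP PortNumber value."""
    by_port = dict(parse_tcp_listeners(netstat_text))
    return {
        "configured_port_listening": str(registry_port) in by_port,
        "owning_pid": by_port.get(str(registry_port)),
        "default_port_listening": str(default_port) in by_port,
        # Without -n, netstat prints service names (epmap, microsoft-ds)
        # for ports it can resolve, so a numeric `find` filter can only
        # match ports that were printed as numbers.
        "name_resolved_ports": sorted(p for p in by_port if not p.isdigit()),
    }


if __name__ == "__main__":
    print(check_rdp_port(SAMPLE_NETSTAT, 57217))
```

Running `netstat -ano` instead prints every port numerically, which removes the name-resolution ambiguity when filtering for a port number.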
 
LVL 32

Expert Comment

by:DrDamnit
Comment Utility
I see that 57217 is, in fact, listening.

The next step is to connect from within the firewall, which you have done successfully (according to your post).

Since we have now confirmed the ports are working, and the connections are good, it's time to see about the router.

First, I would delete the TEST entry that defines the port forward for 57217, and re-enter it. Then, I would use a port scanner (nmap is preferred) to test the connection.

The nmap syntax is:

nmap 12.34.56.78 -p57217

where 12.34.56.78 is the public IP address of the office. nmap will tell you if the port is open (connections are up and can be made), closed (the port can be reached and opened with a TCP SYN, but the system is not accepting connections so it sent back a RST and closed the connection), or Filtered (the packets are dropped indicating that the firewall is dropping packets, the system is down entirely, the IP address is wrong, or the destination doesn't exist).

Reply back the results here, and we'll continue forward.
0
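Added example (not from the thread or from nmap): a Python TCP connect check that reports the same three states described above, plus a helper that maps the first failing vantage point to the layer this thread checked at that step. The vantage names, layer descriptions and sample results are constructed for illustration.

```python
import socket

# Vantage points in the order the thread tested them, with the layer to
# inspect when that probe is the first one that does not come back "open".
LAYERS = [
    ("workstation", "RDP listener: registry PortNumber and required services"),
    ("lan", "Windows Firewall exception for the custom port"),
    ("internet", "port forward on the router and on any upstream NAT device"),
]


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port with a full connect, using nmap's state names."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed
    except ConnectionRefusedError:
        return "closed"          # RST came back: reachable, nothing listening
    except OSError:
        return "filtered"        # timeout or unreachable: dropped on the path


def first_broken_layer(results):
    """results maps vantage name -> probe state.

    Returns (vantage, state, layer_to_check) for the first vantage point
    that is not "open", or None when every supplied probe succeeded.
    """
    for vantage, layer in LAYERS:
        state = results.get(vantage)
        if state is not None and state != "open":
            return vantage, state, layer
    return None


if __name__ == "__main__":
    # Constructed results: local and LAN probes succeed, the outside one fails.
    sample = {"workstation": "open", "lan": "open", "internet": "filtered"}
    print(first_broken_layer(sample))
    # Live check of a local port (57217 is the test port used in the thread).
    print(probe_tcp("127.0.0.1", 57217, timeout=1.0))
```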
 
LVL 7

Author Comment

by:rojosho
Comment Utility
Et al,

Very sorry for the delay in closing this case.

The solution path was long and arduous, but in the end the 'good guys' (That would be us) prevailed and the dragon lies in the dirt with casters up.

The solution:
- Cliff Note version of the solution == The Butler did it.... well, sort of.
- I had mentioned that I did not design this network and that I inherited it from the previous IT Consultant who did not leave any documentation about it.
- Second, I had mentioned that we had a Modem/Router from the ISP that was supplying the T1 service - Read on, the plot gets thicker.
- After the last comments and troubleshooting, I called NetGear and confirmed that all of the configurations were correct = They were.
- I then called the ISP provider and as it turns out, the ISP Modem/Router was ALSO providing a NAT service to the main NetGear equipment and it was this box that was blocking the RDP requests - Who knew?  Well, I DO NOW!!!

- So, I added the Port number for the client in the ISP's box and everything worked GREAT!!!

THANK YOU all for your OUTSTANDING trouble shooting hints, which was well worth the effort as I now have several tools in my 'goodie bag'.

I will assign points next... going to be difficult.

Chow for now,

Rojosho

0
 
LVL 7

Author Closing Comment

by:rojosho
Comment Utility
EE y Et Al,

The troubleshooting hints and suggestions were OUTSTANDING - Thank you for teaching an 'old dog' some new tricks...

Rojosho
0
