Solved

Why can't I RDP over VPN to a machine to which I can RDP from the LAN

Posted on 2012-04-12
Last Modified: 2012-08-13
I've got a user to whom I just gave a new machine. She still has her old machine running.

All machines are Windows 7. VPN is via Cisco AnyConnect client to our ASA.

She can RDP to the new machine from her old machine from within the LAN.

She can RDP to her old machine from the new machine on the LAN.

She can RDP to the old machine from her home machine on the VPN.

She *cannot* RDP to the new machine from her home machine on the VPN. The error is a simple authentication message (see attached screen shot).



She can RDP to another machine on the VPN and then hop from there to the new machine.

I looked at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
The Security Packages Key had kerberos msv1_0 schannel wdigest tspkg pku2u, as required.
4-12-2012-11-09-46-AM.png
Question by:richardRinJH
 
LVL 6

Expert Comment

by:todd_beedy
VPN policy and certificates loaded on that new computer? Can she access all other network resources as before when she is VPN'd in?
0
 

Author Comment

by:richardRinJH
Yes. Access over the VPN is unchanged to all other resources. I'd think it was simply not having RDP open on the new machine, except that she can get to it from within the LAN. I don't know of a setting that would allow it from within the LAN but on the VPN, is there one?
0
 
LVL 20

Expert Comment

by:RPPreacher
Because the Windows Firewall is on.  Turn the Windows firewall off (all 3 settings) and test.

Once confirmed you can turn it back on and modify the firewall to allow RDP from the VPN address pool.
0
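An added example, not part of the original thread: instead of leaving the firewall off, the inbound RDP rules on the target machine can be audited with the built-in `HNetCfg.FwPolicy2` COM object, which is available on Windows 7. It assumes RDP listens on the default TCP port 3389, and it only flags scoped rules for manual comparison with the VPN address pool, which the thread does not give.

```powershell
# Added example: run in PowerShell on the machine being connected TO.
# Assumption: RDP uses the default TCP port 3389.
$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
$fw = New-Object -ComObject HNetCfg.FwPolicy2

function Get-ProfileList([int]$mask) {
    # Expand a firewall profile bitmask into readable names.
    ($profileNames.Keys | Sort-Object | Where-Object { $mask -band $_ } |
        ForEach-Object { $profileNames[$_] }) -join ','
}

# Which profile is the machine actually using, and is the firewall on for it?
$active = $fw.CurrentProfileTypes
"Active profile(s): $(Get-ProfileList $active)"
foreach ($p in 1, 2, 4) {
    "{0,-8} firewall enabled: {1}" -f $profileNames[$p], $fw.FirewallEnabled($p)
}

# Inbound (Direction 1) TCP (Protocol 6) rules that list port 3389 explicitly.
# Rules written as a port range or '*' are not matched by this filter.
$rdpRules = @($fw.Rules | Where-Object {
    $_.Direction -eq 1 -and $_.Protocol -eq 6 -and
    (($_.LocalPorts -split ',') -contains '3389')
})

foreach ($r in $rdpRules) {
    $notes = @()
    if (-not $r.Enabled)                  { $notes += 'rule disabled' }
    if ($r.Action -ne 1)                  { $notes += 'block rule' }
    if (-not ($r.Profiles -band $active)) { $notes += 'not in active profile' }
    # A scope such as LocalSubnet admits LAN clients but not a VPN pool
    # that sits on a different subnet.
    if ($r.RemoteAddresses -ne '*')       { $notes += 'scoped: compare with VPN pool' }

    New-Object PSObject -Property @{
        Name            = $r.Name
        Profiles        = Get-ProfileList $r.Profiles
        RemoteAddresses = $r.RemoteAddresses
        Notes           = ($notes -join '; ')
    }
}
```

A rule with an empty `Notes` value is enabled, allows traffic, applies to the active profile and accepts any remote address, so the firewall is not what separates LAN clients from VPN clients for that rule.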
 
LVL 6

Expert Comment

by:todd_beedy
Also make sure she did not set her "home" network to public when she "plugged in" at home.
0
 

Author Comment

by:richardRinJH
I thought about that, but the fact that she can see other machines inside the LAN from the VPN connection led me away from thinking it's on her end.
0
 
LVL 20

Expert Comment

by:RPPreacher
Turn the firewall off on the machine she is connecting TO, not the machine she is connecting FROM.
0
 
LVL 20

Expert Comment

by:RPPreacher
> I don't know of a setting that would allow it from within the LAN but on the VPN, is there one?

Yes.  The firewall.
0
 
LVL 6

Expert Comment

by:todd_beedy
When she is connecting on the LAN I would assume you are authenticating on the domain, so the Windows Firewall sets that up under the "domain" firewall rules. When she is connecting from outside, she could have selected public.
0
 

Author Comment

by:richardRinJH
Firewall is OFF on all settings as recommended. User is no longer at home so can't test right away. It will likely be this evening before I'll know more.
0
 
LVL 76

Expert Comment

by:arnold
Are all systems on the same subnet? Or is it possible that the new system has an IP that is outside the VPN rule, or they have an IP overlap where the user's home network matches the IP of the new system?
0
 

Author Comment

by:richardRinJH
Still testing. The user has been on vacation!
0
 
LVL 59

Expert Comment

by:LeeTutor
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 20

Expert Comment

by:RPPreacher
I provided a valid answer and request the assigned points.
0

 
LVL 6

Expert Comment

by:todd_beedy
I also provided a valid answer(s) and dialogue with the open poster. I would like to ask the post remain open two more weeks until the OP can respond with specifics. If no posts have been made by that time, I would agree with closing and assigning points as to participants.
0
 

Author Comment

by:richardRinJH
The user in question returns to work on Monday and we will continue troubleshooting then. All solutions suggested to date have been applied with no success. The user will bring the laptop in question in to work on Monday and we'll see what we can find when we have it in hand.

I'd suggest letting the clock run on this for a while longer.
0
 
LVL 6

Expert Comment

by:todd_beedy
Hello Richard,

any luck yet?
0
 
LVL 6

Expert Comment

by:todd_beedy
Experts,
 
Please make your recommendations here.  Your recommendations may include:
1) Delete/refund
2) Delete/no refund
3) Accept one or more Expert posts as the answer
4) PAQ refund if the Asker answered his/her own question
 
If you recommend #3 or #4, please indicate which post ID(s) should be selected as the answer.  To make it easier for us to process this request, when posting the comment ID(s) to use, please post them in the format http:#CommentID. For example, http:#a12345678.
 
Further, if you recommend #3 or #4, please include a sentence or two to help the Moderator understand why that comment/selection of comments is the right answer, as your Moderator will not necessarily be an Expert in this particular subject!
 
A Moderator will be along in about 4 days to finalize the question.  Anyone not posting within that window shall be deemed no longer interested in the outcome.
 
Link to CSG thread:
http://www.experts-exchange.com/R_5657.html
 
modus_operandi
EE Admin

Comment: http:#a37965503

recommend to #1 delete and refund as points and responses provided did not result in success for the issue posted.
0
 
LVL 20

Expert Comment

by:RPPreacher
3) Accept one or more Expert posts as the answer
50/50 split todd_beedy & RPPreacher
0
 

Author Comment

by:richardRinJH
No posts to this point have solved the problem. All were tested. I am pursuing a solution, but to date with no success.

I repeat, the problem has NOT been resolved.
0
 
LVL 76

Expert Comment

by:arnold
The problem is that it is unclear what your issue is.  It seems you are able to connect, but the credentials you are using are being reflected as the cause for the failure to connect.

If you are entering the wrong credentials, attaching local resources that cause the remote system to reject.  Checking the event log on the desktop for the period when the connection attempts were made is the only way to see why it is being rejected.
0
 

Author Comment

by:richardRinJH
Understood. As soon as I can coerce the user into bringing her laptop to work so I can get at it that's exactly what I'm going to do. I'm trying to get the information, but am fighting user inertia!
0
 
LVL 76

Expert Comment

by:arnold
Do you have the same VPN access?  Are you able to VPN and then RDP to a LAN system?
Is RDP on the LAN from the same system?
i.e. the laptop is on the LAN and then the user RDPs to that system?

ip route table from the remote user might be helpful before and after the VPN connection is established.
ipconfig /all
netstat -rn
0
 

Author Comment

by:richardRinJH
Using the same laptop, from the same Internet connection she can VPN to another machine sitting on her desk and plugged into another port on the same switch. If I switch the machines between the two ports the problem follows the machine.
0
 

Accepted Solution

by:
richardRinJH earned 0 total points
We solved the problem here. All Windows 7 Security Descriptors were missing in the registry. We added them back in manually and the problem was solved. We are unsure how the registry entries went missing; the machine was a direct purchase by the user and had never been in our shop before.

I don't believe any of the proposed solutions mentioned that, so no points awarded?
0
 

Expert Comment

by:Modalot
I've requested that this question be closed as follows:

Accepted answer: 0 points for richardRinJH's comment #37972839

for the following reason:

Final solution has been posted now by the Asker, and there were no Expert suggestions used, so accepting that comment is the only correct disposition.

Modalot
Community Support Moderator
0
 
LVL 20

Expert Comment

by:RPPreacher
Expert solutions aided the Asker in troubleshooting and identifying a solution.  Our submitted troubleshooting steps contributed to the overall identification of a solution.
0
 

Author Comment

by:richardRinJH
I don't agree, but limited split OK by me.
0
