rolfg
asked on
Can't remote desktop into 2008R2 web edition from W7
Can't remote desktop into 2008R2 web edition from a Windows 7 box.
I have other 2008R2 boxes in that subnet and I can access all of them just fine.
W7 is on 192.168.19.x and servers on 192.168.0.x
RD using IP address. Two networks connect through VPN over two sonic wall firewalls.
Compared settings between the boxes that work and the one that doesn't and can not find it.
Under system properties I have under remote tab Allow connections from computers running any version of Remote Desktop.
I turned off Windows firewall and Kaspersky Firewall on that server, still no connect:
reasons RD gives: 1) RA is not enabled, 2) Remote turned off, 3) remote not available on network (I do have a backup remote through Log ME IN).
I can ping the box, and can map a network drive to it, so it's definitely accessible.
I did install the Remote Assistance feature on the server as well.
Where else do I need to look?
Thanks,
Rolf
I have other 2008R2 boxes in that subnet and I can access all of them just fine.
W7 is on 192.168.19.x and servers on 192.168.0.x
RD using IP address. Two networks connect through VPN over two sonic wall firewalls.
Compared settings between the boxes that work and the one that doesn't and can not find it.
Under system properties I have under remote tab Allow connections from computers running any version of Remote Desktop.
I turned off Windows firewall and Kaspersky Firewall on that server, still no connect:
reasons RD gives: 1) RA is not enabled, 2) Remote turned off, 3) remote not available on network (I do have a backup remote through Log ME IN).
I can ping the box, and can map a network drive to it, so it's definitely accessible.
I did install the Remote Assistance feature on the server as well.
Where else do I need to look?
Thanks,
Rolf
ASKER
rscottvan Thanks! Cannot telnet to the box, Remote desktop services are running.
OK, that implies a network issue, probably a firewall getting in the way.
From a different server in the same subnet, try the same telnet command. Does that work? If yes, there's likely a network firewall in the way. If no, it's something local to the failing server.
From a different server in the same subnet, try the same telnet command. Does that work? If yes, there's likely a network firewall in the way. If no, it's something local to the failing server.
ASKER
I tried telnet from within the same local network (another server in the same 192.168.0 subnet) and cannot connect. Then I tried to connect (on that same server) to itself and that works.
Tried the same on the server in question, I can connect out to another one, but not to itself.
So something on the server is definitely blocking, even though Kaspersky is turned off and the 3 firewall profiles turned off. (Domain, public and private)
When I click on monitoring its says firewall is off, but at the next line it says inbound connection that do not match a rule are blocked... so what does that mean when on the line above it says firewall is off....
There are four inbound rules:
Remote desktop (TCP IN) domain enabled allowed 3389
Remote desktop (TCP IN) public enabled allowed 3389
Remote desktop RemoteFX (TCP IN) domain enabled allowed 3389
Remote desktop RemoteFX (TCP IN) private enabled allowed 3389
I'm am very inexperienced with the 2008R2 firewall, I do NOT run a domain but a workgroup as I'm running a 1 man IT shop in a company with only 7 employees.
By the way all servers are hooked up to the same switch behind the Sonicwall. So other than the Windows firewall there are no other physical firewalls between the different servers
Thanks for your help.
Rolf
Tried the same on the server in question, I can connect out to another one, but not to itself.
So something on the server is definitely blocking, even though Kaspersky is turned off and the 3 firewall profiles turned off. (Domain, public and private)
When I click on monitoring its says firewall is off, but at the next line it says inbound connection that do not match a rule are blocked... so what does that mean when on the line above it says firewall is off....
There are four inbound rules:
Remote desktop (TCP IN) domain enabled allowed 3389
Remote desktop (TCP IN) public enabled allowed 3389
Remote desktop RemoteFX (TCP IN) domain enabled allowed 3389
Remote desktop RemoteFX (TCP IN) private enabled allowed 3389
I'm am very inexperienced with the 2008R2 firewall, I do NOT run a domain but a workgroup as I'm running a 1 man IT shop in a company with only 7 employees.
By the way all servers are hooked up to the same switch behind the Sonicwall. So other than the Windows firewall there are no other physical firewalls between the different servers
Thanks for your help.
Rolf
Based on your post, I don't think Windows Firewall is the problem.
Let's make sure the server is listening on 3389. from a command prompt, run this command and post the results:
netstat -an | find "3389"
Have you verified the Remote Desktop Services Service is running? (Start>Administrative Tools>Services)
Let's make sure the server is listening on 3389. from a command prompt, run this command and post the results:
netstat -an | find "3389"
Have you verified the Remote Desktop Services Service is running? (Start>Administrative Tools>Services)
Also, here's an interesting post on a similar issue:
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/c3cfc2df-fc29-4abc-acf1-01797f528333/
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/c3cfc2df-fc29-4abc-acf1-01797f528333/
We opened a case with Microsoft on this issue and we determined that it was related to the following driver being disabled:
remote desktop services security filter driver
To check whether this enabled or disabled, open device manager and show hidden devices. We were not able to enable it, so we uninstalled it and rebooted. After rebooting we were able to telnet to the server on port 3389, but we were still not able to connect with remote desktop.
As a last step, we set remote desktop security layer to “negotiate”. To do this, open the "remote desktop session host configuration" application in administrative tools and edit the properties of “rdp-tcp”. The setting can be found on the general tab.
Hope this helps someone!
ASKER
Nothing found with netstat -an
restarted the service and still no result
The driver mentioned does not have an enabled setting, but was not started, started it but still no netstat -an | find "3389" result.
The host configuration had was set to negotiate, only thing I could find that it was set for only one host adapter , of course the one that did not have a network cable, set it for both, but still no listener found.
In the mean time I looked at some of the other servers and saw the firewall only had one entry:
Remote desktop (tcp-in) all etc.
I set the offending server the same and deleted the other entries.
I had turned on remote assistance in the past, think it would help, removed the feature and rebooted.
Lo and behold, the port started listening, when I try to access from another server it comes up with a credentials screen and says after supplying those: Access is denied <sigh> enough for one evening, I guess.
Saw this error in the log file: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Thanks for sticking with it.
Rolf
restarted the service and still no result
The driver mentioned does not have an enabled setting, but was not started, started it but still no netstat -an | find "3389" result.
The host configuration had was set to negotiate, only thing I could find that it was set for only one host adapter , of course the one that did not have a network cable, set it for both, but still no listener found.
In the mean time I looked at some of the other servers and saw the firewall only had one entry:
Remote desktop (tcp-in) all etc.
I set the offending server the same and deleted the other entries.
I had turned on remote assistance in the past, think it would help, removed the feature and rebooted.
Lo and behold, the port started listening, when I try to access from another server it comes up with a credentials screen and says after supplying those: Access is denied <sigh> enough for one evening, I guess.
Saw this error in the log file: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Thanks for sticking with it.
Rolf
Try changing the remote desktop setting on the target machine to allow connections from computer running any version of Remote Desktop
ASKER
That's what it is set at.
Another observation, going from a 2008 server to 2008 R2 server, it asks for credentials, starts a session, displays the remote servers login screen with "access is denied".
I turned the Kaspersky and Windows firewall back on and the behavior has not changed, so it's definitely not a firewall issue.
From Win 7 on the sub net work I never get that far, get the same can't connect message box, but telnet will not immediately say it can't connect but sits a few minutes thinking about it, before deciding it can't connect.
Another observation, going from a 2008 server to 2008 R2 server, it asks for credentials, starts a session, displays the remote servers login screen with "access is denied".
I turned the Kaspersky and Windows firewall back on and the behavior has not changed, so it's definitely not a firewall issue.
From Win 7 on the sub net work I never get that far, get the same can't connect message box, but telnet will not immediately say it can't connect but sits a few minutes thinking about it, before deciding it can't connect.
Is the account you're trying to use a member of the Remote Desktop Users local group?
ASKER
Didn't even know such group existed, but yes, they were probably added when I set up RD and picked the users.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I did not find anything in there that would apply to me. However I looked at another 2008R2 server and noticed RD runs as network service and not as local system. I changed that and I could log in.
But not from the windows 7 on the .19.x subnet. Killed the Kaspersky firewall on the server (Windows firewall is still running) and now RD works on W7 too.
Apparently Kaspersky kills traffic from the subnet even though it comes in over a VPN.
Thanks for all your help... took a few hours but what you don't know is that I have been trying to fix this on and off for at least 9 months. Thank goodness for this site!
I surely appreciate the quick back and forth questions and answers and the meticulous method of eliminating one issue after another!
Thank you RScottvan!
Rolf
But not from the windows 7 on the .19.x subnet. Killed the Kaspersky firewall on the server (Windows firewall is still running) and now RD works on W7 too.
Apparently Kaspersky kills traffic from the subnet even though it comes in over a VPN.
Thanks for all your help... took a few hours but what you don't know is that I have been trying to fix this on and off for at least 9 months. Thank goodness for this site!
I surely appreciate the quick back and forth questions and answers and the meticulous method of eliminating one issue after another!
Thank you RScottvan!
Rolf
telnet <server ip> 3389
(you may have to install the telnet client Windows "feature" - it's not installed by default.
If the connection succeeds, you can rule out a network or server side problem. If it fails, ensure the Remote Desktop Services service is running on the server, then start investigating where on the network the traffic is being blocked.