Can't remote desktop into 2008R2 web edition from W7

Posted on 2013-01-22
Medium Priority
Last Modified: 2013-01-23
Can't remote desktop into 2008R2 web edition from a Windows 7 box.

I have other 2008R2 boxes in that subnet and I can access all of them just fine.

W7 is on 192.168.19.x and servers on 192.168.0.x  

RD using IP address. Two networks connect through VPN over two SonicWall firewalls.

Compared settings between the boxes that work and the one that doesn't and can not find it.

Under system properties I have under remote tab Allow connections from computers running any version of Remote Desktop.

I turned off Windows firewall and Kaspersky Firewall on that server, still no connect:

reasons RD gives: 1) RA is not enabled, 2) Remote turned off,  3) remote not available on network (I do have a backup remote through Log ME IN).

I can ping the box, and can map a network drive to it, so it's definitely accessible.

I did install the Remote Assistance feature on the server as well.

Where else do I need to look?


Question by:rolfg
LVL 10

Expert Comment

ID: 38807537
From the client, run this command:
telnet <server ip> 3389
(You may have to install the telnet client Windows "feature" - it's not installed by default.)

If the connection succeeds, you can rule out a network or server side problem.  If it fails, ensure the Remote Desktop Services service is running on the server, then start investigating where on the network the traffic is being blocked.

Author Comment

ID: 38807904
rscottvan Thanks! Cannot telnet to the box, Remote desktop services are running.
LVL 10

Expert Comment

ID: 38808066
OK, that implies a network issue, probably a firewall getting in the way.

From a different server in the same subnet, try the same telnet command.  Does that work?  If yes, there's likely a network firewall in the way.  If no, it's something local to the failing server.


Author Comment

ID: 38808217
I tried telnet from within the same local network (another server in the same 192.168.0 subnet) and cannot connect. Then I tried to connect (on that same server) to itself and that works.

Tried the same on the server in question, I can connect out to another one, but not to itself.

So something on the server is definitely blocking, even though Kaspersky is turned off and the 3 firewall profiles turned off. (Domain, public and private)

When I click on monitoring it says firewall is off, but at the next line it says inbound connections that do not match a rule are blocked... so what does that mean when on the line above it says firewall is off....

There are four inbound rules:
Remote desktop (TCP IN)   domain enabled allowed 3389
Remote desktop (TCP IN)   public enabled allowed 3389
Remote desktop RemoteFX (TCP IN)   domain enabled allowed 3389
Remote desktop RemoteFX (TCP IN)   private enabled allowed 3389

I am very inexperienced with the 2008R2 firewall. I do NOT run a domain but a workgroup, as I'm running a 1 man IT shop in a company with only 7 employees.

 By the way all servers are hooked up to the same switch behind the Sonicwall. So other than the Windows firewall there are no other physical firewalls between the different servers

Thanks for your help.

LVL 10

Expert Comment

ID: 38808254
Based on your post, I don't think Windows Firewall is the problem.

Let's make sure the server is listening on 3389.  From a command prompt, run this command and post the results:
netstat -an | find "3389"

Have you verified the Remote Desktop Services Service is running?  (Start>Administrative Tools>Services)
LVL 10

Expert Comment

ID: 38808261
Also, here's an interesting post on a similar issue:

We opened a case with Microsoft on this issue and we determined that it was related to the following driver being disabled:
remote desktop services security filter driver
To check whether this is enabled or disabled, open device manager and show hidden devices. We were not able to enable it, so we uninstalled it and rebooted. After rebooting we were able to telnet to the server on port 3389, but we were still not able to connect with remote desktop.
As a last step, we set remote desktop security layer to “negotiate”. To do this, open the "remote desktop session host configuration" application in administrative tools and edit the properties of “rdp-tcp”. The setting can be found on the general tab.
Hope this helps someone!

Author Comment

ID: 38808287
Nothing found with netstat -an
restarted the service and still no result

The driver mentioned does not have an enabled setting, but was not started, started it but still no netstat -an | find "3389" result.

The host configuration was set to negotiate. The only thing I could find was that it was set for only one host adapter, of course the one that did not have a network cable. Set it for both, but still no listener found.

In the mean time I looked at some of the other servers and saw the firewall only had one entry:

Remote desktop (tcp-in) all etc.

I set the offending server the same and deleted the other entries.

I had turned on remote assistance in the past, thinking it would help; removed the feature and rebooted.

Lo and behold, the port started listening, when I try to access from another server it comes up with a credentials screen and says after supplying those: Access is denied <sigh> enough for one evening, I guess.

Saw this error in the log file: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.

Thanks for sticking with it.

LVL 10

Expert Comment

ID: 38808459
Try changing the remote desktop setting on the target machine to allow connections from computers running any version of Remote Desktop

Author Comment

ID: 38810413
That's what it is set at.
Another observation, going from a 2008 server to 2008 R2 server, it asks for credentials, starts a session, displays the remote servers login screen with "access is denied".

I turned the Kaspersky and Windows firewall back on and the behavior has not changed, so it's definitely not a firewall issue.

From Win 7 on the subnetwork I never get that far; I get the same can't connect message box, but telnet will not immediately say it can't connect but sits a few minutes thinking about it before deciding it can't connect.
LVL 10

Expert Comment

ID: 38810850
Is the account you're trying to use a member of the Remote Desktop Users local group?

Author Comment

ID: 38810889
Didn't even know such group existed, but yes, they were probably added when I set up RD and picked the users.
LVL 10

Accepted Solution

rscottvan earned 2000 total points
ID: 38810945
Now that you can connect, there are a few possible resolutions to the Access is Denied error in this thread:

Author Closing Comment

ID: 38811392
I did not find anything in there that would apply to me. However I looked at another 2008R2 server and noticed RD runs as network service and not as local system. I changed that and I could log in.

But not from the windows 7 on the .19.x  subnet.  Killed the Kaspersky firewall on the server (Windows firewall is still running) and now RD works on W7 too.

Apparently Kaspersky kills traffic from the subnet even though it comes in over a VPN.

Thanks for all your help... took a few hours but what you don't know is that I have been trying to fix this on and off for at least 9 months. Thank goodness for this site!

I surely appreciate the quick back and forth questions and answers and the meticulous method of eliminating one issue after another!

Thank you RScottvan!
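
Added example (not part of the original thread): the telnet and netstat checks used above, scripted so that an immediate refusal (nothing listening) is told apart from a silent timeout (a filter dropping the traffic), with the results fed through the same elimination order the thread followed. The function names and the sample netstat text are constructed for illustration.

```python
import socket

def probe(host, port=3389, timeout=3.0):
    """One TCP connect attempt, classified the way telnet's behaviour hints at."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # immediate RST: host reachable, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"     # silence until timeout: a filter dropped the SYN
    except OSError:
        return "unreachable"  # routing or name-resolution failure

def listeners(netstat_text, port=3389):
    """Local addresses in LISTENING state on `port`, from Windows `netstat -an` output."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, _, local_port = fields[1].rpartition(":")
            if local_port == str(port):
                found.append(addr)
    return found

def diagnose(bound, from_self, from_same_subnet, from_remote):
    """Apply the thread's elimination order to the collected results."""
    if not bound:
        return "no listener: check the service and the RDP-Tcp adapter binding"
    if from_self != "open":
        return "listener present but not reachable locally"
    if from_same_subnet != "open":
        return "blocked on the server itself (host firewall or security software)"
    if from_remote != "open":
        return "blocked for the remote subnet (network firewall or source-based host rule)"
    return "transport is fine: look at authentication and authorization"

# Constructed sample output, not taken from the thread.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.0.10:3389      192.168.19.25:50123    ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
"""

if __name__ == "__main__":
    bound = listeners(SAMPLE_NETSTAT)
    print(bound, diagnose(bound, "open", "open", "filtered"))
```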

