Solved

Can't remote desktop into 2008R2 web edition from W7

Posted on 2013-01-22
Last Modified: 2013-01-23
Can't remote desktop into 2008R2 web edition from a Windows 7 box.

I have other 2008R2 boxes in that subnet and I can access all of them just fine.

W7 is on 192.168.19.x and servers on 192.168.0.x  

RD using IP address. Two networks connect through VPN over two SonicWall firewalls.

Compared settings between the boxes that work and the one that doesn't and can not find it.

Under system properties I have under remote tab Allow connections from computers running any version of Remote Desktop.

I turned off Windows firewall and Kaspersky Firewall on that server, still no connect:

reasons RD gives: 1) RA is not enabled, 2) Remote turned off,  3) remote not available on network (I do have a backup remote through Log ME IN).

I can ping the box, and can map a network drive to it, so it's definitely accessible.

I did install the Remote Assistance feature on the server as well.

Where else do I need to look?

Thanks,

Rolf
Question by:rolfg
13 Comments
 
LVL 10

Expert Comment

by:rscottvan
From the client, run this command:
telnet <server ip> 3389
(You may have to install the telnet client Windows "feature" - it's not installed by default.)

If the connection succeeds, you can rule out a network or server side problem.  If it fails, ensure the Remote Desktop Services service is running on the server, then start investigating where on the network the traffic is being blocked.

Author Comment

by:rolfg
rscottvan Thanks! Cannot telnet to the box, Remote desktop services are running.
LVL 10

Expert Comment

by:rscottvan
OK, that implies a network issue, probably a firewall getting in the way.

From a different server in the same subnet, try the same telnet command.  Does that work?  If yes, there's likely a network firewall in the way.  If no, it's something local to the failing server.

Author Comment

by:rolfg
I tried telnet from within the same local network (another server in the same 192.168.0 subnet) and cannot connect. Then I tried to connect (on that same server) to itself and that works.

Tried the same on the server in question, I can connect out to another one, but not to itself.

So something on the server is definitely blocking, even though Kaspersky is turned off and the 3 firewall profiles turned off. (Domain, public and private)

When I click on monitoring it says firewall is off, but at the next line it says inbound connections that do not match a rule are blocked...  so what does that mean when on the line above it says firewall is off....

There are four inbound rules:
Remote desktop (TCP IN)   domain enabled allowed 3389
Remote desktop (TCP IN)   public enabled allowed 3389
Remote desktop RemoteFX (TCP IN)   domain enabled allowed 3389
Remote desktop RemoteFX (TCP IN)   private enabled allowed 3389

I am very inexperienced with the 2008R2 firewall. I do NOT run a domain but a workgroup, as I'm running a 1 man IT shop in a company with only 7 employees.

 By the way all servers are hooked up to the same switch behind the Sonicwall. So other than the Windows firewall there are no other physical firewalls between the different servers

Thanks for your help.

Rolf
LVL 10

Expert Comment

by:rscottvan
Based on your post, I don't think Windows Firewall is the problem.

Let's make sure the server is listening on 3389.  From a command prompt, run this command and post the results:
netstat -an | find "3389"

Have you verified the Remote Desktop Services Service is running?  (Start>Administrative Tools>Services)
LVL 10

Expert Comment

by:rscottvan
Also, here's an interesting post on a similar issue:
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/c3cfc2df-fc29-4abc-acf1-01797f528333/

We opened a case with Microsoft on this issue and we determined that it was related to the following driver being disabled:
remote desktop services security filter driver
To check whether this is enabled or disabled, open device manager and show hidden devices. We were not able to enable it, so we uninstalled it and rebooted. After rebooting we were able to telnet to the server on port 3389, but we were still not able to connect with remote desktop.
As a last step, we set remote desktop security layer to “negotiate”. To do this, open the "remote desktop session host configuration" application in administrative tools and edit the properties of “rdp-tcp”. The setting can be found on the general tab.
Hope this helps someone!

Author Comment

by:rolfg
Nothing found with netstat -an
restarted the service and still no result

The driver mentioned does not have an enabled setting, but was not started, started it but still no netstat -an | find "3389" result.

The host configuration was set to negotiate; the only thing I could find was that it was set for only one host adapter, of course the one that did not have a network cable. I set it for both, but still no listener found.

In the mean time I looked at some of the other servers and saw the firewall only had one entry:

Remote desktop (tcp-in) all etc.

I set the offending server the same and deleted the other entries.

I had turned on remote assistance in the past, thinking it would help; removed the feature and rebooted.

Lo and behold, the port started listening, when I try to access from another server it comes up with a credentials screen and says after supplying those: Access is denied <sigh> enough for one evening, I guess.

Saw this error in the log file: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.

Thanks for sticking with it.

Rolf
LVL 10

Expert Comment

by:rscottvan
Try changing the remote desktop setting on the target machine to allow connections from computers running any version of Remote Desktop.

Author Comment

by:rolfg
That's what it is set at.
Another observation, going from a 2008 server to 2008 R2 server, it asks for credentials, starts a session, displays the remote servers login screen with "access is denied".

I turned the Kaspersky and Windows firewall back on and the behavior has not changed, so it's definitely not a firewall issue.

From Win 7 on the subnetwork I never get that far; I get the same can't connect message box, but telnet will not immediately say it can't connect but sits a few minutes thinking about it, before deciding it can't connect.
LVL 10

Expert Comment

by:rscottvan
Is the account you're trying to use a member of the Remote Desktop Users local group?

Author Comment

by:rolfg
Didn't even know such group existed, but yes, they were probably added when I set up RD and picked the users.
LVL 10

Accepted Solution

by:
rscottvan earned 500 total points
Now that you can connect, there are a few possible resolutions to the Access is Denied error in this thread:
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/8405bed7-57a8-4b54-b968-6b0e00f367dd

Author Closing Comment

by:rolfg
I did not find anything in there that would apply to me. However I looked at another 2008R2 server and noticed RD runs as network service and not as local system. I changed that and I could log in.

But not from the Windows 7 on the .19.x subnet.  Killed the Kaspersky firewall on the server (Windows firewall is still running) and now RD works on W7 too.

Apparently Kaspersky kills traffic from the subnet even though it comes in over a VPN.

Thanks for all your help... took a few hours but what you don't know is that I have been trying to fix this on and off for at least 9 months. Thank goodness for this site!

I surely appreciate the quick back and forth questions and answers and the meticulous method of eliminating one issue after another!

Thank you RScottvan!

Rolf
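
The elimination steps used in this thread (probe port 3389 from the server itself, from a host on the same subnet and from the remote client, then check the service and the listener) can be scripted. The following is an added example, not code from the thread or from either poster; it separates a connection that is refused from one that silently times out, which is the difference behind the two telnet behaviours described above. The script name, parameter names, state labels and 5-second timeout are assumptions, and it relies only on .NET socket classes rather than newer cmdlets.

```powershell
# Added example, not from the thread. Save as Test-RdpPath.ps1 (hypothetical name).
param(
    [Parameter(Mandatory = $true)][string]$Server,  # the <server ip> used in the thread
    [int]$Port = 3389,
    [int]$TimeoutMs = 5000,                         # assumed wait before calling it filtered
    [switch]$OnServer                               # also run the local checks
)

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        # Neither an accept nor a reset arrived in time: packets are being dropped.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($pending)   # throws if the connect attempt failed
        return 'open'
    } catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'refused'           # host answered with a reset
        }
        return "error: $($base.Message)"
    } finally {
        $client.Close()
    }
}

$state = Test-TcpPort $Server $Port $TimeoutMs
$meaning = switch ($state) {
    'open'     { 'listener reachable; look at RDP security layer and logon rights next' }
    'refused'  { 'host reachable but nothing accepted the connection; check the listener' }
    'filtered' { 'no reply; a firewall or filter is likely dropping this source' }
    default    { 'connect failed for another reason' }
}
"{0} -> {1}:{2} is {3} ({4})" -f $env:COMPUTERNAME, $Server, $Port, $state, $meaning

if ($OnServer) {
    # Remote Desktop Services runs as the TermService service.
    $svc = Get-Service -Name TermService
    "Service '{0}' is {1}" -f $svc.DisplayName, $svc.Status
    # Same question as: netstat -an | find "3389"
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listeners = @($ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq $Port })
    if ($listeners.Count -eq 0) { "Nothing is listening on TCP $Port" } else {
        $listeners | ForEach-Object { "Listening on {0}:{1}" -f $_.Address, $_.Port }
    }
}
```

Run it with `-OnServer` on the server itself, then without the switch from a host on the same subnet and from the remote client. A result that is `open` locally but `filtered` from only one source network points at a filter keyed on source address rather than at the RDP listener.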