tlebeau84 (United States of America) asked:
Cannot RDC from home over SSL VPN to work-domain Remote Desktop server (2008 R2 Enterprise)

I recently changed our environment from Novell on SUSE Linux to MS Windows Server 2008 Enterprise Hyper-V.  While I love the Hyper-V environment, I do miss some stuff from Novell and Linux.  Anyway, since changing our environment I have been struggling to provide access for people outside of our LAN.  Most people who want to work from home have laptops added to our domain, so they just SSL-VPN to our network and boom, they can connect to their network drive mappings.  What I really want to do is have people, and more specifically clients that work for us in other states, be able to SSL-VPN and then RDC into a remote desktop server I created.  The problem?  I keep getting "your credentials did not work".  Our firewall is configured to do split tunneling, so there is no internal network conflict.  I am using domain\_______ credentials to RDC into the remote desktop server.  I have allowed all domain users as a group to all the remote desktop services on that server.  I am just at a loss on this at this point.  If somebody could help with this and needs screen shots, let me know!  Thanks
Rob Williams (Canada):

When you enable remote desktop access it creates a Firewall Exception however only for local subnet/domain access.  You usually have to allow access from the remote subnet or "public" access to allow all remote connections.

Might that be your issue?
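The firewall-scope check Rob describes, as an added example that is not part of the original thread. It runs in an elevated PowerShell on the 2008 R2 RDS server, shows what the built-in Remote Desktop rule currently allows, and re-scopes it to the LAN plus the SSL VPN client pool instead of opening 3389 to any address. The pool 10.212.134.0/24 is an assumption; use the range your FortiGate hands to SSL VPN clients.

```powershell
# Added example (not from the thread): run in an elevated PowerShell on the
# 2008 R2 RDS server. It shows what the built-in Remote Desktop firewall rule
# currently allows, then re-scopes it to the LAN plus the SSL VPN client pool
# rather than opening 3389 to any address. The pool 10.212.134.0/24 is an
# assumption; use the address range your FortiGate hands to SSL VPN clients.

$vpnPool = "10.212.134.0/24"
$rule    = "Remote Desktop (TCP-In)"

# 1. Which profile is active? A domain-joined server should report Domain;
#    if it reports Public, the rule must be enabled for that profile too.
netsh advfirewall show currentprofile

# 2. Current rule. Read the Profiles and RemoteIP lines: a rule whose RemoteIP
#    is LocalSubnet silently drops RDP from a VPN pool on another subnet, which
#    is consistent with ping (a separate ICMP rule) still answering.
netsh advfirewall firewall show rule name="$rule" verbose

# 3. Allow RDP from the LAN and the VPN pool. The built-in rule exists once
#    per profile; "set rule" updates every rule with this name. An explicit
#    remoteip list is preferable to "any": 3389 never becomes reachable from
#    an interface you did not intend.
netsh advfirewall firewall set rule name="$rule" new enable=yes remoteip="LocalSubnet,$vpnPool"

# 4. Confirm the listener is actually bound on 3389 (the PID should be the
#    svchost hosting TermService).
netstat -ano | findstr ":3389"
```

If step 2 already shows RemoteIP: Any for the Domain profile and the server is in that profile, the Windows firewall is not the blocker and a third-party suite or the VPN appliance's own access rules are the next place to look.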
tlebeau84 (asker):

That sounds like a great possibility!  Do you think I need to have TMG Management console in order to do this for vpn settings on that Remote Desktop Server?  As it is right now I actually just turned the firewalls off on that server and my pc at home from which I am doing the testing.
There should be no need for TMG.   Many do not use a VPN, just enable the RDS Gateway service and you can then connect to the RDP server using port 443 and SSL without the need for port 3389, which can be risky.  Using your SSL VPN though is as good or better.
I put in the remote server address and added port :443 to it and hit connect.  Used domain credentials and then I got this message "Remote Desktop fails with "This computer can't verify the identity of the RD Gateway".  I do not have any certificates but is that what this is basically meaning?  Should I do some type of self sign cert on the remote desktop server?  Thanks for the quick responses by the way!
If you are using a VPN you should be able to just use the Remote desktop client and the server's IP after connecting to the VPN.  This will connect over port 3389.

Using port 443 requires enabling and configuring the RDS gateway feature and you then use the server's NetBIOS name, and under advanced settings you use the public DNS name of the server for the Remote Gateway.  This will automatically connect using 443, however if you have an SSL VPN it will not work as the VPN appliance will take precedence on port 443.
Yup, connect to SSL VPN no problem, ping firewall, ping the remote server no problem. Here is the thing.  I can use RDC from home and connect to a PC (a Windows XP machine in this case) that is at work on our network no problem.  I just can't RDC into the remote desktop server.  Fun stuff
Disable Network Level Authentication on the termserver's remote desktop services.
What O/S are you connecting from?  If an older O/S (such as XP) or an older RDP client, it may not support NLA, as suggested by djcanter, which you may have enabled on the Server.  To disable look at the remote connection properties (under properties of my Computer) and uncheck "allow connections only from computers running RD with NLA (recommended).
Connecting to XP does not require NLA, which may be why it works and not the server.
I am using my home PC, Windows 7 Pro. I have "allow connections from computers running any version of Remote Desktop" checked on the TS server, and "allow connections only from computers running Remote Desktop with Network Level Authentication" unchecked.
In your RDP client, when you try to connect to the server, under options | Advanced | connect from anywhere - settings | is it set to "automatically detect RD Gateway server settings"?  It should be.
Yes,  I am just wondering if there is anything special I need to do on the TS server because it is a virtual 2008 r2 enterprise server.  I have all remote desktop services installed.
Physical or virtual shouldn't matter so long as you can ping it.

There are items to configure if using the TS Gateway service, but you are bypassing that by using the server's IP.  Doubt it will work with an SSL VPN anyway due to both sharing 443.

Can you remote to the Virtual host? If so can you RDP from it to the TS?
That worked,  I can remote into the Host server and from there remote into the RDS server.  I definitely do not want that to be the case though, as the whole purpose is for users at home to RDP into that specific RDS server and not the host.  That is weird though, why can I remote into our Host server over SSL VPN but not into the RDS server that is within the host?
can you remote into the term server from any machine on the office network other than the vhost ? what vswitch (internal, external, ) is the term server connected to ? what is the lan ip of the vhost and the term server ?
Oh yeah, internally at work I can remote into the host, the terminal server, or anything connected to our domain, no problem.  I did an ipconfig of both the host and the RDS servers and they are both on something we have called Team 1 - virtual network.
are the ips on the virtual network in the same scope as the regular network ?
host server: scope of 0-49, ipconfig shows team 1 - virtual network

under the settings in hyper v for the RDS server it shows network adapter team 1 - virtual network but,

ipconfig for RDS server shows Microsoft virtual machine bus network adapter #2.  It is also in the scope we have set up for DHCP of 50-200, so a different scope than the host server
I am almost thinking that you cannot rdp into a rds server that is virtual because its network adapter is virtual?  Because I can rdp into the host server which has a physical network adapter and I can rdp into desktops at work from home over vpn that this must be why but if that is the case that would really suck!
not at all the case. All my servers are virtual (also running on hyperv). and i have 0 issues rdp to them.
What are the access rules in your SSL VPN device?  Better yet, please explain what the SSL VPN is and how you launch an RDP session from there.
I know this is a little off topic, but how do you run granular backups?  Right now I have just created extra volumes I call backup volumes on file servers and have shadow copies pointed to that, and then that is backed up by iSCSI NAS gear
Well we use a fortigate firewall appliance and within that I have users setup into a group and so from home you would go to the defined ip address including the port for the firewall, then you login as that created ssl-vpn user which then brings you to another firewall page.  From there you can either just connect which will launch the ssl vpn client and you can then ping everything or rdp.  From the firewall page you could actually launch a rdp from within that and it connects to the rds server through that.
I really like the new Windows environment, it's just the re-learning is what I am going through right now I guess.
Why above did you indicate you rdp to ip:443 ? From the LAN, you rdp to IP:3389(default) correct?
On the windows host server, have you tried disabling the firewall ? Step 2 of my install, I disable the firewall on the hyperv hosts.
The vpn address that I use to connect the vpn uses port 443.  Internally rdp uses the default of 3389.
The Windows firewall is on for domain networks but home and public are not on
Don't use port 443 on your RDP connection, that just won't work.
If you use an RDP gateway, you can specify to connect to host A through an RDP gateway, but that should all be handled by the gateway broker; you don't have to specify anything different.
In your case, once you sslvpn, you should be able to rdp normally.
As you are connected to a domain network, that would be your active profile, please disable and try again.
443 won't work because the VPN will accept all packets and not forward them. As mentioned using the VPN you have to use 3389.

Connecting to a VM is not a problem.  This pretty well has to be a software firewall issue on the Server or a NAT'd virtual NIC.   However you say you can ping the server so routing should be fine and rule out the second issue.

I am still suspicious of my very first question being the issue, whether it's a windows or 3rd party firewall such as McAfee security suite.  Pings are usually allowed from remote networks by default but other services like RDP are not.
Makes sense.  Okay, I will change the login port of our 3rd party firewall appliance from 10443 to 3389 and see what it does!  I will do this on Friday afternoon since I have other firewall work to do as well and don't want to interrupt the users.  Thanks for the time and help and I will let you know how it goes on Friday
Sorry you don't need to change any port configurations.

The SSL VPN uses 443 which is fine, but RDP has the option to use the RD Gateway service which also uses 443.  You cannot use the RD gateway service as a result.  

Just connect to your VPN as you normally would, and use the standard RDP client, without the RD Gateway option under advanced, and do not specify a port.  It will default to connect to the server using port 3389, within the VPN, which is very secure.
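The client-side check implied by this advice, as an added example that is not part of the original thread. Run it on the Windows 7 home PC once the SSL VPN is up: it confirms the RDS server resolves through the tunnel, that TCP 3389 is reachable, and what the RDP listener demands, by sending an X.224 Connection Request carrying an RDP negotiation request (MS-RDPBCGR 2.2.1.1) and decoding the Connection Confirm. No credentials are sent, so it separates "cannot reach" from "credentials did not work". The server name rds01.corp.local is an assumption.

```powershell
# Added example (not from the thread): run on the Windows 7 home PC after the
# SSL VPN is connected. Checks DNS over the tunnel, TCP 3389 reachability, and
# what the RDP listener insists on (TLS, NLA, or legacy RDP security) without
# sending any credentials. The server name below is an assumption.

function Probe-RdpNegotiation {
    param([string]$Server, [int]$Port = 3389)

    # Name resolution through the VPN. A public or wrong address here means the
    # VPN client is not using the internal DNS server; connect by internal IP.
    $addr = [System.Net.Dns]::GetHostAddresses($Server) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1

    # TCP reachability. A timeout is a firewall or VPN-policy problem, not a
    # credential problem.
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($addr, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) {
        $client.Close(); throw "No TCP connection to $addr port $Port"
    }
    $client.EndConnect($async)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000

    # TPKT (03 00 + length 19), X.224 CR (LI 14, code E0, dst/src refs, class),
    # rdpNegReq (type 01, flags 00, length 0008 LE, requestedProtocols LE).
    # Offering PROTOCOL_SSL (1) only: a server that requires NLA cannot pick
    # CredSSP and must answer RDP_NEG_FAILURE code 5, which is what we want to see.
    [byte[]]$req = 0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                   0x01,0x00,0x08,0x00, 0x01,0x00,0x00,0x00
    $stream.Write($req, 0, $req.Length)
    $buf = New-Object byte[] 64
    $n   = $stream.Read($buf, 0, $buf.Length)
    $client.Close()

    # X.224 Connection Confirm: byte 5 is 0xD0. An 11-byte reply carries no
    # negotiation response, i.e. the server speaks legacy RDP security only.
    if ($n -lt 11 -or $buf[5] -ne 0xd0) { throw "Unexpected reply ($n bytes)" }
    if ($n -lt 19) { return "$Server ($addr): standard RDP security only, no TLS/NLA" }
    $code = [BitConverter]::ToUInt32($buf, 15)
    switch ($buf[11]) {
        0x02 {   # RDP_NEG_RSP: selectedProtocol
            switch ($code) {
                0 { "$Server ($addr): server chose standard RDP security" }
                1 { "$Server ($addr): TLS accepted, NLA not required" }
                default { "$Server ($addr): selected protocol $code" }
            }
        }
        0x03 {   # RDP_NEG_FAILURE: failureCode
            switch ($code) {
                5 { "$Server ($addr): NLA required; the client must validate your domain credentials via CredSSP before a session exists, which is where 'your credentials did not work' comes from" }
                3 { "$Server ($addr): server has no usable certificate for TLS" }
                default { "$Server ($addr): negotiation failure code $code" }
            }
        }
        default { "$Server ($addr): unknown negotiation type {0:X2}" -f $buf[11] }
    }
}

Probe-RdpNegotiation -Server "rds01.corp.local"
```

Compare the result against the host server that does work: if the host answers "TLS accepted, NLA not required" and the RDS server answers "NLA required", the difference is the listener configuration, not the VPN.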
Gotcha,  okay here is what I did.  I removed rd gateway service from the roles of the rds server.  I then login to the vpn from my computer at home connects good, then I open up remote desktop connection and attempt to connect to rds server and it says your credentials did not work.  As a test I try and connect to the host server again using remote desktop connection with same credentials and it connects.
ASKER CERTIFIED SOLUTION: Rob Williams (Canada). This solution is only available to members.
I am able to RDP from home over SSL VPN to the RDS server by using the RDS server's local account and not the domain!  I mean that works, I am thinking, for all general purposes?  Network shares for sure.  I want to have multiple users connect to this server from home, so should I just create local accounts for them on the RDS server?  I was hoping they could use domain profiles, but at least this is a connection!
No, fix it and do it right or it will haunt you forever.  They should be using domain accounts so you can manage domain wide permissions and apply group policy.

The question is why then.

Try using   domain.local\username
and verify DNS is correct as mentioned above.

Is the domain account, or a group to which it belongs added to the RDS server's remote desktop user group?

At least this is progress  :-)
I can RDP into the RDS server with either local credentials or domain.local\username; it just says the certificates are wrong, but it works. Then, once I am RDP'd into the server, I have to change the credentials to domain\username.
Very odd.  Firstly I don't know why it is even trying to use a certificate, and secondly it sounds like there is a domain membership issue or DNS.

I assume the RDS server was joined to the domain?
And could you post the results of ipconfig /all from the RDS server?
Thanks.
The certificate warning is normal as the certificate is not issued by a trusted CA. You can check the box to not prompt again for connections to this computer, or you can resolve this by installing a trusted cert (either from a vendor or your domain CA if configured). That is outside the scope of this issue.


..unsubscribing from further comments...
I agree on the certificate issue about it not being from a trusted authority, but it is only used when using the TS Gateway service, not when connecting via port 3389, so there should be no certificate in the equation.  Unless this is when you are connecting the VPN and the VPN certificate is not recognized.
So I connected to our SSL VPN from home today and as a test used one of my Windows XP machines and RDP'ed right into the RDS server!  So I wonder why my Windows 7 machine is having problems?
could you post the results of ipconfig /all from the RDS server?
mstsc version 6+ supports certificates. Certificate validation is tested. It is on all connections. Try remoting to any server 2008/2008 r2 server from vista/7/8. You WILL be prompted about the cert(unless you ticked the box to not notify again).

http://technet.microsoft.com/en-us/library/cc770833.aspx
You can, if you like, change the security type from TLS to RDP (Remote Desktop Session Host Configuration, protocol RDP, properties) and eliminate the certificate issue.

RobWill, I have found your answers to be wildly inaccurate, but stated with conviction. I would suggest a primer on TLS and how it is incorporated into the many facets of Server08+  not just webservices.
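The two listener settings this thread keeps circling back to, NLA (the "disable Network Level Authentication" advice earlier) and the TLS/RDP security layer djcanter mentions here, live in the same WMI object. The following is an added example, not from the original thread or any of its participants: it reads both settings and the thumbprint of the certificate the listener presents, shows that certificate from the machine's Remote Desktop store, and changes NLA while keeping TLS. Run it in an elevated PowerShell on the 2008 R2 RDS server.

```powershell
# Added example (not from the thread): inspect and change the RDP-Tcp listener
# on the 2008 R2 RDS server via WMI (Win32_TSGeneralSetting). Run in an
# elevated PowerShell on the server. Meanings: SecurityLayer 0 = RDP,
# 1 = Negotiate, 2 = TLS; UserAuthenticationRequired 1 = NLA required.

$wmi = @{ Namespace = "root\cimv2\TerminalServices"; Class = "Win32_TSGeneralSetting";
          Filter = "TerminalName='RDP-Tcp'"; Authentication = "PacketPrivacy" }
$ts = Get-WmiObject @wmi
"SecurityLayer={0}  NLA required={1}  cert SHA1={2}" -f `
    $ts.SecurityLayer, $ts.UserAuthenticationRequired, $ts.SSLCertificateSHA1Hash

# The certificate behind that thumbprint is what mstsc 6+ warns about on a
# plain 3389 connection: it sits in the machine's Remote Desktop store and is
# self-signed unless one from a CA was assigned.
Get-ChildItem "Cert:\LocalMachine\Remote Desktop" |
    Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List

# Turn NLA off for clients that cannot complete CredSSP (XP without it, or a
# client whose domain credentials cannot be validated before the session), but
# keep TLS so the server still proves its identity and the session stays
# encrypted. Dropping SecurityLayer to 0 (legacy RDP) does silence the
# certificate prompt, but only by removing the thing the prompt verifies.
$null = $ts.SetUserAuthenticationRequired(0)
$null = $ts.SetSecurityLayer(1)

# Re-read; settings apply to new connections without a reboot.
$ts = Get-WmiObject @wmi
"Now: SecurityLayer={0}  NLA required={1}" -f $ts.SecurityLayer, $ts.UserAuthenticationRequired
```

The better fix for the warning itself is to assign a certificate issued by the domain CA (set SSLCertificateSHA1Hash on the same object and call Put()) so clients validate it instead of being trained to click through.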
djcanter, perhaps you are right in relation to certificates with 2008 and newer.  If so I apologize, but I remote into an average of 8 RDS servers per day, from 2003 to 2012, some with RDS gateway and some without, and I have never seen the certificate issue except where RDS gateway is deployed without a certificate.  However, it may be that none of the servers I access with 3389 directly are missing certificates.  I will have to review as you suggested.  I may well not be up to date.

We do seem to have a second, non-certificate issue, which is that access by domain.local\username works but domain\username does not, implying to me that either there is a trust relationship issue or a DNS misconfiguration.
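The checks for that second issue, as an added example that is not part of the original thread. Run in an elevated PowerShell on the 2008 R2 RDS server: it prints the domain names the server itself believes in (the NetBIOS name is what a DOMAIN\user logon is matched against), verifies its secure channel to a DC, lists its DNS configuration, and shows who is in Remote Desktop Users. "CORP" and "corp.local" are assumptions; replace them with your domain.

```powershell
# Added example (not from the thread): run in an elevated PowerShell on the
# 2008 R2 RDS server to pin down why DOMAIN\user is rejected while
# domain.local\user and a local account work. "CORP" / "corp.local" are
# assumptions; substitute your own domain names.

$netbiosDomain = "CORP"
$dnsDomain     = "corp.local"

# 1. Membership as the server sees it. PartOfDomain must be True and Domain
#    must be the DNS name. Win32_NTDomain lists the NetBIOS name this server
#    will accept in DOMAIN\user logons; if users type something else, the logon
#    fails exactly as described in the thread.
$cs = Get-WmiObject Win32_ComputerSystem
"Joined: {0}  DNS domain: {1}" -f $cs.PartOfDomain, $cs.Domain
$nt = Get-WmiObject Win32_NTDomain | Where-Object { $_.DomainName -eq $netbiosDomain }
if ($nt) {
    "NetBIOS {0} -> forest {1}, DC {2}, status {3}" -f `
        $nt.DomainName, $nt.DnsForestName, $nt.DomainControllerName, $nt.Status
} else {
    "WARNING: this server does not know a domain called '$netbiosDomain'; known domains:"
    Get-WmiObject Win32_NTDomain | Select-Object DomainName, DnsForestName | Format-Table -AutoSize
}

# 2. Can the server locate a DC, and is its machine secure channel valid?
#    A broken channel lets local logons succeed while domain logons fail.
nltest /dsgetdc:$dnsDomain
nltest /sc_verify:$dnsDomain

# 3. DNS: the server must point at the internal DNS server (the DC), not the
#    ISP's, and the DC locator SRV record must resolve.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, IPAddress, DNSServerSearchOrder, DNSDomain | Format-List
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$dnsDomain"

# 4. Who may log on through RDS. Domain accounts must appear here directly or
#    through a domain group; members of Administrators connect regardless.
net localgroup "Remote Desktop Users"
```

If step 1 warns, the prefix users type is simply wrong for this domain and the fix is documentation, not configuration. If step 2 reports a secure-channel failure, reset it with `nltest /sc_reset:<dnsDomain>` (or rejoin the server) before changing anything else.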