Can't RDP after enabling RRAS VPN Windows 2008

pixelstation (asker, United States) asked on Experts Exchange:

Hello, we have a Windows Server 2008 machine. The client wants to log in via VPN from home.

We enabled RRAS as VPN and NAT. We are able to connect to the VPN. The advanced firewall inside Windows Server and on the client computer is turned off. We are not able to RDP into the server without first connecting to the VPN.

We would like to RDP into the server from our office IPs, which are static. But we can't RDP into the server from any IP without first connecting via VPN. After connecting to the VPN we can connect using the private IP, for example 10.10.2.1.

Any thoughts?
0xSaPx0 replied:

Quick questions:

- Can you ping the server from the office client?
- Do you have DHCP handing out VPN client addresses? If so, are they on the same internal range?
- Does the server have multiple network adaptors? If so, have you verified the local IP settings?

Just to verify, you are attempting to RDP from the local network (10.10.x.x) to the server's internal address (10.10.x.x)?
pixelstation (asker) replied:

Ping is not working using the public IP.

For VPN we have it set to assign addresses from the static pool 10.10.1.1. We only need this internal range for the VPN. Do we need a physical interface to be enabled with 10.10.1.1?

Yes, the server has two physical NICs. I should mention that we have Hyper-V on this server: one physical NIC is a virtual switch for Hyper-V to access the internet, and the second is for internal IPs but it is disabled.

No, this server is not inside an office. It's on the public network.

We want to RDP from anywhere in the world into the server without having to use the VPN. After we get this working we will enable the firewall to restrict access to only a few of our office's static public IPs.

Right now the only RDP access we have is through the VPN tunnel. There is also the issue of pinging the server without VPN, as you mentioned.
The VPN tunnel is for a few employees who need access remotely with laptops from outside that have dynamic IPs, and we can't get static IPs for them. Their home ISPs don't give static IPs.

Comment:

So if you want to RDP to the machine from anywhere, you have the following options:

1). Server is on the internal network. You will need a public IP address that you set up with NAT on your firewall, and open the RDP ports.

2). Server is on the external network. You will assign the server the public IP and place it external to your firewall but internal to your internet router, a DMZ if you will.

3). Require clients to VPN to the server, then use RDP to get to internal machines.

If you cannot ping the public IP then the machine is either not on the external network, has a firewall filtering somewhere, or has a misconfigured IP (unlikely, as VPN is working).

pixelstation (asker) replied:

We can't find any firewall on the server that's blocking us.

Basically we have ISP --> server (public IP).

Windows Firewall is turned off.

We can't ping and we can't RDP to the server while VPN is enabled. If we stop RRAS, RDP starts working; if we start RRAS, it stops working.

Right now the only option working is option 3. But we'd at least like to be able to ping so we can add the public IP to Cacti so it can monitor ping.

Comment:

Turn on the Windows Firewall service, then go into the firewall settings and turn everything off, leaving the service running.

pixelstation (asker) replied:

I did as you said but I still can't ping or RDP. We aren't running any AD or extra software on this server. Only Hyper-V was installed to run a few virtual machines. No additional firewall or antivirus was installed.

Comment:

Here's a simple test. Plug a laptop or another machine into the same switch the server is plugged into. Can you RDP/ping it?

If not, the problem is on the server and related to the firewall: verify everything is off and that no other security software is installed (sounds like you did already).

If you can ping it (I'll bet you can), the problem exists externally: the router, the ISP, or any other device between the server and the internet.
Solution posted by Dirk Mare (South Africa): available to Experts Exchange members only.
pixelstation (asker) replied:

If I use another machine with the same IP, it can ping and RDP.

I'm a little confused.

Windows firewall service is on but disabled.

I can ping and connect to RDP from another computer.

On the server with the problem, we can ping and RDP if we stop the RRAS service, which we only use for VPN but set up as VPN + NAT.
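The symptom above (the public IP answers ping and RDP only while the RemoteAccess service is stopped) is something an administrator can narrow down on the server itself. The following batch script is an added diagnostic, not from the thread or from Microsoft; it dumps the RRAS, firewall and RDP listener state so the output can be compared with RRAS running and stopped. The connection name in PUBLIC_NIC is a placeholder.

```batch
@echo off
rem Added diagnostic (not from the thread) for a Windows Server 2008 host where
rem ping/RDP to the public IP fail while RRAS runs and work when it is stopped.
rem Run from an elevated command prompt on the server. PUBLIC_NIC is a
rem placeholder: set it to the connection name that holds the public address.
set "PUBLIC_NIC=Local Area Connection"

echo === RRAS (RemoteAccess) service state ===
sc query RemoteAccess | findstr /I "STATE"

echo.
echo === Windows Firewall profile state (thread says all should be OFF) ===
netsh advfirewall show allprofiles state

echo.
echo === RDP listener: expect 0.0.0.0:3389 or the public IP on :3389 LISTENING ===
netstat -ano -p TCP | findstr /C:":3389 "

echo.
echo === RRAS static packet filters on the public interface ===
rem The RRAS setup wizard can place inbound/outbound packet filters on the
rem internet-facing interface that drop everything except PPTP/L2TP traffic,
rem which would explain a host reachable only through the tunnel. No output
rem below means no filters are configured on this interface.
netsh routing ip show filter name="%PUBLIC_NIC%"

echo.
echo === RRAS NAT global and per-interface settings ===
netsh routing ip nat show global
netsh routing ip nat show interface

echo.
echo === IP configuration (confirm which NIC carries the public address) ===
ipconfig /all | findstr /I /C:"adapter" /C:"IPv4 Address"
```

Run it once with RemoteAccess started and once with it stopped; a filter list or NAT interface entry that only exists in the first run points at the RRAS configuration rather than at the network path.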
Asker-certified solution: available to Experts Exchange members only.

pixelstation (asker) replied:

Unfortunately I couldn't figure this one out because the project was scrapped and taken in another direction. They went with other dedicated hardware as a solution to this. I think the RRAS configuration was at fault. Can't be proven though. Next time, I guess.