Solved

Can't RDP after enabling RRAS VPN Windows 2008

Posted on 2014-03-24
Last Modified: 2014-05-22
Hello, we have a Windows Server 2008 machine. The client wants to log in via VPN from home.

We enabled RRAS as VPN and NAT. We are able to connect to the VPN. The advanced firewall inside Windows Server and on the client computer is turned off. We are not able to RDP into the server without first connecting to the VPN.

We would like to RDP into the server from our office IPs, which are static. But we can't RDP into the server from any IP without first connecting via VPN. After connecting to the VPN we can connect using the private IP, for example 10.10.2.1.

Any thoughts?
Question by:pixelstation
Expert Comment by 0xSaPx0 (ID: 39951245)
Quick questions:

- Can you ping the server from the office client?
- Do you have DHCP handing out VPN client addresses? If so, are they on the same internal range?
- Does the server have multiple network adaptors? If so, have you verified the local IP settings?

Just to verify, you are attempting to RDP from the local network (10.10.x.x) to the server's internal address (10.10.x.x)?
Author Comment by pixelstation (ID: 39951362)
Ping is not working using the public IP.

For the VPN we have it set to assign addresses from the static pool 10.10.1.1. We only need this internal range for the VPN. Do we need a physical interface to be enabled with 10.10.1.1?

Yes, the server has two physical NICs. I should mention that we have Hyper-V on this server; one physical NIC is a virtual switch for Hyper-V to access the internet, and the second is for internal IPs but it is disabled.

No, this server is not inside an office. It's on the public network.

We want to RDP from anywhere in the world into the server without having to use the VPN. After we get this working we will enable the firewall to restrict access to only a few of our offices' static public IPs.

Right now the only RDP access we have is through the VPN tunnel. There is also the issue of pinging the server without VPN, as you mentioned.
Author Comment by pixelstation (ID: 39951366)
The VPN tunnel is for a few employees who need access remotely with laptops from outside that have dynamic IPs, and we can't get static IPs for them. Their home ISPs don't give static IPs.
Expert Comment by 0xSaPx0 (ID: 39951392)
So if you want to RDP to the machine from anywhere, you have the following options:

1) Server is on the internal network. You will need a public IP address that you set up with NAT on your firewall, and you open the RDP ports.

2) Server is on the external network. You will assign the server the public IP and place it external to your firewall but internal to your internet router, a DMZ if you will.

3) Require clients to VPN to the server, then use RDP to get to internal machines.

If you cannot ping the public IP, then the machine is either not on the external network, has a firewall filtering somewhere, or has a misconfigured IP (unlikely, as VPN is working).
Author Comment by pixelstation (ID: 39951416)
We can't find any firewall on the server that's blocking us.

Basically we have ISP --> server (public IP).

Windows Firewall is turned off.

We can't ping and we can't RDP to the server while the VPN is enabled. If we stop RRAS, RDP starts working; if we start RRAS, it stops working.

Right now the only option working is option 3. But we would at least like to be able to ping, so we can add the public IP to Cacti so it can monitor ping.
Expert Comment by 0xSaPx0 (ID: 39951431)
Turn on the Windows Firewall service, then go into the firewall settings and turn everything off, leaving the service running.
Author Comment by pixelstation (ID: 39951557)
I did as you said, but I still can't ping or RDP. We aren't running any AD or extra software on this server. Only Hyper-V was installed, to run a few virtual machines. No additional firewall or antivirus was installed.
Expert Comment by 0xSaPx0 (ID: 39951574)
Here's a simple test. Plug a laptop or another machine into the same switch the server is plugged into. Can you RDP/ping it?

If not, the problem is on the server and related to the firewall; verify everything is off and no other security software is installed (sounds like you did already).

If you can ping it (I'll bet you can), the problem exists externally: the router, the ISP, or any other devices in between the server and the internet.
Assisted Solution by Dirk Mare (earned 250 total points, ID: 39951606)
Go to the Routing and Remote Access MMC.
Expand IPv4.
Open NAT.
Add the interface that is connected to your public ISP.
Open the interface properties.
Under the first tab, "NAT":
Select "This is a public interface".
Also select "Enable NAT".

You should be able to connect now. You can also, in the same properties pop-up under Ports and Services, add an RDP allow connection with port and IP address.

DirkMare
Author Comment by pixelstation (ID: 39951619)
If I use another machine with the same IP, it can ping and RDP.

I'm a little confused.

The Windows Firewall service is on but disabled.

I can ping and connect to RDP from another computer.

On the server with the problem, we can ping and RDP if we stop the RRAS service, which we only use for VPN, but we set it up as VPN + NAT.
Accepted Solution by 0xSaPx0 (earned 250 total points, ID: 39951629)
Probably check out DirkMare's suggestion then. I thought you were only unable to access RDP/ping from other machines on the internet (from home, etc.), but if turning off RRAS solves the problem, then the RRAS config is likely at issue.
Author Closing Comment by pixelstation (ID: 40085230)
Unfortunately I couldn't figure this one out because the project was scrapped and taken in another direction. They went with other dedicated hardware as a solution to this. I think the RRAS configuration was at fault. Can't be proven, though. Next time I guess.
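The thread never got past "RDP works when RRAS is stopped and dies when it starts," and the asker also planned to fence RDP to the office's static IPs once it worked. Below is an added example (not from any of the posters) that captures the three interacting pieces on the server (RRAS service, RDP listener, firewall profiles) before and after stopping RRAS so the correlation can be documented, and then adds the scoped RDP rule with plain netsh, which Server 2008 ships with; the office IPs are TEST-NET placeholders.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 with RRAS
# installed (service name "RemoteAccess") and PowerShell 2.0 or later.
$OfficeIPs = "203.0.113.10,203.0.113.11"   # placeholder: replace with the real static office IPs

function Get-RdpExposureSnapshot {
    # RRAS runs as the RemoteAccess service.
    $rras = (Get-Service -Name RemoteAccess).Status
    # Is anything listening on TCP 3389 (RDP), and on which local address?
    $rdp = netstat -ano | Select-String -Pattern 'TCP\s+(\S+):3389\s+\S+\s+LISTENING'
    # Per-profile firewall state; "State OFF" on all profiles is what the asker had.
    $fw  = netsh advfirewall show allprofiles state | Select-String -Pattern 'State'
    # Every IPv4 address on the box, including the ones RRAS/NAT binds.
    $ips = netsh interface ipv4 show addresses | Select-String -Pattern 'IP Address'
    New-Object PSObject -Property @{
        Timestamp   = Get-Date
        RrasService = $rras
        RdpListener = @($rdp | ForEach-Object { $_.Matches[0].Groups[1].Value })
        Firewall    = @($fw  | ForEach-Object { $_.Line.Trim() })
        Addresses   = @($ips | ForEach-Object { $_.Line.Trim() })
    }
}

function Set-RdpOfficeOnlyRule {
    param([string]$RemoteIPs)
    # Disable the built-in any-source "Remote Desktop" rule group, then allow
    # TCP 3389 only from the listed addresses. Apply once RDP is reachable again.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
    netsh advfirewall firewall add rule name="RDP from office only" dir=in `
        action=allow protocol=TCP localport=3389 remoteip=$RemoteIPs profile=any
}

# Usage: snapshot with RRAS running, stop it (this is the asker's own test and
# drops connected VPN clients), snapshot again, and diff what changed.
$before = Get-RdpExposureSnapshot
Stop-Service -Name RemoteAccess
$after  = Get-RdpExposureSnapshot
Compare-Object ($before.RdpListener + $before.Addresses) ($after.RdpListener + $after.Addresses)
Start-Service -Name RemoteAccess
# Set-RdpOfficeOnlyRule -RemoteIPs $OfficeIPs
```

Whatever disappears from the RDP-listener or address list in the diff is the interface RRAS is claiming, which is the place to look in Dirk Mare's NAT interface properties.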