ZyWall Remote Desktop

Albatross1953
I'm fighting a Zywall USG 100 firewall that will not connect Remote Desktop from a remote computer to a computer on the domain behind the firewall. I can't ping the firewall from outside of the LAN, but I can ping out OK. I can open an IPSec VPN tunnel with ZyXel IPSec VPN Remote Client but nothing happens. I have tried using networks with different network schemas. I created an object/address, NAT & firewall rule. I created an RDP service for port 3389, but then found that the USG 100 has a remotelogin on port 513. I don't know if that has a different purpose. I haven't been able to get a complete set of instructions, so I can't be positive that all the settings are correct. The user manual is not completely clear about configuration for a static domain network with a dynamic remote client. I've been losing time on this for 2 weeks & it has to be finished. Any help is appreciated.
Try the steps below:

1. Create Object -> Service: RDP=3389/TCP
2. Create Object -> Address: My_HOST=100.100.100.100 (replace with your LAN Host IP)
3. Create NAT -> Virtual Server: Incoming:wan1, OrigIP:any, MappedIP:My_HOST, Mapping Type: Service: Original:RDP, Mapped:RDP
4. Create Firewall Rule: From:WAN, To:LAN1, Source:any, Destination:My_HOST, Service:RDP, Access:Allow

Author

Commented:
I followed those steps. Still no ping or connection.

Author

Commented:
I added the LAN IP address of the computer on the office network to the Remote Sharing tab on the VPN Client. I can connect through that & navigate to a login screen, but when I enter her domain login username & password I get the error:

The security database on the server does not have a computer account for this workstation trust relationship.

The inability to ping the Zywall from outside is probably because the feature is turned off by default. It will probably be a check box labelled Respond to Pings or Ignore ICMP Requests, or similar.

The remote login may be to manage the unit from the internet, rather than from the LAN.

If I understand your question correctly, you're trying to establish an RDP connection over a VPN link. Have you tried connecting with RDP directly, that is, without using a VPN? Also, have you verified that the LAN target host is actually listening on 3389? It's not uncommon for the default port to be changed, and more common for such a change to be undocumented... You can check it in the target computer's registry by browsing to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

In the right pane scroll down to PortNumber - the decimal value (in brackets) is the port number on which the machine is listening for RDP connections. If you change it, you will need to reboot the computer for the change to take effect.
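To read that PortNumber value without opening regedit, confirm the host is actually listening on it, and then test the port from the remote side, here is an added PowerShell example (not from the thread); the function names and the 192.0.2.10 address are placeholders of mine.

```powershell
# Added example, not from the thread: diagnose the RDP listener on the LAN host
# and test reachability from the remote side. Run in an elevated PowerShell.
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpListenerStatus {
    # PortNumber is a REG_DWORD; PowerShell already returns it in decimal
    # (regedit shows hex first and the decimal value in brackets).
    $port = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber).PortNumber
    # fDenyTSConnections = 1 means Remote Desktop is switched off in System Properties.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = @(Get-NetTCPConnection -State Listen -LocalPort $port `
                       -ErrorAction SilentlyContinue).Count -gt 0
    } else {
        # Windows 7 / Server 2008 R2 lack Get-NetTCPConnection: parse netstat instead.
        $listening = [bool](netstat -an | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING")
    }

    [pscustomobject]@{
        Port            = $port
        PortIsDefault   = ($port -eq 3389)
        RemoteDesktopOn = ($deny -eq 0)
        Listening       = $listening
    }
}

function Test-RdpPort {
    # Plain TCP connect from the client side; works on any PowerShell version.
    param([string]$TargetHost, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# On the LAN host:
Get-RdpListenerStatus
# From the remote client, once via the VPN (LAN IP) and once via the NAT rule (public IP).
# 192.0.2.10 is a placeholder: use the office PC's LAN IP or the firewall's WAN IP.
Test-RdpPort -TargetHost '192.0.2.10' -Port 3389
```

If Test-RdpPort succeeds against the LAN IP over the VPN but fails against the public IP, the host is fine and the problem sits in the USG's NAT or firewall rule rather than on the target computer.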
Ah, that's new information...

How was the machine added to the domain? What version of Windows Server is being used? It sounds as though there is a corrupt, damaged, or missing computer domain account, as opposed to a user account.

Author

Commented:
I enabled echo. It still doesn't connect through the Remote Desktop app, but when I click on it in the VPN Client, it goes through Remote Desktop automatically. But I use the public IP when I try to go directly through Remote Desktop. The VPN Client uses the LAN IP of the PC. I don't care if it only works that way. She is the only person that will have remote access.

The office computer functions normally on the domain. It was added through Users folder on the server which is running MS Server 2008 R2. It had a problem logging on previously with a similar error message & I had to manually add it to the security agreement (?) folder.
It might be better to delete the troublesome computer domain account and create a new one, to get rid of the error.

The fact that you can get to the log-on screen indicates that your RDP and VPN settings are working, although it isn't clear to me why you can't connect directly with RDP, unless there is an error in the firewall configuration that has so far been overlooked.
