Solved

Remote Desktops Services not working to workstations

Posted on 2014-11-23
8
291 Views
Last Modified: 2014-11-23
Just took over managing a network for a company that has had 3 different companies managing it in the past year.  Two servers and 9 PCs with an SQL DB hosted on one of them.  The entire network had the firewalls turned off and a bunch of group policies defined to limit traffic.  All of this because apparently they didn't know how to enable a few SQL ports through the server and workstations.

I have tried removing all the policies I can find, turned the workstations firewalls on again but I am having issues with not having the ability to RDP to any of the workstations.  I can RDP to the servers no problem.  Have checked the workstations to make sure RDP is enabled and the firewall rules allow it as well...no luck.

Previously the owner could remote straight in to their workstation from home using the full machine name plus :3390 port at the end.  (Yes, they were natting apparently through the sonicwall.)  I removed all the sonicwall rules and redefined them all to push 1723 and 3389 to the VPN server and established the RAS service on that server.  They are no longer able to remote in, even with the port definition removed.

I can RDP into the servers but upon attempting to RDP from the servers to the workstations, this internal RDP does not work either.  Need help on where to look for what is stopping the workstation RDP function.
0
Comment
Question by:dstewart83161
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 10

Expert Comment

by:abraham808
ID: 40460687
Check the registry. FDenyTSConnections. This article shows one.  Http://www.computerperformance.co.uk/w2k3/services/terminal_services_remote_desktop.htm


there is another registry entry,

HKLM->SOFTWARE->Policies->Microsoft->Terminal Services->

check if fDenyTsconnections to 0
0
 

Author Comment

by:dstewart83161
ID: 40460697
Have checked a machine for the registry entry and it is set to 0.  Please note that the owner was able to remote in before to her machine but since I removed the NAT rules and I believe the GP rules it no longer allows remoting.  I'm not sure if I got all the GP rules discovered though.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40460717
Looks like there was no PAT with the NAT applied, and port 3390 also used in the client RDP setup. Did you try that port (plus adding the new RDP rules to the Firewall for allowing port 3390)?

On another note, why do you forward port 3389 to the VPN server?
0
How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

 

Author Comment

by:dstewart83161
ID: 40460739
Have always been taught that 3389 needed to be open for terminal services and to point it to the RAS server.  How else would it be done?

This issue is secondary to the primary issue though.  From the servers, I am unable to RDP to the workstations which is internal to the network.  No NATting or ports on the Sonicwall should be involved in that.
0
 
LVL 15

Accepted Solution

by:
Perarduaadastra earned 500 total points
ID: 40460754
Have you confirmed that the workstations are listening for RDP connections on 3389? It seems from what you report that they might be listening on 3390, or indeed any other port that's been specified. You can check it in the target computer's registry by browsing to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

In the right pane scroll down to PortNumber - the value in brackets is the port number being used. Be aware that if you change the value, you will need to reboot the workstation before it will take effect.

I'm guessing that three different companies managing the system in the space of a year equates to approximately zero documentation of the system and any changes made to it...
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40460765
^^^ exactly what I tried to say in http:#a40460717.

"Have always been taught that 3389 needed to be open for terminal services and to point it to the RAS server. " What for? You either
 use RDP without a VPN, and RDP is forwarded to the machine you need to go to,
or
 user RDP with a VPN, and there is no port-forwarding - the VPN clients uses the LAN IPs.
0
 

Author Closing Comment

by:dstewart83161
ID: 40460792
This was it.  I assumed the Sonicwall rules were the only area that was changing the port.  Each of the machines in question had the port set to other than 3389.  reset them and rebooted and everything began working correctly both locally and remotely.  Thanks so much !!!
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40460805
Sorry? That. again, is what I told you in http:#a40460717.
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

OnPage: Incident management and secure messaging on your smartphone
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question