Remote Desktops Services not working to workstations

Just took over managing a network for a company that has had 3 different companies managing it in the past year.  Two servers and 9 PCs with an SQL DB hosted on one of them.  The entire network had the firewalls turned off and a bunch of group policies defined to limit traffic.  All of this because apparently they didn't know how to enable a few SQL ports through the server and workstations.

I have tried removing all the policies I can find, turned the workstations' firewalls on again but I am having issues with not having the ability to RDP to any of the workstations.  I can RDP to the servers no problem.  Have checked the workstations to make sure RDP is enabled and the firewall rules allow it as well...no luck.

Previously the owner could remote straight in to their workstation from home using the full machine name plus :3390 port at the end.  (Yes, they were NATting apparently through the SonicWall.)  I removed all the SonicWall rules and redefined them all to push 1723 and 3389 to the VPN server and established the RAS service on that server.  They are no longer able to remote in, even with the port definition removed.

I can RDP into the servers but upon attempting to RDP from the servers to the workstations, this internal RDP does not work either.  Need help on where to look for what is stopping the workstation RDP function.
Asked by: dstewart83161

abraham808 Commented:
Check the registry. fDenyTSConnections. This article shows one.  http://www.computerperformance.co.uk/w2k3/services/terminal_services_remote_desktop.htm


there is another registry entry,

HKLM->SOFTWARE->Policies->Microsoft->Terminal Services->

check if fDenyTSConnections is set to 0

dstewart83161 (Author) Commented:
Have checked a machine for the registry entry and it is set to 0.  Please note that the owner was able to remote in before to her machine but since I removed the NAT rules and I believe the GP rules it no longer allows remoting.  I'm not sure if I got all the GP rules discovered though.

Qlemo (C++ Developer) Commented:
Looks like there was no PAT with the NAT applied, and port 3390 also used in the client RDP setup. Did you try that port (plus adding the new RDP rules to the Firewall for allowing port 3390)?

On another note, why do you forward port 3389 to the VPN server?
 
dstewart83161 (Author) Commented:
Have always been taught that 3389 needed to be open for terminal services and to point it to the RAS server.  How else would it be done?

This issue is secondary to the primary issue though.  From the servers, I am unable to RDP to the workstations which is internal to the network.  No NATting or ports on the SonicWall should be involved in that.

Perarduaadastra Commented:
Have you confirmed that the workstations are listening for RDP connections on 3389? It seems from what you report that they might be listening on 3390, or indeed any other port that's been specified. You can check it in the target computer's registry by browsing to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

In the right pane scroll down to PortNumber - the value in brackets is the port number being used. Be aware that if you change the value, you will need to reboot the workstation before it will take effect.

I'm guessing that three different companies managing the system in the space of a year equates to approximately zero documentation of the system and any changes made to it...

Qlemo (C++ Developer) Commented:
^^^ exactly what I tried to say in http:#a40460717.

"Have always been taught that 3389 needed to be open for terminal services and to point it to the RAS server." What for? You either
 use RDP without a VPN, and RDP is forwarded to the machine you need to go to,
or
 use RDP with a VPN, and there is no port-forwarding - the VPN client uses the LAN IPs.

dstewart83161 (Author) Commented:
This was it.  I assumed the SonicWall rules were the only area that was changing the port.  Each of the machines in question had the port set to other than 3389.  Reset them and rebooted and everything began working correctly both locally and remotely.  Thanks so much !!!

Qlemo (C++ Developer) Commented:
Sorry? That, again, is what I told you in http:#a40460717.
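
The checks suggested in this thread, gathered into one script to run locally on a workstation (an added example, not code posted by any participant). It assumes Windows 8 / Server 2012 or later for the `Get-NetTCPConnection` and `Get-NetFirewallRule` cmdlets; the function name and output fields are hypothetical, and the `fDenyTSConnections` paths used are the standard local and Group Policy locations.

```powershell
# Added example: run in an elevated PowerShell session on the workstation.
function Get-RdpListenerState {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections: 0 = RDP allowed, 1 = denied. A policy value overrides the local one.
    $localDeny  = (Get-ItemProperty -Path $ts -Name fDenyTSConnections `
                   -ErrorAction SilentlyContinue).fDenyTSConnections
    $policyDeny = (Get-ItemProperty -Path $policy -Name fDenyTSConnections `
                   -ErrorAction SilentlyContinue).fDenyTSConnections

    # Port the RDP listener is configured to use (DWORD, shown here in decimal).
    $port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

    # Is anything actually listening on that port? A changed PortNumber only
    # takes effect after a reboot, so configured and live state can differ.
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
                        -ErrorAction SilentlyContinue)

    # Effective (local + Group Policy) inbound allow rules that name this TCP port.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and
                       $_.Action -eq 'Allow' } |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $f.Protocol -eq 'TCP' -and $f.LocalPort -contains "$port"
        }

    [pscustomobject]@{
        LocalDeny      = $localDeny        # expect 0
        PolicyDeny     = $policyDeny       # expect 0 or empty (no policy set)
        ConfiguredPort = $port
        NonDefaultPort = ($port -ne 3389)  # true means clients must specify the port
        Listening      = $listening
        AllowRules     = @($rules.DisplayName)
    }
}

Get-RdpListenerState | Format-List

# From a server, confirm reachability of the port reported above
# (WS01 is a placeholder hostname):
# Test-NetConnection -ComputerName WS01 -Port 3389
```

A `ConfiguredPort` other than 3389 with an empty `AllowRules` list means the built-in Remote Desktop firewall rules, which cover 3389, do not apply to the port the workstation is actually using.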