Solved

.rdp connection no longer working - how to diagnose?

Posted on 2016-08-08
Last Modified: 2016-08-15
Environment:
Comcast business gateway with static ip addresses
Windows Server with small LAN
W7 PC running VirtualBox with W7 client; VM Network setting: Bridged adapter using PC's Intel wired Gigabit NIC

I've been using .rdp file (Remote Desktop Connection) to connect remotely to the W7 client.  But I can no longer connect, getting message:
Remote Desktop can’t connect to the remote computer for one of these reasons:

1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

How can I diagnose the problem?
Question by:SAbboushi
20 Comments
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41748080
There are several things to check:

1.  How can you test that the server you need to connect to is running normally?
2.  Is there any firewall in the way whose configuration could have been changed by somebody?
3.  About your own PC and virtual environment, perform the basics; ping to external network, internet navigation, DNS tests from the vbox.
4.  Do you have another RDP server to test whether it connects?  If your PC connects to another server running RDP, it is almost 99% certain your PC config is OK.
5.  Check and re-check the .rdp configuration; IP and options about security.

Let us know so we can go deeper into one subject or another.
0
 

Author Comment

by:SAbboushi
ID: 41748104
Hey - thanks for the quick response.

>>1.  How can you test that the server you need to connect to is running normally?
Need a clarification on this: the W7 client (VM) that I'm trying to connect to is on a LAN with domain controller.  So which "server" are you inquiring about?

>>2.  Is there any firewall in the way whose configuration could have been changed by somebody?
Unlikely - unless done mistakenly.  The Host PC currently has Windows Firewall disabled, but I'm not sure how to check for other relevant firewalls (Server? Gateway?)

>>3.  About your own PC and virtual environment, perform the basics; ping to external network, internet navigation, DNS tests from the vbox.

To clarify:

W10Pro PC -> Internet to dedicated ip-> Comcast Gateway-> ??? (role of Windows Server) ??? -> Host PC NIC -> Client W7 VM

>> ping to external network
ping from W10Pro to google.com?  If so, that works fine

>> internet navigation
Can I navigate internet on W10Pro?  If so, that works fine

>>DNS tests from the vbox.
ping from W7 VM to google.com?  Or something else?

>>4.  Do you have another RDP server to test whether it connects?  If your PC connects to another server running RDP, it is almost 99% certain your PC config is OK.

I don't have anything setup, but I'm already 99% sure the problem is not my PC (another user has a copy of the rdp file and they can't connect to the W7 VM either).
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41748112
OK.  It is clear the problem is on that W7 on the local lan.

Unfortunately there will not be a solution without having physical access to the W7.  I assume you do not have access at this time to that computer.

In the future, you could set up a second PC, or the server in the LAN, as a second RDP.  This is assuming a problem on the W7 box.

Another possibility is that the router or the internet line is down.

-> Can you ping the public IP to see if it works?

..MFlores..
0
 

Author Comment

by:SAbboushi
ID: 41748121
>> Unfortunately there will not be a solution without having physical access to the W7.  I assume you do not have access at this time to that computer.

I have remote access through Chrome Remote Desktop to the W7 Host (so I can access the Client W7 VM through VirtualBox on the Host too, but I'm trying to diagnose the rdp connection problem)
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41748125
OK.  So that discards an internet or router problem.

You should try using the remote desktop client of the host to connect to W7.  As you use bridged mode, a LAN IP is assigned to the W7 client, so you can try to connect.
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41748128
W7 client is in bridged mode and a static LAN IP is configured, I suppose?
0
 

Author Comment

by:SAbboushi
ID: 41748132
Yes
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41748135
OK.  Please, tell us whether you can connect RDP from host to client or not.
0
 

Author Comment

by:SAbboushi
ID: 41748151
Thanks!  Embarrassed at my "Duh...!" moment...  So simple!

Nope, same error.  So looks like the problem is with the VM guest.

Turning off Windows Firewall for "Domain network location settings" on VM guest and I'm able to connect.  Any guidance on how to setup Windows Firewall to allow safe access?

Also, any thoughts on how this behavior might have "changed"?
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41748601
You must provide a firewall rule to allow incoming RDP connections.  Probably it changed by enabling the firewall?... Any recent Windows security update?

Here are step-by-step instructions:

http://itproguru.com/expert/2014/09/allow-remote-desktop-services-rdp-and-ping-icmp-through-windows-firewall/
0
 

Author Comment

by:SAbboushi
ID: 41749757
Don't understand the reason for enabling ICMP - any idea?  I enabled it for Domain.

Remote Desktop (TCP-In) was already enabled.  

Then I turned back on the Windows Firewall for "Domain networks".  I still can't connect.

I note the following properties in 'Remote Desktop (TCP-In)' rule:
“Programs and Services” Tab shows “Programs: This  program: System”
Advanced tab shows: Edge traversal: Block edge traversal

I'm wondering whether Windows Server Group Policy/Domain Controller could be a factor here?

Other info:
I can use the ip address without a port# to connect to the server; adding the port# to the ip address is for the client W7 VM.  I suspect the Server is managing rdp sessions and port forwarding

I would have expected to find a log entry each time Windows Firewall blocked the incoming Remote Desktop session, but the log is empty.

At a loss as to what to try next...
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41750727
I'll try to investigate later in my own infrastructure and try to give you some inputs.
0
 

Author Comment

by:SAbboushi
ID: 41750918
k thanks
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41751249
1.  Maybe vbox is blocking the traffic.  It should be only because depends on client firewall running state.  Just check vbox host settings.

2.  If you enabled ICMP, you should ping client IP from where RDP doesn't work with firewall enabled.  Does it ping correctly?

3.  Test connection from W7 client to IP: localhost
i.e. trying to connect to the machine itself.  I suppose it works with the firewall active?

4.  We could try NAT mode.  You need to forward the RDP port 3389 from ip host interface to client internal ip interface.

5.  Maybe there is an RDP gateway or broker, which of course would need its own firewall rules?

..MFlores..
0
 

Author Comment

by:SAbboushi
ID: 41751372
Man -- you're a prince.  Let me review your post and see what I can figure out & get back to you.  Thanks--
0
 

Author Comment

by:SAbboushi
ID: 41751490
>> 1.  Maybe vbox is blocking the traffic.  It should be only because depends on client firewall running state.  Just check vbox host settings.

I'm not following: haven't we proven that it's windows firewall on the guest which is blocking the traffic?  Wouldn't adding/modifying an inbound firewall rule on the guest windows firewall resolve the problem?


>> 2.  If you enabled ICMP, you should ping client IP from where RDP doesn't work with firewall enabled.  Does it ping correctly?

NOTE: Remote Desktop connection to Client requires ip:port address, so standard icmp "ping" won't work.  Using Sysinternals' (tcp) psping, it works fine when client's Windows Firewall, Domain Networks is off; no response when Firewall turned back on.


>> 3.  Test connection from W7 client to IP: localhost
i.e. trying to connect to the machine itself.  I suppose it works with the firewall active?

Wasn't clear on what you wanted me to try: a remote desktop connection from client to itself by specifying "localhost" in Computer field instead of ip:port?  I tried that, but get same message (can't connect -- see below screenshot).


>> 4.  We could try NAT mode.  You need to forward the RDP port 3389 from ip host interface to client internal ip interface.

I'm still trying to figure out how/where port forwarding is currently configured!!  The client virtual adapter is bridged to the host NIC.  I don't know how to do what you're suggesting.

>> 5.  Maybe there is an RDP gateway or broker, which of course would need its own firewall rules?
That's what I've been wondering, but I haven't been able to track one down.

A big missing piece of the puzzle for me is I can't figure out where the adapter is that has the dedicated ip address!!  (I use the isp-assigned dedicated (public) ip address to remote desktop to the server, and append a port# to connect instead to the guest vm on another PC on the LAN).

In any event, I'm still thinking that the solution is to add an inbound rule for Remote Desktop TCP-in on the guest firewall and if that works, try to understand why the existing inbound rule is blocking the connection; and/or figure out how to log the blocked connection event to get further clues.  What do you think?
Argh!!!!
Capture.PNG
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41751971
About 3.  Instead of localhost, use the following IP: 127.0.0.1, which should work.  This kind of test is to gather information to guess what could be failing here.

About 4.  Indeed, it is a good test in my opinion.  I'll try to explain below.

About 5 and your explanation of public IP.  So, the host (I guess) is being configured directly with the public IP?  At this moment it will help to have screenshots or a couple of files with host and VM IP configuration.  Please, just execute:

ipconfig /all


and attach the result.  If there is a public ip listed there, please hide it using something like xx......xx.

Bridged vs NAT

In bridged mode you will have something like:

---------------------------------------  network (address??) x.x.x.x (whatever)
       |                          |
    Host  (ip x)        client (ip of the same network as host)

So the client and host are in the same network, each having a different IP address of your local network.  Bridged mode puts a bridge from the client VM to the physical network so it can have a network IP by itself.

In NAT mode.

network (as above) ---------- HOST ---------- (internal/virtual vbox network), something like 192.168.2.x
                                                        |
                                                        |
                                              Client.  IP from vbox virtual network, i.e. 192.168.2.2

The internal/virtual network address of the host will be 192.168.2.1 or whatever.  Indeed, the host must be the default gateway of your client and behaves as a router as well.
So, since the host acts as a router, you should configure an incoming route from the external to the internal net, port 3389 (you can use another, e.g. 3388) to 192.168.2.2 port 3389 (the port RDP is listening on in the client).

NAT configuration is as valid as bridged, and indeed your client will be less exposed and you could disable its firewall, because the host can take care of this if properly configured.

..MFlores..
0
 

Author Comment

by:SAbboushi
ID: 41753398
>>About 3.  Instead of localhost, use the following IP: 127.0.0.1, which should work.  This kind of test is to gather information to guess what could be failing here.

Same "Can't connect" message

>> >> 5.  Maybe there is an RDP gateway or broker, which of course would need its own firewall rules?
I found a setting in the RD client on Advanced tab>Connect from anywhere>Settings>Connection Settings: Do not use an RD Gateway server

I'm still able to connect after enabling this setting, so I wonder if that rules out that there is an RD gateway in the mix?

ipconfig /all (Guest VM & Host) attached below.


>> So, the host (I guess) is being configured directly with the public IP?

Your explanation was helpful; here's what I'm seeing:
1) Public ip 77.77.77.77 is being forwarded to Server1 (somehow)
2) Public ip 77.77.77.77:3333 is being forwarded (somehow) to the Guest_VM on Host_PC
3) It seems to me that the Guest_VM Firewall rule for "Remote Desktop TCP-In" is irrelevant because it is hardcoded to port 3389 whereas I'm using port 3333 to Remote Desktop to Guest_VM
4) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber is set to 3389 on Guest_VM; I would have thought this needed to be set to 3333, otherwise Guest_VM won't be listening to port 3333...?  Unless maybe the port forwarding (wherever it's being done) is forwarding 77.77.77.77:3333 to 192.168.1.22 (private ip of Guest_VM) and since there was no forwarding port specified, the default 3389 port is used on Guest_VM for rdp?
5) However, doing a netstat -a on Guest_VM shows port 3333 "Listening" and port 3389 isn't listed?? Doesn't this contradict "4)" above?

I added a new inbound rule in Windows Firewall of Guest_VM for Domain profile.  Now I'm able to connect with Firewall on.

Would appreciate any feedback you have on my analysis above/my questions.  Although I'm able to connect now with the firewall on, I still am at a loss to understand the routing/forwarding that's going on and how to get closer to figuring it out.
ipconfig_guest_EE.png
ipconfig_Host_EE.png
0
 
LVL 5

Accepted Solution

by:
Manuel Flores earned 500 total points
ID: 41753492
About 3.  Of course, you must write down: 127.0.0.1:3333  according to the point 5.

About 5.
>>I found a setting in the RD client on Advanced tab>Connect from anywhere>Settings>Connection Settings: Do not use an RD Gateway server

You're not using anything strange.  Plain RDP, it's clear.

You're using bridged mode, so the host and guest are in the same network; 192.168.1.x... at this moment this is ok.

Forwarding on server1: 77.77.77.77:3333 to 192.168.1.22 is OK too.  It is necessary.  Of course the firewall rule for RDP works using the standard port (3389); however, it is clear that you use port 3333.  You must set up a corresponding rule for 3333.

Another option was to leave the standard 3389 port on the guest client for RDP, and forward on server1 77.77.77.77:3333 to 192.168.1.22:3389 (making a network and port translation; NAT and PAT).  However, your configuration is finally OK now; I wouldn't change anything, because you have a valid and correct solution.  You hide the standard 3389 port externally, which is always a best-practice config.

Happy that we could finally unveil what was happening!!!  Should you have any further doubts about NAT modes, routing, etc., please let me know.

..MFlores..
0
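
Added example (not part of the original thread and not any poster's code): a PowerShell check, run on the guest, for the mismatch diagnosed above, where RDP listens on a non-default port that the built-in "Remote Desktop (TCP-In)" rule does not cover. It assumes English netstat output and matches firewall rules on port and profile only; the rule name in the commented netsh line is a placeholder.

```powershell
# Added example. Works with PowerShell 2.0 on Windows 7 (no NetSecurity module needed).

# 1. Port configured in the registry (the key quoted in the thread).
$regPort = (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber

# 2. Ports the Remote Desktop service process is really listening on.
#    The svchost instance hosting TermService may also host other services.
$svcPid = (Get-WmiObject Win32_Service -Filter "Name='TermService'").ProcessId
$listening = netstat -ano -p tcp | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and [int]$Matches[2] -eq $svcPid) {
        [int]$Matches[1]
    }
} | Sort-Object -Unique

# 3. Enabled inbound TCP allow rules that apply to the Domain profile.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$DomainProfile = 1            # NET_FW_PROFILE2_DOMAIN
function Test-PortAllowed([int]$Port) {
    foreach ($r in $fw.Rules) {
        # Direction 1 = inbound, Action 1 = allow, Protocol 6 = TCP
        if (-not $r.Enabled -or $r.Direction -ne 1 -or $r.Action -ne 1 -or $r.Protocol -ne 6) { continue }
        if (($r.Profiles -band $DomainProfile) -eq 0) { continue }
        foreach ($p in ($r.LocalPorts -split ',')) {
            if ($p -eq '*' -or $p -eq "$Port") { return $r.Name }
            if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
                return $r.Name
            }
        }
    }
}

# 4. Report. A rule may still be narrowed by program, service or remote address,
#    and a matching block rule overrides any allow rule.
"Registry PortNumber: $regPort"
foreach ($port in $listening) {
    $rule = Test-PortAllowed $port
    if ($rule) { "TCP $port is listening and allowed by rule '$rule'" }
    else       { "TCP $port is listening but has NO enabled inbound allow rule for the Domain profile" }
}

# 5. Remediation used in the thread, as commands (elevated prompt), plus logging of
#    dropped packets, which is off by default and explains an empty firewall log:
# netsh advfirewall firewall add rule name="RDP custom port (placeholder name)" dir=in action=allow protocol=TCP localport=3333 profile=domain
# netsh advfirewall set domainprofile logging droppedconnections enable
```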
 

Author Closing Comment

by:SAbboushi
ID: 41756777
Thanks for all your help.  Much appreciated!!
0
