SAbboushi

.rdp connection no longer working - how to diagnose?

Environment:
Comcast business gateway with static ip addresses
Windows Server with small LAN
W7 PC running VirtualBox with W7 client; VM Network setting: Bridged adapter using PC's Intel wired Gigabit NIC

I've been using .rdp file (Remote Desktop Connection) to connect remotely to the W7 client.  But I can no longer connect, getting message:
Remote Desktop can’t connect to the remote computer for one of these reasons:

1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

How can I diagnose the problem?
Manuel Flores

There are several things to check:

1.  How can you test that the server you need to connect to is running normally?
2.  Is there any firewall in the way whose configuration could have been changed by somebody?
3.  About your own PC and virtual environment, perform the basics: ping to an external network, internet navigation, DNS tests from the vbox.
4.  Do you have another RDP server to test whether it connects?  If your PC connects to another server running RDP, it is almost 99% certain your PC config is OK.
5.  Check and re-check the .rdp configuration: IP and security options.

Let us know so we can go deeper into one subject or another.
SAbboushi

ASKER

Hey - thanks for the quick response.

>>1.  How can you test that the server you need to connect to is running normally?
Need a clarification on this: the W7 client (VM) that I'm trying to connect to is on a LAN with domain controller.  So which "server" are you inquiring about?

>>2.  Is there any firewall in the way whose configuration could have been changed by somebody?
Unlikely - unless done mistakenly.  The Host PC currently has Windows Firewall disabled, but I'm not sure how to check for other relevant firewalls (Server? Gateway?)

>>3.  About your own PC and virtual environment, perform the basics: ping to an external network, internet navigation, DNS tests from the vbox.

To clarify:

W10Pro PC -> Internet to dedicated ip-> Comcast Gateway-> ??? (role of Windows Server) ??? -> Host PC NIC -> Client W7 VM

>> ping to external network
ping from W10Pro to google.com?  If so, that works fine

>> internet navigation
Can I navigate internet on W10Pro?  If so, that works fine

>>DNS tests from the vbox.
ping from W7 VM to google.com?  Or something else?

>>4.  Do you have another RDP server to test whether it connects?  If your PC connects to another server running RDP, it is almost 99% certain your PC config is OK.

I don't have anything setup, but I'm already 99% sure the problem is not my PC (another user has a copy of the rdp file and they can't connect to the W7 VM either).
OK.  It is clear the problem is on that W7 on the local LAN.

Unfortunately there will not be a solution without having physical access to the W7.  I assume you do not have access to that computer at this time.

In the future, you could set up a second PC, or the server in the LAN, as a second RDP.  This is assuming a problem on the W7 box.

Another possibility is that the router or the internet line has dropped.

-> Can you ping the public IP to see if it works?

..MFlores..
>> Unfortunately it will not be a solution without having physical access to the W7 . I assume you do not have access at this time to that computer.

I have remote access through Chrome Remote Desktop to the W7 Host (so I can access the Client W7 VM through VirtualBox on the Host too, but I'm trying to diagnose the rdp connection problem)
OK.  So that discards an internet or router problem.

You should try using the remote desktop client on the host to connect to the W7.  As you use bridged mode, a LAN IP is assigned to the W7 client, so you can try to connect.
The W7 client is in bridged mode with a static LAN IP configured, I suppose?
Yes
OK.  Please, tell us whether you can connect RDP from host to client or not.
Thanks!  Embarrassed at my "Duh...!" moment...  So simple!

Nope, same error.  So looks like the problem is with the VM guest.

Turning off Windows Firewall for "Domain network location settings" on VM guest and I'm able to connect.  Any guidance on how to setup Windows Firewall to allow safe access?

Also, any thoughts on how this behavior might have "changed"?
You must provide a firewall rule to allow incoming RDP connections.  Probably changed by enabling the firewall?... Any recent Windows security update?

Here are step-by-step instructions:

http://itproguru.com/expert/2014/09/allow-remote-desktop-services-rdp-and-ping-icmp-through-windows-firewall/
Don't understand the reason for enabling ICMP - any idea?  I enabled it for Domain.

Remote Desktop (TCP-In) was already enabled.  

Then I turned back on the Windows Firewall for "Domain networks".  I still can't connect.

I note the following properties in 'Remote Desktop (TCP-In)' rule:
“Programs and Services” Tab shows “Programs: This  program: System”
Advanced tab shows: Edge traversal: Block edge traversal

I'm wondering whether Windows Server Group Policy/Domain Controller could be a factor here?

Other info:
I can use the ip address without a port# to connect to the server; adding the port# to the ip address is for the client W7 VM.  I suspect the Server is managing rdp sessions and port forwarding

I would have expected to find a log entry each time Windows Firewall blocked the incoming Remote Desktop session, but the log is empty.

At a loss as to what to try next...
I'll try to investigate later in my own infrastructure and try to give you some inputs.
k thanks
1.  Maybe vbox is blocking the traffic.  It should be only because depends on client firewall running state.  Just check vbox host settings.

2.  If you enabled ICMP, you should ping client IP from where RDP doesn't work with firewall enabled.  Does it ping correctly?

3.  Test connection from W7 client to IP: localhost
i.e. trying to connect to the machine itself.  I suppose it works with the firewall active?

4.  We could try NAT mode.  You need to forward the RDP port 3389 from ip host interface to client internal ip interface.

5.  Maybe there is an RDP gateway or broker, which of course would need its own firewall rules?

..MFlores..
Man -- you're a prince.  Let me review your post and see what I can figure out & get back to you.  Thanks--
>> 1.  Maybe vbox is blocking the traffic.  It should be only because depends on client firewall running state.  Just check vbox host settings.

I'm not following: haven't we proven that it's windows firewall on the guest which is blocking the traffic?  Wouldn't adding/modifying an inbound firewall rule on the guest windows firewall resolve the problem?


>> 2.  If you enabled ICMP, you should ping client IP from where RDP doesn't work with firewall enabled.  Does it ping correctly?

NOTE: Remote Desktop connection to Client requires ip:port address, so standard ICMP "ping" won't work.  Using Sysinternals' (TCP) psping, it works fine when the client's Windows Firewall, Domain Networks is off; no response when the Firewall is turned back on.


>> 3.  Test connection from W7 client to IP: localhost
i.e. trying to connect to just the own machine.  I suppose it works with firewall active?.

Wasn't clear on what you wanted me to try: a remote desktop connection from client to itself by specifying "localhost" in Computer field instead of ip:port?  I tried that, but get same message (can't connect -- see below screenshot).


>> 4.  We could try NAT mode.  You need to forward the RDP port 3389 from ip host interface to client internal ip interface.

I'm still trying to figure out how/where port forwarding is currently configured!!  The client virtual adapter is bridged to the host NIC.  I don't know how to do what you're suggesting.

>> 5.  Maybe is there a RDP gateway or broker which of course would need it's own firewall rules?.
That's what I've been wondering, but I haven't been able to track one down.

A big missing piece of the puzzle for me is I can't figure out where the adapter is that has the dedicated ip address!!  (I use the isp-assigned dedicated (public) ip address to remote desktop to the server, and append a port# to connect instead to the guest vm on another PC on the LAN).

In any event, I'm still thinking that the solution is to add an inbound rule for Remote Desktop TCP-in on the guest firewall and if that works, try to understand why the existing inbound rule is blocking the connection; and/or figure out how to log the blocked connection event to get further clues.  What do you think?
Argh!!!!
Capture.PNG
About 3.  Instead of localhost, use the following IP: 127.0.0.1; that should work.  This kind of test gives information to guess what could be failing here.

About 4.  Indeed, it is a good test in my opinion.  I'll try to explain below.

About 5 and your explanation of the public IP.  So, the host (I guess) is configured directly with the public IP?  At this point it would help to have screenshots or a couple of files with the host and VM IP configuration.  Please just execute:

ipconfig /all

and attach the result.  If there is a public ip listed there, please hide it using something like xx......xx.

Bridged vs NAT

In bridged mode you will have something like:

---------------------------------------  network (address??) x.x.x.x (whatever)
       |                          |
    Host  (ip x)        client (ip of the same network as host)

So the client and host are in the same network, each having a different IP address on your local network.  Bridged mode puts a bridge from the client VM to the physical network so it can have a network IP of its own.

In NAT mode:

network (as above) ---------- HOST ----------- (internal/virtual vbox network)  something like 192.168.2.x
                                                                   |
                                                                   |
                                                               Client.  IP from vbox virtual network. i.e. 192.168.2.2

The internal/virtual network address of the host will be 192.168.2.1 or whatever.  Indeed the host must be the default gateway of your client and behaves as a router as well.
So, since the host acts as a router, you should configure an incoming route from the external to the internal net, port 3389 (you can use another, e.g. 3388) to 192.168.2.2 port 3389 (the port RDP is listening on in the client).

NAT configuration is as valid as bridged, and indeed your client will be less exposed and you could disable its firewall, because the host can take care of this if properly configured.

..MFlores..
>>About 3.  Use instead of localhost, the following IP; 127.0.0.1 that should work.  This kind of tests is to have information to guess what could be failing here.

Same "Can't connect" message

>> >> 5.  Maybe is there a RDP gateway or broker which of course would need it's own firewall rules?.
I found a setting in the RD client on Advanced tab>Connect from anywhere>Settings>Connection Settings: Do not use an RD Gateway server

I'm still able to connect after enabling this setting, so I wonder if that rules out that there is an RD gateway in the mix?

ipconfig /all (Guest VM & Host) attached below.


>> So, the host (I guess) is being configured directly with the public IP?.

Your explanation was helpful; here's what I'm seeing:
1) Public ip 77.77.77.77 is being forwarded to Server1 (somehow)
2) Public ip 77.77.77.77:3333 is being forwarded (somehow) to the Guest_VM on Host_PC
3) It seems to me that the Guest_VM Firewall rule for "Remote Desktop TCP-In" is irrelevant because it is hardcoded to port 3389 whereas I'm using port 3333 to Remote Desktop to Guest_VM
4) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber is set to 3389 on Guest_VM; I would have thought this needed to be set to 3333, otherwise Guest_VM won't be listening to port 3333...?  Unless maybe the port forwarding (wherever it's being done) is forwarding 77.77.77.77:3333 to 192.168.1.22 (private ip of Guest_VM) and since there was no forwarding port specified, the default 3389 port is used on Guest_VM for rdp?
5) However, doing a netstat -a on Guest_VM shows port 3333 "Listening" and port 3389 isn't listed?? Doesn't this contradict "4)" above?

I added a new inbound rule in Windows Firewall of Guest_VM for Domain profile.  Now I'm able to connect with Firewall on.

Would appreciate any feedback you have on my analysis above/my questions.  Although I'm able to connect now with the firewall on, I still am at a loss to understand the routing/forwarding that's going on and how to get closer to figuring it out.
ipconfig_guest_EE.png
ipconfig_Host_EE.png
ASKER CERTIFIED SOLUTION
Manuel Flores
Thanks for all your help.  Much appreciated!!
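
The checks discussed in this thread (registry PortNumber versus the port actually listening, the built-in rule versus a rule for the custom port, and logging of dropped connections) can be run together on the RDP target. This is an added example, not code from the thread participants; it assumes the port 3333 mentioned above, English-language `netstat`/`netsh` output, and a hypothetical rule name.

```powershell
# Added example. Run elevated on the RDP target (the guest VM in the thread).
# Assumptions: English-language tool output; the rule name is hypothetical.
$RdpPort  = 3333                       # custom port used in the thread
$RuleName = 'RDP-custom-port-example'  # hypothetical rule name

# 1. Port the RDP listener is configured for in the registry.
$key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$cfgPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

# 2. Ports actually held open by the process hosting Remote Desktop Services.
#    Other services sharing that svchost.exe may appear in this list too.
$svcPid = (Get-WmiObject Win32_Service -Filter "Name='TermService'").ProcessId
$listening = @(netstat -ano -p TCP | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and
        [int]$Matches[2] -eq $svcPid) { [int]$Matches[1] }
} | Sort-Object -Unique)

"Registry PortNumber : $cfgPort"
"TermService listens : $($listening -join ', ')"
if ($listening -notcontains $RdpPort) {
    Write-Warning "TermService is not listening on $RdpPort; a rule for it will not help."
    return
}

# 3. What the built-in rule covers (the thread notes it is tied to port 3389).
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose |
    Select-String 'Rule Name|Enabled|Profiles|LocalPort'

# 4. Allow the port that is really in use, on the domain profile only.
#    Narrow remoteip= to the forwarding device or admin subnet where possible.
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow `
    protocol=TCP localport=$RdpPort profile=domain remoteip=any

# 5. Log dropped packets so a blocked attempt leaves evidence, then review.
netsh advfirewall set domainprofile logging droppedconnections enable
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    Select-String -Path $log -Pattern " DROP TCP \S+ \S+ \d+ $RdpPort " |
        Select-Object -Last 5
}
```

Dropped-packet logging is off by default in Windows Firewall, which is consistent with the empty log described earlier in the thread.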