Xeronimo (Luxembourg) asked:
Can't RDP from LAN to DMZ?

I'm trying to connect to a Windows server in a DMZ from my LAN using Remote Desktop. But I'm not able to, I'm always getting this error:

But on my firewall I can see that the RDP request is being passed through from LAN to DMZ ... and I've enabled Remote Desktop Access under 'remote settings' on the server in the DMZ. So what could the problem be?

I'm also able to access a network share from the server in the DMZ on my LAN. So some interaction between the two zones works.

Thanks!
Sajid Shaik M (Saudi Arabia):

What firewall is being used for the DMZ?

Did you check telnet to port 3389 from the remote client to the host?

Check the antivirus and firewall port exclusions, etc.

All the best.
Xeronimo (asker):
I'm using a Watchguard firewall.

Right now I've only opened ports from LAN to the DMZ. So I need to open port 3389 from DMZ to LAN as well?
RDP requires TCP port 3389 - you need to allow that port from the LAN to the DMZ.
What is the error message you are getting?
Derek: right now I've opened (for test purposes) all ports from the LAN to the DMZ. That's why I see on my firewall that the RDP request gets through. RDP is then trying to initiate the remote connection but fails with:

[screenshot of the error message]
You can't just open the ports - you need to forward that specific port onto the specific server you are trying to RDP to.
Derek: I'm not sure why that would be necessary? I don't need to forward specific ports in order to access its network share, for example?

Why can't I just RDP to the IP address of the server in the DMZ?
If you RDP directly to the IP address, you don't technically have a DMZ; you have a separate network segment with a firewall separating them.

On the LAN, assume your subnet is 10.0.0.0/24, and the watchguard has IP 10.0.0.1.

The DMZ is subnet 192.168.100.0/24, with the Watchguard having IP 192.168.100.1 on that network segment.

From your machine on the LAN, assuming you have routing set up on the Watchguard to cope with the traffic to the 192.168.100 subnet, you would RDP to the DMZ address of your server - assume 192.168.100.10. The server then needs to know how to route the traffic back to the source address on the 10.0.0.0 subnet - the default gateway on each server, and the routing table on each, needs to know to send all traffic to the Watchguard, and the Watchguard needs to know how to route it.

Port forwarding is easier and simpler - the machines don't need to know anything about the routing, as they just communicate with the Watchguard (you RDP to the Watchguard IP address/port and it forwards it on to the correct server).
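As an added diagnostic (not code from this thread, from WatchGuard or from Microsoft), the Python script below does what Sajid's telnet check does and one step more: it completes the X.224 connection request that every RDP client sends first, so a timeout (firewall policy, or the missing return route Derek describes), a TCP reset (port reachable but nothing listening) and a real RDP listener answering can be told apart before any credentials are involved. The default target 10.1.1.10 is the DMZ server address the asker gives; run it from the LAN PC.

```python
import socket
import struct
import sys

RDP_PORT = 3389
PROTOCOL_NAMES = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)", 8: "CredSSP EX"}
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_x224_cr(requested_protocols=0x03):
    """X.224 Connection Request inside a TPKT header, carrying an RDP negotiation
    request (MS-RDPBCGR 2.2.1.1). 0x03 asks for TLS or CredSSP; no credentials are sent."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)    # type, flags, len, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req  # LI, CR code, dst, src, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224                # TPKT: version 3, total length

def parse_x224_cc(data):
    """Turn the server's reply into a verdict. Anything that parses as an X.224
    Connection Confirm proves an RDP listener answered; everything else is not RDP."""
    if len(data) < 7 or data[0] != 3:
        return "not an RDP (TPKT) reply"
    if data[5] & 0xF0 != 0xD0:                      # 0xD0 = Connection Confirm TPDU
        return f"unexpected X.224 TPDU code 0x{data[5]:02x}"
    if struct.unpack(">H", data[2:4])[0] == 11 or len(data) < 19:   # CC with no negotiation response
        return "RDP listener answered: standard RDP security, no negotiation"
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:                            # RDP_NEG_RSP
        return "RDP listener answered: selected " + PROTOCOL_NAMES.get(value, hex(value))
    if neg_type == 0x03:                            # RDP_NEG_FAILURE
        return "RDP listener refused negotiation: " + FAILURE_NAMES.get(value, hex(value))
    return f"unknown negotiation response type 0x{neg_type:02x}"

def probe_rdp(host, port=RDP_PORT, timeout=3.0):
    """Open the TCP connection and run only the X.224 exchange. A timeout points at the
    firewall policy or a missing return route; a reset means nothing listens on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_x224_cr())
            return parse_x224_cc(sock.recv(64))
    except ConnectionRefusedError:
        return f"TCP reset: host reachable but nothing listening on port {port}"
    except socket.timeout:
        return "timeout: blocked by firewall policy, no return route, or host down"
    except OSError as exc:
        return f"socket error: {exc}"

if __name__ == "__main__":
    print(probe_rdp(sys.argv[1] if len(sys.argv) > 1 else "10.1.1.10"))  # DMZ server from the thread
```

A "timeout" verdict while the firewall log shows the packet being passed is exactly the symptom of a missing route back from the DMZ to the LAN subnet.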
Ok, I think I'm slowly getting what you mean ... but let me lay out my actual situation:

My own PC is on the LAN (192.168.1.58)
The server I want to RDP to is in the DMZ (10.1.1.10)
The Watchguard has two relating addresses (192.168.1.1 and 10.1.1.1).

The DMZ is on the VLAN interface of the Watchguard.

So I need to forward 'something' to 10.1.1.10:3389, right? But what would be this something? Some 192.168.1.x address that I would just use for this? And I'd do this under 'SNAT'?
D'oh, I hadn't selected the RD Host option under the Remote Desktop role under Server Management ...
Although ... is the 'Remote Desktop Services' role really necessary to simply remotely connect to the server's desktop?

Usually it's not, apparently (none of my LAN servers have it installed), but in this case it is, because it's not inside one LAN but between a LAN and a DMZ?
RD Host is only required if you want to set it up as a terminal server - simply enabling Remote Desktop will allow an administrator (or a member of the Remote Desktop Users group) to RDP onto the server.

In your situation, I would usually forward port 3389 from 192.168.1.1 to server 10.1.1.10, then simply RDP to 192.168.1.1.
Derek: hm, but when I remove the 'RD Host' role from my server in the DMZ then I can't use RDP anymore to connect to it from my LAN ... ?
Odd - if you need RD Host, then leave it on - but enabling remote access should just require you to be a local admin or a member of the Remote Desktop Users group.

It does depend on the OS on the server, and you may have changed some other settings.
But the problem with leaving RD Host on is that Windows keeps telling me I'll need a licence in 3 months!?