TS in DMZ will not allow clients to connect - licensing issue

  • Thread starter: Andrew Story

Hello NG, - Win2k TS with a mix of XP pro and 2k pro clients.

90 days ago (I know) we installed a TS server in a DMZ to allow access via
TS Web Access to an application on the trusted network. All works fine
until now, external clients cannot connect and get a message box with this
text:

The remote computer disconnected the session because of an error in the
licensing protocol. Please try connecting to the remote computer again or
contact your server administrator.

Internal clients are fine, also there are many event ID: 1004 regarding the
devices unable to connect. Is there a way to test whether your TS server
can actually see a license server? I assumed that due to all clients being
able to logon that they just could? I know that 90 days grace is up, but
would external clients have been able to connect if the TS could never see a
licensing server?

Any help much appreciated
 
Re: TS in DMZ will not allow clients to connect - licensing issue

In article <OC1SdfdBIHA.1208@TK2MSFTNGP03.phx.gbl>, "Andrew Story"
<andrewDOTstoryATjameswalkerDOTbiz> says...
> Hello NG, - Win2k TS with a mix of XP pro and 2k pro clients.
>
> 90 days ago (I know) we installed a TS server in a DMZ to allow access via
> TS Web Access to an application on the trusted network. All works fine
> until now, external clients cannot connect and get a message box with this
> text:
>
> The remote computer disconnected the session because of an error in the
> licensing protocol. Please try connecting to the remote computer again or
> contact your server administrator.
>
> Internal clients are fine, also there are many event ID: 1004 regarding the
> devices unable to connect. Is there a way to test whether your TS server
> can actually see a license server? I assumed that due to all clients being
> able to logon that they just could? I know that 90 days grace is up, but
> would external clients have been able to connect if the TS could never see a
> licensing server?
>
> Any help much appreciated


What's the point of putting a server in the DMZ if it has to
authenticate and share with the LAN?

If you are going to have to punch gaping holes in the firewall to allow
DMZ>LAN access there really isn't any point in having a DMZ.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Re: TS in DMZ will not allow clients to connect - licensing issue

Thanks for your input Leythos, very valid.

But, can you help with the original question please?

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.216d99b2c4da336d989a1c@adfree.Usenet.com...
> What's the point of putting a server in the DMZ if it has to
> authenticate and share with the LAN?
>
> If you are going to have to punch gaping holes in the firewall to allow
> DMZ>LAN access there really isn't any point in having a DMZ.
 
Re: TS in DMZ will not allow clients to connect - licensing issue

You can run the Resource Kit utility lsview on the TS to check if
it can locate the TS Licensing Server.
Where is the TS Licensing Server located?
Have you checked in the TS Licensing Manager on the TS Licensing
Server which licenses have been issued, both to your internal and
external clients?
Have your internal clients received a free license from the built-in
pool of "Existing Windows 2000 TS CALs"? Have your external
clients been issued temporary licenses, which now have expired?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote on 03 okt
2007 in microsoft.public.windows.terminal_services:

> Thanks for your input Leythos, very valid.
>
> But, can you help with the original question please?
 
Re: TS in DMZ will not allow clients to connect - licensing issue

Thanks Vera,

External clients cannot get licenses issued so I assume the TS in the DMZ
cannot see the licensing server on the trusted network.

You can ping the license server, and it issues licenses to other TS clients,
just not the external ones.

I will run LSview on the TS and report back.


"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns99BEF36A7FA8Averanoesthemutforsse@207.46.248.16...
> You can run the Resource Kit utility lsview on the TS to check if
> it can locate the TS Licensing Server.
> Where is the TS Licensing Server located?
> Have you checked in the TS Licensing Manager on the TS Licensing
> Server which licenses have been issued, both to your internal and
> external clients?
> Have your internal clients received a free license from the built-in
> pool of "Existing Windows 2000 TS CALs"? Have your external
> clients been issued temporary licenses, which now have expired?
 
Re: TS in DMZ will not allow clients to connect - licensing issue

OK Fixed - sort of.

I am now pointing the TS in the DMZ to a licensing server we have on an
IPSec site and it communicates with it.

What is the best way to have a TS box running in a DMZ? Can a domain TS
server use a workgroup licensing server?
This would make life easier as I could put a workgroup server with TS
licensing in the DMZ with the TS server?


"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
news:%23gorJTlBIHA.3916@TK2MSFTNGP02.phx.gbl...
> Thanks Vera,
>
> External clients cannot get licenses issued so I assume the TS in the DMZ
> cannot see the licensing server on the trusted network.
>
> You can ping the license server, and it issues licenses to other TS
> clients, just not the external ones.
>
> I will run LSview on the TS and report back.
 
Re: TS in DMZ will not allow clients to connect - licensing issue

In article <#QfArfeBIHA.5980@TK2MSFTNGP04.phx.gbl>, "Andrew Story"
<andrewDOTstoryATjameswalkerDOTbiz> says...
>
> Thanks for your input Leythos, very valid.
>
> But, can you help with the original question please?


I did, you just didn't understand the implication and cause of your
failure.

You don't run a Windows authenticating server in the DMZ that
authenticates with the LAN. It's that simple. You need to open too many
holes to make it secure, so move it to the LAN and you won't have a
problem.

--

Leythos
 
Re: TS in DMZ will not allow clients to connect - licensing issue

In article <eBoeF1mBIHA.3940@TK2MSFTNGP05.phx.gbl>, "Andrew Story"
<andrewDOTstoryATjameswalkerDOTbiz> says...
> OK Fixed - sort of.


Forgive me, but you screwed the pooch doing this.

> I am now pointing the TS in the DMZ to a licensing server we have on an
> IPSec site and it communicates with it.


And you've exposed the network to compromise in doing so.

> What is the best way to have a TS box running in a DMZ? Can a domain TS
> server use a workgroup licensing server?
> This would make life easier as I could put a workgroup server with TS
> licensing in the DMZ with the TS server?


Just install the license service on the TS, still not good, but it means
that you don't have to compromise your network.

--

Leythos
 
Re: TS in DMZ will not allow clients to connect - licensing issue

I can't install the license service on the TS as it's not a DC.

Thanks for your input anyhow.

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.216ef25784cb2581989a25@adfree.Usenet.com...
> In article <eBoeF1mBIHA.3940@TK2MSFTNGP05.phx.gbl>, "Andrew Story"
> <andrewDOTstoryATjameswalkerDOTbiz> says...
>> OK Fixed - sort of.

>
> Forgive me, but you screwed the pooch doing this.
>
>> I am now pointing the TS in the DMZ to a licensing server we have on an
>> IPSec site and it communicates with it.

>
> And you've exposed the network to compromise in doing so.
>
>> What is the best way to have a TS box running in a DMZ? Can a domain TS
>> server use a workgroup licensing server?
>> This would make life easier as I could put a workgroup server with TS
>> licensing in the DMZ with the TS server?

>
> Just install the license service on the TS, still not good, but it means
> that you don't have to compromise your network.
 
Re: TS in DMZ will not allow clients to connect - licensing issue

Then you can install the TS Licensing Services on a standalone
server (in a workgroup) and point the TS to it.
Or upgrade the TS to 2003, since a 2003 LS can run on a member
server.
_________________________________________________________
Vera Noest

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote on 05 okt
2007 in microsoft.public.windows.terminal_services:

> I can't install the license service on the TS as it's not a DC.
>
> Thanks for your input anyhow.
 
Re: TS in DMZ will not allow clients to connect - licensing issue

I've tried to install the LS in a workgroup, but the TS would not recognise
it, nor could it be seen using LSview.exe.

Thanks anyhow.

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns99C0E00D2EA05veranoesthemutforsse@207.46.248.16...
> Then you can install the TS Licensing Services on a standalone
> server (in a workgroup) and point the TS to it.
> Or upgrade the TS to 2003, since a 2003 LS can run on a member
> server.
 
Re: TS in DMZ will not allow clients to connect - licensing issue

Did you specifically tell the TS to connect to this LS?

279561 - How to Override the License Server Discovery Process in
Windows Server 2003 Terminal Services
http://support.microsoft.com/?kbid=279561

You might also have to configure this local policy setting on the
LS:

Local Security Policy - Security Settings\Local Policies\Security
Options
"Network access: Let Everyone permissions apply to anonymous
users" - Enable

_________________________________________________________
Vera Noest

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote on 08 okt
2007 in microsoft.public.windows.terminal_services:

> I've tried to install the LS in a workgroup, but the TS would
> not recognise it, nor could it be seen using LSview.exe.
>
> Thanks anyhow.
 
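The checks discussed in this thread (which license server the TS is pointed at, whether it is reachable beyond ping, and the anonymous-access policy on the LS), as an added example that is not part of the original posts. It assumes a host where PowerShell 2.0 or later is available (not Windows 2000 itself), the registry locations for the discovery override from KB 279561 and the Windows 2000 `DefaultLicenseServer` value, and a TCP port set of 135, 139 and 445 for RPC and named pipes; the function names are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$tsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# On the TS: list the license servers the discovery override points at.
function Get-ConfiguredLicenseServer {
    $found = @()
    # Windows Server 2003 (KB 279561): one subkey per server under LicenseServers.
    $lsKey = Join-Path $tsParams 'LicenseServers'
    if (Test-Path $lsKey) {
        $found += Get-ChildItem $lsKey | ForEach-Object { $_.PSChildName }
    }
    # Windows 2000: a single DefaultLicenseServer string value.
    $props = Get-ItemProperty -Path $tsParams -ErrorAction SilentlyContinue
    if ($props -and $props.DefaultLicenseServer) { $found += $props.DefaultLicenseServer }
    $found | Select-Object -Unique
}

# TCP connect with a timeout; returns $true only if the handshake completes.
function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# On the TS: a successful ping proves only ICMP. Test the TCP ports instead.
# Assumed port set: 135 (RPC endpoint mapper), 139 and 445 (named pipes over SMB).
# RPC may then move to a dynamically assigned port, which is not tested here.
function Test-LicenseServerPath {
    param([string[]]$Server = @(Get-ConfiguredLicenseServer),
          [int[]]$Port = @(135, 139, 445))
    if (-not $Server) { Write-Warning 'No license server override is configured.' }
    foreach ($s in $Server) {
        foreach ($p in $Port) {
            New-Object PSObject -Property @{
                LicenseServer = $s
                Port          = $p
                Reachable     = (Test-TcpPort -Server $s -Port $p)
            } | Select-Object LicenseServer, Port, Reachable
        }
    }
}

# On the LS: read the value behind "Network access: Let Everyone permissions
# apply to anonymous users" (1 = enabled, 0 or absent = disabled).
function Get-EveryoneIncludesAnonymous {
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    [bool]($props -and $props.EveryoneIncludesAnonymous -eq 1)
}

Test-LicenseServerPath | Format-Table -AutoSize
"EveryoneIncludesAnonymous enabled: $(Get-EveryoneIncludesAnonymous)"
```

Each port that reports reachable from the DMZ host is a firewall opening toward the license server, so the output doubles as a list of the DMZ>LAN holes the thread is arguing about.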