Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

[Andrew Davis]

Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

I have a Server 2008 Enterprise x86 system sitting at home, which I use
to run various game servers and whatnot. For whatever reason, since I
upgraded (I formatted and re-installed to not leave junk behind during
the upgrade), I have not been able to access Terminal Services from the
Internet. I haven't changed the firewall at all, and the server can
still be accessed for other services but for Terminal Services, it gives
a connection refused. I've even tried connecting to the router's
external IP from inside, and it still gives a connection refused.

I only have Terminal Services and Terminal Services Licensing installed.

I've also looked through the various Remote Desktop and Terminal Services
firewall rules, but they don't hint at a policy to block Internet
connection to terminal services.

What am I missing? What do I need to change to enable this? I'd prefer
it if I didn't have to install the TS gateway because I think that might
be overkill for my server, and I connect from some clients that do not
support the remote desktop client 6.0.

Thanks for the help!

--
Andrew Davis
IT Administrator
WestGate Church

 

[George Yin]

RE: Terminal Services in Windows Server 2008 Default security preventing connection from internet

RE: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Hello,

I am a bit unclear about what do you mean by the "upgrade". Did you use an
Windows Server 2003 before and upgraded it to Windows Server 2008 or
performed a fresh installation?

There are two settings that must be configured before establishing Remote
Desktop sessions, remote connections must be enabled and users must be
granted permission to connect to the server.

To enable Remote Desktop connections using the Server Manager console,
perform the following steps:

1. Open Server Manager.

2. On the Server Summary pane, click Configure Remote Desktop.

3. Select one of the following options:

1). Allow connections from computers running any version of Remote Desktop

Used if any remote clients will be using the Remote Desktop Connection 5.x
client application.

2). Allow connections only from computers running Remote Desktop with NLA.

Used if all remote clients will be using the Remote Desktop Connection 6.x
client application.

4. In the Remote Desktop section, click Select Users¡­

5. In the Remote Desktop Users dialog box, click Add.

6. Add the users that will be allowed to remotely connect to the server.

Besides, please check if the "Remote Desktop" has been selected on the
Exceptions tab of the Windows Firewall Settings. You can do this by opening
the Control Panel, then opening the Windows Firewall.

If this problem remains, please try to log on through the RDC locally from
the terminal server and see how it goes. Please collect the detailed
information on the error box for us to better understand it, or you can
take a snapshot and send it directly to me at v-chayin@microsoft.com
<mailto: v-chayin@microsoft.com>.

I look forward to your reply.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Andrew Davis]

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

On Wed, 26 Mar 2008 12:46:05 +0000, George Yin(MSFT) wrote:

> Hello,
>
> I am a bit unclear about what do you mean by the "upgrade". Did you use
> an Windows Server 2003 before and upgraded it to Windows Server 2008 or
> performed a fresh installation?
>
> There are two settings that must be configured before establishing
> Remote Desktop sessions, remote connections must be enabled and users
> must be granted permission to connect to the server.

>
> Besides, please check if the "Remote Desktop" has been selected on the
> Exceptions tab of the Windows Firewall Settings. You can do this by
> opening the Control Panel, then opening the Windows Firewall.
>
> If this problem remains, please try to log on through the RDC locally
> from the terminal server and see how it goes. Please collect the
> detailed information on the error box for us to better understand it, or
> you can take a snapshot and send it directly to me at
> v-chayin@microsoft.com <mailto: v-chayin@microsoft.com>.
>
> I look forward to your reply.
>
> Sincerely,
> George Yin
> Microsoft Online Support
> Microsoft Global Technical Support Center

It is a fresh install. I formatted the drive and installed Server 2008.
I've had bad experiences upgrading, so I always install a fresh copy of
windows. When it was 2003, remote desktop worked from every TS client I
used. I've already configured Remote Desktop, and it works flawlessly,
just only from the local subnet. Remote desktop also works if I connect
from the server itself to the server's netbios name.

If I connect to the external ip for my computer, it says it can't connect
to the remote computer, when I try to connect from the server

I've looked through the Windows Firewall inbound rules and none of the
remote desktop/terminal services firewall rules hint at the fact that it
might only accept connections from the local subnet.

Thanks for the help!
--
Andrew Davis
IT Administrator
WestGate Church

 

[Andrew Davis]

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet


It looks to have started to work out of the blue. I don't know what
happened, I didn't change anything, but it seems to work now.

--
Andrew Davis
IT Administrator
WestGate Church

 

[Andrew Davis]

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

On Wed, 26 Mar 2008 09:36:38 -0700, Andrew Davis wrote:

> It looks to have started to work out of the blue. I don't know what
> happened, I didn't change anything, but it seems to work now.

New issue, I forgot to mention in that message:

Terminal Services on Server 2k8 isn't prompting for a login, it's showing
the active user on the welcome screen, like vista does. How do I setup
the Terminal Services so that it prompts for a username/password instead
of showing active users and letting you click on one to login to?

I have it setup for a user/password entry for the console, but it's not
taking for Terminal Services some reason. Part of my security is i have
obscure usernames which further help me secure my system.

--
Andrew Davis
IT Administrator
WestGate Church

 

[George Yin]

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Hello,

Thank you for the reply.

I am a little unclear about the last question. Do you mean that you don't
want the previous logged on user name to show up on the Remote Desktop
Connection dialog box?

If not, will you please describe this more clearly for us to better
understand it? Or will you please take a snapshot of it and send it
directly to to me at v-chayin@microsoft.com <mailto:
v-chayin@microsoft.com>?

If you don't want the previous user name to show up when another user logs
on using the Remote Desktop Connection, you may need to delete some values
in the following path:

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server
Client\Servers\<ServerName>\

The value is UsernameHint, and you should delete all of this type of value
one-by-one.

Beside, here is a workaround to automatically achieve this. Please note, we
do not recommend that you use this method as using this may cause many
potential problems.

Right click the <ServerName> node in the left pane, and click
"Permissions¡­". Choose the specified user or group and deny all the
permissions for them.

I look forward to your reply.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[George Yin]

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Hello,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know. I am glad to be of assistance.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Andrew Davis]

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

On Fri, 28 Mar 2008 10:31:40 +0000, George Yin(MSFT) wrote:

> Hello,
>
> I am just writing to see how everything is going. If you have any
> updates or need any further assistance on this issue, please feel free
> to let me know. I am glad to be of assistance.
>
> Sincerely,
> George Yin


The problem is when I connect to Terminal Services, I'm not using
negotiation, since I have computers that can't use RDP 6.0. That being
the case, I always connect, then enter my password once I'm in my
server. This worked well with Server 2003, since it has a login prompt,
and TS always filled in with what your username is on the computer your
connecting from. The problem is that Server 2008 changed login screens,
so now I have a login screen when I connect to Terminal Services that's
identical to Vista's login screen. I have policies setup to forget the
last username, which works. The console is now always at a login prompt,
but it didn't apply for Terminal Services for whatever reason. I'd like
to know what polices I have to change to get it to work like that.

Thanks!
--
Andrew Davis
IT Administrator
WestGate Church

 

[George Yin]

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Hello,

Do you mean the screen showing the "<DomainName>\Userxx" and "Other User"
which asks you to choose one to log onto the terminal server, after you
click the Connect button of the Remote Desktop Connection?

If so, I would like to suggest that you try the following steps and see if
they work for your situation:

1. On the Windows 2008 terminla server, click Start->Programs->Admin
Tools->Terminal Services->Terminal Services Configuration -> Under
"Connections", select RDP-Tcp-> Right Click -> Properties > Select "Log On
Settings" Tab.

2. Select the Radio Button "Always use the following logon information" -
Leave all the fields blank. Click OK.

Now when clients establish remote desktop connection, he will be prompted
to input user name and password.

I hope this helps. Thank you.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Andrew Davis]

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

Re: Terminal Services in Windows Server 2008 Default securitypreventing connection from internet

On Mon, 31 Mar 2008 12:04:46 +0000, George Yin(MSFT) wrote:

> Hello,
>
> Do you mean the screen showing the "<DomainName>\Userxx" and "Other
> User" which asks you to choose one to log onto the terminal server,
> after you click the Connect button of the Remote Desktop Connection?
>
> If so, I would like to suggest that you try the following steps and see
> if they work for your situation:
>
> 1. On the Windows 2008 terminla server, click Start->Programs->Admin
> Tools->Terminal Services->Terminal Services Configuration -> Under
> "Connections", select RDP-Tcp-> Right Click -> Properties > Select "Log
> On Settings" Tab.
>
> 2. Select the Radio Button "Always use the following logon
information"
> - Leave all the fields blank. Click OK.
>
> Now when clients establish remote desktop connection, he will be
> prompted to input user name and password.
>
> I hope this helps. Thank you.
>
> Sincerely,
> George Yin

That worked great!

Thank you!

--
Andrew Davis
IT Administrator
WestGate Church

 

[George Yin]

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Re: Terminal Services in Windows Server 2008 Default security preventing connection from internet

Hello,

Thank you for the reply. It is great to hear that it works!

If you need any further assistance, please feel free to let me know.

Have a nice day!

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.