can't rdp to a terminal server over vpn

  • Thread starter: Omer Barel
hello all.

I have a windows server 2003 enterprise x64 that is used as a dc and another
one, a member server, that is used as a terminal server. the terminal server
is in the domain.

my client computer is a windows vista ultimate.

all updates, hot-fixes and latest service-packs are installed on all the
machines.

my problem is that i can't rdp to the terminal server when I'm outside the
office and using VPN connection. inside the LAN everything works great.

i can rdp to the dc and then, from within the dc, rdp to the terminal
server. i can't do the rdp directly to the terminal.

I'm using the same credentials as from within the network, so i don't think
it's the issue. i think it's something with the terminal server itself.

any ideas?

best regards,

Omer Barel,
NSGroup
 
Re: can't rdp to a terminal server over vpn

check the subnet-mask of the TS ip-interface. if it's halved
(255.255.255.128), the TS may be together with the DC, but foreign to the
VPN router. so packets will reach the TS, but no packet will find the route
back to the VPN router and hence to your workstation at home.

e.g.
DC: 192.168.0.1/255.255.255.0
TS: 192.168.0.2/255.255.255.128
VPN: 192.168.0.254/255.255.255.0

our VPN router has reserved as many IP addresses as connections are
allowed/possible. if you dial in, u'll probably act as one of these IP
addresses. you could use one of these VPN-reserved addresses for the vista
workstation in the office and check if the RDP connect still succeeds.

also, the TS might accept only RDP connections from specific IP addresses
and not from any IP on the network. the system firewall can be configured
this way as well as by the IP-policies.

-jolt (out of ideas)
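
The mask mismatch suggested in the reply above, worked through with the addresses from its example. This is an added Python illustration, not part of the original post; `VPN_CLIENT` is a constructed address standing in for one handed out from the VPN router's reserved pool, and the function names are this example's own.

```python
import ipaddress

# Addresses and masks exactly as given in the post's example.
HOSTS = {
    "DC": ipaddress.ip_interface("192.168.0.1/255.255.255.0"),
    "TS": ipaddress.ip_interface("192.168.0.2/255.255.255.128"),
    "VPN": ipaddress.ip_interface("192.168.0.254/255.255.255.0"),
}

# Constructed for illustration: an address the VPN router might hand to a
# dial-in client from its reserved pool (the thread gives no real value).
VPN_CLIENT = ipaddress.ip_address("192.168.0.200")


def on_link(src, dst_ip):
    """True if host `src` considers dst_ip part of its own subnet.

    On-link traffic is delivered directly (ARP); everything else is handed
    to the host's default gateway.
    """
    return dst_ip in HOSTS[src].network


def one_way_pairs():
    """(a, b) pairs where a reaches b directly but b does not answer directly."""
    return [
        (a, b)
        for a in HOSTS
        for b in HOSTS
        if a != b and on_link(a, HOSTS[b].ip) and not on_link(b, HOSTS[a].ip)
    ]


def reply_route(server, client_ip):
    """How `server` sends a reply to client_ip: 'direct' or 'default gateway'."""
    return "direct" if on_link(server, client_ip) else "default gateway"


if __name__ == "__main__":
    for name, iface in HOSTS.items():
        print(f"{name:4} {iface.ip}  local subnet {iface.network}")
    print("one-way pairs:", one_way_pairs())
    for server in ("DC", "TS"):
        print(f"{server} -> {VPN_CLIENT}: {reply_route(server, VPN_CLIENT)}")
```

With the halved mask the TS still sees the DC (192.168.0.1) as a neighbour, but treats 192.168.0.254 and anything else above 192.168.0.127 as off-subnet and hands those replies to its default gateway.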
 
Re: can't rdp to a terminal server over vpn

hi jolteroli

the subnet is the same for all devices (both servers and the vista client) -
a regular class c.
the dc is also the dns, dhcp and RRAS server, and handles all connections.

the firewall is turned off in the terminal server.

when i open the rdp port in the router i can connect to the terminal server
directly from outside the network (through NAT)

any other ideas?
 
Re: can't rdp to a terminal server over vpn

Can you remote to the terminal server across the VPN through a console session?
 
Re: can't rdp to a terminal server over vpn

i don't know how to do that... i log using normal rdp, and that's a user
session i think...

how can i log on to the console session?
 
Re: can't rdp to a terminal server over vpn

Can you telnet to port 3389? Can you ping the server? Can you connect to
any shares or printers on the server (especially the default admin shares)?
In other words, beyond RDP is there any connectivity to this server
whatsoever? The telnet will tell you if you are actually able to get to the
rdp listener on the server.

--
Jeff Pitsch
Microsoft MVP - Terminal Services
 
Re: can't rdp to a terminal server over vpn

See if the console session works. If it doesn't work, then you may have a
firewall/VPN issue.

Go to the command prompt and try typing:
mstsc /v:<IP address of server> /f /console

Here is a walkthrough:
http://support.microsoft.com/kb/278845
 
Re: can't rdp to a terminal server over vpn

if you netcat

# nc -nvz 3.1.33.7 3389

the output should tell you either

(o) open: tcp/ip transport ok. syn sent, syn-ack received.
packet corrupted on the round trip? bad vpn firmware?

(o) timeout: no answer. syn sent, nothing came back.
did the syn ever reach the server?
firewall/filter silently dropped the packet.

(o) blocked/denied: packet filtered. syn sent, icmp error came back.
firewall/filter dropped the packet, but told you that.

-jolt
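
The outcomes listed in the post above, plus the plain "connection refused" case it does not mention, can be told apart from the error a single TCP connect returns. This is an added Python example, not part of the original post; `probe`, `MEANING` and `demo_on_loopback` are names made up here, and the demo only touches a listener it opens itself on 127.0.0.1.

```python
import errno
import socket

# What each result says about the path, following the post's three cases.
MEANING = {
    "open": "SYN sent, SYN-ACK received: TCP transport to the listener works",
    "timeout": "SYN sent, nothing came back: dropped silently or reply lost",
    "filtered": "SYN sent, ICMP error came back: a filter/router rejected it",
    "refused": "SYN sent, RST came back: host reached, nothing listening",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        # ICMP unreachable/prohibited errors usually surface as these errnos.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def demo_on_loopback():
    """Probe a constructed local listener, then the same port after closing it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    for label, result in zip(("listening", "closed"), demo_on_loopback()):
        print(f"{label:9} -> {result}: {MEANING[result]}")
```

Run from the VPN client against the terminal server's address and port 3389, a "timeout" fits the lost-return-route and silent-drop cases discussed in the thread, while "open" moves the investigation up to the RDP layer.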
 
Re: can't rdp to a terminal server over vpn

Firstly check all the stuff that Jeff has said below, but do not use the FQDN
but rather the normal IP address. I had a similar issue and it was nothing to
do with the VPN but more a DNS problem with the DHCP addressing when I came
in via the VPN.
 