Question

Remote Desktop

I recently took over the role of Systems Administrator for a small music company. We have 3 servers running Windows Server 2003. One is Exchange and the Active Directory, one is a staging and testing ground for the developers of our website, the third no one really knows what it is for. I have discovered it manages Symantec Security and propagates Windows Updates to the workstations.
I have been asked to set up a remote desktop solution for the developers' workstations. I have set up the computers for remote desktop by turning it on in the Remote tab of computer properties. I have changed the port to ensure that it is not blocked. I have also configured the firewall on the local machine and the router, and I have opened up NAT. "I cannot connect to remote computer." That is the error when I try to remote from another workstation in the office. I am the admin and have a local admin user set up as well. I have tried turning off all the firewalls to try to narrow down the issue. This did not help. Group policy for remote desktop has a "no" beside it, but remote assistance and offer remote assistance are grayed out and part of group policy.
The workstation is running Windows XP Pro SP3.

Is this even possible on a workstation under the domain control of Windows Server 2003?
Any suggestions where I'm going wrong?
Any settings I have missed?
If you need more info I am happy to provide it.
25th Mar 2009

Answers (2)

Can you ping the RDP port on the other computer?
Make sure the Windows firewall on the other computers is allowing those ports. Try pinging that port from another computer.
25th Mar 2009

Replies

.
Snuffy09 25th Mar 2009
Not with the ping command anyways; you need to download something like Angry IP Scanner. If you need to remote from WAN, try LogMeIn Free.
Snuffy09 25th Mar 2009
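As an added example (not part of any post in this thread): ping uses ICMP and cannot test a TCP port, so the direct check is a single TCP connection attempt to the port Remote Desktop listens on. The Python sketch below classifies that attempt; the function name `probe_tcp`, the result labels and the hints in `NEXT_STEP` are assumptions of this example.

```python
import errno
import socket

# What each result suggests when the target is a Remote Desktop listener.
NEXT_STEP = {
    "open": "Something accepts TCP on this port; look at RDP permissions next.",
    "closed": "Host answered but nothing listens here; check that Remote "
              "Desktop is enabled and which port it was moved to.",
    "filtered": "No answer at all; a firewall or the router is dropping it, "
                "or the address is wrong.",
    "unreachable": "No route to the host; check IP address and cabling.",
    "dns-failure": "The name did not resolve; try the IP address instead.",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt a single TCP handshake to host:port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error: %s" % exc


if __name__ == "__main__":
    # Constructed demo on loopback so it runs offline: one listening socket,
    # one socket that is bound but not listening (connections are refused).
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    idle = socket.socket()
    idle.bind(("127.0.0.1", 0))
    for sock in (listener, idle):
        port = sock.getsockname()[1]
        result = probe_tcp("127.0.0.1", port)
        print(port, result, "-", NEXT_STEP.get(result, ""))
        sock.close()
```

Run from a second workstation, `probe_tcp` takes the target machine's address and the port Remote Desktop was configured on (3389 by default, or the changed port).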
RDP
Are you going from XP to the Servers or Servers to XP?

If you are trying to RDP into the servers the users you want to have access need to be a member of the Remote Desktop Users OU. If you are trying to RDP into XP the user needs to be added to the allowed users and make sure they are not limited to which machines they can log on to in their AD profile. Personally I leave XP Firewall disabled in the services since my entire network is behind one, but if you leave it on make sure there is an exception in the settings. Since you didn't specify what router you're using I'll give you both. For a Cisco, NAT will point any traffic associated to that IP to the internal IP regardless of port number unless you have port filtering configured. For an off the shelf router you'll need to set up either port forwarding or virtual server depending on the brand. It needs to be TCP 3389 for the internal and external port, and the IP of the machine you want to connect to. That machine has to have a static IP and that's the only one from the outside world you can access. Once inside you can always RDP to a different box. Hope that helps.
25th Mar 2009

Replies

Thanks for the reply

The Exchange server is already set up for RDP on port 4111; it is a DMZ and works perfectly. I want to set up RDP for a local machine so a developer can access it outside of the office (i.e. the machine's local drive). We have reverse DNS set up, so my understanding is I can type exchange.companyname.com:4111 for the Exchange server (this works perfectly) or exchange.companyname.com:4145 (or whatever port) for the developer machine. I would rather not use 3389 for security reasons, though this should not cause any issues. Is this possible? The machine is running Win XP Pro SP3 and the server is Win 2003. The router is a Linksys/Cisco RV042.

Hope that is a little clearer.
jordan@... 26th Mar 2009
So if I understand you correctly, you are wanting to let people RDP to their work machine from a machine outside the network, correct?

If so I would strongly urge you to implement a VPN solution first. Your regular machines should NOT be directly accessible from the internet unless they are on a DMZ, and the number of machines on the DMZ should be kept to a minimum.

Probably the simplest solution would be to run the Server 2003 RRAS VPN on one of the servers that's already in the DMZ, then have the developers VPN into the company network and then proceed to RDP into their workstations.

There are other ways of doing this, but in your case I think this will be the cheapest and easiest solution.

Let us know if you need any help setting up a VPN
Kjell_Andorsen 26th Mar 2009
That is correct.

The server is already set up as a DMZ with RDP access. This is how I manage the server remotely. I know there was a VPN set up and I agree that it is a more secure solution. My issue is that it is slow. I have set up RDP on my machine but cannot even access it locally. I definitely have proper permission as I am the Admin and have full access. If a user were to VPN into the server would I need to set up Terminal Services? I would really just prefer to give each user RDP access to their local machine. The company is quite small and not too worried about security.

I am definitely keen on VPN though I have never set one up. I was hoping to get a little more detail about the RDP issues I am having. I do not understand why I cannot at the very least RDP my machine from another machine on the local network. I believe this would need to be set up before a VPN solution could be implemented. Please correct me if I am incorrect.

I am looking for the easiest and fastest solution, security would also be nice. That requires little intervention from me who really does not have a lot of time for these sorts of issues.
Thanks for all the help.
jordan@... 26th Mar 2009
OK, before we tackle the whole VPN issue, let's work on getting RDP to work locally on your network.

First thing we'll need is the exact error message you get when you try to RDP from one workstation to another on the same network.
Kjell_Andorsen 26th Mar 2009
Although I wouldn't leave anything mission critical, like a PDC, out in the DMZ.

The beauty of RRAS is you'll only need to set up one configuration in your router, then you'll be able to remote to whatever machine you want via IP or NetBIOS name.

I'm going to have to disagree with you about 3389 being a security risk though. It's no more so than any other known port. With the proper security groups and password complexity requirements the chances of getting compromised are nil.


tardcart 26th Mar 2009
I can now RDP a local machine on port 4145 if I log in physically to the server and RDP the local machine, i.e. exchange.companyname.com:4145

So now I just need to allow the Internet to do the same.

Though can we entertain the RRAS solution as well?

Whatever you guys feel is the best way that is how I can proceed. This is a bit of an unknown realm for me.

Again thanks for the help.
jordan@... 26th Mar 2009
Thanks for all the help. It's working now.
jordan@... 31st Mar 2009