Re: Remote Desktop failing access from the internet



3389 (TS) with scope=ALL could be the problem. You may want to try NAT one to one on port 3389.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"Marcus" <marcus@xxxxxxxxxxxxxxxxxx> wrote in message news:ccKdnYeiiqos8InUnZ2dnUVZ_ojinZ2d@xxxxxxxxxxxxxxxx
Hi there,
I'm trying to help a friend of mine with the following problem: Remote Desktop cannot access computers from the Internet.

The computer being tested is running XP + SP3 and:
- has terminal services running
- has the firewall configured to enable ports 80, 443, and 3389 (TS) with scope=ALL

- The computer above can be accessed from the LAN with RD and telnetting port 3389
- The computer above IS visible over the internet on ports 80 & 443 only
- There are no rules or filters on the router, just a static NAT mapping (8 public IPs map to local 192.168.1.xxx address)

The only strange thing I have noticed is that the network admin (currently on holidays) has enforced some group policies on the computers belonging to the domain (W2k3); as a result some exceptions on the firewall, the firewall service itself, plus some other domain-controlled services aren't modifiable.

I'm wondering if there could be some domain policy preventing access from the Internet; however, I can't understand why port 3389 isn't visible from the Internet while 80 & 443 are.

Could it be that the group policy shows with scope=ALL while it is working with scope=subnet? Or that the firewall is scrambled and not working properly?

As the network admin will not be available for a week or so, I asked the friend of mine to bring his notebook into his office and plug it into the LAN to check out if it is visible from the Internet. This test would point out if the computers affected by domain policies are currently restricted by a group-policy firewall rule.

Any thoughts?
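
The scope question in the post above can be checked offline against the strings the Windows Firewall "Define port exceptions" policy uses, which take the form port:transport:scope:status:name. This is an added example, not part of the original thread; the sample entries, the /24 mask and the function names are constructed for illustration, and only IPv4 scopes are handled.

```python
import ipaddress

def parse_port_exception(entry):
    """Split 'port:transport:scope:status:name' into its fields."""
    port, transport, scope, status, name = entry.split(":", 4)
    return {
        "port": int(port),
        "transport": transport.upper(),
        "scope": [s.strip() for s in scope.split(",")],
        "enabled": status.lower() == "enabled",
        "name": name,
    }

def scope_allows(scope, remote_ip, local_subnet):
    """True if remote_ip falls inside any item of the scope list."""
    remote = ipaddress.ip_address(remote_ip)
    for item in scope:
        if item == "*":                      # scope=ALL
            return True
        if item.lower() == "localsubnet":    # scope=subnet
            net = ipaddress.ip_network(local_subnet)
        else:                                # single address or a.b.c.d/mask
            net = ipaddress.ip_network(item, strict=False)
        if remote in net:
            return True
    return False

def reachable_ports(entries, remote_ip, local_subnet, transport="TCP"):
    """Ports whose enabled exception admits remote_ip."""
    ports = set()
    for entry in entries:
        rule = parse_port_exception(entry)
        if (rule["enabled"] and rule["transport"] == transport
                and scope_allows(rule["scope"], remote_ip, local_subnet)):
            ports.add(rule["port"])
    return sorted(ports)

# Constructed sample policy values, not taken from the poster's machine.
SAMPLE_POLICY = [
    "80:TCP:*:Enabled:HTTP",
    "443:TCP:*:Enabled:HTTPS",
    "3389:TCP:LocalSubNet:Enabled:Remote Desktop",
]
LAN = "192.168.1.0/24"  # assumed mask for the 192.168.1.xxx LAN in the post

if __name__ == "__main__":
    print("from LAN     :", reachable_ports(SAMPLE_POLICY, "192.168.1.50", LAN))
    print("from Internet:", reachable_ports(SAMPLE_POLICY, "203.0.113.10", LAN))
```

With these constructed entries, a LAN client reaches 80, 443 and 3389 while an Internet client reaches only 80 and 443, which is the symptom a subnet-scoped policy entry for 3389 would produce.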


