Re: /remote desktop control suddenly broken - critical


From: Les Connor [SBS Community Member - SBS MVP] (les.connor_at_DEL.cfive.ca)
Date: 01/22/05


Date: Sat, 22 Jan 2005 09:54:11 -0600

Try http://>/remote and 'connect to my desktop' from within the
lan, making sure it's working internally. If it is, suspect your router. If
it's not, then we have to tshoot the lan side.

-- 
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net> 
wrote in message news:%23Bqi9nFAFHA.1084@tk2msftngp13.phx.gbl...
> Make sure the Linksys has 4125 open
>
> Rob Pettrey wrote:
>> Susan,
>>
>> My sentiments exactly - how did a pop up get on the server?
>>
>> I was working at the server Thursday, and one solitary pop up ad 
>> appeared. I've never seen a pop up ad on any sbs server before. I thought 
>> "That's strange - I better nip this in the bud before anything worse 
>> happens." That's when I thought I would try the ms anti-spy beta.
>>
>> The server's been up for a month. I haven't had anything weird happen 
>> until Thursday. That's when I thought it might be a virus. I also thought 
>> since lsass might be questionable, I would replace it, but it was the 
>> same size as another sbs install.
>>
>> I forgot to mention in my post - I have already re-run the CEICW and the 
>> remote access wizards, and patched until I am blue in the face.
>>
>> The really strange thing here is, everything was working flawlessly, then 
>> it broke, it worked again for about 15 minutes tonight after the first 
>> reboot, and is now broke. And I don't know why. Well, actually I DO know 
>> it's 4125, because I can come in the back door to any pc, but not 
>> /remote.
>>
>> Am I on the right track in believing it must be 4125? How to test / 
>> proceed?
>>
>> "Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
>>
>>
>>>What in the world are "pop ups" doing on the server?  Let's first analyze 
>>>that statement.. What pop ups?  The IE is locked down so there should be 
>>>no "pop ups"
>>>
>>>What else is going on in this server?
>>>
>>>In the meantime...try rerunning the CEICW [connect to internet].
>>>
>>>Rob Pettrey wrote:
>>>
>>>>SBS 2003 premium new install, using SQL but not ISA. Cable to linksys 
>>>>WRT54G wireless cable router to outside nic, inside nic to switch to 
>>>>inside.
>>>>
>>>>Everything working flawlessly perfect until Wednesday night.
>>>>
>>>>Windows update wanted an update, so I updated and rebooted. Thursday 
>>>>morning I noticed pop-ups on the server, so I thought I would try the 
>>>>new Microsoft Anti-spyware product. I installed it, ran it, thought 
>>>>better of it, and de-installed it.
>>>>Thursday afternoon one of the users called to say he couldn't remote 
>>>>control his pc. I started troubleshooting, and discovered a process 
>>>>camping on 4125 using netstat.
>>>>
>>>>netstat -aon | find ":4125"
>>>>
>>>>there were two lines. I didn't document it, but from my memory there 
>>>>were two lines that kind of looked like this:
>>>>
>>>>  TCP    192.168.16.2:1025       xxx.xxx.xxx.xxx:4125    ESTABLISHED     612
>>>>  TCP    192.168.16.2:4125       xxx.xxx.xxx.xxx:1025    ESTABLISHED     612
>>>>
>>>>I'm sure about the port numbers, and pretty sure that the first IP was 
>>>>the internal NIC, not sure about the second IP.
>>>>
>>>>The process ID matched lsass.exe. I saw some postings about this 
>>>>possibly being a virus, so I went to trendmicro and ran an interactive 
>>>>scan and came up clean. I also RDP'ed into another SBS install and 
>>>>compared lsass.exe and both machines had the same file size.
>>>>
>>>>I couldn't restart lsass, so I rebooted the server. When I rebooted, I 
>>>>could /remote and then connect to a client desktop - several times - for 
>>>>about 15 minutes. At the same time, I RDP'ed into the server and did a 
>>>>netstat and got
>>>>
>>>>netstat -aon | find ":4125"
>>>>
>>>>  TCP    192.168.1.2:3468       xxx.xxx.xxx.xxx:4125     TIME_WAIT       0
>>>>
>>>>which looked like a remote client coming in. When I logged off /remote, 
>>>>it went away.
>>>>
>>>>After that, I got nothing on netstat, but couldn't connect again to any 
>>>>desktop and got this message:
>>>>
>>>>The client could not connect to the remote computer. Remote connections 
>>>>might not be enabled or the computer might be too busy to accept new 
>>>>connections. It is also possible that network problems are preventing 
>>>>your connection. Please try connecting again later. If the problem 
>>>>continues to occur, contact your administrator.
>>>>
>>>>I rebooted again, and now have no remote control - tried multiple pc's, 
>>>>multiple administrative users. Everything else works except remote 
>>>>control. I can still RDP to the server and connect to a client pc from 
>>>>the inside, just not via /remote.
>>>>
>>>>I'm absolutely sick. The only things that changed:
>>>>- windows update
>>>>- installing / uninstalling ms anti-spyware
>>>>- new remote user trying to connect
>>>>
>>>>I am clueless. I sold SBS 2003 to this client based on their need for 
>>>>remote control, and now it's broke, and they use remote control every 
>>>>day.
>>>>
>>>>Rob Pettrey
>>>
>
> -- 
> An open letter to the Security Community::
> http://msmvps.com/bradley/archive/2004/12/12/23540.aspx 
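
Added example, not part of the original thread: a small parser for saved `netstat -aon` output that separates a listener on 4125 from inbound and outbound connections that merely involve that port, and reports the owning PID. The sample rows are constructed (modelled on the lines quoted above, with documentation-range addresses and an illustrative listener row), and the function names are hypothetical.

```python
import re

# Constructed sample in `netstat -aon` layout; addresses and PIDs are illustrative.
SAMPLE = """\
  TCP    0.0.0.0:4125           0.0.0.0:0              LISTENING       1284
  TCP    192.168.16.2:1025      198.51.100.7:4125      ESTABLISHED     612
  TCP    192.168.16.2:4125      198.51.100.7:1025      ESTABLISHED     612
  TCP    192.168.16.2:3468      198.51.100.7:4125      TIME_WAIT       0
  TCP    192.168.16.2:3389      192.168.16.20:2211     ESTABLISHED     988
"""

# proto, local addr:port, remote addr:port, state, PID (TCP rows only)
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def classify(netstat_text, port=4125):
    """Return (role, local, remote, state, pid) for each TCP row touching `port`."""
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if lport == port and state == "LISTENING":
            role = "listener"   # a local process is accepting on the port
        elif lport == port:
            role = "inbound"    # a peer is connected to the local port
        elif rport == port:
            role = "outbound"   # this host connected to the port elsewhere
        else:
            continue            # exact port comparison, unlike a substring find
        rows.append((role, f"{laddr}:{lport}", f"{raddr}:{rport}", state, pid))
    return rows

def listener_pids(rows):
    """PIDs that own a LISTENING socket on the port (look these up in tasklist)."""
    return sorted({pid for role, *_, pid in rows if role == "listener"})

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print("%-9s %-22s %-22s %-12s PID %d" % row)
    print("listener PIDs:", listener_pids(classify(SAMPLE)))
```

Comparing the port as a number avoids the substring behaviour of `find ":4125"`, which would also match a port such as 41250.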

