Re: Remote Desktop from LAN not working



Hello Customer,

Thank you for posting here.

According to your description, I understand that you are unable to connect
to external RDP through the VPN connection. If I have misunderstood the problem,
please don't hesitate to let me know.

Based on my research, the ISA Server policies that are created by the SBS
connection wizard require user authentication. The ISA Firewall Client
provides user credentials for non-HTTP traffic. To create the PPTP
connection, the PPTP client must use TCP (IP protocol 17) on port 1723 and
the GRE (IP protocol 47) protocol. The ISA Server Firewall Client only
processes TCP and UDP traffic that is handled by Winsock. Because the ISA
Server Firewall Client cannot process the GRE traffic, it cannot
authenticate this traffic to ISA Server. Therefore, the GRE connections are
denied, and the PPTP connection attempts are blocked.

Therefore, I think your outbound VPN connection is not established properly
behind ISA server 2004. I suggest we try the following steps to see if we
can resolve this issue:

I. Ensure the VPN client default gateway is pointing to the ISA Server 2004
internal IP address.

II. Create a new access rule in the ISA 2004 firewall policy that lets
client computers on the internal network make outgoing connections by using
PPTP. To do this, follow these steps:

1. Click Start, point to All Programs, click Microsoft ISA Server, and
then click ISA Server Management.
2. In the left pane of the ISA Server Management MMC snap-in, click
Firewall Policy.
3. In the right pane of the ISA Server Management MMC snap-in, click
Create a new access rule.
4. On the Welcome to the New Access Rule Wizard page, type a name for the
access rule, and then click Next.
5. On the Rule Action page, click Allow, and then click Next.
6. On the Protocols page, under This rule applies to, select Selected
Protocols from the list, and then click Add.
7. On the Add Protocols page, expand VPN and IPSec, select PPTP, click
Add, click Close, and then click Next.
8. On the Access Rule Sources page, click Add.
9. On the Add Network Entities page, expand Networks, select Internal,
click Add, click Close, and then click Next.
10. On the Access Rule Destinations page, click Add.
11. On the Add Network Entities page, expand Networks, select External,
click Add, click Close, and then click Next.
12. On the User Sets page, click Add.
13. On the Add Users page, click All users, click Add, click Close, and
then click Next.
14. Click Finish.
15. In the ISA Management MMC snap-in, click Apply, and then click OK.

Note: Make sure that this new rule comes before "SBS Internet Access Rule".

III. Ensure the remote VPN server network is running under a different IP
schema from your local LAN. For example, we usually run the SBS LAN under
192.168.16.0/24. Please ensure the remote VPN server network is not running
under the same IP range, 192.168.16.0/24. Please note that the same IP schema
will cause network traffic routing issues.

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

1. Please capture screenshots of the RDP error messages and send the
pictures to me at v-terliu@xxxxxxxxxxxxx

2. Once the VPN connection is established, run the commands "ipconfig /all >
c:\ipconfig_client.txt" and "route print > c:\route_client.txt" on the VPN
client, and send the files c:\ipconfig_client.txt and c:\route_client.txt to me
at v-terliu@xxxxxxxxxxxxx

3. Can you ping the remote network from VPN client after the VPN connection
is established?

4. Please help to gather the ISA Info:

1) Download the file from the following URL:

http://www.isatools.org/tools/isainfo.zip

2) Extract all files to a folder on ISA server.

3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.

4) Please send these files to me at v-terliu@xxxxxxxxxxxxx

5. Please also help to gather the ISA logs:

1) Schedule a down time.

2) Open ISA 2004 management console.

3) Expand the server node and highlight 'Monitoring'.

4) In the right pane, switch to the 'Logging' tab, and make sure the 'Task
Pane' is shown there.

5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

9) Click 'Apply' to save changes and update the configuration.

10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.

11) Clear the existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files may
not be able to be deleted; that's normal.) You may back them up first and then
delete them.

12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

13) Reproduce the problem, stop the service, and then gather the resulting
W3C files and send them to me for analysis.

14) Please also let me know the IP address of the testing clients so that I
can filter the data.

I hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
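
The subnet check from step III of the reply above, run against the route table the engineer asks for in item 2, as an added example that is not part of the original post. It assumes the Windows XP/Server 2003 `route print` layout (on-link routes list the interface address as the gateway); the sample table, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample of the "Active Routes" table from route_client.txt:
# LAN adapter 192.168.16.50, PPTP adapter 192.168.16.201 (same /24 on both).
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.16.2   192.168.16.50      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.16.0    255.255.255.0    192.168.16.50   192.168.16.50      20
     192.168.16.0    255.255.255.0   192.168.16.201  192.168.16.201       1
    192.168.16.50  255.255.255.255        127.0.0.1       127.0.0.1      20
   192.168.16.255  255.255.255.255    192.168.16.50   192.168.16.50      20
        224.0.0.0        240.0.0.0    192.168.16.50   192.168.16.50      20
"""

QUAD = r"(\d+(?:\.\d+){3})"
ROW = re.compile(r"^\s*" + r"\s+".join([QUAD] * 4) + r"\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, interface list, persistent routes
        dest, mask, gw, iface, metric = m.groups()
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           ipaddress.ip_address(gw), ipaddress.ip_address(iface),
                           int(metric)))
        except ValueError:
            continue  # malformed address or mask
    return routes

def find_overlaps(routes):
    """Return (iface_a, net_a, iface_b, net_b) where two adapters claim overlapping subnets."""
    subnets = {}
    for net, gw, iface, _ in routes:
        # Keep directly attached subnets only: skip default, host, loopback, multicast.
        if gw == iface and not iface.is_loopback and not net.is_multicast \
                and 0 < net.prefixlen < 32:
            subnets.setdefault(iface, set()).add(net)
    hits = [(str(a), str(na), str(b), str(nb))
            for a, b in combinations(sorted(subnets), 2)
            for na in subnets[a] for nb in subnets[b] if na.overlaps(nb)]
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_overlaps(parse_routes(SAMPLE_ROUTE_PRINT)):
        print("overlap: %s %s <-> %s %s" % hit)
```

An empty result means no two adapters claim the same address range, so the routing conflict described in step III is not the cause.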

--------------------
From: =?Utf-8?B?R3JheXNhaWxvcg==?= <Graysailor@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Remote Desktop from LAN not working
Date: Thu, 5 Jun 2008 14:31:03 -0700


The sites are on different networks, different companies, sometimes
different cities.

"Jim Behning SBS MVP" wrote:

Are the sites on different networks? If every site you manage is on
192.168.16.x then you are going to have a hard time reaching out.

On Wed, 4 Jun 2008 07:43:01 -0700, Graysailor
<Graysailor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

SBS 2003 Premium, with ISA 2004. I can use RWW to access desktops from
outside the LAN. I can establish a VPN connection from the LAN to an
external location, but then I cannot RDP to a workstation on that VPN
connection. I can use VPN and RDP to these sites when I use a computer
that isn't behind the ISA Firewall. I have reviewed all docs I can find
and messages - what do I need to set up on the ISA firewall? Thanks!

See what SBS support is working on
http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer
http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx


