TS in DMZ will not allow clients to connect - licensing issue


Guest Andrew Story
Posted

Hello NG, - Win2k TS with a mix of XP Pro and 2k Pro clients.

90 days ago (I know) we installed a TS server in a DMZ to allow access via TS Web Access to an application on the trusted network. All worked fine until now; external clients cannot connect and get a message box with this text:

The remote computer disconnected the session because of an error in the licensing protocol. Please try connecting to the remote computer again or contact your server administrator.

Internal clients are fine, also there are many event ID: 1004 regarding the devices unable to connect. Is there a way to test whether your TS server can actually see a license server? I assumed that due to all clients being able to log on that they just could? I know that 90 days grace is up, but would external clients have been able to connect if the TS could never see a licensing server?

Any help much appreciated

Guest Leythos
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 


What's the point of putting a server in the DMZ if it has to authenticate and share with the LAN?

If you are going to have to punch gaping holes in the firewall to allow DMZ>LAN access there really isn't any point in having a DMZ.

 

--

 

Leythos

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest Andrew Story
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

Thanks for your input Leythos, very valid.

 

But, can you help with the original question please?

 


Guest Vera Noest [MVP]
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

You can run the Resource Kit utility lsview on the TS to check if it can locate the TS Licensing Server.

Where is the TS Licensing Server located?

Have you checked in the TS Licensing Manager on the TS Licensing Server which licenses have been issued, both to your internal and external clients?

Have your internal clients received a free license from the built-in pool of "Existing Windows 2000 TS CALs"? Have your external clients been issued temporary licenses, which now have expired?

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote on 03 Oct 2007 in microsoft.public.windows.terminal_services:

> Thanks for your input Leythos, very valid.
>
> But, can you help with the original question please?


Guest Andrew Story
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

Thanks Vera,

External clients cannot get licenses issued so I assume the TS in the DMZ cannot see the Licensing server on the trusted network.

You can ping the license server, and it issues licenses to other TS clients, just not the external ones.

I will run LSview on the TS and report back.

 

 


Guest Andrew Story
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

OK Fixed - sort of.

I am now pointing the TS in the DMZ to a licensing server we have on an IPSec site and it communicates with it.

What is the best way to have a TS box running in a DMZ? Can a domain TS server use a workgroup licensing server?

This would make life easier as I could put a workgroup server with TS licensing in the DMZ with the TS server?

 

 


Guest Leythos
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

In article <#QfArfeBIHA.5980@TK2MSFTNGP04.phx.gbl>, "Andrew Story"

<andrewDOTstoryATjameswalkerDOTbiz> says...

>

> Thanks for your input Leythos, very valid.

>

> But, can you help with the original question please?

 

I did, you just didn't understand the implication and cause of your failure.

You don't run a Windows authenticating server in the DMZ that authenticates with the LAN. It's that simple. You need to open too many holes to make it secure, so move it to the LAN and you won't have a problem.

 


Guest Leythos
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

In article <eBoeF1mBIHA.3940@TK2MSFTNGP05.phx.gbl>, "Andrew Story"

<andrewDOTstoryATjameswalkerDOTbiz> says...

> OK Fixed - sort of.

Forgive me, but you screwed the pooch doing this.

> I am now pointing the TS in the DMZ to a licensing server we have on an
> IPSec site and it communicates with it.

And you've exposed the network to compromise in doing so.

> What is the best way to have a TS box running in a DMZ? Can a domain TS
> server use a workgroup licensing server?
> This would make life easier as I could put a workgroup server with TS
> licensing in the DMZ with the TS server?

Just install the license service on the TS, still not good, but it means that you don't have to compromise your network.

 


Guest Andrew Story
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

I can't install the license service on the TS as it's not a DC.

 

Thanks for your input anyhow.

 


Guest Vera Noest [MVP]
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

Then you can install the TS Licensing Services on a standalone server (in a workgroup) and point the TS to it.

Or upgrade the TS to 2003, since a 2003 LS can run on a member server.


 

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote on 05 Oct 2007 in microsoft.public.windows.terminal_services:

> I can't install the license service on the TS as it's not a DC.
>
> Thanks for your input anyhow.


Guest Andrew Story
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

I've tried to install the LS in a workgroup, but the TS would not recognise it, nor could it be seen using LSview.exe.

Thanks anyhow.

 


Guest Vera Noest [MVP]
Posted

Re: TS in DMZ will not allow clients to connect - licensing issue

 

Did you specifically tell the TS to connect to this LS?

279561 - How to Override the License Server Discovery Process in Windows Server 2003 Terminal Services
http://support.microsoft.com/?kbid=279561

You might also have to configure this local policy setting on the LS:

Local Security Policy - Security Settings\Local Policies\Security Options
"Network access: Let Everyone permissions apply to anonymous users" - Enable

 


 

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote on 08 Oct 2007 in microsoft.public.windows.terminal_services:

> I've tried to install the LS in a workgroup, but the TS would
> not recognise it, nor could it be seen using LSview.exe.
>
> Thanks anyhow.

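
One way to check, from registry exports, the two settings named in the reply above (a pinned license server on the TS, and the anonymous-access policy on the LS). This is an added example, not part of the thread. The key and value names (`DefaultLicenseServer` for Windows 2000, the `LicenseServers` subkey for Windows Server 2003, `EveryoneIncludesAnonymous` for the policy) come from Microsoft's documentation rather than from the posts, and the sample exports and the host name LS-DMZ01 are constructed.

```python
import re

# Registry locations per Microsoft's documentation (not quoted in the thread).
TS_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed exports; LS-DMZ01 is a hypothetical host name.
TS_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
"DefaultLicenseServer"="LS-DMZ01"
'''
LS_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"EveryoneIncludesAnonymous"=dword:00000001
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        data = m.group("data")
        if data.startswith("dword:"):
            current[m.group("name")] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[m.group("name")] = data[1:-1].replace("\\\\", "\\")
    return keys


def get_value(reg, key, name):
    """Case-insensitive lookup, since registry paths ignore case."""
    for k, values in reg.items():
        if k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def pinned_license_servers(reg):
    """Return license servers the TS is told to use instead of discovery."""
    servers = []
    default = get_value(reg, TS_PARAMS, "DefaultLicenseServer")  # Windows 2000 form
    if default:
        servers.append(default)
    prefix = TS_PARAMS.lower() + "\\licenseservers\\"  # Server 2003 form
    for key in reg:
        if key.lower().startswith(prefix):
            name = key[len(prefix):].split("\\")[0]
            if name and name not in servers:
                servers.append(name)
    return servers


def audit(ts_reg, ls_reg):
    """Return (pinned servers, findings) for a TS export and an LS export."""
    findings = []
    servers = pinned_license_servers(ts_reg)
    if not servers:
        findings.append("TS: no license server pinned; it relies on automatic discovery")
    if get_value(ls_reg, LSA, "EveryoneIncludesAnonymous") == 1:
        findings.append("LS: EveryoneIncludesAnonymous=1; anonymous users get Everyone permissions")
    return servers, findings


if __name__ == "__main__":
    print(audit(parse_reg(TS_EXPORT), parse_reg(LS_EXPORT)))
```

Files written by regedit in the "Version 5.00" format are UTF-16, so decode them with that encoding before passing the text to `parse_reg`.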
