Access to Terminal Services server via internet RDP

[Guest Steve Booth]

My question is very similiar to a question raised on 4/24/2006 by Barry which

seemed to have no conclusion!

 

However I am fortunate in having more information.

 

I am trying to connect to a Windows 2003 terminal server inside our network.

I am forwarding 3389 through our router and a Windows 2003 Domain Controller

to the terminal server on address 10.0.0.254. Using telnet from the internet

i can see the connection is being refused. I can connect to this terminal

server from inside the network.

 

The interesting additional fact is that i can successfully connect to a

Windows 2000 terminal server running on address 10.0.0.253 from the internet.

 

Any help in resolving this issue would be very gratefully received.

[Guest Jeff Pitsch]

Re: Access to Terminal Services server via internet RDP

 

What do you mean your port forwarding through the router and DC? why

are you not simply going from the router to the terminal server?

 

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

 

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

 

Steve Booth wrote:

> My question is very similiar to a question raised on 4/24/2006 by Barry which

> seemed to have no conclusion!

>

> However I am fortunate in having more information.

>

> I am trying to connect to a Windows 2003 terminal server inside our network.

> I am forwarding 3389 through our router and a Windows 2003 Domain Controller

> to the terminal server on address 10.0.0.254. Using telnet from the internet

> i can see the connection is being refused. I can connect to this terminal

> server from inside the network.

>

> The interesting additional fact is that i can successfully connect to a

> Windows 2000 terminal server running on address 10.0.0.253 from the internet.

>

> Any help in resolving this issue would be very gratefully received.

>

>

>

>

[Guest Steve Booth]

Re: Access to Terminal Services server via internet RDP

 

Because it seemed simpler at the time for various reasons (no of Cat5 sockets

in the server room) and it worked for Windows 2000 Terminal server. I am just

testing at present to make sure it is worth buying the licences for our US

office to access our server.

 

If you think it would solve the problem I do have a second card in the

Windows 2003 Terminal server i could connect straight to the router. I guess

I will need routing setup on between the cards - I assume it is a stanard

setup.

 

Regards

Steve Booth

 

"Jeff Pitsch" wrote:

> What do you mean your port forwarding through the router and DC? why

> are you not simply going from the router to the terminal server?

>

> Jeff Pitsch

> Microsoft MVP - Terminal Server

> Citrix Technology Professional

> Provision Networks VIP

>

> Forums not enough?

> Get support from the experts at your business

> http://jeffpitschconsulting.com

>

> Steve Booth wrote:

> > My question is very similiar to a question raised on 4/24/2006 by Barry which

> > seemed to have no conclusion!

> >

> > However I am fortunate in having more information.

> >

> > I am trying to connect to a Windows 2003 terminal server inside our network.

> > I am forwarding 3389 through our router and a Windows 2003 Domain Controller

> > to the terminal server on address 10.0.0.254. Using telnet from the internet

> > i can see the connection is being refused. I can connect to this terminal

> > server from inside the network.

> >

> > The interesting additional fact is that i can successfully connect to a

> > Windows 2000 terminal server running on address 10.0.0.253 from the internet.

> >

> > Any help in resolving this issue would be very gratefully received.

> >

> >

> >

> >

>

[Guest Jeff Pitsch]

Re: Access to Terminal Services server via internet RDP

 

No, what your describing is not a typical setup.

 

I would not put two NIC's in the terminal server. Windows does not

handle dual homes server well at all and you'll be manually setting up

your routing tables. How are you going through the DC? Is it setup as

a router? If so, I would highly recommend investing in a small scale

router to put in it's place or a new switch. Either way you'll be alot

happier.

 

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

 

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

 

Steve Booth wrote:

> Because it seemed simpler at the time for various reasons (no of Cat5 sockets

> in the server room) and it worked for Windows 2000 Terminal server. I am just

> testing at present to make sure it is worth buying the licences for our US

> office to access our server.

>

> If you think it would solve the problem I do have a second card in the

> Windows 2003 Terminal server i could connect straight to the router. I guess

> I will need routing setup on between the cards - I assume it is a stanard

> setup.

>

> Regards

> Steve Booth

>

> "Jeff Pitsch" wrote:

>

>> What do you mean your port forwarding through the router and DC? why

>> are you not simply going from the router to the terminal server?

>>

>> Jeff Pitsch

>> Microsoft MVP - Terminal Server

>> Citrix Technology Professional

>> Provision Networks VIP

>>

>> Forums not enough?

>> Get support from the experts at your business

>> http://jeffpitschconsulting.com

>>

>> Steve Booth wrote:

>>> My question is very similiar to a question raised on 4/24/2006 by Barry which

>>> seemed to have no conclusion!

>>>

>>> However I am fortunate in having more information.

>>>

>>> I am trying to connect to a Windows 2003 terminal server inside our network.

>>> I am forwarding 3389 through our router and a Windows 2003 Domain Controller

>>> to the terminal server on address 10.0.0.254. Using telnet from the internet

>>> i can see the connection is being refused. I can connect to this terminal

>>> server from inside the network.

>>>

>>> The interesting additional fact is that i can successfully connect to a

>>> Windows 2000 terminal server running on address 10.0.0.253 from the internet.

>>>

>>> Any help in resolving this issue would be very gratefully received.

>>>

>>>

>>>

>>>

[Guest Steve Booth]

Re: Access to Terminal Services server via internet RDP

 

Dear Jeff

 

What we have at present is

 

A public IP of 212.xxx.xxx.xxx

 

A Draytek Vigor 2600 ADSL Router with address 192.168.0.1

Forwards appropriate ports to 192.168.0.101

 

A Windows 2003 Server with one card address 192.168.0.101

'internal' card 10.0.0.250

 

Routing and remote access running between these two cards

 

Exchange runs fine on this server.

 

In my initial scenario port 3389 was forwarded using routing to Windows 2000

Terminal Server at 10.0.0.253

 

I then changed to point to Windows 2003 Terminal Server at 10.0.0.254, which

just gets blocked somewhere. As the Windows 2003 Terminal Server is

accessible internally my suspicion was that 2003 machine somehow detetects

packets are from public internet and blocks them from Terminal Server.

 

I can find no references to this problem on Google et al. As the machine is

a demoted Domain Controller I am thinking of re-installing it from scratch.

 

BTW We are only a small company (10 employees) so run everything (currently)

on the single (gateway) server.

 

 

 

"Jeff Pitsch" wrote:

> No, what your describing is not a typical setup.

>

> I would not put two NIC's in the terminal server. Windows does not

> handle dual homes server well at all and you'll be manually setting up

> your routing tables. How are you going through the DC? Is it setup as

> a router? If so, I would highly recommend investing in a small scale

> router to put in it's place or a new switch. Either way you'll be alot

> happier.

>

> Jeff Pitsch

> Microsoft MVP - Terminal Server

> Citrix Technology Professional

> Provision Networks VIP

>

> Forums not enough?

> Get support from the experts at your business

> http://jeffpitschconsulting.com

>

> Steve Booth wrote:

> > Because it seemed simpler at the time for various reasons (no of Cat5 sockets

> > in the server room) and it worked for Windows 2000 Terminal server. I am just

> > testing at present to make sure it is worth buying the licences for our US

> > office to access our server.

> >

> > If you think it would solve the problem I do have a second card in the

> > Windows 2003 Terminal server i could connect straight to the router. I guess

> > I will need routing setup on between the cards - I assume it is a stanard

> > setup.

> >

> > Regards

> > Steve Booth

> >

> > "Jeff Pitsch" wrote:

> >

> >> What do you mean your port forwarding through the router and DC? why

> >> are you not simply going from the router to the terminal server?

> >>

> >> Jeff Pitsch

> >> Microsoft MVP - Terminal Server

> >> Citrix Technology Professional

> >> Provision Networks VIP

> >>

> >> Forums not enough?

> >> Get support from the experts at your business

> >> http://jeffpitschconsulting.com

> >>

> >> Steve Booth wrote:

> >>> My question is very similiar to a question raised on 4/24/2006 by Barry which

> >>> seemed to have no conclusion!

> >>>

> >>> However I am fortunate in having more information.

> >>>

> >>> I am trying to connect to a Windows 2003 terminal server inside our network.

> >>> I am forwarding 3389 through our router and a Windows 2003 Domain Controller

> >>> to the terminal server on address 10.0.0.254. Using telnet from the internet

> >>> i can see the connection is being refused. I can connect to this terminal

> >>> server from inside the network.

> >>>

> >>> The interesting additional fact is that i can successfully connect to a

> >>> Windows 2000 terminal server running on address 10.0.0.253 from the internet.

> >>>

> >>> Any help in resolving this issue would be very gratefully received.

> >>>

> >>>

> >>>

> >>>

>

[Guest Steve Booth]

Re: Access to Terminal Services server via internet RDP

 

FYI Out of curiosity I have connected the 192.168.0.102 card in the W2003 TS

to the router. With RRAS activated and port 3389 forwarded i can telnet into

port 3389 from the Internet. However using Remote Desktopn the connection is

refused.

 

In perusing the Internet i have come across the phrase TS Gateway Server.

Not sure what this is but am going to investigate. At present security is

(simply) enforced in router by only allowing connection from single IP.

 

"Steve Booth" wrote:

> Dear Jeff

>

> What we have at present is

>

> A public IP of 212.xxx.xxx.xxx

>

> A Draytek Vigor 2600 ADSL Router with address 192.168.0.1

> Forwards appropriate ports to 192.168.0.101

>

> A Windows 2003 Server with one card address 192.168.0.101

> 'internal' card 10.0.0.250

>

> Routing and remote access running between these two cards

>

> Exchange runs fine on this server.

>

> In my initial scenario port 3389 was forwarded using routing to Windows 2000

> Terminal Server at 10.0.0.253

>

> I then changed to point to Windows 2003 Terminal Server at 10.0.0.254, which

> just gets blocked somewhere. As the Windows 2003 Terminal Server is

> accessible internally my suspicion was that 2003 machine somehow detetects

> packets are from public internet and blocks them from Terminal Server.

>

> I can find no references to this problem on Google et al. As the machine is

> a demoted Domain Controller I am thinking of re-installing it from scratch.

>

> BTW We are only a small company (10 employees) so run everything (currently)

> on the single (gateway) server.

>

>

>

> "Jeff Pitsch" wrote:

>

> > No, what your describing is not a typical setup.

> >

> > I would not put two NIC's in the terminal server. Windows does not

> > handle dual homes server well at all and you'll be manually setting up

> > your routing tables. How are you going through the DC? Is it setup as

> > a router? If so, I would highly recommend investing in a small scale

> > router to put in it's place or a new switch. Either way you'll be alot

> > happier.

> >

> > Jeff Pitsch

> > Microsoft MVP - Terminal Server

> > Citrix Technology Professional

> > Provision Networks VIP

> >

> > Forums not enough?

> > Get support from the experts at your business

> > http://jeffpitschconsulting.com

> >

> > Steve Booth wrote:

> > > Because it seemed simpler at the time for various reasons (no of Cat5 sockets

> > > in the server room) and it worked for Windows 2000 Terminal server. I am just

> > > testing at present to make sure it is worth buying the licences for our US

> > > office to access our server.

> > >

> > > If you think it would solve the problem I do have a second card in the

> > > Windows 2003 Terminal server i could connect straight to the router. I guess

> > > I will need routing setup on between the cards - I assume it is a stanard

> > > setup.

> > >

> > > Regards

> > > Steve Booth

> > >

> > > "Jeff Pitsch" wrote:

> > >

> > >> What do you mean your port forwarding through the router and DC? why

> > >> are you not simply going from the router to the terminal server?

> > >>

> > >> Jeff Pitsch

> > >> Microsoft MVP - Terminal Server

> > >> Citrix Technology Professional

> > >> Provision Networks VIP

> > >>

> > >> Forums not enough?

> > >> Get support from the experts at your business

> > >> http://jeffpitschconsulting.com

> > >>

> > >> Steve Booth wrote:

> > >>> My question is very similiar to a question raised on 4/24/2006 by Barry which

> > >>> seemed to have no conclusion!

> > >>>

> > >>> However I am fortunate in having more information.

> > >>>

> > >>> I am trying to connect to a Windows 2003 terminal server inside our network.

> > >>> I am forwarding 3389 through our router and a Windows 2003 Domain Controller

> > >>> to the terminal server on address 10.0.0.254. Using telnet from the internet

> > >>> i can see the connection is being refused. I can connect to this terminal

> > >>> server from inside the network.

> > >>>

> > >>> The interesting additional fact is that i can successfully connect to a

> > >>> Windows 2000 terminal server running on address 10.0.0.253 from the internet.

> > >>>

> > >>> Any help in resolving this issue would be very gratefully received.

> > >>>

> > >>>

> > >>>

> > >>>

> >