Can't access W2003R2 Servers with RDP via VPN

 
 
Bob Stolzman

 
      06-15-2006, 06:07 PM
I am running several servers on Win2003 Server, R2 SP1 and can access
them with RDP when I am on the network, but am unable to do this when I
VPN into the network using a Cisco PIX VPN. I can access all the other
computers and servers on the network in this fashion, including other
servers running Win2003 Server SP1, but none of the servers running R2.
The internal addresses of the network are 192.168.42.x and when I VPN
in, I am assigned an IP address of 10.0.0.x. The servers return a ping
when I am on the network, but not when I VPN in.

One server is running Exchange 2003, one is running NAT, and the third
SMTP. I have been through the security config wizard on the Exchange
Server with a fine tooth comb, and have turned off the Windows
firewall, but to no avail. The other two servers are not running a
Firewall.

Any help would be greatly appreciated.

Bob

 
Pegasus (MVP)

 
      06-15-2006, 10:10 PM

"Bob Stolzman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I am running several servers on Win2003 Server, R2 SP1 and can access
> them with RDP when I am on the network, but am unable to do this when I
> VPN into the network using a Cisco PIX VPN. I can access all the other
> computers and servers on the network in this fashion, including other
> servers running Win2003 Server SP1, but none of the servers running R2.
> The internal addresses of the network are 192.168.42.x and when I VPN
> in, I am assigned an IP address of 10.0.0.x. The servers return a ping
> when I am on the network, but not when I VPN in.
>
> One server is running Exchange 2003, one is running NAT, and the third
> SMTP. I have been through the security config wizard on the Exchange
> Server with a fine tooth comb, and have turned off the Windows
> firewall, but to no avail. The other two servers are not running a
> Firewall.
>
> Any help would be greatly appreciated.
>
> Bob
>


I have never used the Cisco VPN client but I cannot see how
you can set up a Remote Desktop session to a machine in the
192.168.42 subnet when your own subnet is 10.0.0. I suggest
you try to resolve this addressing issue before attempting to
launch a Remote Desktop session.

You don't really need a VPN for an RDP session. You could
just as well set a specific RDP port number on each internal
PC, then create an appropriate set of tunnels on your firewall
in order to assign to each port number a fixed internal IP
address.


 
Roger Abell [MVP]

 
      06-15-2006, 11:18 PM
All you have said seems reasonable, as is.
What do you get when attempting RDP connect within the VPN ?
Any response at all (ex. prompting by failed login, no screen at all, etc.)?
Within the VPN session can you connect in any way at all with those R2s ?
(ex. map a share? remote mgmt with an mmc tool?)
AFAIK there is no particularly different port reqs for R2, but the ports
being used could have been redefined (I guess you would know that as
you RDP with them outside of VPN use).
PS. R2 is currently at gold release level, not SP1

"Bob Stolzman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
>I am running several servers on Win2003 Server, R2 SP1 and can access
> them with RDP when I am on the network, but am unable to do this when I
> VPN into the network using a Cisco PIX VPN. I can access all the other
> computers and servers on the network in this fashion, including other
> servers running Win2003 Server SP1, but none of the servers running R2.
> The internal addresses of the network are 192.168.42.x and when I VPN
> in, I am assigned an IP address of 10.0.0.x. The servers return a ping
> when I am on the network, but not when I VPN in.
>
> One server is running Exchange 2003, one is running NAT, and the third
> SMTP. I have been through the security config wizard on the Exchange
> Server with a fine tooth comb, and have turned off the Windows
> firewall, but to no avail. The other two servers are not running a
> Firewall.
>
> Any help would be greatly appreciated.
>
> Bob
>



 
Bob.Stolzman@gmail.com

 
      06-15-2006, 11:23 PM

Pegasus (MVP) wrote:
> "Bob Stolzman" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) oups.com...
> > I am running several servers on Win2003 Server, R2 SP1 and can access
> > them with RDP when I am on the network, but am unable to do this when I
> > VPN into the network using a Cisco PIX VPN. I can access all the other
> > computers and servers on the network in this fashion, including other
> > servers running Win2003 Server SP1, but none of the servers running R2.
> > The internal addresses of the network are 192.168.42.x and when I VPN
> > in, I am assigned an IP address of 10.0.0.x. The servers return a ping
> > when I am on the network, but not when I VPN in.
> >
> > One server is running Exchange 2003, one is running NAT, and the third
> > SMTP. I have been through the security config wizard on the Exchange
> > Server with a fine tooth comb, and have turned off the Windows
> > firewall, but to no avail. The other two servers are not running a
> > Firewall.
> >
> > Any help would be greatly appreciated.
> >
> > Bob
> >

>
> I have never used the Cisco VPN client but I cannot see how
> you can set up a Remote Desktop session to a machine in the
> 192.168.42 subnet when your own subnet is 10.0.0. I suggest
> you try to resolve this addressing issue before attempting to
> launch a Remote Desktop session.
>
> You don't really need a VPN for an RDP session. You could
> just as well set a specific RDP port number on each internal
> PC, then create an appropriate set of tunnels on your firewall
> in order to assign to each port number a fixed internal IP
> address.


The subnet issue is handled in the router behind the PIX. I connect to
other computers using VNC and RDP all the time, even to other Win2003
Servers, just not R2. It seems to be an issue with R2.

 
Bob Stolzman

 
      06-16-2006, 01:09 AM

Roger Abell [MVP] wrote:
> All you have said seems reasonable, as is.
> What do you get when attempting RDP connect within the VPN ?
> Any response at all (ex. prompting by failed login, no screen at all, etc.)?
> Within the VPN session can you connect in any way at all with those R2s ?
> (ex. map a share? remote mgmt with an mmc tool?)
> AFAIK there is no particularly different port reqs for R2, but the ports
> being used could have been redefined (I guess you would know that as
> you RDP with them outside of VPN use).
> PS. R2 is currently at gold release level, not SP1
>
> "Bob Stolzman" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) oups.com...
> >I am running several servers on Win2003 Server, R2 SP1 and can access
> > them with RDP when I am on the network, but am unable to do this when I
> > VPN into the network using a Cisco PIX VPN. I can access all the other
> > computers and servers on the network in this fashion, including other
> > servers running Win2003 Server SP1, but none of the servers running R2.
> > The internal addresses of the network are 192.168.42.x and when I VPN
> > in, I am assigned an IP address of 10.0.0.x. The servers return a ping
> > when I am on the network, but not when I VPN in.
> >
> > One server is running Exchange 2003, one is running NAT, and the third
> > SMTP. I have been through the security config wizard on the Exchange
> > Server with a fine tooth comb, and have turned off the Windows
> > firewall, but to no avail. The other two servers are not running a
> > Firewall.
> >
> > Any help would be greatly appreciated.
> >
> > Bob
> >

When I attempt to connect with RDP via VPN I get the following message:

"The client could not connect to the remote computer. Remote
connections might not be enabled or the computer might be too busy to
accept new connections. It is also possible that network problems are
preventing your connection. Please try connecting again later. If the
problem continues to occur, contact your administrator."

I cannot map a share, and when I attempt \\servername in Windows
Explorer, I get no response. When I attempt to manage the server via
MMC, it resolves the server name, but it will not connect. These
features all work on all our other computers and servers, including
servers running Win2003, not R2. I have not modified the ports. As I
said, they all work when I am on the LAN.

Also, how can I upgrade from R2 to Gold Release? Thanks.
Bob

 
Steven L Umbach

 
      06-16-2006, 03:58 AM
It sounds like you do not have basic network connectivity if you can not
even ping. Try pinging by IP also if you have not done that yet and try
using tracert to the destination IP. You also can use the command line port
scanner portqry to see if the needed ports, or any ports, are available from
your computer. Double check that the firewalls are indeed disabled on those
servers by using the command netsh firewall show state to see if operational
mode shows as being disabled. Check the logs on both the Remote Access
Server and the servers to see if anything is recorded at the times of the
failed logon attempts such as failed logon events in the security log and
for anything that may be helpful in the application log. If it does not put
the servers at risk or disable functionality try to temporarily disable the
ipsec service to check to see if any ipsec policy is blocking access.
Firewall/VPN filtering rules could also be blocking access if for some
reason those server IP addresses are not included in the allowed IP
addresses. --- Steve

http://support.microsoft.com/kb/310099 --- portqry

"Bob Stolzman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
>I am running several servers on Win2003 Server, R2 SP1 and can access
> them with RDP when I am on the network, but am unable to do this when I
> VPN into the network using a Cisco PIX VPN. I can access all the other
> computers and servers on the network in this fashion, including other
> servers running Win2003 Server SP1, but none of the servers running R2.
> The internal addresses of the network are 192.168.42.x and when I VPN
> in, I am assigned an IP address of 10.0.0.x. The servers return a ping
> when I am on the network, but not when I VPN in.
>
> One server is running Exchange 2003, one is running NAT, and the third
> SMTP. I have been through the security config wizard on the Exchange
> Server with a fine tooth comb, and have turned off the Windows
> firewall, but to no avail. The other two servers are not running a
> Firewall.
>
> Any help would be greatly appreciated.
>
> Bob
>



 
Roger Abell [MVP]

 
      06-16-2006, 04:40 AM
hmmm - got to think about the meaty issue part, but as quick
clarification Gold means the initial released version, so the
current up-to-date release of R2 is the Gold as SP 1 has not
been released for R2 (W2k3 R2 released simultaneously with
the release of SP 1 for W2k3).

And you said the R2 do not have their firewalls turned on . . .
Do these have multiple NICs?


"Bob Stolzman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
>
> Roger Abell [MVP] wrote:
>> All you have said seems reasonable, as is.
>> What do you get when attempting RDP connect within the VPN ?
>> Any response at all (ex. prompting by failed login, no screen at all,
>> etc.)?
>> Within the VPN session can you connect in any way at all with those R2s ?
>> (ex. map a share? remote mgmt with an mmc tool?)
>> AFAIK there is no particularly different port reqs for R2, but the ports
>> being used could have been redefined (I guess you would know that as
>> you RDP with them outside of VPN use).
>> PS. R2 is currently at gold release level, not SP1
>>
>> "Bob Stolzman" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) oups.com...
>> >I am running several servers on Win2003 Server, R2 SP1 and can access
>> > them with RDP when I am on the network, but am unable to do this when I
>> > VPN into the network using a Cisco PIX VPN. I can access all the other
>> > computers and servers on the network in this fashion, including other
>> > servers running Win2003 Server SP1, but none of the servers running R2.
>> > The internal addresses of the network are 192.168.42.x and when I VPN
>> > in, I am assigned an IP address of 10.0.0.x. The servers return a ping
>> > when I am on the network, but not when I VPN in.
>> >
>> > One server is running Exchange 2003, one is running NAT, and the third
>> > SMTP. I have been through the security config wizard on the Exchange
>> > Server with a fine tooth comb, and have turned off the Windows
>> > firewall, but to no avail. The other two servers are not running a
>> > Firewall.
>> >
>> > Any help would be greatly appreciated.
>> >
>> > Bob
>> >

> When I attempt to connect with RDP via VPN I get the following message:
>
> "The client could not connect to the remote computer. Remote
> connections might not be enabled or the computer might be too busy to
> accept new connections. It is also possible that network problems are
> preventing your connection. Please try connecting again later. If the
> problem continues to occur, contact your administrator."
>
> I cannot map a share, and when I attempt \\servername in Windows
> Explorer, I get no response. When I attempt to manage the server via
> MMC, it resolves the server name, but it will not connect. These
> features all work on all our other computers and servers, including
> servers running Win2003, not R2. I have not modified the ports. As I
> said, they all work when I am on the LAN.
>
> Also, how can I upgrade from R2 to Gold Release? Thanks.
> Bob
>



 
Roger Abell [MVP]

 
      06-16-2006, 04:50 AM
afterthought . . .
you have tried pathping or traceroute from XP during VPN ?

"Roger Abell [MVP]" <(E-Mail Removed)> wrote in message
news:Obo%(E-Mail Removed)...
> All you have said seems reasonable, as is.
> What do you get when attempting RDP connect within the VPN ?
> Any response at all (ex. prompting by failed login, no screen at all,
> etc.)?
> Within the VPN session can you connect in any way at all with those R2s ?
> (ex. map a share? remote mgmt with an mmc tool?)
> AFAIK there is no particularly different port reqs for R2, but the ports
> being used could have been redefined (I guess you would know that as
> you RDP with them outside of VPN use).
> PS. R2 is currently at gold release level, not SP1
>
> "Bob Stolzman" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) oups.com...
>>I am running several servers on Win2003 Server, R2 SP1 and can access
>> them with RDP when I am on the network, but am unable to do this when I
>> VPN into the network using a Cisco PIX VPN. I can access all the other
>> computers and servers on the network in this fashion, including other
>> servers running Win2003 Server SP1, but none of the servers running R2.
>> The internal addresses of the network are 192.168.42.x and when I VPN
>> in, I am assigned an IP address of 10.0.0.x. The servers return a ping
>> when I am on the network, but not when I VPN in.
>>
>> One server is running Exchange 2003, one is running NAT, and the third
>> SMTP. I have been through the security config wizard on the Exchange
>> Server with a fine tooth comb, and have turned off the Windows
>> firewall, but to no avail. The other two servers are not running a
>> Firewall.
>>
>> Any help would be greatly appreciated.
>>
>> Bob
>>

>
>



 
Mike Harris

 
      06-16-2006, 06:23 PM
As other posts say, you have a TCP/IP issue here since you can't even ping
the servers. I had a similar problem trying to connect to servers on a
particular subnet using VNC and Remote Desktop over a Cisco VPN Client
connection from home. It ended-up being a problem with the MTU size set too
high for TCP/IP over the VPN connection.

When you installed the Cisco VPN Client, it probably made an icon on the
Start menu for "Set MTU". If not, just go to the directory where you
installed it and find SetMTU.exe. Run that program, select the virtual
network adapter created by the Cisco VPN Client, and select 1300 as the MTU
size. You must re-boot for the change to take effect.

"Bob Stolzman" wrote:

> I am running several servers on Win2003 Server, R2 SP1 and can access
> them with RDP when I am on the network, but am unable to do this when I
> VPN into the network using a Cisco PIX VPN. I can access all the other
> computers and servers on the network in this fashion, including other
> servers running Win2003 Server SP1, but none of the servers running R2.
> The internal addresses of the network are 192.168.42.x and when I VPN
> in, I am assigned an IP address of 10.0.0.x. The servers return a ping
> when I am on the network, but not when I VPN in.
>
> One server is running Exchange 2003, one is running NAT, and the third
> SMTP. I have been through the security config wizard on the Exchange
> Server with a fine tooth comb, and have turned off the Windows
> firewall, but to no avail. The other two servers are not running a
> Firewall.
>
> Any help would be greatly appreciated.
>
> Bob
>
>

 
Bob Stolzman

 
      06-20-2006, 01:03 AM
To all who commented on this issue, Thank You. I solved this issue.
It's so simple, I'm almost embarrassed. It was a default gateway issue.
Since these servers use the NAT server for their default gateway
instead of the router, packets couldn't find their way back across the
VPN. Adding a persistent route to the 10.0.0.x subnet did the trick.

Bob

Mike Harris wrote:
> As other posts say, you have a TCP/IP issue here since you can't even ping
> the servers. I had a similar problem trying to connect to servers on a
> particular subnet using VNC and Remote Desktop over a Cisco VPN Client
> connection from home. It ended-up being a problem with the MTU size set too
> high for TCP/IP over the VPN connection.
>
> When you installed the Cisco VPN Client, it probably made an icon on the
> Start menu for "Set MTU". If not, just go to the directory where you
> installed it and find SetMTU.exe. Run that program, select the virtual
> network adapter created by the Cisco VPN Client, and select 1300 as the MTU
> size. You must re-boot for the change to take effect.
>
> "Bob Stolzman" wrote:
>
> > I am running several servers on Win2003 Server, R2 SP1 and can access
> > them with RDP when I am on the network, but am unable to do this when I
> > VPN into the network using a Cisco PIX VPN. I can access all the other
> > computers and servers on the network in this fashion, including other
> > servers running Win2003 Server SP1, but none of the servers running R2.
> > The internal addresses of the network are 192.168.42.x and when I VPN
> > in, I am assigned an IP address of 10.0.0.x. The servers return a ping
> > when I am on the network, but not when I VPN in.
> >
> > One server is running Exchange 2003, one is running NAT, and the third
> > SMTP. I have been through the security config wizard on the Exchange
> > Server with a fine tooth comb, and have turned off the Windows
> > firewall, but to no avail. The other two servers are not running a
> > Firewall.
> >
> > Any help would be greatly appreciated.
> >
> > Bob
> >
> >


 
Reply With Quote
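Added example, not part of the original thread: a small Python model of the server-side route lookup behind the fix in the last post, showing why replies to VPN clients were lost until a route for the VPN pool was added. The router and NAT server addresses, the client addresses and the /24 size of the VPN pool are assumptions; the thread gives only 192.168.42.x and 10.0.0.x.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread).
ROUTER = "192.168.42.1"      # hypothetical LAN router that can reach the PIX VPN pool
NAT_SERVER = "192.168.42.2"  # hypothetical NAT server the affected servers use as gateway
VPN_POOL = "10.0.0.0/24"     # "10.0.0.x" in the thread, assumed to be a /24
ON_LINK = "on-link"          # destination is on the local segment, no gateway needed

# Routing table of an affected server: local subnet plus default route via the NAT server.
AFFECTED = [("192.168.42.0/24", ON_LINK), ("0.0.0.0/0", NAT_SERVER)]

# Routing table of a server that worked over the VPN: default route via the router.
WORKING = [("192.168.42.0/24", ON_LINK), ("0.0.0.0/0", ROUTER)]

# Affected server after the fix: a more specific route for the VPN pool via the router.
# Windows equivalent (router IP is a placeholder, /24 mask is assumed):
#   route -p add 10.0.0.0 mask 255.255.255.0 <router-ip>
FIXED = AFFECTED + [(VPN_POOL, ROUTER)]


def next_hop(routes, dest):
    """Longest-prefix match: gateway of the most specific route covering dest, or None."""
    addr = ipaddress.ip_address(dest)
    best_net, best_gw = None, None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gateway
    return best_gw


def reply_returns(routes, client):
    """True if the server's reply is delivered locally or handed to the router.

    A reply handed to the NAT server leaves by a path that does not lead back
    into the VPN tunnel, so the client sees a timeout even though the request arrived.
    """
    return next_hop(routes, client) in (ON_LINK, ROUTER)


def diagnose(client):
    """Return {table name: reply reaches client} for the three routing tables."""
    tables = {"affected": AFFECTED, "working": WORKING, "fixed": FIXED}
    return {name: reply_returns(routes, client) for name, routes in tables.items()}


if __name__ == "__main__":
    for label, client in (("LAN client", "192.168.42.50"), ("VPN client", "10.0.0.7")):
        print(label, client, diagnose(client))
```

The model also shows why the Windows firewall, port and MTU checks could not help: the request reaches the server in every case, and only the reply path differs.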
 
 
 