Cannot connect to Remote Desktop from a remote client using VPN (but VPN tunnel is okay)

Post by Alan » Wed, 29 Mar 2006 13:16:47



Hi All,

I am having trouble with a specific remote user not being able to
establish an RDP connection through a VPN.

Our remote users connect to our server using the VPN, and then run a
Remote Desktop session (or TS session as appropriate) and this works
fine. However, I have one user who has just gone on maternity leave
who needs to be able to do this, and we are having problems.

The VPN connection works fine, and I can see her client connected via
VPN in the ISA Server Management console (Monitoring tab). However,
when she tries to initiate the RDP connection it fails every time.

She is running WinXP SP2 (Home edition), and we are running SBS 2003
Premium / ISA Server 2004. I have other people also connecting using
the same setup and it is all fine for them. Could it be something
about her broadband router? If the VPN (tunnel?) is established,
shouldn't everything else work fine automatically through that tunnel?

I have pasted the output from her PC from an "ipconfig /all" command
below (bottom).

Thanks for any ideas you may have!

Alan.
--

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:

XXXX@XXXXX.COM

This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb




+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



Windows IP Configuration

Host Name . . . . . . . . . . . . : FamilyPC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : [Mac Address Removed for Posting to Usenet]
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : [DNS IP Removed for Posting to Usenet]
Lease Obtained. . . . . . . . . . : Tuesday, 28 March 2006 9:46:27 a.m.
Lease Expires . . . . . . . . . . : Tuesday, 28 March 2006 9:51:27 a.m.


+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Post by Robert L » Wed, 29 Mar 2006 14:33:55

Assuming she can ping the remote desktop, it could be the MTU issue. These links may help:

Can't access RDC over VPN I would check the MTU first. Or check this link: vpn drop connection ... Then he can use RDC over VPN. Related Topics. How to change MTU ... ...
www.chicagotech.net/Q&A/vpn47.htm


vpn drop connection The both offices can browse over the VPN without problem. ... VPN client to the Server. Resolution: modify the MTU. Related Topics. How to modify the MTU ...
www.chicagotech.net/vpnissues/vpndorp1.htm



Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Alan" < XXXX@XXXXX.COM > wrote in message news: XXXX@XXXXX.COM ...

Post by Joe » Thu, 30 Mar 2006 02:53:57


Your ipconfig shows 'DNS removed'. Which means you're not using the
SBS for DNS. Which means all kinds of things won't work. Set the VPN
connection to get its DNS from the server, rather than a manual
setting. This will override while the link is up, but allow the
computer's NIC DNS settings to work otherwise.

The remote end router should not need configuration for a VPN to be
initiated through it, and even a domestic one really ought to be capable
of handling the GRE protocol.

Post by Alan » Thu, 30 Mar 2006 12:20:38


Hi Robert,

I checked and the VPN connection is made (according to both the client
and the ISA Server 2004), but she cannot ping the Terminal Server
(either as 10.0.0.5 or as FandPServer).

Is there another direction of inquiry I can make?

Thanks,

Alan.


Post by Leonid S. » Fri, 31 Mar 2006 17:49:26

"Alan" < XXXX@XXXXX.COM > wrote in message
news:u2r% XXXX@XXXXX.COM ...

Alan,

Is the user's local network by chance also numbered starting with 10? If so,
the VPN connection never gets used because it has a very broad netmask of
255.0.0.0 that tells the local machine not to route the traffic over the VPN,
because that traffic is local as far as this netmask is telling it. The 255
portion of the netmask tells the TCP stack that 10.0.0.0/8 is the network
address and 1.1.1 is actually the host address. Yes, host addresses can be
longer than the 8 bits you are used to in the 192.168.x.0/24 networks.

In other words...

10.1.1.1 is my local gateway
10.1.1.3 is my local IP
24.x.x.x is my VPN server

So far, the 10.1.1.3 client sees the VPN server on the separate network, so
it connects to it and authenticates to it.

Here is what happens next!

10.0.0.5/8 is what you think is an entirely different network (after all,
10.0.0.0/24 is different from 10.0.1.0/24, right?) - while in fact it is on
the same network because 10 is the network number, not 10.0.1 or 10.0.2. You
have a host address of 1.1.3 trying to contact a host at 0.0.5 on the same
network, which means that the traffic never has to go through the VPN. This
would be like 192.168.1.3/24 trying to reach 192.168.1.5/24 - you would not
expect that to go over a VPN, right?

By the way, that 255.0.0.0 netmask means that 2^24-1 hosts can be on that
network, which equals 16,777,215 machines that don't have to talk to each
other over a VPN. That -1 is due to the broadcast address. Those who argued
that the number should be -2 don't know about the "ip subnet-zero" Cisco
command that has been on by default since the IOS 12 release train.

The entire base of Comcast cable subscribers who have IP addresses that
begin with 24 are on the same 24/8 network because there are fewer
than 16.8 million of us. My current Comcast netmask is 255.255.248.0, which
means that my network address is 21 bits long and that there are 2046 (2^11)
IP addresses (based on an 11-bit host address) on my local network. A 24-bit
network address would indicate that only 8 bits are available for a host
address (the total IPv4 address is 32 bits), which makes a maximum of 256
hosts on my local network.

So when I ping 10.0.0.5/8 from 10.1.1.3/8 instead of rerouting that traffic
as foreign over VPN, my system thinks it's local so it looks for the machine
on my local home network instead.

THE FIX

Your solution, should you want to stay with the 10/8 network range is to
apply a netmask of 255.255.255.0 or stricter such as 255.255.255.240 for
example (don't try this as it's quite restrictive).

BETTER SOLUTION

Get back to the 192.168.x.0/24 network range. You will need to run the
Change IP wizard on SBS and then the CEICW wizard to reconfigure your DHCP
scope. I number my clients networks by the 3rd octet in sequential order
starting at 17. This is so I can login to multiple networks through VPNs.
When you want to maintain VPNs to multiple clients at the same time, this
gets to be really handy.

Why can't you people keep things simple with 192.168.x.0/24 segmented
networks that automatically assign correct 24-bit IP netmasks...?

IMPORTANT NOTE

Never ever make your office network 192.168.0.0/24 or 192.168.1.0/24 as
those are default ranges for home networks and will bring you a lot of pain
as users attempt to connect throug
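The on-link decision Leonid describes, as an added example that is not part of the thread: given the client's address and mask from the ipconfig above, it reports whether 10.0.0.5 is treated as a neighbour on the home LAN or handed to the tunnel. The two-entry routing table and the "use default gateway on remote network" setting are constructed assumptions for illustration.

```python
import ipaddress


def is_on_link(local_ip: str, netmask: str, dst_ip: str) -> bool:
    """True when the client's own address/mask place dst_ip on its local LAN,
    so the stack will ARP for it locally instead of forwarding it anywhere."""
    iface = ipaddress.ip_interface(f"{local_ip}/{netmask}")
    return ipaddress.ip_address(dst_ip) in iface.network


def vpn_client_route(local_ip: str, netmask: str, dst_ip: str) -> str:
    """Longest-prefix match over a constructed two-entry table modelled on a
    dial-in VPN client: the LAN's on-link route plus a default route over the
    tunnel (assumes 'use default gateway on remote network' is enabled).
    Returns 'lan' or 'vpn' depending on which entry wins for dst_ip."""
    lan = ipaddress.ip_interface(f"{local_ip}/{netmask}").network
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "vpn"),  # default via the tunnel
        (lan, "lan"),                                # directly connected LAN
    ]
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, via) for net, via in table if dst in net]
    # The most specific (longest) prefix wins: a /8 on-link entry beats the
    # /0 default, which is exactly why 10.0.0.5 never reaches the tunnel.
    return max(matches)[1]


def netmask_host_bits(netmask: str) -> int:
    """Host bits a dotted-quad netmask leaves free (32 - prefix length)."""
    return 32 - ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


if __name__ == "__main__":
    client, server = "10.1.1.3", "10.0.0.5"  # addresses quoted in the thread
    for mask in ("255.0.0.0", "255.255.0.0", "255.255.255.0"):
        print(f"mask {mask:<15} on-link={is_on_link(client, mask, server)!s:<5} "
              f"route={vpn_client_route(client, mask, server)} "
              f"host bits={netmask_host_bits(mask)}")
```

On the client itself, `route print` shows the real table; the 10.0.0.0/8 on-link entry is the one that beats the tunnel's route while the /8 mask is in place.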

Post by Alan » Sat, 01 Apr 2006 05:41:44

"Leonid S. Knyshov" < XXXX@XXXXX.COM > wrote in
message news: XXXX@XXXXX.COM ...


WOW!!!

I have just read your post three times and I am truly impressed.

I will give it a go, and post back with a success (or otherwise)
report.

Thanks,

Alan.


Post by Alan » Fri, 07 Apr 2006 19:30:10

"Leonid S. Knyshov" < XXXX@XXXXX.COM > wrote in
message news: XXXX@XXXXX.COM ...

Hi Leonid,

You were bang on - the issue is that the client has an IP address
locally of 10.1.1.3 and a subnet mask of 255.0.0.0.

Therefore, when the VPN connection is made, and it goes looking for
10.0.0.5 it is looking on its local area network, rather than using
the VPN connection.

My next question is therefore, how do I change the subnet mask on that
client to, say, 255.255.0.0 (or 255.255.255.0)?


As a note, I need to keep our business LANs as they are since I have
two isolated LANs (totally isolated subnets) behind a single router
that routes traffic according to the subnet (LAN1 is a 10.0.0.0/24
network and LAN2 is a 192.168.0.0/16 network).

Thanks again!

Alan.