Offer remote assistance to a VPN client

  • Question

  • I'm working with TMG and a Windows 7 VPN client connected via L2TP.

    If the client is connected to the LAN I can offer remote assistance to it no problem, but when connected to the VPN I am unable to connect. As a test, in TMG I've tried allowing all outbound traffic both ways, internal to VPN clients and VPN clients to internal, but I am still seeing the problem. In the monitor, I see some RPC connects and disconnects, but no denials. Anyone else have this working?

    Tuesday, September 28, 2010 6:39 PM

Answers

  • Remote assistance uses DCOM from memory, so you may need to disable the 'Strict RPC Compliance' option on your outbound firewall policy rules related to VPN client management traffic...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by ZorkFan Wednesday, September 29, 2010 1:52 PM
    • Unmarked as answer by ZorkFan Friday, October 1, 2010 2:33 PM
    • Marked as answer by ZorkFan Friday, October 1, 2010 2:36 PM
    • Unmarked as answer by ZorkFan Friday, October 1, 2010 4:18 PM
    • Marked as answer by ZorkFan Wednesday, October 6, 2010 5:58 PM
    Tuesday, September 28, 2010 11:39 PM

All replies

  • Local Windows Firewall configuration?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, September 28, 2010 7:18 PM
  • Hi Jason,

    I turned the client firewall off just to make sure it was not causing the problem and got the same results.

    What's strange is... if I try to connect using the host name, it fails immediately... but if I try to connect using the IP it gets further, but never prompts on the client end and eventually times out. I am able to use RDP, hit the admin share, etc... It seems to be directly related to something remote assistance is doing.

    Tuesday, September 28, 2010 7:48 PM
  • Hi Jason,

    'Strict RPC Compliance' was indeed the culprit. Thanks again!

    • Edited by ZorkFan Wednesday, September 29, 2010 3:16 PM
    Wednesday, September 29, 2010 1:52 PM
  • Cool!
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, September 29, 2010 2:32 PM
  • Unfortunately, I was wrong about 'Strict RPC Compliance' being the solution. It is very inconsistent, and only works sporadically. For testing I have created a rule that allows all outbound traffic from internal to VPN clients and have 'Strict RPC Compliance' disabled. I do not see any denials in the monitor. Any other ideas?

    Friday, October 1, 2010 4:23 PM
  • Well, it looks like it is probably unrelated to TMG as it performs the same using a Cisco VPN solution. Thanks for your help.
    Wednesday, October 6, 2010 5:59 PM
  • No problem!
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 6, 2010 11:01 PM