W2008 R2 x64 - RDP - clients cannot connect from another subnet!

  • Question

  • Hi all,

    I have a new server with Windows Server 2008 R2 Enterprise x64. Only computers (XP/Vista/W2003) from the same subnet (192.168.0.x/255.255.255.0) can establish a connection! Other users from the branch office - obviously another subnet - cannot connect!

    Why???

    I read the following post (http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/2429ff4d-0211-44a9-9361-6208d92ac3ca) saying that RDP on W2008 blocks connections from other subnets to prevent 'Man In the Middle' attacks.
    How do I enable it to receive connections from other subnets??

    How to fix!?!?!?


    ** I have only one NIC and WINDOWS FIREWALL service is disabled.
    ** I can ping each other between subnets
    Friday, March 12, 2010 11:04 PM

All replies

  • Hi!

    I don't think it has anything to do with the RD Server itself because clients from the same subnet can connect. The first thing I would look at is the routing. If you can ping the server from a machine on another subnet, it will not be the routing itself. Maybe there is a FW in between which blocks RDP or port 3389? I would look for a firewall in the way. Are you sure that the RDP protocol is routed correctly?

    Let us know if you need further help!

    kr,
    Andreas
    Monday, March 15, 2010 7:13 AM
  • Andreas,

    Thanks for your reply, but all PCs located at the other offices can access other W2003 R2 TS servers... So, the problem is not a firewall or a block on TCP 3389...
    The only server that cannot be accessed from another subnet is this one with W2008R2 with the TS role enabled.

    --------------------------------------
    I think that this problem is related to TS (like Man In the Middle attack prevention), because another server with W2008R2 - with RemoteDesktop = Enabled but without the TS role - can be accessed from another subnet like a charm!!
    --------------------------------------

    * I'm still waiting for a fix...

    tks,

    Renato Pereira
    Monday, March 15, 2010 1:22 PM
  • The problem is NLA. See what happens if you turn off NLA on the R2 server in the RDP-tcp properties General tab in the RD Session Host Configuration tool (right click on RDP-tcp, pick Properties...)

    See if that works.
    Hope this helps,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!) 

    I finally started my blog: blog.kristinlgriffin.com
    Wednesday, March 17, 2010 10:27 PM
    Moderator
  • The checkbox “Allow connections only from computers running Remote Desktop with Network Level Authentication” is clear and unavailable to modify...

    Why???
    • Proposed as answer by Renato Jr Monday, June 14, 2010 5:51 PM
    Monday, June 14, 2010 5:46 PM
  • The problem is related to network routing, only to this server!!!

     

    I posted a new thread about this problem:

     

    Wk28 R2 Ent (TS SERVER) - not routing to SUBNET but routing to internet (linux firewall)... Why
    http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/22005618-8f33-43e6-8f04-b7aba75d420a

    • Proposed as answer by Renato Jr Friday, June 18, 2010 3:22 PM
    Friday, June 18, 2010 3:22 PM
  • On the 2008 terminal server/Remote Desktop server, if you do a "route print" at the command prompt, are the other subnets routable from the server?

    If you do not have valid routes to these subnets to a valid gateway, you can get this issue.

    To fix, "Route Add -p X.X.X.X mask Y.Y.Y.Y W.W.W.W"

    X.X.X.X is the subnet IP network address

    Y.Y.Y.Y is the subnet mask for that network

    W.W.W.W is the gateway at the terminal server end.

     

    Thanks 


    Michael Jenkin (Mickyj) www.mickyj.com (Community website) *5 times Microsoft MVP award winner *MacWorld Australia contributor *APAC Vice Chairman Culminis (Pro IT User group support system) *Director Business Technology Partners Microsoft Small Business Specialist
    Monday, June 21, 2010 3:48 PM
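
An added example, not part of any poster's reply: a Python check that reads pasted `route print` output, finds which route the server would use for replies to a branch subnet, and builds the `route add -p` command from the last reply when only the default route matches. The sample route table, the branch subnet 192.168.1.0/24 and the gateway 192.168.0.254 are constructed values, and it assumes the default gateway does not forward to the branch subnet.

```python
import ipaddress

# Constructed sample of the IPv4 part of `route print` output (not from the thread).
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.10    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.10    266
     192.168.0.10  255.255.255.255         On-link      192.168.0.10    266
Persistent Routes:
  None
"""

def parse_active_routes(text):
    """Return (network, gateway, metric) for each IPv4 active-route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skips headers and 4-column persistent rows
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            routes.append((net, fields[2], int(fields[4])))
        except ValueError:  # not an IPv4 destination/netmask/metric row
            continue
    return routes

def best_route(routes, client_ip):
    """Longest-prefix match, lowest metric as tie-break."""
    addr = ipaddress.ip_address(client_ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def check_return_path(text, branch_subnet, branch_gateway):
    """Report the route used for replies to branch_subnet and a fix if needed."""
    net = ipaddress.ip_network(branch_subnet)
    route = best_route(parse_active_routes(text), str(net.network_address + 1))
    specific = route is not None and route[0].prefixlen > 0
    fix = None if specific else (
        f"route add -p {net.network_address} mask {net.netmask} {branch_gateway}")
    return {"gateway": route[1] if route else None, "specific": specific, "fix": fix}

if __name__ == "__main__":
    # 192.168.1.0/24 and 192.168.0.254 are constructed values for the example.
    print(check_return_path(SAMPLE, "192.168.1.0/24", "192.168.0.254"))
```

A result with `specific` set to False means replies to the branch subnet leave through the default gateway; after adding the route, rerun the check on fresh `route print` output to confirm the gateway it reports.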