RD works on LAN not across Internet

Guest

Running XP Pro SP2 on both host (desktop) & client (laptop). Windows Firewall
running on host, Remote Desktop enabled through System Properties and users
assigned (I've also verified that the Firewall allows exceptions and Remote
Desktop is checked, and the 'Advanced' tab shows Remote Desktop enabled and
pointing to itself by computer name).

Remote Desktop works flawlessly when connecting within the LAN.

At one time RD worked just fine across the Internet using port forwarding
through my router. Now it refuses to connect across the Internet.

I've tried numerous things, up to and including switching from cable to DSL,
rebuilding the router settings after doing a factory reset - - and even
by-passing the router and connecting the host directly to the DSL modem.

I can ping the host PC without problem, so I know I've got the correct IP
address.

I've seen suggestions for rolling the terminal services .dll on the host
back to the SP1 version. Before doing that, is there something I've missed?
For example, an MS Hotfix?
 
Sooner Al [MVP]

Well, if you can connect to the Remote Desktop host across your LAN then it's obviously an issue with
port forwarding through your firewall/NAT/router device or an addressing issue.

What router? Are you using a static IP for the PC on your LAN? Are you calling the correct public IP
for the router?

There is some troubleshooting help on this page...

http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
Guest

I was using a static IP behind the router, and yes the public IP was
verified. I have verified that the Windows Firewall's scope for Remote
Desktop includes all computers, even those with public IP addresses. No
policies have been implemented on the host. My attempted login is with an
administrator group account (actually the same account to which I login
locally).

For the last test, I physically by-passed the router altogether and connected
the host directly to the DSL modem - along with changing the host's IP
settings to fully use DHCP to access the Internet. In other words, the host
is no longer part of the LAN (and no other PC on the LAN can connect to the
Internet).

I *still* cannot make a RD connection across the Internet. Both my former
ISP (Charter Cable) and my new ISP (SBC/Yahoo DSL) claim they do not block
port 3389. However, using web-based port checking tools, my PC cannot be seen
at port 3389. I *am* able to successfully ping the public IP address of the
host across the Internet.

So, within a LAN using private IP addressing, RD works fine. Using a direct
connection to the Internet (no local router in the circuit) and public IP
addressing, RD fails.

By the way, I had also tested using the router and port forwarding to a
static private IP address (no changes from what used to work), AND disabling
all software firewall protection at the host (relied on the router's
firewall). The result was identical.

*Something* within the host simply does not like doing RD across the
Internet. I am leery of dredging up a SP1 copy of termsrv.dll - but may
experiment if no one has a better suggestion.

thanks,

Jim Johnson
 
mobief

I think I have the same problem... did somebody solve it?


"Jim Johnson - Serenity Consulting"
 
Sooner Al [MVP]

If you set up port forwarding for TCP Port 3389 on your router to the private LAN IP of the PC you
want to connect to remotely using Remote Desktop, then run this test...

http://www.canyouseeme.org/

If it fails then you have an issue with port forwarding on the router.

--

Al Jarvi (MS-MVP Windows Networking)

Guest

I have a similar problem. RD works fine within my LAN but not across the
Internet.

I turned off Windows Firewall and NIS on all computers. Going to
www.canyouseeme.org still does not see my host computer, or any other
computer for that matter. I tried forwarding the 3389 to each individual
PC and none worked.

Strange thing I see happening. Even with all the firewalls turned off, when
I run Symantec's security check everything checks as secured... how can this
be?

Eduardo
 
Guest

I have also tried canyouseeme and other web-based scanning tools with a
report that the PC cannot be seen.

Keep in mind, that I also tried connecting the RD host directly to the DSL
modem - no router involved (reconfigured IP settings naturally) with the same
result. My XP Pro PC simply does not acknowledge anything on port 3389 when
coming from a non-private IP address.

For yesterday's test, I substituted the SP1 version of termsrv.dll, and used
Zone Alarm's free firewall behind the router with port forwarding (note that
I discovered you cannot open specific ports with the free version). Web-based
scanning tools still see nothing, BUT Zone Alarm did see and warn me about
one rogue port scan for port 3389 FORWARDED BY MY ROUTER TO MY STATIC PRIVATE
IP ADDRESS.

I shut down all firewalls on my PC (relying on the router's firewall - and
knowing the router IS correctly doing port forwarding), then again tried
web-based port scans of 3389 - again, in no case was port 3389 detected from
outside my LAN.

Obviously the issue is not simply SP1 vs. SP2 of termsrv.dll - but some
deeper, greater issue in XP Pro that is blocking RD access from non-private
IP addresses.
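
Added example, not part of any poster's message: a successful ping only shows that ICMP gets through, while the web-based port checks discussed in this thread test whether a TCP connection to port 3389 completes. The sketch below makes one connection attempt and separates "open", "closed" (reset received) and "filtered" (no answer), then combines a probe run inside the LAN with one run from a machine outside it. It assumes Python 3; the names `probe_tcp`, `diagnose` and `demo` are made up for this illustration, and the demo uses a constructed loopback listener rather than a real Remote Desktop host.

```python
import errno
import socket

def probe_tcp(host, port=3389, timeout=3.0):
    """Make one TCP connection attempt and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # handshake completed: a listener answered
    except socket.timeout:
        return "filtered"      # silence: the SYN or its reply was dropped
    except ConnectionRefusedError:
        return "closed"        # reset: host reachable, nothing listening
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def diagnose(lan_result, wan_result):
    """Combine a probe run inside the LAN with one run from outside it."""
    if lan_result != "open":
        return "host: Remote Desktop is not accepting connections even locally"
    if wan_result == "open":
        return "ok: port is reachable from outside"
    if wan_result == "filtered":
        return "path: packets dropped before a listener; check forward, firewall scope, ISP"
    if wan_result == "closed":
        return "target: something answered with a reset; check where the forward points"
    return "route: address not reachable; check the public IP"

def demo():
    """Constructed local stand-in: a listener on loopback, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    stopped = probe_tcp("127.0.0.1", port, timeout=1.0)
    return listening, stopped

if __name__ == "__main__":
    print(demo())
```

The outside probe has to be run from a machine that is really outside the LAN, against the public IP address.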
 
Guest

I was finally able to be seen by "canyouseeme" tool. I just opened the 3389
port in the cable modem. I didn't have it open there; I never thought it
would make a difference. I am not using a router, I use a HPNA network and
my "host" PC is the DHCP.

Now I will try it accessing my XP Pro PC from the outside world to see if it
really works.

Eduardo
 
Guest

Please post your results.
When the trouble started I was using a D-link cable modem - it worked, then
the next time I tried it a week or so later, it didn't.

This and other reasons caused me to switch to DSL - specifically SBC/Yahoo
using the SBC supplied Speedstream 5100b PPPoE modem (no router
capabilities). This modem is currently configured to operate as a pure
DSL/ethernet bridge with all PPPoE functions controlled by a Belkin wireless
router (the XP Pro host is using a wired ethernet connection). Port
forwarding to the host IS working (see earlier message).

Everything seems to be working the same as it did with the cable connection
INCLUDING that I cannot get to the host across the Internet using Remote
Desktop. It continues to work perfectly from within the LAN.

canyouseeme.org and other web-based port scans haven't been able to see me
at all.
 
Guest

PROBLEM FIXED?:

I activated various event logs, and found this error...
ID: 20106
Source: RemoteAccess
Version: 5.2
Symbolic Name: ROUTERLOG_COULDNT_ADD_INTERFACE
Message: Unable to add the interface %1 with the Router Manager for the %2
protocol. The following error occurred: %3

Explanation
Possible causes include:

The interface type is not dedicated
The loopback and router is configured in Lanonly mode
======================
I then checked Services in the Administrative Tools and found that the
following services were in manual mode and not started:
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager

Changing these services to 'automatic' (and starting the Remote Access
services) now allows port 3389 to be seen using the web-based port scanner,
www.canyouseeme.org. Without these services running, Remote Desktop will only
work on a LAN.

How they got changed to manual and turned off in the first place is beyond me.
 
Guest

Thanks for the feedback...

Al

 
Guest

Yes it is fixed, just tested from remote location outside the LAN and Remote
Desktop is again fully operational.

As both Remote Assistance and Remote Desktop are checked to allow in System
Properties/Remote, Windows Firewall was set to allow Remote Desktop, and
Remote Desktop "suddenly" stopped working outside the LAN, I suspect one of
Microsoft's security updates turned off the Remote Access services.
 
Guest

Problem fixed. I tested it from the outside world and it worked.

It seems as if the only reason was that the network card connected to the
cable modem did not have Port 3389 open. I don't recall reading anything
regarding opening this port for the network card connected to the modem. I
remember always referring to the LAN only.

My next situation is to allow access only from one location. The person who
will be accessing my PC is using DSL and it appears as if her DSL provider
assigns a different IP address every time it connects. If that's the case I
may have to use VPN or some other tool.

Eduardo
 
Sooner Al [MVP]

That's interesting because I just looked at my XP Pro desktop and all of those services are listed
as both "Manual" and the status is "Stopped". In my case I can access my XP Pro desktop using Remote
Desktop just fine from the public internet through a SSH tunnel...

Weird...

--

Al Jarvi (MS-MVP Windows Networking)

Guest

Al,
I'll bet most VPNs will work because the remote connection appears to be
part of the local subnet; i.e., part of the LAN.

My LAN access worked fine (although I have few needs to manipulate the host
from another PC when I am sitting right next to it <g>). For the few times I
need to access my home-office PC remotely, I don't want to deal with setting
up a VPN. Remote Desktop alone has sufficient security for my needs. It was
when I was logging in across the Internet with an IP in a different subnet
that Remote Desktop would no longer work. It USED to work fine.

Without changing any of your Remote Access related services on your Remote
Desktop host, and without setting up a VPN tunnel, try launching the Remote
Desktop from outside the host's subnet.

By turning off Remote Access, Microsoft did indeed make many PCs more
secure. However, I contend that it is the rough equivalent of curing a
headache with a guillotine. The security issues would be better addressed in
the firewall through a close link between port 3389 and Terminal Services.

Jim Johnson
Serenity Consulting
 
Sooner Al [MVP]

Well, I tried without going through a SSH tunnel and I connected just fine from a remote PC. The
RDP host is a fully patched XP Pro SP2 machine on my local LAN. So, there is something else going on
here, but I can't say what.

By the way, AFAIK, SSH does not assign a local subnet IP to the remote PC when you connect. I could
be wrong about that though and need to look into that further...

Bottom line though is as long as it works for you then that's good...

Later...

--

Al Jarvi (MS-MVP Windows Networking)
