

Remote Desktop Services over NAT

Question

Thursday, April 14, 2011 7:01 PM

Hello.

This is the scenario: there are two remote desktop servers, both behind the same static IP. To distinguish them I was given a different external port, NATed to the corresponding internal server IP. To make it clearer:

RDS1> 10.10.10.1:3389 (internal) <--NAT--> 195.48.12.34:3389

RDS2> 10.10.10.3:3389 (internal) <--NAT--> 195.48.12.34:3390

That was given by my ISP. I have no control over the external IPs or the router.

 

Now when dialing RDS1 either by IP or Socket, locally or remotely,  all is good.

RDS2 is OK when it is dialed from the LAN but fails to reply when it is dialed over the Internet. I would like some help to identify where the problem is. Is it configuration I need to make, or is it the ISP that should check their configuration?

Thank you in advance.

All replies (23)

Monday, April 18, 2011 4:23 PM ✅ Answered

Problem solved.

The cause was an access list per internal host (in the ISP router) blocking outgoing traffic to all private ports (49152+). So when a remote host initiated an RDP request (normally using a private port) and the server used that same port to send the reply back, it was blocked by the router's firewall.

Ace - If I had changed the IP as you suggested it would have worked (RDS1 was already allowed through the ACL) ;-)

Thanks both for your help.
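The accepted answer above pins the failure on a stateless, per-host egress ACL that denies every destination port in the dynamic range. The following is an added illustration, not code from the thread or from the ISP's router: it models that ACL against the three-way handshake the poster captured, and contrasts it with a connection-tracking (stateful) egress rule that recognises the SYN,ACK as a reply to a connection opened from outside. The client address 79.0.0.1 and the helper names are constructed for the example.

```python
"""Added illustration (not from the thread): a stateless per-host egress ACL that
denies every destination port in the dynamic range (49152+) silently breaks
inbound connections through NAT, because the server's SYN,ACK is addressed to
the client's ephemeral source port. A stateful rule that tracks connections
opened from outside does not have this problem."""
from dataclasses import dataclass

EPHEMERAL_START = 49152  # IANA dynamic/private range; Windows Vista and later pick client ports from here


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})


def stateless_egress_permits(pkt: Packet, allowed_hosts=frozenset()) -> bool:
    """Model of the ACL described in the accepted answer: per internal host, outgoing
    packets to any dynamic-range destination port are denied. Hosts listed in
    allowed_hosts (RDS1 in the thread) are exempt."""
    if pkt.src_ip in allowed_hosts:
        return True
    return pkt.dst_port < EPHEMERAL_START


class StatefulEgressFilter:
    """Connection-tracking alternative: an inbound SYN to a forwarded port creates a
    flow entry, and any outbound packet that belongs to that flow is permitted."""

    def __init__(self, forwarded_ports):
        self.forwarded_ports = set(forwarded_ports)
        self.flows = set()  # (client_ip, client_port, server_ip, server_port)

    def ingress(self, pkt: Packet) -> bool:
        if pkt.flags == {"SYN"} and pkt.dst_port in self.forwarded_ports:
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.flows

    def egress(self, pkt: Packet) -> bool:
        # A reply belongs to the flow keyed on the client side of the connection.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def handshake_steps(server_ip, client_port, mode, allowed_hosts=frozenset()):
    """Run the three-way handshake from an external client (the router has already
    NATed it to server_ip:3389) and return the handshake steps that got through.
    mode is "stateless" (the ISP's ACL) or "stateful" (connection tracking)."""
    client = "79.0.0.1"  # constructed address standing in for the thread's anonymised external host
    syn = Packet(client, client_port, server_ip, 3389, frozenset({"SYN"}))
    syn_ack = Packet(server_ip, 3389, client, client_port, frozenset({"SYN", "ACK"}))
    ack = Packet(client, client_port, server_ip, 3389, frozenset({"ACK"}))
    if mode == "stateful":
        f = StatefulEgressFilter([3389])
        checks = [(syn, f.ingress), (syn_ack, f.egress), (ack, f.ingress)]
    else:
        # Inbound packets are NATed and reach the server (Wireshark on RDS2 showed
        # the SYN arriving); only the server's outgoing reply is filtered.
        checks = [(syn, lambda p: True),
                  (syn_ack, lambda p: stateless_egress_permits(p, allowed_hosts)),
                  (ack, lambda p: True)]
    passed = []
    for pkt, check in checks:
        if not check(pkt):
            break
        passed.append("+".join(f for f in ("SYN", "ACK") if f in pkt.flags))
    return passed


if __name__ == "__main__":
    print("RDS2, stateless ACL:      ", handshake_steps("10.10.10.3", 60165, "stateless"))
    print("RDS1, stateless, exempt:  ", handshake_steps("10.10.10.1", 60165, "stateless", frozenset({"10.10.10.1"})))
    print("RDS2, stateful filter:    ", handshake_steps("10.10.10.3", 60165, "stateful"))
    print("RDS2, low client port:    ", handshake_steps("10.10.10.3", 1024, "stateless"))
```

The last case shows why the symptom can look arbitrary: a client whose TCP stack still chose source ports below 49152 (older Windows versions did) would have connected through the same ACL, while a current client never does. On the LAN the ACL is not in the path at all, which is why the local test kept passing and the Windows-side checks (firewall profiles, RDP-Tcp session limits) could never explain the failure.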


Thursday, April 14, 2011 7:20 PM

When accessing RDS2 from the internet you will have to specify the port where it does not use the default. Are you doing so?

such as  mstsc -v:195.48.12.34:3390

or  mstsc -v:server2.mydomain.com:3390

Rob Williams


Thursday, April 14, 2011 8:00 PM

Hello Rob.

Yes I dial with the port (195.48.12.34:3390).

What puzzles me is that this server, when accessed from the LAN, responds just fine. So the service is up and running.

If the ISP configuration is correct, when I call the router IP / port 3390 I should be forwarded to RDS2 / port 3389. That's what the NAT rule states.

Confusing, ain't it? :-P


Thursday, April 14, 2011 9:17 PM

Odd. If you log onto RDS2 and go to http://www.canyouseeme.org and test for port 3390, does it show as open?

Rob Williams


Friday, April 15, 2011 10:21 AM

I can not troubleshoot directly on the Server because I connect to it via NAT.

RemotePC rdp> ISP private routerNAT>internal network Server

 

Let me put it in detail:

I am home and want to access my server, so I use the "RemotePC" initiate an rdp session, to our company's router which is provided and managed by our ISP (ISP private router) and then the router translates my "call" (via NAT) to the internal machine that the NAT rule states.

For example in the case of 195.48.12.34:3389, I am forwarded to 10.10.10.1:3389 and the remote desktop service "answers" my request fine.

But the 10.10.10.1 machine has another PUBLIC IP (82.38.148.202), thus it is not directly controllable from the outside. In any scenario I need to "call" the router first.

Sorry for the excessive detail but the site you gave me recognizes (correctly) the Public IP of the server machine, which finds the ports closed (even for RDS1).


Friday, April 15, 2011 3:33 PM

It sounds like either 3390 has not been opened and allowed for 195.48.12.34 to go to 10.10.10.3, or the port translation in NAT was incorrectly created. It also appears possible that the firewall/NAT device may not be able to handle the translation from 3390 to 3389; possibly it may be looking at it as a conflict. But I am not sure, it all depends on the firewall device and its feature set.

You could remote into one server, then remote into the other after you've connected to it. I do this with my customer sites where I remote into one machine, then remote into the others as needed.

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Friday, April 15, 2011 5:03 PM

Hey Ace :-)

Well the two machines are both DCs (RDS2 is Replica) and configuration on the RDS2 is factory, except of course the RDS enable.

What puzzles me is that if it was a windows policy then the machine shouldn't answer when rdp called, locally, right?

Today I called the ISP to see if the 3390 to 3389 NAT works and had them put this rule:

195.48.12.3:3390 NAT> 10.10.10.1:3389 (practically RDS1)

it worked :-S

So now I am supposed to check the RDS2 configuration, but I am in the dark. I am possibly missing something but can't figure it out.

This is supposed to be further configured as a RemoteApp server, so company users in other locations have access to our programs.


Friday, April 15, 2011 7:18 PM

Have you tried disabling the Windows firewall as a test? The default RDP exception usually only allows connections from the local LAN. If this is seen as a public/external connection the firewall will block access until you reconfigure it.

Rob Williams


Friday, April 15, 2011 7:29 PM

Hello Rob, yes, already did that. All firewall profiles are disabled as we speak.

Please help me with this. If I can RDP through the LAN, shouldn't I be able to do the same over the Internet? Windows configuration speaking.

Thanks.


Friday, April 15, 2011 8:35 PM

Yes if LAN access is possible, any software firewalls are disabled, and NAT/Port forwarding is properly enabled you should be able to access. It still sounds like an external routing issue between the Modem and NAT router configuration.

 

You are certain they did translate the port correctly:

195.48.12.3:3390 NAT> 10.10.10.1:3389

not 195.48.12.3:3390 NAT> 10.10.10.1:3390

Rob Williams


Friday, April 15, 2011 8:54 PM

I know it gets confusing so please bear with me :-)

The proper configuration is:

RDS1> 10.10.10.1:3389 <--NAT--> 195.48.12.34:3389

RDS2> 10.10.10.3:3389 <--NAT--> 195.48.12.34:3390

practically changing only the external port to define the internal host.

 

To test if it was a NAT translation problem, we deleted one rule and left only this:

10.10.10.1:3389 <--NAT--> 195.48.12.34:3390

so calling port 3390 from outside and translating to RDS1 (3389), which already worked - and it did.

 

Maybe I should do the same for RDS2 to see if it is a NAT conflict issue as Ace suggests. I might do this, because this is really weird.

 

Rob - thanks for verifying my thoughts, because these "hybrid administration scenarios" are what can drive you crazy with ease :-)

Yes I am certain because I asked the NAT configuration in e-mail.


Friday, April 15, 2011 9:31 PM

It is very odd. Though this is a common configuration, I wonder if your router cannot support the same protocol on two ports? Just a thought.

Rob Williams


Friday, April 15, 2011 10:13 PM

JSOF,

I agree with Rob that this should work, but it may be the NAT device just can't handle it and thinks it's a conflict. What type of device is it? Have you searched on that type of device if it supports this type of config?

 

Ace Fekay


Saturday, April 16, 2011 12:24 AM

It's this one and it says it supports NAPT in its datasheet. Now, whether it can handle the same protocol over two ports is a question for experts and I plan to ask them tomorrow.

Still I thought of this: Let's assume that there is a conflict in the NAT table config for rdp.

1. I initiate a remote session to RDS1, the router NATs my request to the internal server (working scenario).

At the same time I initiate a second RDP session to RDS2. It is unclear up to now, but this is NOT working. Should it work? Probably yes.

 

2. Now if I wait for some time (for the rdp session to  RDS1, to close) shouldn't I be able to access RDS2? Since only one active rdp session exists and doesn't conflict? >tested NOT working either.

 

3. If we delete the RDS1 NAT rule and let only the RDS2 rule, what should be the outcome? > remains to be seen :-)

 

...to be continued


Sunday, April 17, 2011 5:16 PM

It's not about NAT :-/

Running Wireshark on RDS2 the request from the external host arrives normally.

127    11.228839000    79.xxx.xxx.xxx (external host)    10.10.10.3    TCP    60165 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1388 WS=8 SACK_PERM=1

128    11.228934000    10.10.10.3    79.xxx.xxx.xxx    TCP    ms-wbt-server > 60165 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1

I can record three sequences of the above frames and then get an rdp error on the remote computer.

It seems that the service doesn't reply. But why?

Checked the RDP-tcp properties:

it is configured for administration at the moment, and allowing 2 sessions, so even if I am logged in locally, I could simultaneously rdp externally.

I am really confused.


Sunday, April 17, 2011 5:53 PM

I'm not sure where the issue is, but it seems that when the machine is replying to the session, the router is not re-translating it back to 3389 to the original requestor. Not sure, and maybe contacting the router vendor or experts, as you mentioned earlier, may be helpful.

Have you thought about just changing the RDP port on that one machine to 3390 and use the connection method you've been using, mstsc -v:195.48.12.34:3390?

Ace

 

Ace Fekay


Sunday, April 17, 2011 7:16 PM

I'm not sure where the issue is, but it seems that when the machine is replying to the session, the router is not re-translating it back to 3389 to the original requestor. Not sure, and maybe contacting the router vendor or experts, as you mentioned earlier, may be helpful.

Have you thought about just changing the RDP port on that one machine to 3390 and use the connection method you've been using, mstsc -v:195.48.12.34:3390?

The request comes from ext.host:60165, calling 195.48.12.34:3390 (router), which NATs to RDS2:3389 (internal). Then a connection between RDS2:3389 and ext.host:60165 should be initiated directly.

*Sorry for the detail but I want to be sure I am not misunderstanding something.

In fact I thought of that and we already tried it, to no result. :-/
I am in contact with the ISP as we speak. They also find it very strange and verified that they have done this setup (two different ports, same protocol) many times.

Thanks Ace.


Sunday, April 17, 2011 10:45 PM

Just to confirm, where the packet is being received but there is no reply, does the RDS2 server have the same gateway assigned as the RDS1 server?

Rob Williams


Monday, April 18, 2011 2:45 AM

 

Rob yes, same gateway.

Running Wireshark on the remote PC, I noticed when comparing two negotiations, one to RDS1 (successful) and one to RDS2 (failed), that the difference is:

4    2.507980    192.168.1.89    195.48.12.34    TCP    49409 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1

From here the following frames are recorded for RDS1 only

5    2.558981    195.48.12.34    192.168.1.89    TCP    ms-wbt-server > 49409 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1388 WS=8 SACK_PERM=1

6    2.559049    192.168.1.89    195.48.12.34    TCP    49409 > ms-wbt-server [ACK] Seq=1 Ack=1 Win=66624 Len=0

7    2.559675    192.168.1.89    195.48.12.34    X.224    Connection Request (0xe0)

8    2.615747    195.48.12.34    192.168.1.89    X.224    Connection Confirm (0xd0)

9    2.822223    192.168.1.89    195.48.12.34    TCP    49409 > ms-wbt-server [ACK] Seq=20 Ack=20 Win=66604 Len=0 (> connection starts)

 

As if the remote host never receives a reply from RDS2. Strange.

Still the machine is the same in both cases and event viewer both in remote host and RDS2 doesn't log anything!


Monday, April 18, 2011 4:31 AM

Swap the two servers IP address and retest. If it does the same on the swapped machine, then it's a router issue.

Ace

Ace Fekay


Monday, April 18, 2011 1:38 PM

Ace thanks this is a good idea ;-)

Still, I'd prefer to take this step as a last-resort measure, because it would cause a small mess in the AD DS, DNS and DHCP services. These are production machines so I need to be careful.

To exclude any possibility of an RDS or Windows problem, I installed UltraVNC, called my ISP and opened the relevant port. Playing a bit more with Wireshark on the server while trying a VNC call, I noticed that:

- the initial SYN message from the remote host, is delivered to the server - so NAT is working

- the server is immediately returning a SYN,ACK - so the service is up and working fine

but this 2nd datagram is never received by the remote host, so the handshake never gets completed, hence the session doesn't (normally) initiate.

So something must be blocking or not transporting this "message" to the destination it is supposed to reach.

 

Thanks for your support so far.
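The two captures in this thread, the server-side one (Sunday 5:16 PM, SYN arrives and SYN,ACK is sent) and the client-side one (Monday 2:45 AM, SYN sent and nothing comes back), together isolate the fault to the return path, exactly as the post above concludes. The following is an added example, not code from the thread: it reads Wireshark-style frame summary lines of the form quoted here and classifies each TCP handshake as established, unanswered, or answered-but-never-acknowledged, so the same comparison can be made mechanically on a larger capture. The sample lines are constructed to mirror the frames quoted in the thread; the function and constant names are the example's own.

```python
"""Added example (not from the thread): classify TCP handshakes in Wireshark-style
summary lines to spot the pattern seen on this page, a SYN that is answered on the
server side but whose SYN,ACK never reaches the client."""
import re
from collections import OrderedDict

# Wireshark frame list columns: No. Time Source Destination Protocol Info.
# An optional "(note)" after Source is tolerated because the thread's capture carries one.
FRAME_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)(?:\s+\([^)]*\))?"
    r"\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
TCP_INFO_RE = re.compile(r"^(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[A-Z, ]+)\]")
SERVICE_PORTS = {"ms-wbt-server": 3389}  # Wireshark resolves TCP 3389 to this service name


def port_number(name: str) -> int:
    return SERVICE_PORTS.get(name) or int(name)


def analyze_handshakes(lines):
    """Return an ordered map {(client_ip, client_port, server_ip, server_port): (state, syn_count)}.
    state is ESTABLISHED, NO_REPLY (only SYNs seen) or REPLY_UNACKED (SYN,ACK sent, no ACK)."""
    flows = OrderedDict()
    for line in lines:
        m = FRAME_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue  # X.224 and other protocols ride on an already established flow
        t = TCP_INFO_RE.match(m["info"])
        if not t:
            continue
        flags = {f.strip() for f in t["flags"].split(",")}
        sport, dport = port_number(t["sport"]), port_number(t["dport"])
        if flags == {"SYN"}:                 # client opens (or retransmits) the connection
            key = (m["src"], sport, m["dst"], dport)
            st = flows.setdefault(key, {"syn": 0, "syn_ack": 0, "ack": False})
            st["syn"] += 1
        elif flags == {"SYN", "ACK"}:        # server answers; key it from the client's side
            key = (m["dst"], dport, m["src"], sport)
            if key in flows:
                flows[key]["syn_ack"] += 1
        elif "ACK" in flags:                 # third step of the handshake (or later data)
            key = (m["src"], sport, m["dst"], dport)
            if key in flows and flows[key]["syn_ack"]:
                flows[key]["ack"] = True
    result = OrderedDict()
    for key, st in flows.items():
        state = "ESTABLISHED" if st["ack"] else ("REPLY_UNACKED" if st["syn_ack"] else "NO_REPLY")
        result[key] = (state, st["syn"])
    return result


# Constructed sample captures modelled on the frames quoted in the thread
# (the external host is anonymised there as well).
CLIENT_SIDE = """
4    2.507980    192.168.1.89    195.48.12.34    TCP    49409 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
5    2.558981    195.48.12.34    192.168.1.89    TCP    ms-wbt-server > 49409 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1388 WS=8 SACK_PERM=1
6    2.559049    192.168.1.89    195.48.12.34    TCP    49409 > ms-wbt-server [ACK] Seq=1 Ack=1 Win=66624 Len=0
7    2.559675    192.168.1.89    195.48.12.34    X.224    Connection Request (0xe0)
10   9.101200    192.168.1.89    195.48.12.34    TCP    49410 > 3390 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
11   12.101300   192.168.1.89    195.48.12.34    TCP    49410 > 3390 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
12   18.101400   192.168.1.89    195.48.12.34    TCP    49410 > 3390 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
""".strip().splitlines()

SERVER_SIDE = """
127    11.228839000    79.xxx.xxx.xxx (external host)    10.10.10.3    TCP    60165 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1388 WS=8 SACK_PERM=1
128    11.228934000    10.10.10.3    79.xxx.xxx.xxx    TCP    ms-wbt-server > 60165 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
130    14.230100000    79.xxx.xxx.xxx (external host)    10.10.10.3    TCP    60165 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1388 WS=8 SACK_PERM=1
131    14.230190000    10.10.10.3    79.xxx.xxx.xxx    TCP    ms-wbt-server > 60165 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
134    20.231300000    79.xxx.xxx.xxx (external host)    10.10.10.3    TCP    60165 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1388 WS=8 SACK_PERM=1
135    20.231400000    10.10.10.3    79.xxx.xxx.xxx    TCP    ms-wbt-server > 60165 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
""".strip().splitlines()


if __name__ == "__main__":
    for label, capture in (("client side", CLIENT_SIDE), ("server side", SERVER_SIDE)):
        print(label)
        for (cip, cport, sip, sport), (state, syns) in analyze_handshakes(capture).items():
            print(f"  {cip}:{cport} -> {sip}:{sport}  {state}  ({syns} SYN)")
```

Read the two results together: a flow that is NO_REPLY at the client and REPLY_UNACKED at the server for the same client port means the SYN,ACK left the server and was lost between it and the client, which points at the egress path (here the ISP router's ACL) rather than at the NAT rule, the Windows firewall or the RDP service. A flow that is NO_REPLY on both sides would instead point at the inbound NAT or forwarding rule.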


Monday, April 18, 2011 4:18 PM

I quite understand being a prod machine.

From what you're saying, it sounds like the ports aren't being translated through your firewall.

Any possibility of changing your ISP service to multiple static IPs?

Ace

Ace Fekay


Monday, April 18, 2011 7:36 PM

Glad you figured it out! And no problem for the help!

Ace

Ace Fekay