
The exact scenario where it fails: I am unable to RDP into any Windows 7 or 2008 R2 servers within a certain subnet, while connected to the network via VPN.

Windows 7 client connected through the internet via Cisco VPN Client 5.0.00.0340. I want users to be able to VPN into the network, then RDP into their own PCs to work from home. Multiple sites and subnets are involved. The fact that XP is successful leads me to believe all settings are correct, but some sort of additional security in Windows 7 and 2008 is preventing a successful connection.

In troubleshooting I changed my GPO from "Allow RDP only with Network Level Authentication", to "Allow RDP with any version" as suggested, but that did not help. I've looked at a lot of forums and haven't located the exact situation or a successful fix. I already have a GPO in place that allows RDP through Windows Firewall, I even tried disabling the firewall on a Windows 7 host.

Specifics: Site1 subnet = 10.5.0.0; Site2 subnet = 192.168.90.0; Site1 VPN subnet = 192.168.57.0. Sites are connected via an MPLS WAN link.

Routing: Admittedly, when I first connected to the VPN I was unable to even ping any of Site2. Adding the appropriate MPLS gateway to the routing table of the client fixed this. In any case, I can RDP into XP machines at Site2, so why not Win7/2008? Yet I am able to RDP into Win7/2008 at Site1 just fine. This doesn't add up to me. Ideas? Need more info, just ask.

edit: RDP failure specifics = It asks for credentials, then attempts to connect, hangs for a long time, then gives the error "An internal error has occurred".

Nate
  • As a start, try connecting from a computer in the same subnet to rule out routing and the MPLS connection as the problem. – joeqwerty Jan 28 '15 at 18:00
  • The issue is that the VPN connection is a different subnet. There is no way for me to try within the same subnet while connected via VPN. If you are asking whether RDP works from within the same subnet, and not connected to VPN, then the answer is yes, but that is not the issue anyway and would prove nothing in the way of routing. Also, can't it be said that routing is not an issue because I can connect to XP just fine? – Nate Jan 28 '15 at 19:13
  • You hadn't yet narrowed down the problem to the Windows 7 machines or the VPN/routing as being the source of the problem. My point was that by testing from a computer in the same subnet you could narrow your troubleshooting search. If it works from the same subnet then the problem is not with the Windows 7 clients. If it doesn't work from the same subnet then the VPN/routing are not the problem. If it doesn't work from the same subnet then yes that does prove something in the way of routing. It proves that the problem is likely the Windows 7 clients and not the VPN or routing. – joeqwerty Jan 28 '15 at 19:28
  • Oh, I understand narrowing the search, and appreciate the input for sure, but in this case it isn't possible as the VPN connection IS a different subnet. Taking the VPN connection out of the equation, I am easily able to RDP to any computer, from any computer, within the two main Sites/Subnets. – Nate Jan 28 '15 at 19:33
  • That's what I was getting at. – joeqwerty Jan 28 '15 at 19:35
  • So, to clarify for others reading: I can connect from within and without the subnet to both Windows 7 and XP, it's only from the VPN subnet to Site#2's subnet where the host is a Windows 7/2008. Rather specific and odd circumstances considering it works other ways. – Nate Jan 28 '15 at 19:46
  • What about DNS - can you resolve the target's name through the VPN? – Tobias Sep 10 '15 at 06:09
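The thread argues about three separable layers (name resolution, the routed TCP path to 3389, and the RDP security negotiation that the "NLA only" GPO changes) without a tool that tells them apart. The script below is an added example, not code from the original question or answers: it resolves the name, opens TCP/3389, sends a standard X.224 Connection Request with an RDP_NEG_REQ block and classifies the server's Connection Confirm (wire format per MS-RDPBCGR 2.2.1.1 and 2.2.1.2). The host names in the usage and the sample reply bytes are constructed for illustration. A server that answers with a negotiated or refused protocol is reachable and routed correctly; a failure that only appears after that point sits in authentication, not in the VPN or routing.

```python
"""Layered RDP reachability check: DNS -> TCP/3389 -> X.224 protocol negotiation.

Added example for the thread above; host names and sample replies are constructed.
"""
import socket
import struct
import sys

RDP_PORT = 3389

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000      # legacy "standard RDP security"
PROTOCOL_SSL = 0x00000001      # TLS without NLA ("any version" GPO setting)
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

NEG_RSP = 0x02
NEG_FAILURE = 0x03

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",   # what the "NLA only" GPO produces
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

# Constructed sample replies, used below and in tests (not captured traffic).
SAMPLE_NLA_CONFIRM = bytes.fromhex("030000130ed000001234000200080002000000")
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_LEGACY_CONFIRM = bytes.fromhex("0300000b06d00000123400")


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)   # type, flags, length, protocols
    # X.224 CR TPDU: length indicator, code 0xE0, dst-ref, src-ref, class 0, then the neg block
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))            # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Classify an X.224 Connection Confirm: negotiated, failure, legacy or malformed."""
    if len(data) < 11 or data[0] != 3:
        return {"kind": "malformed"}
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data) or (data[5] & 0xF0) != 0xD0:      # 0xD0 = Connection Confirm
        return {"kind": "malformed"}
    if len(data) == 11:
        # No RDP_NEG_RSP at all: an old server that only speaks standard RDP security
        return {"kind": "legacy", "protocol": PROTOCOL_RDP}
    if len(data) < 19:
        return {"kind": "malformed"}
    neg_type, flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == NEG_RSP:
        return {"kind": "negotiated", "protocol": value, "flags": flags}
    if neg_type == NEG_FAILURE:
        return {"kind": "failure", "code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN")}
    return {"kind": "malformed"}


def explain(stage, detail):
    """Turn a (stage, detail) pair into the one line a troubleshooter wants."""
    if stage == "dns":
        return "name resolution failed over the VPN: " + detail
    if stage == "tcp":
        return "TCP/3389 unreachable (routing or host firewall): " + detail
    kind = detail["kind"]
    if kind == "failure":
        return "server reachable but refused the offered protocols: " + detail["reason"]
    if kind == "negotiated":
        auth = "NLA/CredSSP" if detail["protocol"] & PROTOCOL_HYBRID else "TLS, no NLA"
        return "server reachable, negotiated %s; a later hang is past the network layer" % auth
    if kind == "legacy":
        return "server reachable; no negotiation block (old RDP server)"
    return "server reachable but the reply was not an X.224 Connection Confirm"


def probe(host, port=RDP_PORT, timeout=5.0):
    """Walk the layers in order and stop at the first one that fails."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            reply = sock.recv(64)
    except OSError as exc:
        return "tcp", "%s:%d %s" % (addr, port, exc)
    return "rdp", parse_connection_confirm(reply)


if __name__ == "__main__":
    # Usage: python rdp_probe.py win7-pc.site2.example   (hypothetical host name)
    for target in sys.argv[1:] or ["win7-pc.site2.example"]:
        print(target, "->", explain(*probe(target)))
```

Run it once from the VPN subnet and once from inside Site2's subnet against the same Windows 7 host; if both reach the "negotiated" stage but only the VPN session hangs after the credential prompt, the difference is in what happens during CredSSP (Kerberos reachability, name resolution of the domain controller, clock skew), which is the next thing to compare rather than the GPO firewall rules.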

1 Answer


Are the users in question part of the "Remote Desktop Users" group on the Windows 7 boxes?

There are also several other GPOs that will limit this, but my test domain is de-constructed ATM, and I'm not at work for a few hours so I have no system to look up the settings on :(.

If my above check did not point you in the right direction, and if someone else does not answer your question by the time I'm at work, I will dig through my domain settings and give you some things to check.

Gravy
  • When looking at the workstation it tells me my username is already allowed, likely due to being part of the Domain Admins group. (I am using my own credentials to test. I am a member of Domain Admins which is a member of the built-in Remote Desktop Users security group.) – Nate Jan 28 '15 at 19:20