RDP blocked to XP Pro except via Windows Server 2003

[ebnetguy]

Odd problem here on a network that I inherited: a Domain Admin can VPN into this network, and then RDP to this Windows XP Pro machine and login with this account that is already logged in on the machine, running apps, etc.

But a Domain User VPNs in, and cannot RDP to the XP Pro machine.

Running PortQry from MS, shows the port is blocked just like it would be by a firewall... BUT...

EXCEPT, this same Domain User can RDP to a Windows 2003 server and FROM the server RDP session, RDP into this XP Pro box, and login with the user account running on it, etc.!

And this Domain User also is in the Remote Desktop Full user group, no firewall stuff in the way on XP Pro.. so Group Policy...?

-Ed

 

[GrimR]

sounds like a permissions issue

 

[ebnetguy]

But which group simply stops a person from even telnetting to port 3389 on a computer when they VPN in? The Domain User is not even getting to the login prompt when VPN'ed in and trying to RDP directly to it.

-Ed

 

[FilthPig]

Have you done any other basic connectivity tests? Are you able to ping the XP Pro box while connected to VPN?

Are all machines in question on the same subnet?

Marc Creviere

 

[TheLad]

Could it also be that there are firewall rules that only allow a particular IP address to use RDP when VPN'd in?

--------------------------------------
"Insert funny comment in here!"
--------------------------------------

 

[tfg13]

Both FilthPig and TheLad are on to something here. It is usually the most basic issues that cause problems. Find out if you can ping first, then start using a network sniffer to find out what/where is being denied (suggestion would be to use it at both systems that the issue is occuring).

You should also answer the other basic question. Can a domain admin log in via RDP on the same VPN'd computer that a domain user is logged into?

Something else that needs to be looked at are the ACL's on the VPN. Do certain accounts have more permissions than others?

 

[ebnetguy]

When the Domain User VPNs in, you CANNOT telnet to port 3389 or even ping the machine. A Domain Admin CAN ping and telnet port 3389.

The Domain User in question is also part of the Remote Desktop Full group as well.

The Domain User can VPN to the server though, and VPN into the machine in questions JUST FINE, and ping it from the server, etc.

The server and the computer are local to each other -- on the same LAN.

And what ACL's are you referring to that I should check into? I have check TCP/IP filtering in Windows, turned off the firewall, checked for 3rd party firewalls on this XP Pro machine, too, and nada. Because I thought they might just allow the server to RDP to it or something.

That is why I am thinking Group Policy. Is that a possibility?

-Ed

 

[ebnetguy]

I feel like I should apologize for wasting everyone's time, I track it down. It was Remote Access Policies. A previous IT guy had set it up to restrict packets and RDP to ONE computer if the person was part of a particular group.

Thanks for all of your pointers.

-Ed