Terminal Server Blues


AJP69

Jul 1, 2003
I am replacing a Citrix server with a Terminal Server on our intranet.

The TS server is up and works well except that users cannot connect to it from outside the firewall. The Firewall Manager has assured me that the IP address is visible from outside, and we can ping it and can scan the TS port 3389 from outside.

Yet users outside get one of the following errors:

"Connection to the server has timed out try connecting to the terminal server again"

or

"The client could not connect to terminal server. The server may be too busy..."

I have checked MS KB articles 260746 and 267834, neither helped.

I can connect inside the firewall and have no problems even on a different subnet.

The old Citrix server works from the same sites, so there is no problem there.

Under Citrix one can configure a slower connection and make allowances for the firewall.

Has anyone had a similar problem or know of a really technical explanation of the way TS and RDP work?

Perhaps you know of a way to change the TS timeouts (like the way TCP/IP can be tweaked)?

Your suggestions would be appreciated.

AJ






 
- Did you install the Terminal Services Licensing?

You need to install licenses for Terminal Services to work, otherwise only Administrators can log on (a limit of 2 concurrent sessions) and that is only if you have enabled it during your installation of the Terminal Services.

If you don't have any licenses on-hand, you will need to purchase some, although you can test your setup because you can get a 120-day trial period when you register for the first time without a license pack.

Citrix gets around this by installing its own connector so it manages its own licenses.




"In space, nobody can hear you click..."
 
Thanks for your reply, I tried that, the DC (License server) has 1000 licences and there are no errors in the event log.

The problem with M$ is that the errors displayed do not always relate to the problem.

BTW in W2k Server you only need licences for pre W2k Pro clients although this has changed in W2k3 Server.

Thanks for the suggestion

AJ
 
The terminal server side for Windows 2000 still needs the licenses. I agree that the CALs for Terminal Services are now included with Windows XP. Unless they just changed it in Service Pack 4 or something :) .

Also, I'm not talking about the DC License Server. I'm talking about the Terminal Licenses Server. They are different things. You must enable them by registering with Microsoft and there are different ways to do it (Open, Enterprise or with License Pack).

If you have the Admin Pak installed, you should have the Terminal Services Licensing icon available and it should browse your domain and find one. If not, you'll need to install one.

If you're running Windows 2003 Server, then I'm not sure how the licensing works anymore for Terminal Services.




"In space, nobody can hear you click..."
 
The licensing issue should not interfere for at least 90 days. You have 90 days to set up and test before the temporary licenses will expire and actual license packs are required (for Application mode).
 
I was close.. I said 120 days..hehe.




"In space, nobody can hear you click..."
 
We have four W2k servers with TS installed, my understanding is that you choose one of them to be the licensing server for the domain. This falls into line with our licensing model which is per seat because we have an enterprise agreement for the desktop cals.



 
This thread is getting confusing... Okay, the way I've done it, and my understanding, is that your Terminal Services Licensing server MUST exist on a domain controller, if one is present. Otherwise it doesn't matter.

Okay, I'd double check with your firewall guy. Make sure the port is being forwarded along properly.

The info I'd like to hear, is the type of connection outside users are using. And what are the clients running on (thin clients, windows desktops, etc...)?



Matt J.
 
There are two versions of setting up Terminal service: as a client application server or as an Administration server.
Determine which you have chosen for starters.


One key is to make sure you have given your user account local logon rights or else you are not getting in. I found creating a second group and adding people to this group, with local login rights granted to the entire group, helped resolve this problem.
I found that by default this was not done and that getting into terminal services was somewhat of a chore.


Another few links that may be helpful.

Second, try the following link.



This one is interesting:

Hope something there is helpful.

Olepi
 
Thanks for the replies;

Matt

That is what I thought, hence I installed the licenses on the DC. Our firewall manager assures me that the config is identical for old and new server and has not even put a port restriction.

With Citrix we had similar connection problems and these turned out to be firewall config errors, but the firewall is outside my control. I hope to be able to put a portable to test outside the firewall but not for some time.

As this is a new install I wanted to do a sanity check and get to understand the communication process as I do with Citrix.

The config is as follows:

TS server configured with private IP e.g. 192.168.1.1
TS server is first in NLB with cluster IP of 192.168.1.2

Clients tested inside the firewall include WinNT4 and WinXP; they have the TS client with a connection to either of the above IP addresses and log in with no problem. One of these clients was in the domain, one was not but used a domain login configured in the TS client. Both work.

External users use Win98 and Win2kpro with the same TS client; they connect to a real IP address that is NATed by our Cisco firewall.

These clients can ping and trace route to the TS server without problem, but get the errors in my first post when they try to connect using the TS Client. I have also tried connecting from different sites outside the firewall, with slightly different errors as shown in my first post.

OLEPI

Initially access was limited to people in certain groups, but suspecting security, I subsequently allowed anyone to connect just to check it was not that. I will check out your links.

Any other ideas?

AJ


 
It has all gone very quiet

AJ
 
When the clients try to connect, are they on a dial up connection? Also, I assume they are connecting using a specified IP address in the TS Client, and not by a public domain name?

Matt J.
 
Thanks for the Reply.

No. The clients are on a private network that links all of our sites; each site has a firewall and there is a firewall between the private network and the internet.

I have tested two sites, one of them from outside their firewall.

Yes you are right about the client config, the TS client points to an IP address that is visible on the firewall.

AJ








 
Firstly I'd say you should do it via a VPN not a straight connection. If that isn't an option then have you just opened port 3389 of the FW or have you also set up a port forwarding rule to the TS server for traffic over that port (assuming the TS doesn't have a public IP address)?
 
Does the firewall allow your PDC to act as a server?

Swimpy ;)
 
Finally sorted this out. It was the firewall; in fact there were two firewalls. One had port 3389 blocked out (it was set up for the Citrix ports) and the other firewall was allowing ICMP traffic in but needed explicit authority for the IPs concerned.

Both firewall managers assured me that they had put the permission in, so if this ever happens to you, ask for a meeting to review their firewall settings.

Thanks to all those that tried to help.

AJ
 
I'd like to take this opportunity to mention that the first thing I suggested was...

"Okay, I'd double check with your firewall guy. Make sure the port is being forwarded along properly."

Matt J.
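
An added example, not code from any poster in this thread: ping and traceroute only show that ICMP gets through, so this sketch checks from the client's side whether the TCP handshake on 3389 completes and whether an RDP listener actually answers. The function name `probe_rdp`, the result labels, and the placeholder address are assumptions made for illustration.

```python
import socket

# X.224 Connection Request in a TPKT header: the first packet an RDP client sends.
RDP_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved, total length 19
    "0ee00000000000"    # X.224: length 14, CR TPDU (0xE0), dst/src ref, class 0
    "0100080000000000"  # RDP negotiation request: standard RDP security
)


def probe_rdp(host, port=3389, timeout=5.0):
    """Classify what a client at this vantage point sees on the RDP port.

    'filtered'      - no answer to the TCP SYN (something is dropping it)
    'refused'       - host reachable, nothing listening or an active reject
    'unreachable'   - routing or other network error
    'open-no-reply' - TCP connects, but nothing answers the RDP request
    'open-not-rdp'  - TCP connects, but the answer is not RDP
    'rdp'           - X.224 Connection Confirm received: RDP is reachable
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        reply = b""
        try:
            sock.sendall(RDP_CONNECTION_REQUEST)
            while len(reply) < 6:          # need TPKT header + X.224 type byte
                chunk = sock.recv(64)
                if not chunk:
                    break
                reply += chunk
        except OSError:                    # includes socket.timeout
            pass
    if not reply:
        return "open-no-reply"
    # Byte 0 is the TPKT version (3); byte 5 is the X.224 TPDU code (0xD0 = CC).
    if len(reply) >= 6 and reply[0] == 0x03 and reply[5] == 0xD0:
        return "rdp"
    return "open-not-rdp"


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder, not an address from the thread.
    print(probe_rdp("192.0.2.10", timeout=3.0))
```

Run it from a machine on the same side of the firewall as the failing users; a `filtered` result there, alongside a working ping, matches the situation the thread ended up with.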
 