Odd connection problem


P Darrah

I have a small home network (linksys router - DSL modem) and a small office
network (Covad DSL router/modem). I have Remote Desktop working between a
home Win98 PC and an XP Pro PC at the office. This has been set up and
working for months. Obviously, I have the Linksys and the Covad router
set up fine (actually, I don't think I had to do anything to the Linksys...)

Now I am trying to set up a Win98 laptop to access the office XP Pro PC. I
initially was working on it separate from the home network (just dial my ISP
and connect using the static IP address of the Covad router which forwards
to the XP Pro PC.) When that wouldn't work, I brought it to my home network
and plugged it into my Linksys. The laptop is getting internet access
without any trouble - I can surf. Much to my surprise, it still won't
connect to the office XP Pro PC. (I have even turned off the laptop's
firewall trying to get this working - no luck.)

I am sitting here with 2 PCs (Win98 PC and Win98 laptop) side by side,
plugged into the same network. One does just fine with RD and the other
fails. Both computers are Win98, both have the RD client installed, both
have the same firewall (pc-cillin 2003) and have the correct port open.

The error message is:
The remote connection has timed out. Please try connecting to the remote
computer again.

Are there different versions of the RD client? How would I know which
version I am using (I don't see a help.About ... menu anywhere.) Any other
ideas? Are there any logs I can look at that might give me a hint?

Thanks for any help

pdarrah
 
One of the most common issues where a Win 9x box cannot connect has to do
with DNS:

Go to TCP/IP properties and take a look at the DNS hostname and domain.
Make sure that you are not using a domain name that resolves to someone
else. Example, if you have Bellsouth.net change it to BellSouth or if you
have covad.net change it to covad. Once that is done restart the
workstation and try connecting again. Let me know if this solved your
problem.

Hope this helps,

--
Colin M. McGroarty
MCP+I, MCSE, NT-CIP

(e-mail address removed)
www.McGroarty.org
 
I have been out of town a lot and am just getting back to this problem now.

I have found that when I have the Win98 PC (notebook) on the LAN with the XP
Pro PC that it can connect using the RD Client. If I dial out to my ISP or
connect via my home LAN, then it will not connect ("The remote connection
has timed out.")

For the dial-up connection (what I am working with right now) - there really
aren't any DNS settings to set. The dial-up properties for the connection in
DUN do not let you set a hostname & domain and if you go to the TCP/IP
properties for DUN, you get a warning that you shouldn't set anything there,
but in the properties for each connection. Also, my ISP (Earthlink) does not
provide DNS info. They instruct that the "server assigned name server
addresses" be used.

I definitely have an internet connection with the notebook via DUN.

I have tried turning off the firewall on the notebook.

Since it is dial-up, there is no router to worry about.

In desperation, I updated DUN to ver 1.4 and reinstalled the RD client.

I know that the XP Pro host is working fine (I actually have 2 of them at
the office that I can connect to from my home PC running Win98. This
required setting one of them to listen to a different port and it still
works great.)

There are no messages in the XP Pro host's firewall log. There are no
messages in the event logs either.

Do you have any other suggestions that I can try? This is driving me nuts!
Would there be any advantage to trying the Web connection version of RD? (I
have hesitated since I hate to open more ports in my router - each open port
is a risk.)

Thanks for any suggestions,

pdarrah
 
The plot thickens....

I have just finished setting up the laptop and the XP Pro PC for the
Microsoft VPN (and the router...). The laptop can VPN into the network
while connected to my home network. Once there, RD works fine. The only
problem with this "Solution" is that I have to turn off my PcCillin Firewall
for this since they do not have the ability to open the correct protocol for
the VPN (I confirmed this with their tech support a month or so ago.) I
also do not think I can use the VPN solution with dial-up (Once I dial into
Earthlink for a net connection I already have a DUN connection - I assume I
can't then open another DUN connection for the VPN. I admit I haven't tried
it, but it sounds unlikely and I would still have the firewall problem.)

I am using the PcCillin firewall partly because I use their virus scan and
they come together and partly because I couldn't get our peer-to-peer office
network to function with the Firewall that comes with XP.

What is so weird about this new information is that it proves that the
laptop is capable of connecting through the routers for the VPN. The other
Win98 here on the home network can connect using RD through the routers
(and, of course, it can also VPN if the XP Pro firewall is turned off!) WHY
does this one PC (the laptop) refuse to connect using RD? I think it must
be seeing the router at the host end since it is a "timed out" error.
Otherwise, the error would have something to do with not finding the
computer.

Any suggestions would be appreciated.

pdarrah
 
I'm not sure I'm going to hit all your questions, so come back with those
I've missed.

That's bad news about PC Cillin's firewall. You do mention ICF at one point
later--you can open ICF for a PPTP VPN connection, just ADD a new
definition, call it pptp vpn, external port 1723, internal port 1723 and
netbios name or internal IP of the host machine. (ICF takes care of opening
GRE automagically.)

Hmm - you mention not getting the peer-to-peer office network functioning
with ICF enabled.

Can you give us a verbal diagram of that network? This sounds as though you
were enabling ICF on an interface used for file/print sharing, which it will
block by default. Usually, it is preferred to enable the ICF only on the
Internet facing interface--hence its name.

You can (and it may be wise to) enable it on all interfaces, though. This
page gives some instruction about how to open ICF for file/print sharing.

http://www.microsoft.com/security/protect/ports.asp

You DON'T want to do this on an Internet-facing interface unless there is
also some second layer of firewall or NAT protecting that interface.

(yes, you need 5 separate entries in the services table to enable file and
print sharing through ICF)

Looking back at the first post--mystifying!

If I understand your current position correctly:

Working directly, out through the Linksys (correct--no configuration needed
for outbound work), and in through the Covad router, you can do RD with one
Win98 machine, but not with the second, laptop, one.

Once you've established a VPN (through the router, terminated by the XP Pro
machine??) you can do RD with either machine?

(as an aside, you CAN use the VPN solution with dialup--you can definitely
dial Earthlink and then use a second DUN connectoid to make the VPN
connection.)

My thinking, at this point is that the difference between the two situations
(rd works, rd doesn't work) relates to where you are with regard to the
Covad router.

Is it possible that there is security set in this device that is specific to
the original Win98 machine that works? I'm grasping here, because I'm not
familiar with the equipment--I'll see a new Covad install in Philly on
Friday--and I'm positing a mechanism I've also never seen--perhaps a mac
address filter or something.

At any rate, it seems like 98PC1 can do RD through the covad, but 98PC2
can't. BOTH can do VPN (PPTP??) through the covad, and, once through, both
can do RD.

So, I'd look hard at how the Covad device is set up--but maybe I've got the
picture wrong somewhere.
 
Hi Bill,

I think you do understand the strange problem here.

My original thought when I first installed the RD client on the laptop and
tried accessing the XP Pro host via dial up was that there was some sort of
limitation at the Cisco router (even though I set up the router and don't
remember that.) That was why I first took it home and plugged it into my
home network. I figured that since it is on the same network behind the NAT
router that it would "look the same" to my Cisco router. When that didn't
work I made my first post. Yesterday, I went back into my Cisco router and
can't find anything there that looks like it would be limiting anything.
The menus are rather cryptic, but I am not a novice and I am fairly sure
what I am doing. That one Win98SE PC can connect and the other can't, is
just plain weird. I have repeatedly checked the settings and everything looks
the same on the 2 machines. I have even checked all of the laptop's startup
programs and eliminated anything I could. With the message I am getting, I
am fairly sure it is seeing the Cisco router, it just isn't getting a
response and is timing out.

Thank you for the info on the VPN connection. I have tried it and it works!
Once dialed-in and VPN'd in, I was able to connect to both XP Pro hosts that
I have here at the office (although I had to use the local IP address to
reach the second one, but not a big deal.) This is certainly a "solution",
but I am going to have to look at the firewall stuff again.... I will look
at all the info you mentioned on ICF and see if I can set that up to work
for me. Then I could at least have that firewall in place when I need to
use the laptop on the road.

Our office network is a relatively basic peer-to-peer setup. There are 2 XP
Pro computers and 2 Win98SE computers and a LaserJet printer (JetDirect).
They are connected to the Cisco router which has 8 ports and the connection
to the DSL line. One of the XP computers acts as a "virtual server" and we
store all of our documents there to make backups reasonable. That was the
first PC to upgrade to XP and we found that enabling ICF made it so no one
could access the files. I didn't do much research at the time since we
needed to be up and running. I just disabled ICF and installed another
firewall (first Norton and now PcCillin). I will now take the time to look
into ICF since it looks like I need it.

The original problem still bugs me ... why can't a correctly configured
Win98SE laptop just connect to RD without the VPN?

Thank you very much for your help,

P Darrah
 
Well - I _guess_ I am making progress.

I have set up ICF and my file & print sharing is working (thank you for the
info on that) I have the port for the PPTP VPN (1723) open and have checked
the box for RD (opening 3389) and created a second port added for RD for the
other XP Pro computer (3390). On the 2nd XP Pro computer I have also opened
1723, 3389 & 3390. (I would think just 3390 would be OK, but I added the
others to try and get it working.)

I can VPN with the 1st XP Pro as host. I can RD to that same computer. If
I try to RD to the 2nd XP Pro I get the timed out error. If I turn off the
ICF (no firewall at all), then I can RD to the 2nd XP Pro via the VPN (even
with ICF turned on for the 2nd XP Pro).

--- Wow - that is a lot of acronyms in one sentence! Did it make any
sense?---

I have also found that if I have a VPN connection with ICF turned on for the
1st XP Pro, then I cannot connect to any network shares. If I turn ICF off,
then I can. Is there another port that I need to open in ICF that is
causing this?

Thanks again,

p darrah
 
Now that I know more about your network, I think my recommendation of ICF
may not make sense.

ICF isn't doing much for you since you need to open it for file and print.

Cisco routers can be configured in a variety of ways. We need to know
whether your PCs behind the router are using public IP addresses (i.e. you
can directly connect to a given PC from across the Internet) or if they
receive private non-routable IP addresses, in which case the router is
providing NAT which affords some protection against incoming traffic.

I don't understand the problem in using RD between the two machines--you
need to open only the port in use on that machine (3389 OR 3390) on that
machine's firewall, and check that that setting points to that machine's
netbios name or IP address--i.e. not the other machine.

The problem with connecting to shares also leaves me perplexed--is this a
browsing issue, or a real connectivity issue--i.e. you should be able to
connect to \\machinename\sharename, but can't, over the VPN, with ICF
enabled?

Sorry for the delay in responding, I got busy dealing with a Swen infection
on a client's machine and have been spending time in other groups.
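
The checks suggested in the last reply (are the PCs on private, NAT'd addresses, and does each machine's firewall open only the RD port that machine uses, pointed at that machine) can be run mechanically over an inventory. This is an added example, not part of the original thread; the host names, addresses and inventory layout are constructed assumptions modelled on the setup described above.

```python
import ipaddress

# RFC 1918 ranges: the "private non-routable" addresses a NAT router hands out.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (assumption): two XP Pro hosts, RD on 3389 and 3390,
# PPTP (TCP 1723) terminated on the first host only.
HOSTS = {
    "xp1": {"ip": "192.168.1.10", "listens": {3389, 1723}},
    "xp2": {"ip": "192.168.1.11", "listens": {3390}},
}
ROUTER_FORWARDS = [  # (external port, internal host, internal port)
    (3389, "xp1", 3389), (3390, "xp2", 3390), (1723, "xp1", 1723),
]
HOST_FIREWALL = {  # host -> [(service name, port, target host)]
    "xp1": [("rd", 3389, "xp1"), ("pptp vpn", 1723, "xp1")],
    "xp2": [("pptp vpn", 1723, "xp2"), ("rd", 3389, "xp2"),
            ("rd alt", 3390, "xp2")],
}

def audit(hosts, forwards, firewall):
    """Return (host, finding, detail) tuples for every inconsistency found."""
    findings = []
    for name, h in hosts.items():
        addr = ipaddress.ip_address(h["ip"])
        if not any(addr in net for net in RFC1918):
            findings.append((name, "public-address", h["ip"]))  # no NAT in front
    seen = set()
    for ext, host, port in forwards:
        if ext in seen:
            findings.append((host, "duplicate-external-port", ext))
        seen.add(ext)
        if port not in hosts[host]["listens"]:
            findings.append((host, "forward-to-closed-port", port))
        if port not in {p for _, p, _ in firewall.get(host, [])}:
            findings.append((host, "forward-blocked-by-host-firewall", port))
    for host, entries in firewall.items():
        for _svc, port, target in entries:
            if target != host:
                findings.append((host, "entry-points-at-other-machine", port))
            elif port not in hosts[host]["listens"]:
                findings.append((host, "unneeded-open-port", port))
    return findings

if __name__ == "__main__":
    for finding in audit(HOSTS, ROUTER_FORWARDS, HOST_FIREWALL):
        print(finding)
```

On the constructed inventory the only findings are the 1723 and 3389 entries on the second host, which that machine does not need because it listens for RD on 3390 only.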
 