XP Remote Desktop over VPN problem


Stew

OS: XP Pro V2002 SP2.
Trying to use XP Remote Desktop within VPN (using XP inbuilt VPN
Client/Server) between two standalone PCs. Each work fine on their own ie.
VPN connects OK or RDT connects and works OK, but once I setup VPN connection
and try and run RDT over it, it fails to connect. I have used this solution
successfully between two XP PCs, but with domains defined (using Computer
Name in the RDT Connection 'Computer:' field). The PCs I have the problem
with both have a workgroup defined, not domain, (Windows default of
WORKGROUP). I have tried both the Computer Name and the hostname, neither
work.
Can anyone help with a solution?
 
When you connect with the VPN can you ping the target Remote Desktop (RDC)
host PC by IP?

Note that if the PPTP VPN server network and the remote network you're
accessing the server on are using the same address scope, ie. both in the
192.168.0.X range for example, you will have trouble connecting to the RDC
host. It's a good idea for the server network and the remote network to be in
different address ranges, ie. PPTP VPN server on 192.168.0.X and the remote
client on 102.168.1.X for example. Note the third octet.

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
 
Correction..."client on 192.168.1.X for example. Note the third octet."

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)



The last should read .... "
 
The PC I'm remoting into is unmanned (telemetry PC) and uses a Wireless
Broadband modem with dynamic IP address. Often I am using the same config on
my local PC. Therefore the IP addresses are allocated from the ISP's pool and
appear to be across the various Public IP address ranges and I assume have no
control over this (they don't offer a static IP service). I have just
noted in another thread on another site that VPN allocates its own separate
set of IP addresses inside of this. They tend to be in the 169.254.x.x range.
I have also just found I can see the client/server addresses at the local end
and can use the server IP address in RDT to connect. However these addresses
seem to be dynamic as well and I was trying to find a way to use a consistent
connection name in RDT (like Computer Name) as I have a number of different
remote PCs to connect into. I tried putting the VPN server IP address in the
HOST file of the remote PC with a text name, but it didn't work.
Fundamentally I'm trying to keep it simple and just wanted to use a hostname
to establish VPN and Computer Name for RDT.
 
So your basic connection is like this if you ignore the desktop and laptop
on the VPN servers network. You only have the VPN client and the VPN server
which is also the PC you want to access with Remote Desktop (RDC), right?

http://theillustratednetwork.mvps.org/Vista/PPTP/VPN-HomeUser.html

As far as dynamically assigned IPs from an ISP you could use a service like
No-IP.com to map a fully qualified domain name (FQDN) to the ISP assigned
IP. That way you simply call the remote VPN server or Remote Desktop (RDC)
host PC by the FQDN.

The 169.254.X.X address is not assigned by the VPN or DHCP server. That
simply means the client PC you're seeing it on is not getting a valid IP from
the local DHCP server.

If you're running the built-in PPTP VPN server on an XP box you can manually
configure what the address is the client will receive. In the case of an XP
box acting as both a PPTP VPN server and the RDC host use the first address
in the example, ie. the From: address. The client gets the To: address.

http://theillustratednetwork.mvps.org/WM2003/VPN_Server/IncomingConnectionsTCPIP.JPG

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)

 
Yes it's just two XP PCs connected to each other with the internet in
between, no private LAN, servers or routers etc. I already use a hostname
service via DynDNS.com to manage the dynamic IP address issue of the remote
PC. So yes I establish the VPN connection by using the FQDN.
But here's the thing, once I've got the VPN tunnel established I thought I
could use the 'Computer Name' to make the RDT connection because this works
with PCs that have a common domain defined in Control Panel/System/Computer
Name. However these PCs actually have no domain but a workgroup defined and
the Computer Name connection method fails.
Why is this so????
If I use the FQDN again in the RDT it also fails. Fyr if I try the latter
with PCs that have identical domains it sets up two parallel paths: 1 x VPN,
1 x RDT and I used a Protocol Analyser to confirm that the RDT traffic is
outside the VPN tunnel ie. it's not encrypted.
Re your last paragraph... I think this is going to be a good alternate
solution. I'll do some testing and get back to you.

Thanks heaps.
 
See the inline replies...

Stew said:
> Yes it's just two XP PCs connected to each other with the internet in
> between, no private LAN, servers or routers etc. I already use a hostname
> service via DynDNS.com to manage the dynamic IP address issue of the remote
> PC. So yes I establish the VPN connection by using the FQDN.
> But here's the thing, once I've got the VPN tunnel established I thought I
> could use the 'Computer Name' to make the RDT connection because this works
> with PCs that have a common domain defined in Control Panel/System/Computer
> Name. However these PCs actually have no domain but a workgroup defined and
> the Computer Name connection method fails.
> Why is this so????

I am not sure if NetBIOS names are propagated through a PPTP VPN tunnel. I
used a lmhosts or hosts file to map NetBIOS names through a PPTP VPN tunnel
when I used one in the past. Use of the IP works all the time. In your case
use the From: IP that you setup in the PPTP VPN server config to call the PC
using RDC since you're trying to connect to the same PC through the VPN
tunnel.

> If I use the FQDN again in the RDT it also fails.

Right because you probably don't have TCP Port 3389 open on any software
firewall the remote PC is running. As an alternative to VPN just open TCP
Port 3389 up and forget about the VPN. You can then use the FQDN to call the
PC. The RDC connection is natively encrypted. Make sure you use a *strong*
password.

> Fyr if I try the latter
> with PCs that have identical domains it sets up two parallel paths: 1 x VPN,
> 1 x RDT and I used a Protocol Analyser to confirm that the RDT traffic is
> outside the VPN tunnel ie. it's not encrypted.

RDC is natively encrypted. I don't know why your analyzer says otherwise.

> Re your last paragraph... I think this is going to be a good alternate
> solution. I'll do some testing and get back to you.
>
> Thanks heaps.

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)

 
I forgot to add here is how to configure the XP Windows Firewall on your
headless PPTP VPN/RDC server/host machine if you just want to use RDC
without going through the VPN tunnel. Obviously it's similar if you're using a
different software firewall on the PC.

http://theillustratednetwork.mvps.o...pSetupandTroubleshooting.html#Port_forwarding

You also might consider changing the default encryption level to "High" from
the default. That is done via a group policy setting on your RDC host
machine. The following was written for a Vista host but it's the same for XP.

http://theillustratednetwork.mvps.org/RemoteDesktop/RDP6ConfigRecommendations.html#host

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)

 
Thanks for all the extra info, it's been interesting reading.

I've got good news (as you would expect). I used your suggested alternative
to manually configure what address the client/host will receive. To keep it
simple I used 11.11.11.11 - 11.11.11.12 for PC1, 22.22.22.22 - 22.22.22.23
for PC2 etc. This makes the connection setup more user friendly.
For example the VPN is established using a FQDN, via a hostname service,
which has recognisable text pertinent to the host (telemetry) PC. Once the
VPN is connected the RDT is connected using 11.11.11.11, if it's PC1 we're
connecting to. For certain applications TightVNC is more suitable than XP RDT
and this method ensures the payload is encrypted. Once a successful
connection has been made then the addresses are stored in the RDT drop down
list and helps the user setup the connection without having to
remember/retype the addresses.

A great outcome, thanks.
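
An added example, not part of the thread: a check of a proposed PPTP From:/To: pool against the points raised above (the same address scope at both ends, 169.254.x.x meaning no DHCP lease, and the pool values chosen). The function name, the finding labels and the sample LAN ranges are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA: no DHCP lease obtained


def check_vpn_pool(first, last, lans=()):
    """Review a PPTP 'From:'/'To:' pool against the networks at either end.

    first/last: pool bounds as dotted-quad strings.
    lans: CIDR strings for the server-side and client-side networks, if any.
    Returns a sorted list of finding strings; empty means nothing was flagged.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("pool start is above pool end")
    nets = [ipaddress.ip_network(n, strict=False) for n in lans]
    findings = set()

    # Same address scope at both ends: routes to the far side are ambiguous.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.add(f"lan-overlap {a} {b}")

    # summarize_address_range turns the pool into CIDR blocks we can compare.
    for block in ipaddress.summarize_address_range(lo, hi):
        if block.overlaps(LINK_LOCAL):
            findings.add("pool-link-local")
        # Outside RFC 1918 the addresses are allocated on the public internet,
        # so a pool there can shadow a real host while the tunnel is up.
        if not any(block.subnet_of(p) for p in RFC1918):
            findings.add("pool-not-rfc1918")
        for net in nets:
            if block.overlaps(net):
                findings.add(f"pool-inside-lan {net}")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed cases: the pool from the post above, then sample LAN layouts.
    print(check_vpn_pool("11.11.11.11", "11.11.11.12"))
    print(check_vpn_pool("192.168.0.200", "192.168.0.201",
                         ["192.168.0.0/24", "192.168.0.0/24"]))
    print(check_vpn_pool("10.99.0.1", "10.99.0.2",
                         ["192.168.0.0/24", "192.168.1.0/24"]))
```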
 
Sorry to disturb your discussion, but I have a similar problem maybe you
could help.
I have a normal LAN, connected to internet and with a PC running SQL-Server
express. I need to connect an external PC via VPN to the LAN. For security
reasons I can not use the SQL PC as a VPN server, but maybe I could use one of
the others as a VPN server and connect through it to the SQL-PC. This is the
idea: the LAN is in the 192.168.16.x range, I use an internet router with
the needed ports open and the VPN server PC with 2 NICs (network cards).
What is the configuration method I should use? Thank you for your help.
 
Jose,

Since the LAN is behind a router there really is no need to use two NICs in
the VPN server. Your network would then look close to this example. In this
example the VPN server is Ashtabula.

http://theillustratednetwork.mvps.org/Vista/PPTP/ExampleVistaVPNNetwork.pdf

....with the VPN server on one desktop and the SQL server on the other
desktop. In the above example the SQL server would be running on Norman. Use
addresses in the 192.168.16.X range versus the 192.168.1.X range in this
example.

http://theillustratednetwork.mvps.org/Vista/PPTP/VPNSetup06.jpg

You should be able to access the SQL server by IP or name once you connect
through the VPN. You may need to use an lmhosts file on the client to map
names to LAN IP addresses. Here is an example based on the above example
network. You would change the addresses to the 192.168.16.X range.

http://theillustratednetwork.mvps.org/Vista/PPTP/Examplelmhosts.txt

Make sense?

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)

 
Thank you for your help. It makes sense. Only one question please. How
many computers can I connect to this VPN?
Thank you again.
 
An XP or Vista PPTP server will only accept one incoming VPN connection at a
time. If you need more you should look at a server class OS like Windows
2003 or SBS or use another type of VPN like OpenVPN for example.

Good luck...

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)

 
Thank you for your help Al. I have been checking the OpenVPN software and it seems
too complicated for me. I would like a simpler solution like the one I'll
try to explain. If I have a network with 5 PCs and configure 3 of them to
receive VPN, is it possible to connect 3 external PCs to them?
Thank you again for your help.
 