RDP 6.1 vs 6.3
I have some Windows 7 clients. Some have RDP6.1 and others have RDP6.3. I use a product to make SSL VPN connections between machines. When I use 6.1 it works just fine but 6.3 does not even connect. Can someone tell me what they changed between the 2 versions?
The SSL VPN gets established but when I try to RDP through it using 6.3 - Nothing but 6.1 is golden.
Hi,
Is there any error message when the remote connection fails? This problem may not be caused by the RDP version. Meanwhile, you can try upgrading your system's RDP as a workaround for testing.
Roger Lu
TechNet Community Support
Similar Messages
-
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall; it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
There also seems to be a Static NAT configured for the same internal host, so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
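The point raised in the reply above, as an added example that is not part of the original thread: on Cisco IOS the inbound interface ACL is evaluated before the outside-to-inside NAT translation, so a port forward needs a permit for the public address, not the inside one. The Python check below audits a config for that mismatch and also lists permits that open the forwarded port to any source; the function names and the sample config are assumptions, and 203.0.113.10 stands in for the redacted public IP.

```python
import ipaddress
import re

# Constructed sample shaped like the posted router config. 203.0.113.10 is a
# documentation address standing in for the redacted public IP.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip access-group INTERNET_IN in
 ip nat outside
interface Vlan1
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip access-list extended INTERNET_IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 10.20.30.20 eq 3389
 deny ip any any
"""

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) "
                       r"(?:interface (\S+)|(\S+)) (\d+)")
ADDR = r"(any|host \S+|\d\S* \d\S*)"
# Only permit entries are examined; first-match ordering against earlier
# deny entries is not modelled here.
ACE_RE = re.compile(rf"permit (ip|tcp|udp) {ADDR} {ADDR}(?: eq (\S+))?")


def covers(spec, ip):
    """True if an ACL address spec (any | host A | A WILDCARD) includes ip."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return parts[1] == ip
    addr, wild, target = (int(ipaddress.IPv4Address(x)) for x in (*parts, ip))
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return addr & care == target & care


def parse(config):
    """Collect interfaces, extended ACLs and static port forwards.

    Expects indented `show run` output: an unindented line ends a section.
    """
    ifaces, acls, forwards, section = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            section = None
        if m := re.fullmatch(r"interface (\S+)", line):
            section = ifaces.setdefault(
                m[1], {"ip": None, "acl_in": None, "nat_outside": False})
        elif m := re.fullmatch(r"ip access-list extended (\S+)", line):
            section = acls.setdefault(m[1], [])
        elif m := STATIC_RE.fullmatch(line):
            forwards.append({"proto": m[1], "local_ip": m[2], "local_port": m[3],
                             "iface": m[4], "global_ip": m[5], "global_port": m[6]})
        elif isinstance(section, dict):
            if m := re.fullmatch(r"ip address (\S+) \S+", line):
                section["ip"] = m[1]
            elif m := re.fullmatch(r"ip access-group (\S+) in", line):
                section["acl_in"] = m[1]
            elif line == "ip nat outside":
                section["nat_outside"] = True
        elif isinstance(section, list):
            if m := ACE_RE.match(line):
                section.append({"text": line, "proto": m[1], "src": m[2],
                                "dst": m[3], "port": m[4]})
    return ifaces, acls, forwards


def audit_port_forwards(config):
    """For each static PAT, check the inbound ACL against the pre-NAT address."""
    ifaces, acls, forwards = parse(config)
    inbound = [ace for i in ifaces.values() if i["nat_outside"]
               for ace in acls.get(i["acl_in"], [])]
    findings = []
    for f in forwards:
        public_ip = (ifaces.get(f["iface"], {}).get("ip")
                     if f["iface"] else f["global_ip"])

        def hits(ace, ip, port):
            return (ace["proto"] in ("ip", f["proto"])
                    and covers(ace["dst"], ip) and ace["port"] in (None, port))

        allowing = [a for a in inbound if hits(a, public_ip, f["global_port"])]
        findings.append({
            "forward": f"{f['proto']}/{f['global_port']} -> "
                       f"{f['local_ip']}:{f['local_port']}",
            "public_ip": public_ip,
            "reachable": bool(allowing),
            # Entries written against the inside address: the interface ACL
            # runs before the translation, so these never match.
            "dead_rules": [a["text"] for a in inbound if a["dst"] != "any"
                           and hits(a, f["local_ip"], f["local_port"])],
            # Permits that expose the forwarded port to every source address.
            "open_to_any": [a["text"] for a in allowing if a["src"] == "any"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG):
        print(finding)
```

A non-empty `open_to_any` list for port 3389 is worth reviewing even when the forward works, since the thread's other ACL entries restrict SSH and 4022 to named source hosts.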
Cannot find dashboard and reports after upgrading rdp from 10g to 11g OBIEE
Hi all
I am trying to upgrade from OBIEE 10g to 11g. These two products are installed on different servers. I have followed the guide: http://www.oracle.com/technetwork/issue-archive/2011/11-jul/o41bi-402913.html and everything seems to work fine.
So I have taken a copy of rdp from the server where OBIEE 10g was installed and put it on the server where OBIEE 11g is installed.
Ran the upgrade tool and upgrade finished successfully. Restarted the BI Servers in core application on Enterprise Manager.
Now when I access the upgraded rpd, the layers and the fields are fine but I cannot find all the reports and dashboards that I had created.
Am I missing any upgrade steps?
Please suggest
Thank you and best regards
Hi Deepak,
Thanks for your response.
Oracle also came back to me and looks like my method is not valid:
Hi Jim,
Thanks a lot for the information. First of all I would like to inform you that upgrade CANNOT be performed across two machines. So, if 10g installation is on Host A, then upgrade to 11g will be on Host A.
So, in your scenario this is what you can do:
1. On Host A running Forms/Discoverer 10g on Windows 2003, install Forms/Discoverer/Reports 11g (11.1.1.6.0)
2. Run the upgrade Assistant to perform the upgrade from 10g to 11g.
3. Now upgrade OS of Host A to Windows 2008
In short, I would like to inform you that upgrades across machines do not work. Source instance which is 10g and destination instance which is 11g must exist on same box.
Here is the documentation which you can follow:
http://docs.oracle.com/cd/E23943_01/upgrade.1111/e10130/toc.htm
(Oracle® Fusion Middleware Upgrade Guide for Oracle Portal, Forms, Reports, and Discoverer)
11g Release 1 (11.1.1)
Let me know if you have any further questions.
Thanks,
Rishi -
Remote App and Desktop RDP client never succeed to logon the RDS gateway server running Windows 2012R2
1. Client Os : Windows 7 Pro
2. Server OS : Windows Server 2012R2 with RDS broker and RDS Gateway server with 3rd-party certificate with friendly name sky.mti-itservice.no activated.
The main problem is following: The RDP logon session never ends
Any ideas ?
Regards
Kenneth Knudsen
Email : [email protected]
Best regards, Kenneth Knudsen MCSE 2003 HP ASE
Hi Kenneth,
For your case, I suggest you configure the RDP session time limit so that your user can disconnect\log off once the specific time limit is reached.
You can set up the session time limit in different ways.
1. Open the Server Manager, select Remote Desktop Services.
2. In Remote Desktop Services, on the right side you can drop down to Collections.
3. Select the collection which you want to edit the settings.
4. Under collections Properties, select Task and then Edit Properties.
5. In Properties dialog box, select Session.
6. You can find all the timeout settings under session collection properties; edit according to your requirements and then click OK.
Apart from that, you can also use the Group Policy settings below.
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
- Set time limit for disconnected sessions
- Set time limit for active but idle Remote Desktop Services sessions
- Set time limit for active Remote Desktop Services sessions
- End session when time limits are reached
Please check which setting is suitable for your environment and apply it to your case.
[Forum FAQ] Restrict number of Active Sessions in RDS 2012 and 2012 R2
https://social.technet.microsoft.com/Forums/en-US/00c2252b-8ec0-489f-8da2-07a434a9b5a2/forum-faq-restrict-number-of-active-sessions-in-rds-2012-and-2012-r2?forum=winserverTS
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
Disabling RDP Compression on Windows Server 2012 R2
Hi
On Windows 2008 R2, we could disable RDP compression via GPO by configuring "Do not use an RDP compression algorithm" in the following GPO
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Set compression algorithm for RDP data
It seems like with the Windows Server 2012 R2 GPO's, this setting is no longer available? How do we disable RDP compression so that we can use it with Riverbed products?
Thanks
Hi,
How is the issue going now? Is there any update?
Thanks.
Jeremy Wu
TechNet Community Support -
I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified IP information so that it's not the ACTUAL IP info for my server/network etc... lol for security reasons of course
Also the bolded lines are the modifications I made but that aren't working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#
Unclear what did not work. In your original post you said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you added another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
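The rule cited in the reply above, as an added example that is not part of the original thread: a pre-8.3 ASA static PAT that maps the interface's own address has to be written with the `interface` keyword. The Python check below reviews a proposed `static` command against a running config for that rule and for a mapping that is already taken, and separately lists access lists that no other command references (in the posted config, `out_in` is defined but never bound). Function names and the sample config are assumptions; 198.51.100.x are documentation addresses standing in for the sanitized ones.

```python
import re

# Constructed sample in the shape of the posted ASA 7.2 config.
SAMPLE_ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.233 255.255.255.248
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
static (inside,outside) tcp 198.51.100.234 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port
STATIC_RE = re.compile(
    r"static \(([^,\s]+),([^)\s]+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")


def interface_ips(config):
    """Map nameif -> interface IP, reading indented interface stanzas."""
    ips, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            name = None  # an unindented line starts a new stanza
        if m := re.fullmatch(r"nameif (\S+)", line):
            name = m[1]
        elif name and (m := re.match(r"ip address (\S+) ", line)):
            ips[name] = m[1]
    return ips


def parse_static(line):
    """Return the fields of a static PAT command, or None for other lines."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    keys = ("real_if", "mapped_if", "proto", "mapped_ip",
            "mapped_port", "real_ip", "real_port")
    return dict(zip(keys, m.groups()))


def review_static(running_config, proposed):
    """List the problems with one proposed static PAT command (empty = none)."""
    new = parse_static(proposed)
    if new is None:
        return ["not-a-static-pat"]
    ips = interface_ips(running_config)
    issues = []
    # Literal address equal to the mapped interface's own IP.
    if new["mapped_ip"] == ips.get(new["mapped_if"]):
        issues.append("use-interface-keyword")

    def key(s):
        # Normalise 'interface' to the address it stands for before comparing.
        ip = (ips.get(s["mapped_if"]) if s["mapped_ip"] == "interface"
              else s["mapped_ip"])
        return (s["mapped_if"], s["proto"], ip, s["mapped_port"])

    for line in running_config.splitlines():
        old = parse_static(line)
        if old and key(old) == key(new):
            issues.append("duplicate-mapping")
            break
    return issues


def unreferenced_acls(config):
    """ACL names that no other command (access-group, nat, crypto map) uses."""
    lines = [l.strip() for l in config.splitlines()]
    defined = []
    for l in lines:
        if (m := re.match(r"access-list (\S+) ", l)) and m[1] not in defined:
            defined.append(m[1])
    used = {tok for l in lines if not l.startswith("access-list ")
            for tok in l.split()}
    return [name for name in defined if name not in used]


if __name__ == "__main__":
    cmd = ("static (inside,outside) tcp 198.51.100.233 3389 "
           "192.168.6.2 3389 netmask 255.255.255.255")
    print(review_static(SAMPLE_ASA_CONFIG, cmd))
    print(unreferenced_acls(SAMPLE_ASA_CONFIG))
```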
Problem Summary:
A UTF-8 without BOM Web RoE XML file output from a line of business application will not drag and drop copy nor copy/paste from a Server 2012 R2 RD Session Host running RD Gateway to a Windows 7 Remote Desktop client over an RDP 8.1 connection and the Drive Redirection virtual channel hangs. The same issue affects a test client/server with only Remote Desktop enabled on the server.
Other files copy with no issue. See below for more info.
Environment:
Server 2012 R2 Standard v6.3.9600 Build 9600
the production server runs RDS Session Host and RD Gateway roles (on the same server). BUT,
the issue can be reproduced on a test machine running this OS with simply Remote Desktop enabled for Remote Administration
Windows 7 Pro w SP1 v6.1.7601 SP1 Build 7601 running updates to support RDP 8.1
More Information:
-the file is a UTF-8 w/o BOM (Byte Order Marker) file containing XML data and has a .BLK extension. It is a Web Record of Employment (RoE) data file exported from the Maestro accounting application.
-the XML file that does not copy does successfully validate against CRA's validation XML Schema for Web RoE files
-Video redirection is NOT AFFECTED and continues to work
-the Drive Redirection virtual channel can be re-established by disconnecting/reconnecting
-when the copy fails, a file is created on the client and is a similar size to the original. However, the contents are incomplete. The file appears blank but CTRL-A shows whitespace
-we can copy the contents into a file created with Notepad and then that file, which used to copy, will then NOT copy
-the issue affects another Server 2012 R2 test installation, not just the production server
-it also affects other client Win7 Pro systems against affected server
-the issue is uni-directional i.e. copy fails server to client but succeeds client to server
-I don't notice any event log entries at the time I attempt to copy the file.
What DOES WORK
-downgrading to RDP 7.1 on the client WORKS
-modifying the file > 2 characters -- either changing existing characters or adding characters (CRLFs) WORKS
-compressing the file WORKS e.g. to a ZIP file
-copying OTHER files of smaller, same, and larger sizes WORKS
What DOES NOT WORK?
-changing the name and/or extension does not work
-copying and pasting affected content into a text file that used to have different content and did copy before, then does not work
-Disabling SMB3 and SMB2 does not work
-modifying TCP auto-tuning does not work
-disabling WinFW on both client and server does not work
As noted above, if I modify the affected file to sanitize its contents, it will work, so it's not much help. I'm going to try to get a sample file exported that I can upload since I can't give you the original.
Your help is greatly appreciated!
Thanks.
Kevin
Hi Dharmesh,
Thanks for your reply!
The issue does seem to affect multiple users. I'm not fully clear on whether it's multiple users and the same employee's file, but I suspect so.
The issue happens with a specific XML file and I've since determined that it seems to affect the exported RoE XML file for one employee (record?) in the software. Other employees appear to work.
The biggest issue is that there's limited support from the vendor in this scenario. Their app is supported on 2012 R2 RDS.
What I can't quite wrap my head around are
why does it work in RDP 7.1 but not 8.1? What differences between the two for drive redirection would have it work in 7.1 and not 8.1?
when I examine the affected file, it really doesn't appear any different than one that works. I used Notepad++ and it shows the encoding as the same and there doesn't appear to be any invalid characters in the affected file. I wondered if there was some string of characters that was being misinterpreted by RDP or some other operation and blocked somehow but besides having disabled AV and firewall software on both ends, I'm not sure what else I could change to test that further
Since it seems to affect only the one employee's XML file AND since modifying that file to change details in order to post it online would then make that file able to be copied, it seems I won't be able to post a sample. Too bad.
Kevin -
ASA 5505 + ASA 5540 static VPN, ssh and rdp problems
Greetings!
I've recently set up a VPN between Cisco ASA 5540 (8.4) and 5505 (8.3).
Everything works fine, but there is a small problem that is really annoying me.
From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
Then I minimize ssh and rdp windows and don't use it for ten minutes. But I still use VPN for downloading some files.
Then I open ssh window - the session is inactive, open rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP)
There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
What can I do to get rid of this problem?
Thanks in advance.
Dear Fedor,
You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
class-map TCP_TIMEOUT
match access-list rdp_ssh
policy-map global_policy
class TCP_TIMEOUT
set connection timeout idle 0:30:00
set connection timeout half 0:30:00
* Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
Let me know.
Portu.
Please rate any post you find useful. -
RDP from inside to outside using PAT?
I have several client machines (inside) that need to have RDP access to one server (outside) residing on a customer site. The challenge is that the client machines can be anywhere/any subnet at any given time and will have different IP addresses from DHCP. Because of this I can't use static NAT. Also, I only need RDP access from my network to the customer server. So will it work if I use PAT? Thanks for the help in advance.
Hello Sandeep,
In my opinion there shouldn't be any issue since you are NATing the RDP clients to a single IP. As long as we have static NAT and permission at the destination (server side), it should work.
Hope it helps
Harish. -
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I set up an SSL AnyConnect VPN on my Cisco ASA 5505. It works well and connects without a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thanks in advance for any help!
Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a Windows Firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason -
How to use CSCO_WEBVPN_PASSWORD in rdp:// bookmark, SSL VPN
Hi all
I got an ASA5510 (8.4.4, ASDM 6.4(7)) with WEBVPN access.
Now I'm facing the problem that the customer uses OTP authentication.
I've changed the SSL portal login page with username / password (OTP) / internal password (the AD user password).
So the idea is that these variables
- CSCO_WEBVPN_USERNAME
- CSCO_WEBVPN_INTERNAL_PASSWORD
are used for SSO purpose.
Here my bookmark:
rdp2://<IP>/?keymap=de&bpp=16&geometry=1024x768&FullScreen=true&RedirectDrives=true&domain=<DOMAIN>&username=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_INTERNAL_PASSWORD
The problem is that the password is not sent to the RDP session. When I enter the password hardcoded (e.g. passwort=secret) it works.
So, how can a variable be sent for the password? Or is it by design that only a hardcoded password can be used?
Thanks a lot,
Norbert
Dear Norbert,
To get this to work, you must configure the bookmark as follows:
server/?csco_sso=1&Parameter&Parameter
server/?Parameter&Parameter&csco_sso=1
Please notice that the key is csco_sso=1 to provide the Java plug-in SSO feature.
For example:
rdp://10.198.29.26/?geometry=1024x768&csco_sso=1&username=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_PASSWORD
I just tested this locally.
Please let me know.
Thanx.
Portu. -
I am not an IT manager, but I am trying to set up an additional route through our router for RDP using NAT. I have successfully set up two other workstations doing this, but the third is not working. I set the first two up by forwarding the public IP address on a port to the internal IP address on the RDP port 3389. The two other workstations are set up this way and work great. The third is set up the same way, but I cannot get in from outside. I can RDP to the workstation from inside the local network. Our network has no IT manager.
Hello,
from what I can see in your non-working configuration, you are using the same address space on two different interfaces:
interface FastEthernet0/0
ip address 63.245.89.83 255.255.255.248
interface FastEthernet1/0
description connected to metrored
ip address 63.245.89.82 255.255.255.248
The router should actually generate an error message telling you that there is an overlapping address space once you try and 'no shut' the FastEthernet1/0 interface.
Regards,
GP -
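The overlap GP points out can be checked mechanically before a configuration is applied. The following Python is an added example, not part of the original thread: the two FastEthernet stanzas are copied from the answer, while the third interface and the function names are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# The two FastEthernet stanzas come from the answer above; FastEthernet0/1
# is a constructed, non-overlapping interface added for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 63.245.89.83 255.255.255.248
interface FastEthernet1/0
 description connected to metrored
 ip address 63.245.89.82 255.255.255.248
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
"""

# Matches "ip address <addr> <mask>" with or without "secondary".
IP_RE = re.compile(r"^\s*ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})(?: secondary)?\s*$")


def interface_networks(config):
    """Return [(interface_name, IPv4Interface)] for each addressed interface."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        match = IP_RE.match(line)
        if match and current:
            addr, mask = match.groups()
            found.append((current, ipaddress.ip_interface(f"{addr}/{mask}")))
    return found


def overlapping_interfaces(config):
    """Return (if_a, if_b, net_a, net_b) for interfaces in overlapping subnets."""
    clashes = []
    for (name_a, if_a), (name_b, if_b) in combinations(interface_networks(config), 2):
        if name_a != name_b and if_a.network.overlaps(if_b.network):
            clashes.append((name_a, name_b, str(if_a.network), str(if_b.network)))
    return clashes


if __name__ == "__main__":
    for name_a, name_b, net_a, net_b in overlapping_interfaces(SAMPLE_CONFIG):
        print(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
```

Both .82 and .83 with a 255.255.255.248 mask fall in 63.245.89.80/29, which is why the pair is reported.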
Strange problem with RDP and mouse, only solved after minimize/maximize
Good day,
We have this very annoying problem with a RDP Terminal Server. It is Windows Server 2008 R2 SP1.
This server has the Session Host role installed, with local RDP user licenses.
We only have this issue when running a certain application.
This application is called Rockwell FactoryTalk View and this is an application to display industrial processes.
It will take the Full Screen in a fixed resolution and will display buttons, objects, values... The application also uses Internet Explorer cache so I think it uses ActiveX, Flash or Java, I don't know.
What sometimes happens is this:
- The mouse pointer is able to move in the entire screen (good)
- The mouse button will only work in 1 certain area of the screen (which is a small rectangle)
- The mouse "hovering" above objects will also only highlight items that are in this rectangle
- The keyboard remains functional and with alt-tab other objects or other applications can get focus, but still no mouse clicking
The problem can be solved by:
- Minimizing the RDP window and maximizing it again
- Or: Sending a message to the session using task manager, after clicking "OK" on that message the problem is gone
Normally, about 5 users will have this application opened in their session, the "crash" is only affecting 1 session.
The problem seems to happen randomly and we don't know if we should point to the FactoryTalk application, or to Terminal Services/RDP. The end users have no rights to minimize/maximize; this is not the solution.
Is it possible to have any input on this please?
Thank you.
Hi,
Thank you for posting in Windows Server Forum.
Firstly, please check with the application support team whether the application is fully supported by Windows Server 2008 R2 in a remote session. In addition, I suggest you update the client RDP version to RDP 8.1 and check the result for better features and functionality.
Apart from this, there is a hotfix for the issue. Please download, install and check the result.
Cause:
The issue occurs because the remote desktop ActiveX object does not deactivate the focus of the remote desktop session when the focus is lost. Because the focus is still activated, the remote desktop ActiveX object cannot set the focus of the remote desktop session again when you change the focus back to the session.
A remote desktop session does not respond to keyboard input or mouse input after it loses the focus in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2579381
Hope it helps!
Thanks.
Dharmesh Solanki -
Hi, when I open RDP on my iMac, it reads "cannot open default.rdp" and it never saves my preferences or connections. It resets after each launch.
How do I go about fixing this?
UPDATE and FIX
I went to the Finder menu, clicked on GO, held down Option (Alt) to bring up the Library.
In the Library, I browsed to Preferences, found the com.microsoft.rdp plist and deleted it. Then I emptied my Trash. If you get an error saying rdp plist is in use and cannot be deleted, quit out of RDP or reboot the machine (if quitting RDP doesn't work).
Also, there was a permissions issue. I browsed to the Applications folder, located the Microsoft Office folder, right clicked the folder (or CTRL click) and selected GET INFO. First--In order to make any changes, authenticate with admin privileges using the lock icon (put in your username and password). From there (under Sharing & Permissions), I made sure my username (account currently logged in) and everyone had Read & Write privileges, then I clicked on the little gear icon (drop-down) and selected Apply to Enclosed items.
Voila!
This worked for me.
Actually, I still receive an error when I try to save the connections.
I get an error that reads
"Make sure that you have permission to write to the location where you want to save the file"
Any help with this would be great!
ah, RDP on a mac -
How to create a group policy for a group not to logout from rdp
There is already a global policy for all users in the OU which will disconnect an RDP session after 15 min of inactivity and log the user out in another 15 min (logout 30 minutes).
How do I create another policy for a group in that OU so that group's users will not be logged out (executives are asking for this)?
Hi,
In addition to Martin’s suggestions, we can also choose to change the scope of the existing GPO with Security Filtering.
Regarding Security Filtering, the following article can be referred to for more information.
Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
Filter Using Security Groups
http://technet.microsoft.com/en-us/library/cc752992.aspx
Best regards,
Frank Shen -
We would like to request Microsoft Remote Desktop (MRD) to behave the same as the open source CoRD.app on OS X with respect to URL resolution.
Example: MRD will resolve from Terminal rdp://full%20address=s:<IP or DNS Name>, but not rdp://<IP or DNS Name>
As the OS will respect any of the following protocols in Terminal or browser:
afp://<username>@<IP or DNS Name>
cifs://<username>@<IP or DNS Name>
ftp://<username>@<IP or DNS Name>
ftps://<username>@<IP or DNS Name>
http://<username>@<IP or DNS Name>
https://<username>@<IP or DNS Name>
smb://<username>@<IP or DNS Name>
ssh://<username>@<IP or DNS Name>
vnc://<username>@<IP or DNS Name>
(<username> can be omitted to force authentication at connection) it seems slightly redundant to force "full%20address=s:" in the URL.
Can Version 8.0.1.6 be modified to address this request?
What is the proper way to report an enhancement request or bug?
Thank you for your consideration.
Hi,
From your description it appears that you want to modify the pattern for assigning the RDP full address, but this is not supported as per your requirement. That is the default string which we need to have for passing the full address.
Hope it helps!
Thanks.
Dharmesh Solanki