Server 2012 Firewall is blocking RDP over VPN

I have a 2012 server running a VPN and I cannot connect to the server itself over RDP when I am connected through the VPN. I can connect without issue though from a machine on the local physical network. The standard RDP firewall exceptions are enabled.
If I turn off the server firewall completely, I can connect with both, so clearly it is a firewall issue, but only with the VPN connections. Turned on logging, and this is what I get. I am not sure why these are different or what adjustment needs to be made to the firewall, as I don't want to leave the firewall off.
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-07-08 23:01:05 ALLOW TCP 192.168.20.100 192.168.20.125 1242 3389 0 - 0 0 0 - - - RECEIVE
2014-07-08 23:01:26 DROP TCP 192.168.20.200 192.168.20.125 39646 3389 52 S 748485790 0 8192 - - - RECEIVE
The top line is when I RDP from a local machine (20.100), the second line is an RDP from a remote machine while connected over the VPN (20.200).
Matt Kleinwaks - MSMVP MSDN Forums Moderator - www.zerosandtheone.com

Hi,
Make sure you have enabled all three Remote Desktop rules in the firewall:
Remote Desktop - Shadow (TCP-In)
Remote Desktop - User Mode (TCP-In)
Remote Desktop - User Mode (UDP-In)
Have you checked the detailed settings of the Remote Desktop rules in the firewall? Be careful with the Scope tab in the properties.
If the issue persists, please enable the auditing of Windows Firewall events.
To enable auditing of Windows Firewall events, please follow the steps below:
1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Group Policy settings in your organization.
2. Open Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, and then click Audit Policy.
3. Double-click Audit process tracking, select the Success and Failure check boxes, and then click OK.
4. Double-click Audit policy change, select the Success and Failure check boxes, and then click OK.
For detailed information, please view the link below,
Enable Auditing of Windows Firewall Events
http://technet.microsoft.com/en-us/library/cc786961(v=ws.10).aspx
Hope this helps.
Steven Lee
TechNet Community Support
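
Added example, not part of the thread: a small Python parser for the firewall log format quoted in the question. It reads the #Fields header, then reports per source address how many connection attempts to a given port were allowed or dropped, and which drops were initial SYN packets. The function names are illustrative, and the embedded sample is the header and the two entries from the question.

```python
"""Per-source ALLOW/DROP summary for a Windows Firewall log (added example)."""
from collections import defaultdict

# Sample input: the header and the two entries quoted in the question above.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-07-08 23:01:05 ALLOW TCP 192.168.20.100 192.168.20.125 1242 3389 0 - 0 0 0 - - - RECEIVE
2014-07-08 23:01:26 DROP TCP 192.168.20.200 192.168.20.125 39646 3389 52 S 748485790 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters here; it names the columns.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        parts = line.split()
        # Skip truncated or malformed rows rather than mis-aligning columns.
        if not fields or len(parts) != len(fields):
            continue
        entries.append(dict(zip(fields, parts)))
    return entries


def summarize_port(entries, dst_port, protocol="TCP"):
    """Count ALLOW and DROP entries per source IP for one destination port."""
    counts = defaultdict(lambda: {"ALLOW": 0, "DROP": 0})
    for entry in entries:
        if entry.get("protocol") != protocol:
            continue
        if entry.get("dst-port") != str(dst_port):
            continue
        action = entry.get("action")
        if action in ("ALLOW", "DROP"):  # other actions are ignored
            counts[entry["src-ip"]][action] += 1
    return dict(counts)


def blocked_sources(summary):
    """Sources that were dropped at least once and never allowed."""
    return sorted(ip for ip, c in summary.items() if c["DROP"] and not c["ALLOW"])


def dropped_syns(entries, dst_port):
    """DROP entries whose TCP flags show a bare SYN (S set, A not set).

    A dropped bare SYN means the connection was refused on its first
    packet, before any session existed.
    """
    result = []
    for entry in entries:
        flags = entry.get("tcpflags", "-")
        if (entry.get("action") == "DROP"
                and entry.get("dst-port") == str(dst_port)
                and "S" in flags and "A" not in flags):
            result.append(entry)
    return result


if __name__ == "__main__":
    log = parse_firewall_log(SAMPLE_LOG)
    summary = summarize_port(log, 3389)
    for src, c in sorted(summary.items()):
        print(f"{src:15}  ALLOW={c['ALLOW']}  DROP={c['DROP']}")
    print("Only ever dropped:", blocked_sources(summary))
    for e in dropped_syns(log, 3389):
        print("Dropped SYN:", e["date"], e["time"], e["src-ip"], "->", e["dst-ip"])
```

Run against the full log file rather than the two sample entries, the same summary shows whether every VPN-assigned address is dropped or only some of them.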

Similar Messages

  • SNMP server on PIX IOS 7.2 over VPN

    Hi Team,
    I have a simple query about the issues I'm currently facing.
    I have a PIX firewall at a remote site which is configured to get the SNMP poll on the server located outside via site-to-site VPN.
    There is another SNMP server, also located inside, which I'm not managing.
    ========================================================================
    Below are the commands for the SNMP configured on the PIX.
    snmp-server host inside x.x.x.x community XXXXX ---This is not managed by us
    snmp-server host inside x.x.x.x community XXXXX
    snmp-server host outside y.y.y.y (private IP tunneled though VPN)  poll community YYYYY ---Managed by us
    snmp-server host outside y.y.y.y  poll community YYYYY
    snmp-server community XXXXX
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    access-list acl-VPN-tunnel line 2 extended permit ip host z.z.z.z (outside interface of PIX firewall)  host Y.Y.Y.Y (server located outside)
    ==============================================================================
    There are 2 SNMP communities and servers defined in the snmp-server host command for 2 different IP addresses belonging to the SNMP server, and we can only define one global snmp-server community for any one of them. The question is how the SNMP community takes precedence.
    Currently I am able to ping from my SNMP server from outside to the PIX firewall outside interface over L2L VPN, but somehow the SNMP server is not listening when I do a port query on 161 port.
    I'd appreciate your inputs on this; let me know if any more details are needed.

    What was the resolution?  I am having the same issue.
    Thanks!

  • Windows Server 2012 Group Policy Block USB Storage devices @ User Level Not getting applied on a Domain Client machine with Windows Server 2008 R2. Why?

    Hello,
    I have a Windows Server 2012 R2.
    I have configured the Group Policy on it to block the usage of USB - Storage Devices @ user level on the client machines. It works properly for my Windows 7 client machines but it's not working on one of the machines having Windows Server 2008 R2 installed on it (this machine is also a domain client in the same domain).
    I will really be thankful if anyone can suggest some solution to this issue.
    Please feel free to write back in case I have missed anything obvious to be shared.
    Thanks!
    -Vinay Pugalia

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Community Support

  • Unable to access local resources or RDP over VPN Connection

    Dear Tech People.
    I have a Windows 7 computer that I have created a VPN service through Windows on. I am able to connect to the VPN from outside of my network with my Macbook Air. However, I am unable to connect to the computer via RDP, nor can I ping my PC that I am VPN'd into (192.168.1.252). When I am connected, the IP address that I am assigned, is 192.168.1.150. When I run ipconfig /all, I can see the "RAS < Dial In> Interface for VPN, and it is setup with an ip address of 192.168.1.151 with a /32 subnet mask. There is no default gateway listed, which is why I believe that this is not working. I cannot determine any way to make this change.
    Basically, I have a VPN connection that I can do nothing with. I cannot access shared resources, nor can I start a remote desktop session. The pass through is setup for PPTP with my router, which I believe is working, as I couldn't even connect prior to this. Below is the full results of my ipconfig /all command on my Windows PC:
    C:\Users\Zach>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : Serenity
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : att.net
    PPP adapter RAS (Dial In) Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.151(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : att.net
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : BC-5F-F4-85-5E-A8
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2602:306:ce94:2570:3144:306c:cdae:d615(Preferred)
       Temporary IPv6 Address. . . . . . : 2602:306:ce94:2570:bd83:220:80a0:eb1e(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3144:306c:cdae:d615%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.252(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, October 26, 2013 7:27:27 PM
       Lease Expires . . . . . . . . . . : Thursday, October 31, 2013 7:28:28 AM
       Default Gateway . . . . . . . . . : fe80::22e5:64ff:fe0c:5640%11
                                           192.168.1.254
       DHCP Server . . . . . . . . . . . : 192.168.1.254
       DHCPv6 IAID . . . . . . . . . . . : 247226356
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
       DNS Servers . . . . . . . . . . . : 192.168.1.254
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter VMware Network Adapter VMnet1:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
       Physical Address. . . . . . . . . : 00-50-56-C0-00-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d906:32d3:7108:1227%15(Preferred)
       Autoconfiguration IPv4 Address. . : 169.254.18.39(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 335564886
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter VMware Network Adapter VMnet8:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
       Physical Address. . . . . . . . . : 00-50-56-C0-00-08
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::fc76:1de8:a7c3:27dd%16(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.135.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 352342102
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.att.net:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : att.net
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{20B8F51C-F852-41EF-9F9B-1D0107550D1E}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{8CCEC9EC-0685-4C6A-A87A-CED27B6C93E5}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Any thoughts or help would be greatly appreciated.

    Hi,
    I'm so glad you have solved the issue in this way.
    And thanks for sharing; your solution shared here will provide other people in this forum with a great help!
    Regards,
    Ada Liu

  • Can't RDP over VPN in metro RDP app

    I have a strange issue. I recently purchased a Lenovo Tablet 2 running Windows 8.1. My company uses the Cisco 5.0 VPN client. This client doesn't work with Windows 8, so I found an alternative called Shrewsoft which seemed to work well. My issue is that I can't connect to any computer on my domain when connected to VPN while using the RDP app from metro mode; however, if I switch to the desktop and launch the RDP app from there I can connect fine. If I am on the local network (not using VPN) I can connect to computers using the app in metro mode just fine. This is really baffling me. Anyone have any ideas why this might be happening?

    Hi,
    I have tested in my workstation:
    1. Set a vpn host.
    2. Use Windows 8.1 client to connect to the VPN connection.
    3. Try to connect the other PCs in my workstation, it worked fine.
    Note, I have no gateway settings and use no VPN client.
    I wonder whether there are any gateway settings in your desktop RDP.
    Please check this:
    If there is any gateway set in your desktop RDP, please open your Store app - Remote desktop -> Swipe to the right corner -> Settings -> Connection settings -> Under Remote desktop gateway, please copy the gateway settings of desktop RDP into it.
    Then check the results.
    Also, would you please check the built-in VPN connection in Windows 8.1?
    Kate Li
    TechNet Community Support

  • Windows Server 2012 Terminal Services (Client Side)

    I would like to see the interface of the new Windows Server 2012 Terminal Session via RDP. Reason being, is that users are resistant to change - and if there is no start button like in windows 8, that is a big concern when considering upgrading our server to 2012. Anyone know what it looks like? Screenshots of being logged in as a user via RDP would be much appreciated!
    Thanks

    Hi,
    Yes, there is a Start Button in Server 2012 R2:
    You may download the preview and test if you like:
    http://technet.microsoft.com/en-US/evalcenter/dn205286.aspx
    -TP

  • When is or will there be a SQL Server 2012 R1 SP2 release date?

    SQL Server 2012 SP 1 was released over a year ago on 11/8/2012. When is the next service pack going to be available?  I see announcements for SQL Server 2014 CTP's, but what about fixing 2012?
    SQL Server is now up to CU5. I had a small hand in CU5 after reporting issues with CU4. One of the fixes found in CU4 broke SSRS multi-value reports, oddly enough. CU5 continues to have 'unexpected errors' but SSRS is fixed. Where CU's clearly stated to have limited testing and no guarantee to work in all environments, it is essential these cumulative updates are packaged in a hardened Service Pack.
    Is there no SP2 release date in sight?

    Hello,
    I have never seen Microsoft releasing a service pack of SQL Server in January. I think you should expect the next SQL Server 2012 service pack between February and April.
    Customers should expect SQL Server service packs every 12-15 months except for the first service pack of each new version. The first service pack of each new version usually comes 9 months after RTM has been released.
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • Server 2012 NPS Server not authenticating IKEv2 requests

    Hello Experts, I am having a weird problem regarding NPS Server when I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2. In my infrastructure I have a Windows 2008 R2 based AD, and in its domain I have an NPS server joined as a member server. This NPS server is based on Server 2012 R2. When I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2, IKEv2 stopped working; every other protocol works. On Windows 7, when I try to connect using IKEv2 it hangs at verifying username and password, and when I tested IKEv2 in Win 8 it says IKE authentication credentials are unacceptable, in spite of my server certificate being valid and EKU compatible. When I connected IKEv2 via my other server, a Server 2008 R2 based VPN server, IKEv2 works like a charm without any issues, successfully authenticating. The problem seems to...
    This topic first appeared in the Spiceworks Community

    Indeed the 255.255.255.255 subnet mask is expected for non-compliant clients.
    But my issue is that non-compliant clients get an IP address from the entire subnet and I want to assign only a specific range in my entire subnet/scope to be assigned to non-compliant clients.
    It's funny you can specify an IP Address Range in the DHCP policy but then it doesn't work.
    On the other hand you have a valid point there Greg about DNS/DHCP flooding.
    Still hope to hear why this setup will not work and if it is supported or can work though :-)

  • Why does my Cisco router firewall block Windows Server 2012 traffic, but not Windows Server 2008 traffic?

    Hello,
    I run a small business network with five physical servers: three Dell servers running Windows Server 2008 R2, one custom build running 2008, and another custom build running 2012 with Domain Controller Role (same hardware for both custom builds). The Dell servers are all running the Hyper-V role and each has a number of 2008 VMs. I also have a 2012 VM with the Domain Controller Role on one of the Hyper-V servers and another VM with a completely base install of 2012.
    All servers are plugged into a Cisco SG300-52 switch which is uplinked to a Cisco 881 router which is connected to a cable TWC provided Ubee cable modem. I have no VLANs set up. I do have the Firewall on the router configured to inspect most traffic.
    Here is my problem: I cannot connect to most of the internet on ANY 2012 server (and all exhibit the exact same behavior), but I have NO problems connecting to the internet from 2008 servers. Here is what I already know:
    1.) I can ping the outside world just fine so ICMP is passing to any external host.
    2.) Two of the 2012 servers are DCs running DNS services and they can connect to the internet just fine for DNS requests because they are doing a perfectly good job of providing DNS services to my network.
    3.) Here's where it gets really weird: I can browse in Internet Explorer to Bing.com and it works. I can also go to a couple other Microsoft websites (though they are very slow). If I click on any link in Bing, however, it doesn't work and gives me a page not available error. If I connect to a non-MS website like Google or my company website, I get page not available.
    4.) I have tried to telnet to port 80 at Bing and it works. I have tried to telnet to port 80 at google.com and it won't connect. The 2008 servers have no issue telnetting to either bing or google on port 80 and none of my client PCs on the network do either.
    5.) Windows Update will not connect and neither will any other update service such as AVG (I have AVG Antivirus installed WITHOUT firewall on two of the three servers. The base 2012 VM has no software installed and no roles...I built it just to see if it could connect after a fresh install and it still cannot.)
    6.) The network connection does not indicate limited connectivity (probably because ICMP appears to be passing successfully)
    7.) If I connect the server directly to the modem it has full internet access.
    8.) All internal LAN connectivity is perfectly fine and runs at full speed.
    9.) I have scoured the internet trying to find other examples of this particular kind of connectivity issue on 2012 and I have found two TechNet articles that are similar, but they both had the same resolution: changing the router worked, but no one knows why. (I would have included the links, but apparently I cannot do that yet)
    My question is this: What is different about Windows Server 2012 networking that would render it unable to communicate through a router that Windows Server 2008 has no problems with? I ask because, unlike in these two articles where they were running personal networking equipment they could easily upgrade, I'm running a Cisco 881 with what should be virtually limitless configuration options and I have no desire to replace it. I have to assume the issue is somehow related to the firewall configuration, which I could fix easily, but I don't know what to change. If anyone knows what changed in 2012 and why I would be able to browse to bing and other MS sites but nowhere else, please pass them along. Thanks.

    This is the IP Config for the 2012 DC:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : COMPANYDC02
       Primary Dns Suffix  . . . . . . . : company.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-25-90-DC-EF-D5
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::81d5:53cf:bd07:14ed%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCPv6 IAID . . . . . . . . . . . : 301999504
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-96-D5-C3-00-25-90-DC-EF-D5
       DNS Servers . . . . . . . . . . . : 10.10.10.202
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{9929D989-8E88-4096-A1CB-61F1DB173FA3}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    This is the IP Config for the fresh install 2012 VM:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN-800299O7ES6
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-0A-5C-02
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.10.10.49(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 10:23:01 PM
       Lease Expires . . . . . . . . . . : Wednesday, August 27, 2014 10:23:01 PM
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCP Server . . . . . . . . . . . : 10.10.10.1
       DNS Servers . . . . . . . . . . . : 10.10.10.220
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.company.local:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    NOTE: 10.10.10.220 and 10.10.10.221 are the other domain controllers on my network. One of them is 2012 and one of them is 2008. They are both functioning correctly for providing DNS services. The 2012 Virtual DC, however, still has the internet connectivity issue that this whole post was about in the first place.
    NOTE2: When I logged on to COMPANYDC02 this morning, it told me that I had new Windows Updates that needed to be downloaded. Confused, I checked the most recent time WU had checked for updates and it had successfully checked for updates last night at 10pm. Of course, it failed when trying to download them, but it appears that once in a while, a connection gets through successfully...

  • Office 2013 over Windows Server 2012 RDP World Add-On Macro/Template Error

    I have a new Windows Server 2012 Remote Desktop environment for about ten users (not R2) with the latest Office 2013 Pro installed.
    The users all have an add-on word template in Word for Office 2013.  That add-on was installed as administrator and ONLY works as administrator.
    When any other user (even if they are local administrators, domain admins, etc.) opens Word, they are immediately prompted with the following message:
    "Could not load some objects because they are not available on this machine."
    If a user "runs as administrator" it runs fine.  Obviously, I don't want that.  I have been searching and searching and thought maybe there was a group policy or Office setting someone may know that I just can't find.
    Any help would be awesome!  Thank you.

    Hi,
    Once you login with the user account which is not getting access, try the below steps and check if it helps fix the issue: 
    Click on start->control panel->programs and features->right click on the Office 2013 program->click on change->add or remove features-> click on the drop down arrow which is before the Microsoft Office->click on Run all from my computer->Continue.
    Once completed restart the computer and then open to check if the issue occurs.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Server 2012 R2 RRAS NAT VPN connectivity issues

    Hello all,
    I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not working properly.
    Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
    1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
    2. The entire environment is on Server 2012 R2 Hyper-V. I’ve configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I’ve configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
    3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it’s not an IP changing anywhere. I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
    4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I’m thinking this is where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
    5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
    6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
    The actual error I'm receiving is Error 809 which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had no issues connecting to my VPN server remotely.
    Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
    1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
    2. How can I test if NAT-T is working outside of VPN testing?
    3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond that server? What are the security implications for running VPN from the router?
    Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have netmon captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience, recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
    Respectfully yours,
    Ron Arestia

    Hi Ron,
    Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
    For detailed information, please refer to the link below:
    http://support.microsoft.com/kb/926179
    Best Regards.
    Steven Lee
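The registry value named in the reply above, checked and set from an elevated PowerShell prompt. This is an added example, not part of the original posts; the key path and the meanings of 0, 1 and 2 follow KB 926179, and choosing 2 is an assumption for a setup where client and server are both behind NAT.

```powershell
# Added example: inspect and set the NAT-T policy value described in KB 926179.
# Run elevated on the machine the KB change is being applied to.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'
$want = 2   # assumption: VPN client and VPN server are both behind NAT

# Meaning of each value, per the KB
$meaning = @{
    0 = 'no security associations with servers behind NAT (default)'
    1 = 'security associations allowed when the server is behind NAT'
    2 = 'security associations allowed when server and client are both behind NAT'
}

# A missing value behaves like the default (0)
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 0 }
"Current: $current = $($meaning[[int]$current])"

if ([int]$current -ne $want) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force |
        Out-Null
    "Set $name to $want. Restart the computer for the change to take effect."
}

# Confirms only that something on this machine is bound to UDP 500 (IKE) and
# UDP 4500 (NAT-T); it does not prove that the NAT router forwards them.
# Get-NetUDPEndpoint needs Windows 8 / Server 2012 or later.
Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```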

  • Single server solution for RDS / TS / RDP using Windows Server 2012 R2

    Planning on setting up a small single server and need this functionality:
    * 3 local users running Windows 7 Home Premium need to access files on the server
    * The same 3 users should also be able to connect from home (PC, Mac, iPhone) and run an application on the server. (Session-Based Remote Desktop).
    We want to use Windows Server 2012, and found out that Essentials does not support RDP, so that leaves Foundation and Standard versions.
    However, I also found out that in WS 2012 the RDP cannot be on the same server as the Domain Controller, and we therefore need to run 2 server instances on our hardware. I think this starts to look way too complicated for what we want to do, but found out that WS 2012 R2 allows a single server to run RDP (See TechNet article 2833839).
    So we will go for Windows Server 2012 R2, either Foundation or Standard to set up our RDP.
    So now the question: Will that solution work with our local machines running Windows 7 Home Premium, as they cannot connect to a domain? Can we set up some kind of simple file share or Workgroup to access files locally while still keeping the RDP functionality on the server?
    And, will WS 2012 Foundation R2 do this as well as WS 2012 Standard R2?
    (I have been asking several local MS representatives to find a solution to our needs, but no one seems to know how this works....of course we could just get 2 WS 2012 Standard server instances, run one as DC and one as RDCB and upgrade all our clients to Win 7 Pro, but we would like a solution with minimal investment in time and money)
    Rgds
    Petter

    Hi Ryan, 
    and thanks for the answer! I do not know how to do "multiple quote" in this forum so I do it this way:
    "have you considered virtualisation, as you can run multiple virtual machines under one licence. I think this would be the cheapest and most efficient use of your money. Upgrading your clients to Windows 7 pro would allow you to have domain control
    Single Sign On SSO. "
    This is the "official" solution I think: Upgrade all clients to Win 7 Pro and run two instances of Win Server 2012 Standard on the server.
    However, I was hoping to get away with something a bit more Quick & Dirty.....;-) We do not have big security issues and will have a good backup system, and I think for 3 users only, it will be more work trying to centralise administration like updating,
    backups etc, than to just go to each machine and do what is needed. 
    We are good with computers/Windows but have no Server experience. A server guy will help us get started, but I don't want him around after that, so it must be a very simple solution.
    Also, installing 2 instances of WS 2012 and upgrading all 3 clients to Win Pro, and then installing all software and settings on the clients into the new domain user accounts on these clients is quite a lot of work. So I was hoping to keep only existing local
    users on the client machines and only have some kind of file share thing going on with the server disks that we need to access. So perhaps use a Workgroup instead of a domain, if that works with the RDS setup?
    "Option 1
    2 virtual machines 1x DC and 1x RDS server."
    So, if we set up RDS this way (so we can log in remote and run our application session-based on the server), can we keep the local clients running Windows Home Premium using our current local user logins (ie no domain user accounts created on the client machines,
    as this is impossible in Home versions) and still access the server disks somehow, or is it impossible? 
    Another question is if it is stupid/a really bad solution...but I still want to know if it is possible....;-)
    "Option 2 
    2 virtual machines 1x DC and 1x RDS server.
    You can configure your RDS solution as a domain joined platform and will still be able to access resources from the local device as you can map local drives to the session host. http://www.serverintellect.com/support/techfaq/drive-rdp/
    Your users would have two sets of credentials, one for the local client and one for the domain."
    I do not want to access files over VPN or RDP, we only want to run an application on the server from remote (Session-Based Remote Desktop). However when we use the local clients we want to access files on the server, and then we access huge image and film files
    on fast RAID drives, so local network speed must be top speed. Also if possible we would like to not upgrade to Win Pro, and then joining a domain is not possible.
    "Option 3
    1x Server
    The second option would be to manually deploy the session host role and licencing role to a work group server. This would limit access to RDP only and you would lose web access functionality."
    I think this is what I was hoping for. It seems that the new R2 release of WS 2012 allows you to run RDP and Domain Controller roles on the SAME instance of the server. That sounds nice, it limits what we need to keep track of and minimises the load on the server that needs to act as a very fast file server locally.
    However, can we do this and still keep file access with only Windows Home (no domain) in the local clients (same question as above under "Option 1")?
    Rgds
    Petter

  • Server 2012 Built-In IPSec VPN & RAS & HyperV-Switch & Netgear Pro Safe Router, Tunnel Ok, but no Traffic

    Hello,
    I am trying to set up an IPsec VPN (Site-by-Site or, if not possible, Client-by-Site) between a Netgear Pro Safe Router and Windows Server 2012.
    The Problem: Tunnel is up and running, but no Ping, no traffic at all.
    The Server 2012 uses HyperV and has one hardware NIC with a public IP, let's say 123.123.123.1.
    If no site-by-site is possible in my situation with built-in tools, this server would be only a client site which would "dial up" to the Netgear box.
    The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.
    The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
    I created the Tunnel in the Advanced Firewall Options window. Both Windows and the Router say the VPN Tunnel is okay. Also, I can see ESP packets with Wireshark.
    If I ping (from router to server and in the other direction) I get no response. Some people said the RAS itself could not accept packages, but I tried from one of the virtual clients also (192.168.137.2) and no ping there either.
    I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway but that didn't help either.
    Now, after all the time I spent today on this problem, I'm a bit confused.
    As I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to this device.
    The Windows firewall does not create any device, and it does not create any route - I suppose this is because "routing and RAS or Windows firewall service" does this work "internally". Is that correct? Do I need any routes?
    I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1 - and I tried to restrict the VPN rule to only the virtual internal NIC but this isn't possible, as it is no option inside the GUI.
    It would be great if somebody could explain to me how config and packages SHOULD look....I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution and any help to solve the problem would be great also!
    Now I'll try to sleep one night - maybe I'll get some nice idea after some hours of sleeping. Good night.
    Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1) inside the tunnel rule and inside the VPN policy of the router, I can access the Netgear and other devices in the remote network 192.168.21.0 over these IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well of course and this weird configuration looks wrong to me...can some network professional help out with an explanation?
    Second Addition: I can set the Local Endpoint also to "any" and it does work - but ping still does not work :-(
    Third Addition: The Ping does work if I disable the NAT functionality on the Physical NIC. ....mhm.....

    I would definitely recommend the usage of a virtual router instead of using the Windows onboard firewall to make the site-to-site tunnel!
    As you can see in my linked thread above (Link)
    this scenario is not supported by Microsoft! You will run into problems!
    We run a HyperV virtual machine and install the wonderful distribution pfsense inside this box. pfsense is a software-linux-router with IPsec functionality, which works like a charm!
    And by the way I recommend not using the products of Netgear! They are expensive, very slow and the service is not good!
    We have good experience with Vigor routers! They are less expensive, the service is very good, and the devices are much faster, AND! ...the VPN connections stay up and stable!
    This experience was very time-intensive to make! Hope this will help someone else in the future.

  • How to RDP access my Windows server 2012 system with Windows 7 system

    In the VMWARE workstation, I have a "Windows server 2012" & "Windows 7" OS deployed. I am not able to RDP to the "Windows server 2012" from the "Windows 7" system even though I have performed the below steps.
    1. Enabled the "Allow Remote Connections to this computer" in Windows server 2012
    2. Disabled the firewall in Windows server 2012.
    Can someone advise me on the below.
    1. How to RDP to my Windows server 2012 from my Windows 7 with "Firewall disabled" & "Firewall Enabled" conditions

    Hi,
    Just make sure that the firewall is disabled in all three profiles Domain/Private/Public.
    Create an incoming UDP rule on firewall to allow port 3389 and give it a try.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/b1ec4602-7120-4660-a1ba-e05289a479cf/windows-2012-r2-firewall-blocking-remote-desktop?forum=winserverTS
    Regards,
    Rafic
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
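For the "Firewall Enabled" case in the question, the built-in Remote Desktop rules can be checked per profile and the inbound UDP 3389 rule from the reply created with a limited source scope. This is an added example, not part of the original posts; the rule name and the client subnet are placeholders, and the rule group name assumes an English-language Windows Server 2012.

```powershell
# Added example: audit the RDP firewall rules with the firewall left on.
# Run elevated on the Windows Server 2012 machine.

# Which firewall profile each network interface currently falls under
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Built-in Remote Desktop rules: enabled state, profiles, port and remote scope
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    $port  = $_ | Get-NetFirewallPortFilter
    $scope = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $scope.RemoteAddress
    }
} | Format-Table -AutoSize

# Turn on the built-in group if any of its rules show Enabled = False
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# The inbound UDP 3389 rule suggested in the reply, restricted to the
# subnet the RDP clients connect from instead of any address.
$clientSubnet = '192.0.2.0/24'   # placeholder: replace with your client network
New-NetFirewallRule -DisplayName 'RDP UDP 3389 (example)' `
    -Direction Inbound -Protocol UDP -LocalPort 3389 `
    -RemoteAddress $clientSubnet -Profile Any -Action Allow
```

A rule that is enabled but has a RemoteAddress or Profile that does not match the connecting client drops the connection just as a disabled rule does.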

  • How can i use ONE server 2012 to be DC for a domain on the WAN only.. NO LAN. and NO VPN..

    I need to run an Active Directory that is on a WAN (Utah). A Server 2012 Standard will be the DC with 60Mbps internet speed both up and downstream.
    Approximately 100 clients/member systems will be all over the United States. NO VPN. Only via internet. I can use an SSL certificate for secure LDAP.
    I need this setup to use GPO for different permissions and policies instead of manually doing those on each Windows 7 or 8 Professional system.
    Ideas??

    Daniel,
    I think since this will be the ONLY system that will be running as a DC providing ADDS and the DirectAccess server, I should follow this advice from the article you sent:
    For users who never connect directly to the Contoso intranet or through a VPN, they must use the DirectAccess
    Offline Domain Join process to initially join the appropriate domain and configure DirectAccess. When this process
    is complete, the users log on normally and have the same experience as if they were directly connected to the Contoso intranet.
    Because remember, no user will ever connect directly to the subnet where the server is. So do an offline join first and then start managing.. The only thing I'm worried about is: they keep saying that the DirectAccess function has significantly improved in Windows 8. Hmmmmm, many systems will be using Windows 7 Pro 64-bit. Some Windows 8.1 Pro 64-bit. Should I worry?
