Question: Remote Desktop issues after modem replacement

Oct 29, 2015
143
3
81
I've been beating my head off the wall most of the day about this one...

I have a business client who, without thinking everything through, has had the ISP replace their fibre op modem without giving me time to look the old modem over to see if there were any custom settings in place.

This client has a number of remote offices that were using a remote desktop connection to access all the things they need.

Normally they would use the address remote.########.ca:3400 to log in and do what they need. Now if they use that connection they get an error stating that it couldn't connect due to one of three things:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network.
If I drop the :3400, I can connect with an administrator account, but not as the users who need this access.
I looked into the new modem and created some port forwarding rules for 3400 (TCP and UDP) to direct to the right internal IP, but if I check this port on canyouseeme.org, it shows as being blocked.
The client has a GOTDNS account that connects the IP to the DNS name and from what I can see the IP and DNS have refreshed properly.
They had another person who set this up for them initially but left on bad terms, so they're out of the picture to contact.
Now I've gotten my hands on the old modem, but the GUI doesn't appear to be functional anymore, I can ping it and get a response but no luck on the GUI. It's an Actiontec R1000 and the ISP is Bell.

Any tips or suggestions would be fantastic.

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Apparently a terrible bug created by MS like what @Johnny Ringo and news described.

When I try to remote desktop using the administrator account, it doesn't work. I receive a message like the following.

The credentials that were used to connect to xxx.xxx.xxx.xxx did not work.
Please enter new credentials.


or

1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network.


depending on different Windows client

If I create a new account and give it Remote Desktop rights, it works perfectly, but only via the LAN.

Remote desktop through WAN would not work at all! Whether the Administrator account or a new account.

Unfortunately, I can't uninstall KB4480968.

After running recommended registry fix,
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
it still didn't work for administrator! YMMV.

Non administrator account works though, LAN and WAN!

All test done using default port 3389.

==

https://support.microsoft.com/en-us/help/4480968/windows-server-2008-update-kb4480968

Known issues in this update

Symptom
Local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows Server 2008 SP2 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local "Administrators" group.

Workaround
To work around this issue use either a local account that is not part of the local “Administrators” group or any domain user (including domain administrators).

We recommend this workaround until a fix is available in a future release.

==

You probably have to find alternative solutions at the moment if your client has to use an account that's in the administrators group.
Oct 29, 2015
Just to reiterate (because I know I should have structured my initial post better), I am able to connect through the WAN using an admin account. It's the non-admin group accounts that can no longer connect even though they could previously without issue. If I use RD locally, those accounts are fine.
I believe it's some security/firewall setting that is causing the problem, but I figured the port forwards would fix the issue. Not sure what to try next short of moving this server out into a DMZ.

mxnerd

Do they have multiple machines running remote desktop using different ports? Maybe one uses 3400, another uses 3389, etc?
Probably need multiple port forwarding?

==
Online port scanning doesn't always work. Tried several online scanners and none detected open port 3389. (https://geekflare.com/port-scanner-server/)

==
Could still be caused by the patch. I tested the remote desktop in a non-domain environment.

QuietDad

Senior member
Dec 18, 2005
523
79
91
The address remote.########.ca:3400 gives it away. Willing to bet the modem change changed the IP, and ########, which would be the IP address, is different.

Edit: My bad. I see now it's a group permission problem.

mxnerd

*Update*

Uninstalled KB4480970 (for Windows 7, not KB4480968 for Windows 2008)

with command line wusa /uninstall /kb:4480970 /quiet (administrative rights), reboot

and it worked now, LAN & WAN, even users in administrators group!

==
*** Need to turn off automatic Windows Update. ***
Oct 29, 2015
I uninstalled that Windows update last night without any success on getting connected but I will try the registry entry edit when I get onsite later today.
The WAN IP did indeed change, but the GOTDNS utility installed on the Server these user RD into has already refreshed with the new IP, so it and the cname are coming up right.
All of their branch offices use 3400. Would there be something within the Remote Desktop settings on the server that would also need to be changed?

mxnerd

Make sure automatic Windows Update is turned off first or the patch probably will be re-applied automatically.

I also deleted that registry entry and it still works. YMMV.

So all of their branch offices exhibit same problem?

Use NirSoft CurrPorts https://www.nirsoft.net/utils/cports.html to check exactly what port Remote Desktop or Terminal Service is running on. They probably didn't change the port on the server/workstation; instead they just forward port 3400 on the router/modem to port 3389 on the server or workstation.


This is how you change Remote Desktop port if you need to.
https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop

==
* Windows Update will still show the patch was successfully installed even if you uninstalled it correctly. *

Oct 29, 2015
I will try deleting that reg entry over the weekend while they're closed. I've gotten myself a little breathing room for the time being, as I've gotten these branch users to use a VPN connection and then RD to get past this hurdle. But in doing this my client has revealed another bit of weirdness to add to the mixture...
So at their head office they have two servers:
The one I've been speaking of so far is an SBS (2008) that is acting as the DC, holds the AD, and runs their Exchange server. It also has the DynDNS utility running on it to keep remote.##########.ca connected to the WAN IP.
The other server (Server 2012 r2 standard) contains the server software for their dispatch program and their accounting program, on top of also hosting their personal user data and "public" shared data for common use documents and resources.
From the way this client had been describing the setup for the remote users, I had understood that going through remote.#########.ca:3400 was connecting them to the SBS, but it is supposed to connect them to the one running 2012 R2. Dropping the 3400 and using an admin account takes me into the SBS rather than the 2012.
I've set up simple RDs for people before but this setup has me perplexed.

mxnerd

Like I said, use the CurrPorts utility to check what TCP port the RD service is using to confirm the setup.

If you have more than one machine behind the NAT router running the Remote Desktop service, then you have to set up multiple port forwards. Since there are 2 machines in the headquarters running the RD service, one of the machines has to run RD on a port other than 3389. So maybe that's why one was using TCP port 3400 and another was using default port 3389, so there was no need to specify the port number when connecting.

But no matter what current config is, for better security reasons, you can change the setup so that 1st machine uses port 3401, 2nd machine uses port 3402 and so on.

So in HQ case, SBS 2008 should be using TCP port 3401 and Server 2012 should be using TCP port 3402. In this case, both machines need to change their registries.

For branches that have only one machine running RD, you can just forward TCP 3400 to 3389 and no registry modification is required.
Oct 29, 2015
Thank you for pointing me in that direction, the S2012 was listening on port 3389. I've made the change in the registry so this should take effect when this machine restarts tonight, so I'll be able to check while I'm at work tomorrow to see if that change worked properly (fingers crossed).
I appreciate the help guys, my RD setup experience has been pretty sterile so I'm gonna keep some notes on this for the future and develop some sort of package to refer back to for future issues with this site and turn it over if they ever get their own in-house IT.

mxnerd

Forgot to mention that you have to add a Windows Firewall Inbound Rule to allow TCP port 34xx or it won't work.
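The per-host port change and firewall rule described in the two posts above, written up as one elevated PowerShell script. This is an added example, not code from the thread or from Microsoft; it uses the RDP-Tcp PortNumber value the linked KB article documents, 3402 is a constructed example port, and netsh is used for the firewall rule because New-NetFirewallRule does not exist on Server 2008.

```powershell
# Added example: move this host's RDP listener to its own port so the router can forward
# remote.<domain>:3401 and :3402 to different machines, and open that port in Windows Firewall.
# Assumptions: run in an elevated PowerShell; $NewPort (3402) is a constructed example value.
param([int]$NewPort = 3402)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record the current listener port so the change can be reverted if needed.
$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $oldPort"

# Refuse a port already bound by another service (e.g. IIS/Exchange on 443) to avoid
# a silent collision after reboot.
$inUse = netstat -ano -p tcp | Select-String ":$NewPort\s+\S+\s+LISTENING"
if ($inUse) { throw "TCP $NewPort is already in use on this host; pick another port." }

# 1. Open the firewall FIRST. If this script is run over an RDP session and the registry
#    changes before the rule exists, the host is unreachable after the restart.
#    netsh works on both Server 2008 and 2012 R2; New-NetFirewallRule is 2012+/Win8+ only.
netsh advfirewall firewall add rule name="Remote Desktop (TCP $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort profile=domain,private
if ($LASTEXITCODE -ne 0) { throw "Firewall rule was not created; aborting before touching the registry." }

# 2. Point the RDP-Tcp listener at the new port. The KB article notes this takes effect
#    only after the computer restarts.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

$confirmed = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP listener set to $confirmed (was $oldPort). Restart the host, then forward WAN TCP $confirmed to this machine on the router."
```

After the reboot, CurrPorts or `netstat -ano -p tcp | findstr LISTENING` should show svchost/TermService bound to the new port, and the old 3389 forward on the modem can be removed.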

Oct 29, 2015
So I got poking around in the modem again today and found a section that I hadn't noticed under the Firewall settings. Found that PPTP was disabled in the ALG/Pass-Through; enabled it and got back up and going on the proper server for the RD sessions.

Now I've got a semi-separate issue to figure out. The email on their phones works while connected locally, but when external it will not get new email and throws no errors. The address they use to connect to Exchange is basically the same address as before, remote.##########.ca with no port designated.

mxnerd

So they used PPTP to establish VPN connection first then use Remote Desktop?

==

Exchange ports to open, depends what functionality you want to work with outside world.

https://docs.microsoft.com/en-us/ex...oyment-ref/network-ports?view=exchserver-2019

Open one by one and test until all functions.

I believe at least port 25 SMTP (to communicate with the outside world), and usually port 443 for Outlook remote access, need to be open for employees who need to access the company Exchange server using the Outlook client.

Don't understand why phones will get emails?

==

Or do you mean smartphones? If that's the case, same here. You have to know or tell us what email clients & protocol/method the employees use to access the emails from the Exchange server. It could be POP3, IMAP or Outlook Web Access or a combination of them; open the ports accordingly.
Oct 29, 2015
From what I've seen on the only phone I've been able to look at (iPhone), it's using the same remote.##########.ca and has SSL enabled. So I'm guessing it's OWA?
Is there somewhere in the Exchange 2007 console to find what the current port settings are?
Not sure if this is related or not, but they had me look into an in-house workstation for someone who is going to be on vacation later this week. They wanted to give his Out of Office a test, but it spits back that the server is unavailable. I have a copy of the Exchange connection test report I ran from the Exchange console if that's any help.

mxnerd

You should focus on the public side. I don't have access to an exchange server.

https://eightwone.com/2011/04/05/exchange-2010-sp1-network-ports-diagram-v03/

https://eightwone.files.wordpress.com/2011/04/visio-exchange-2010-ports-diagram-v31.pdf

Like I said, you have to know what email client the company employees use and what their configs are. There are so many ways to send/receive emails, and each method/protocol uses different ports. Most IT guys won't change the ports Exchange runs on (there are too many); it's pretty standard.

Open the ports in the following diagram and see.


mxnerd

Installed a trial version of Exchange.

To configure the port numbers Exchange listens on, open Exchange Management Console, Server Configuration, Client Access.

However, I'm strongly against changing these ports; it's almost ubiquitous. Same with OWA (IIS 80 & 443).

https://social.technet.microsoft.co...ok-web-app-port-breaks-owa?forum=exchange2010

IMAP & POP3 services by default are not started automatically. MS assumes Exchange users will use Outlook as the email client. :)
If you don't have any legacy email client using POP3/IMAP, don't open the related ports.

Oct 29, 2015
Becoming a Mennonite is looking more and more inviting every day!
Opened all the ports suggested in your first image (except 587; the modem didn't have a spot to add that one) and requested one of the clients on site try their iPhone email over cellular data. Found they were describing the problem backwards...... *promptlywalksoffcliff

The issue is offsite getting emails from remote.#########.ca will not work while they are connected (wifi) to their local network, so while connected to the wifi provided by the modem they get no emails on their phones.
Sorry mxnerd, but that info was incredibly useful for me for later.

mxnerd

You really have to tell us what iPhone app they use for accessing Exchange and through what protocol, POP3/IMAP or OWA?

Take a look at one of the employee's iPhone which worked before.

Do they connect PPTP or other VPN first before using email?

The modem you mentioned is probably the Actiontec R1000 gateway? Port 587 should be able to be created on any router/gateway. You can create your own port forwarding; no need to use the predefined port forwarding that comes with the gateway.

There are many Exchange tutorials on YouTube; you really should watch some of them.
Oct 29, 2015
My apologies for not getting back to you guys sooner; got the internal phone issue sorted out. I was having a "can't see the forest through the trees" moment on this one.
Found out that the server running Exchange had a DNS server running on it as well, so we configured the modem to use the server's address as DNS 1 and then the ISP gateway as DNS 2, and everything was happy happy.
Thank you for all your help.
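A check for the situation the last post resolves: LAN clients using the public name reach the server only if the internal DNS hands out the private address (split DNS), otherwise they depend on the modem supporting NAT loopback. This is an added example, not code from the thread; remote.example.ca, 192.168.1.10 and the public resolver address are placeholder/constructed values, and Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example: compare what the internal DNS server and a public resolver return for the
# name the phones use, and flag whether split DNS is in place.
# Assumptions (constructed values): $Name is a placeholder for the real remote.####.ca name,
# $InternalDns is the SBS/DNS server's LAN address, $PublicDns is any public resolver.
param(
    [string]$Name        = 'remote.example.ca',
    [string]$InternalDns = '192.168.1.10',
    [string]$PublicDns   = '8.8.8.8'
)

function Get-ARecords([string]$Server) {
    # Ask one specific server so the client's own resolver cache does not mask the answer.
    (Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }).IPAddress
}

function Test-PrivateIPv4([string]$Ip) {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

$internal = @(Get-ARecords $InternalDns)
$public   = @(Get-ARecords $PublicDns)
"Internal DNS ($InternalDns) -> $($internal -join ', ')"
"Public DNS   ($PublicDns) -> $($public -join ', ')"

if ($internal | Where-Object { Test-PrivateIPv4 $_ }) {
    'OK: split DNS in place; LAN clients reach the server directly without NAT loopback.'
} else {
    'WARNING: internal DNS returns the WAN address; LAN clients depend on NAT loopback on the modem.'
}
if ($public | Where-Object { Test-PrivateIPv4 $_ }) {
    'WARNING: public DNS leaks a private address; external clients cannot connect to it.'
}
```

Run it from a LAN workstation after the modem's DHCP DNS change; if the first line still shows the WAN IP, the workstation is resolving through the ISP rather than the server.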