Terminal Services Client through VPN

ali-franks
Level 1

Hi,

Having trouble with this one so I wonder if anyone can help please?

VPN establishes from client 3.5.1 to PIX no prob. Can establish mapped drives, browse network etc.

The PIX has an ACL allowing port 3389, the MS default port, to the server. Now, this works OK if you dial an ISP then connect using the Connection Manager, login as normal etc. but will not play using a VPN!

Any ideas please?

Cheers

Ali

7 Replies

bbaley
Level 3

Based on the information here, I can only guess that your problem might have to do with routing. The first thing you need to check is which interface you are terminating your tunnel on. You need to verify that the PIX is forwarding traffic to the interface where the crypto map exists. You need to ensure that you have specified a route to the remote network with the appropriate next hop.

Hi Bill,

The VPN is terminating correctly on the outside interface.

When you say "You need to ensure that you have specified a route to the remote network with the appropriate next hop." do you mean a route inside?

The WTS server is on the same LAN as the inside interface.

Ali

Hi Ali,

1. Using the same host that is having problems when connecting through the VPN, use the statically translated public IP address and make sure that Terminal Services is working fine for this host. This is just to make sure that you are having issues only through VPN.

2. Now make an IPSec connection using the VPN Client and try pinging the Terminal Server and if that works fine then we know that there is IP Connectivity and your routing is looking good.

Now from the same host and through the IPSec connection, send ping packets with different packet sizes and see where the pings start failing.

And if possible, try to lower the MTU size on the host and then give it a shot.

Regards,

Arul

Arul,

1. The statically translated address works fine when used with normal dial access to an ISP

2. Using the VPN client I can ping the public IP address and the statically assigned

3. Pinging the Terminal Server with 992 bytes is no prob but it fails on 993 bytes

A colleague reckons that to change the MTU on the client involves using the command line and that in turn will change the MTU setting in the registry. Is that correct or am I off down the wrong road?

Ali
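The ping size sweep suggested above, automated as a binary search (an added example, not code from any poster in this thread). The function names, the 0 to 1472 byte search range and the simulated path that stops answering above 992 bytes are assumptions made for illustration; `ping_probe` wraps the operating system's own `ping` with the don't-fragment flag set.

```python
import platform
import subprocess

IPV4_HEADER = 20  # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo request header


def ping_probe(host, timeout_s=2):
    """Return probe(size): one echo with DF set, True if a reply came back."""
    windows = platform.system() == "Windows"

    def probe(size):
        if windows:
            cmd = ["ping", "-n", "1", "-f", "-l", str(size),
                   "-w", str(timeout_s * 1000), host]
        else:  # Linux iputils ping
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size),
                   "-W", str(timeout_s), host]
        r = subprocess.run(cmd, capture_output=True, text=True)
        # Windows ping can exit 0 on an ICMP error, so also require "TTL=".
        return r.returncode == 0 and (not windows or "TTL=" in r.stdout)

    return probe


def largest_payload(probe, lo=0, hi=1472):
    """Largest ICMP payload in [lo, hi] that gets a reply, or None.

    Assumes that if a size works, every smaller size works too.
    """
    if not probe(lo):
        return None          # no connectivity at all: a routing/ACL problem
    if probe(hi):
        return hi            # nothing in the range is being dropped
    while hi - lo > 1:       # invariant: lo gets a reply, hi does not
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def ip_packet_size(payload):
    """Size of the IPv4 packet that carries an echo with this payload."""
    return payload + IPV4_HEADER + ICMP_HEADER


def constructed_path(limit):
    """Constructed stand-in for a real tunnel: replies only up to `limit`."""
    return lambda size: size <= limit


if __name__ == "__main__":
    best = largest_payload(constructed_path(992))
    print(best, ip_packet_size(best))
```

Against a real host, pass `ping_probe("<terminal-server-address>")` instead of `constructed_path(...)`; the second printed number is the size of the largest echo packet that got through, before any tunnel overhead is added.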

Hi Ali,

You can use a software called DrTCP to adjust the MTU.

Regards,

Arul

Arul,

I've tried that but DrTCP doesn't seem to pick up the Modem Interface on my Xircom PC card for some reason. Tried reboots, start/stop service etc but to no avail.

Any other ideas please?

Ali

FYI,

Using VPN Client 3.6.3, Set MTU to 576 and away you go! As long as the inbound ACL has 3389 allowed of course.

By the way, in case you're wondering, NO I have not spent all this time figuring this out :)

Ali
