
I have a main server set up and staff that use laptops to come into the office and work. We have currently moved everything over onto a server setup in the office that the staff can all remote desktop onto and work on their work. The problem I am facing is that the remote desktop is viewable outside the domain via a domain name, but when in the office you have to access it via an IP address.

Is it possible to access the remote desktop in the office on the same network as the server using the domain name they use to access it at home?

It's not the end of the world if not, but they really aren't the best with computers so it would be a lot less work if they could just use the same address!

Skyhawk
Oliver Whysall

3 Answers


It sounds like your firewall / router device doesn't support "NAT hairpin". When the users attempt to access the RDP server while on the LAN the server's name is being resolved, by DNS, to the external-side IP address of your firewall. The PC's RDP connection attempt is being sent to the firewall which isn't routing it back to the server on the LAN.

The easiest "fix" for you would be to:

  • Install the DNS Server role on the Windows Server machine (or another Windows Server machine, if you have one)

  • Create a "Forward Lookup Zone" with the same name being used by users to access the RDP server

  • Create an "A" record in this zone with a blank hostname and resolving to the LAN IP address of the RDP server computer

  • Reconfigure your DHCP server to provide the IP address of the server you installed the DNS Server role as the DNS server for client computers

If you're using the "bare" domain name "domain.com" to access your RDP server you'll find that the technique above will "break" access to Internet sites using your domain (like "www.domain.com"). In that case it would be better to create a DNS record on the Internet for something like "RDP.domain.com" (and the same Forward Lookup Zone on your LAN) so queries for other "domain.com" names can be sent to your Internet DNS server.

Finally, if you're going to expose a Windows Server machine directly to the Internet with RDP please be sure that your users are using complex passwords (that, hopefully, they're not using in other places), implement the Windows Account Lockout policy to disable accounts after consecutive failed logon attempts, and consider rate-limiting new incoming RDP connections to the server with your firewall (or, a third-party script

Evan Anderson
    +1 to the above, just thought I would add NAT hairpin is also sometimes referred to as NAT reflection - may help with looking at replacement firewall/router if you don't choose to go the split DNS route (which is what I would probably personally take). – Robin Gill Jan 18 '12 at 23:30
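The split-DNS steps from the answer above, carried out from PowerShell, as an added example that is not part of the original answer or comments. It assumes a Windows Server with the DNS and DHCP cmdlets available (Windows Server 2012 or later), that the laptops get their DNS server from this server's DHCP, and the placeholder names and addresses in the variables at the top.

```powershell
# Placeholder values (constructed for this example; substitute your own).
$ZoneName  = "rdp.example.com"   # the name users type at home; a subdomain, not the bare domain
$RdpLanIp  = "192.168.10.20"     # LAN address of the RDP server
$DnsLanIp  = "192.168.10.5"      # LAN address of the server that will run the DNS role
$DhcpScope = "192.168.10.0"      # DHCP scope that serves the staff laptops

# 1. Install the DNS Server role on this machine.
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 2. Create a forward lookup zone named exactly like the public RDP hostname.
#    Only this one name is overridden locally; other names under example.com
#    (www.example.com etc.) are still resolved through the normal Internet path.
Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"

# 3. Blank-hostname ("@") A record: the zone name itself resolves to the LAN IP.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name "@" -IPv4Address $RdpLanIp

# 4. Hand out this server as the DNS server (DHCP option 6) to the laptops' scope.
Set-DhcpServerv4OptionValue -ScopeId $DhcpScope -DnsServer $DnsLanIp

# 5. Optional hardening the answer recommends: lock accounts after repeated failed
#    logons. This sets the local policy; on a domain, set the same values in Group Policy.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Checks, run on a laptop after "ipconfig /renew": the name must now resolve to the
# LAN address and port 3389 must be reachable there rather than at the firewall.
Resolve-DnsName -Name $ZoneName -Server $DnsLanIp
Test-NetConnection -ComputerName $ZoneName -Port 3389
```

If `Resolve-DnsName` still returns the public address, the client is not yet using the new DNS server; check the lease it received before changing anything else.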

It sounds like you need to be running an internal DNS server in order to do what you desire. If that is the case please do some research and post questions back on that specific subject.

Failing that you could set up a couple hand made RDP files that folks could just double click on to open a connection to your server.

Tim Brigham
    I think I'm going to use the two files and plonk them on every laptop's desktop as big as I can get them! I hadn't even thought of the idea – Oliver Whysall Jan 18 '12 at 21:41

With Server 2008 the service to think about deploying is DirectAccess. As Evan mentioned, NAT reflection (or hairpinning) can cause other DNS issues. Additionally, you don't have to directly expose an internal server to the internet.

Jim B