
We have two internet connections, both on their own routers.

Router 1: 192.168.0.1 / 255.255.255.0
Router 2: 192.168.0.2 / 255.255.255.0

Our terminal server has a single NIC, 192.168.0.3 / 255.255.255.0, with a default gateway of 192.168.0.1.

Both routers are set to forward external 3389 to 192.168.0.3. When connecting via router1 from the WAN, the connection is successful, no issue. If we try to connect via router2, as expected it does not work. The terminal server is configured to listen on all NICs/addresses (default) etc.

Now I know a second gateway shouldn't really be added to remedy this, so I'm assuming the server needs a static route to get back to router2 if required?

Any advice would be appreciated.

f0xy
  • 11
  • 1

1 Answer

2

Assuming both routers are receiving connections from the Internet (and not a subset of the Internet that you can identify in a static route) Windows can't do what you want.

If your incoming connections on "Router2" come from a particular subnet then just add a static route to that subnet via "Router2" and you're done.

Assuming you're looking to service connections from the Internet on both connections: What you're looking for is policy-based routing functionality that Windows just doesn't have. When Windows receives a new connection attempt from "Router2" it will respond via the default gateway. Windows doesn't "care" that the connection "came from" the "Router2" router.

To do what you're looking for you're going to need to put a router in front of the Windows Server computer that supports this functionality. A Linux machine would do it, as would any major-label embedded router (Cisco, Juniper, etc).

Edit:

Just putting a second NIC on the machine doesn't help. Windows will still respond to its default gateway.

That's the key point you need to concentrate on. Windows can receive new connections from any number of sources, but it's going to respond back to off-subnet hosts through its default gateway.

As Zoredache points out you could configure your routers to source-address-NAT the incoming connections, at which point Windows would "see" the connections as coming from the routers' IP addresses and would respond to each router individually. You lose any ability to log the real source addresses of incoming connections. It would be ugly, but it would work.

Finally, I'll echo what Zoredache says: You're on an ESXi box; deploy a Linux router VM between the Windows machine and the Internet and take care of it there.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Ah, the part I was missing is the Windows response, wasn't sure if it just went to the default gateway... that explains it. Without any additional hardware, could I not change Router2 to for example 192.168.2.1, then add a second NIC in ESXi for the terminal server, and give that a 192.168.2.x address? With the RDP-tcp set to listen on all NICs would I be able to connect via both connections? – f0xy Oct 24 '14 at 20:40
  • If you have an ESXi box, you could just set up a Linux VM acting as a gateway. You could also skip the policy routing bit if you do some **ugly** NAT on your routers. If you can get each of your routers to do NAT so that any connections to the gateway appear as the internal address of the router, it could work (basically reverse masquerading). – Zoredache Oct 25 '14 at 00:00
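As an added example (not part of the question, the answer, or any comment), the following Python simulation walks through the reply-path selection the answer describes: a single-homed host picks the reply's next hop by destination lookup only, so a connection that arrived through router2 is still answered via the default gateway 192.168.0.1. It then shows the three remedies mentioned on the page: a static route for a known client subnet, source NAT on router2, and a policy-routing front router of the kind a Linux VM would provide. The host and router addresses are the question's; the WAN client addresses (203.0.113.x, 198.51.100.x) are constructed from documentation ranges, and the `PolicyRouter` class is a simplified model of Linux `ip rule`/`fwmark` tables, not real kernel code.

```python
"""Simulation of reply-path selection for the two-router RDP setup.
Constructed example: host/router addresses from the question, WAN clients
from documentation ranges. PolicyRouter is a toy model of Linux policy routing."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]  # None means on-link: deliver straight to the destination
    iface: str


@dataclass
class Table:
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, gateway: Optional[str], iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), gateway, iface))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match on the destination only, as a plain forwarding table does."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def windows_host_table() -> Table:
    """The single-NIC terminal server from the question: on-link /24 plus one default gateway."""
    t = Table()
    t.add("192.168.0.0/24", None, "NIC1")
    t.add("0.0.0.0/0", "192.168.0.1", "NIC1")
    return t


def reply_next_hop(table: Table, client_src: str) -> str:
    """Where the host sends its reply. The router the SYN arrived through is never
    consulted; only the reply's destination (the client's source address) is."""
    r = table.lookup(client_src)
    if r is None:
        raise ValueError(f"no route to {client_src}")
    return r.gateway if r.gateway else client_src


class PolicyRouter:
    """Toy model of a Linux router in front of the host: each connection is marked
    by the upstream it arrived on, and a per-mark table (Linux: `ip rule add fwmark
    <m> lookup <table>`) chooses the return path instead of the main table."""

    def __init__(self) -> None:
        self.main = Table()
        self.tables: Dict[str, Table] = {}
        self.rules: List[Tuple[str, str]] = []  # (connection mark, table name)

    def add_table(self, name: str, table: Table) -> None:
        self.tables[name] = table

    def add_rule(self, mark: str, table_name: str) -> None:
        self.rules.append((mark, table_name))

    def reply_next_hop(self, conn_mark: str, client_src: str) -> str:
        for mark, name in self.rules:
            if mark == conn_mark:
                r = self.tables[name].lookup(client_src)
                if r is not None:
                    return r.gateway if r.gateway else client_src
        return reply_next_hop(self.main, client_src)  # no matching rule: main table


def scenarios() -> Dict[str, str]:
    """Next hop of the reply under each scenario discussed in the answer and comments."""
    results: Dict[str, str] = {}
    host = windows_host_table()
    # 1. SYN arrived through router2 from a WAN client; the reply still leaves via router1.
    results["plain_via_router2"] = reply_next_hop(host, "203.0.113.10")
    # 2. Clients behind router2 are a known subnet: a static route fixes only that subnet.
    host.add("198.51.100.0/24", "192.168.0.2", "NIC1")
    results["static_route_known_subnet"] = reply_next_hop(host, "198.51.100.7")
    results["static_route_other_client"] = reply_next_hop(host, "203.0.113.10")
    # 3. Router2 source-NATs the connection: the host sees router2's own on-link address.
    results["snat_by_router2"] = reply_next_hop(host, "192.168.0.2")
    # 4. Policy router in front: replies follow whichever upstream the connection used.
    pr = PolicyRouter()
    pr.main.add("192.168.0.0/24", None, "lan")
    pr.main.add("0.0.0.0/0", "192.168.0.1", "lan")
    via_r1, via_r2 = Table(), Table()
    via_r1.add("0.0.0.0/0", "192.168.0.1", "lan")
    via_r2.add("0.0.0.0/0", "192.168.0.2", "lan")
    pr.add_table("via_r1", via_r1)
    pr.add_table("via_r2", via_r2)
    pr.add_rule("from_r1", "via_r1")
    pr.add_rule("from_r2", "via_r2")
    results["policy_from_router1"] = pr.reply_next_hop("from_r1", "203.0.113.10")
    results["policy_from_router2"] = pr.reply_next_hop("from_r2", "203.0.113.10")
    return results


if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:28s} reply next hop -> {hop}")
```

The first scenario is the asymmetric-routing failure from the question: the reply goes out through 192.168.0.1 even though router2 forwarded the SYN, so router2's NAT state never sees the return traffic. The SNAT case works because the host's reply destination becomes router2's on-link address, at the cost of losing the client's real source address in the server's logs. Only the policy-routing model keys the return path on where the connection came from, which is the capability the answer says Windows lacks.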