#1
Windows Firewall with SCOPE=ALL blocks some traffic from Internet

Hi there,
a computer running XP SP3 fails being accessed from the Internet with a Remote Desktop client.
The problem arises because port 3389 is not accessible from the Internet.

The computer being tested:
- has Terminal service running
- has a Domain Group Policy exception for Remote Desktop to enable access to port 3389 with SCOPE=ALL
- can be accessed within the LAN from another computer running Remote Desktop client
- can be Telnetted within the LAN from another computer on port 3389 (means the port is accessible within the LAN)

The computer above, tested from the Internet with Microsoft Port Query Tool, gives the following results:
- port 3389: FILTERED
- ports 80 & 443 (just to mention a few): LISTENING

In the beginning I thought there could be some configuration problem on the in-LAN DSL router, however I have made some tests using another computer on the LAN, running VISTA, NOT being part of the domain, NOT inheriting Domain Group Policies, whose firewall was configured apparently with the same Remote Desktop exception, and its port 3389 is perfectly accessible from the Internet (LISTENING).

Conclusion: the computer not being accessible from the Internet on some ports, it is fully accessible within the LAN.... it looks like the firewall is running the Remote Desktop exception as with a SCOPE=SUBNET.

Could it be that the firewall's group policy exception/configuration is corrupted and being shown as with scope=ALL while it is currently running with scope=SUBNET? Or that the firewall is scrambled and not working properly?

Any thoughts
#2
RE: Windows Firewall with SCOPE=ALL blocks some traffic from Internet

Just a few questions from a troubleshooting aspect.

The RDP session established to the Vista System:
Was it done externally from the same system you are attempting the RDP session to for XP box?

Have you tried both name and IP for the RDP session for XP?

Are the Vista and XP systems on the same subnet?

Remove the XP system from all GPO restrictions, and remove it from the domain.
In other words, try to get the configuration as close to the Vista system as possible.
When in doubt remove all restrictions and then add one at a time back.

"Marcus" wrote:

> Hi there,
> a computer running XP SP3 fails being accessed from the Internet with a
> Remote Desktop client.
> The problem arises because port 3389 is not accessible from the Internet.
>
> The computer being tested:
> - has Terminal service running
> - has a Domain Group Policy exception for Remote Desktop to enable access to
> port 3389 with SCOPE=ALL
> - can be accessed within the LAN from another computer running Remote
> Desktop client
> - can be Telnetted within the LAN from another computer on port 3389 (means
> the port is accessible within the LAN)
>
> The computer above, tested from the Internet with Microsoft Port Query
> Tool, gives the following results:
> - port 3389: FILTERED
> - ports 80 & 443 (just to mention a few): LISTENING
>
> In the beginning I thought there could be some configuration problem on the
> in-LAN DSL router, however I have made some tests using another computer on
> the LAN, running VISTA, NOT being part of the domain, NOT inheriting Domain
> Group Policies, whose firewall was configured apparently with the same
> Remote Desktop exception, and its port 3389 is perfectly accessible from the
> Internet (LISTENING)
>
> Conclusion: the computer not being accessible from the Internet on some
> ports, it is fully accessible within the LAN.... it looks like the firewall
> is running the Remote Desktop exception as with a SCOPE=SUBNET.
>
> Could it be that the firewall's group policy exception/configuration is
> corrupted and being shown as with scope=ALL while it is currently running
> with scope=SUBNET? Or that the firewall is scrambled and not working
> properly?
>
> Any thoughts
#3
Re: Windows Firewall with SCOPE=ALL blocks some traffic from Internet

"PassPlay" <PassPlay@discussions.microsoft.com> wrote in message news:78E485F7-E3A9-4E81-BE8A-D9988BA3A2AA@microsoft.com...

> Just a few questions from a troubleshooting aspect.
> The RDP session established to the Vista System:
> Was it done externally from the same system you are attempting the RDP
> session to for XP box?

Actually I didn't go for an RDP session to the Vista system, I have just tested port 3389 from the Internet, just because access to the same port on the XP system was denied, explaining why the RD client couldn't connect.

> Have you tried both name and IP for the RDP session for XP?

I have only tried IP access. The XP system is accessible from the Internet in a way a static NAT is set on the router so xxx.yyy.zzz.www maps in LAN to 192.168.1.20. No name exists for xxx.yyy.zzz.www

> Are the Vista and XP systems on the same subnet?

Yes, and best of all I have disconnected the XP system from the LAN and assigned its IP address to the Vista system, to reproduce the exact router mapping for the failing XP system.

> Remove the XP system from all GPO restrictions, and remove it from the
> domain.
> In other words, try to get the configuration as close to the Vista system
> as possible.
> When in doubt remove all restrictions and then add one at a time back.

I recall about an article that was pointing out how some user.dat cached profile data can get corrupt, bringing into fuzziness... can you confirm?

> "Marcus" wrote:
>
>> Hi there,
>> a computer running XP SP3 fails being accessed from the Internet with a
>> Remote Desktop client.
>> The problem arises because port 3389 is not accessible from the Internet.
>>
>> The computer being tested:
>> - has Terminal service running
>> - has a Domain Group Policy exception for Remote Desktop to enable access
>> to port 3389 with SCOPE=ALL
>> - can be accessed within the LAN from another computer running Remote
>> Desktop client
>> - can be Telnetted within the LAN from another computer on port 3389
>> (means the port is accessible within the LAN)
>>
>> The computer above, tested from the Internet with Microsoft Port Query
>> Tool, gives the following results:
>> - port 3389: FILTERED
>> - ports 80 & 443 (just to mention a few): LISTENING
>>
>> In the beginning I thought there could be some configuration problem on
>> the in-LAN DSL router, however I have made some tests using another computer
>> on the LAN, running VISTA, NOT being part of the domain, NOT inheriting
>> Domain Group Policies, whose firewall was configured apparently with the same
>> Remote Desktop exception, and its port 3389 is perfectly accessible from
>> the Internet (LISTENING)
>>
>> Conclusion: the computer not being accessible from the Internet on some
>> ports, it is fully accessible within the LAN.... it looks like the
>> firewall is running the Remote Desktop exception as with a SCOPE=SUBNET.
>>
>> Could it be that the firewall's group policy exception/configuration is
>> corrupted and being shown as with scope=ALL while it is currently
>> running with scope=SUBNET? Or that the firewall is scrambled and not working
>> properly?
>>
>> Any thoughts
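The scope hypothesis from the first post, modelled as an added example (not code from any poster in this thread): it evaluates which exception scope is consistent with "reachable from the LAN, FILTERED from the Internet". Assumptions: the XP host keeps the 192.168.1.20 address named above with a 255.255.255.0 mask, the router's static NAT leaves the Internet client's source address unchanged, and the two client addresses are constructed. It models only the host firewall, so a filter upstream of the host would give the same external result.

```python
import ipaddress

def scope_allows(scope, source_ip, host_ip, host_mask, custom=""):
    """True if an exception with this scope admits traffic from source_ip."""
    src = ipaddress.ip_address(source_ip)
    local = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    scope = scope.upper()
    if scope == "ALL":        # any computer, including those on the Internet
        return True
    if scope == "SUBNET":     # only sources on the host's own subnet
        return src in local
    if scope != "CUSTOM":
        raise ValueError(f"unknown scope: {scope}")
    # CUSTOM: comma-separated addresses, subnets, or the keyword LocalSubnet
    for entry in (e.strip() for e in custom.split(",")):
        if not entry:
            continue
        if entry.lower() == "localsubnet":
            if src in local:
                return True
        elif src in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def consistent_scopes(observations, host_ip, host_mask):
    """Scopes whose predicted allow/deny result matches every observation."""
    return [s for s in ("ALL", "SUBNET")
            if all(scope_allows(s, src, host_ip, host_mask) == reachable
                   for src, reachable in observations)]

# Constructed observations that mirror the symptoms described in the thread.
HOST_IP, HOST_MASK = "192.168.1.20", "255.255.255.0"  # mask is an assumption
OBSERVED = [
    ("192.168.1.50", True),   # LAN client (constructed): port 3389 answers
    ("203.0.113.7", False),   # Internet tester (documentation range): FILTERED
]

if __name__ == "__main__":
    print(consistent_scopes(OBSERVED, HOST_IP, HOST_MASK))
```

Under these assumptions only SUBNET reproduces both observations, which is why the effective scope on the host is the first thing to compare against the scope the policy displays.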