Problem: I have several .rdp connectoids saved on the desktop of my admin workstation so I can quickly Remote Desktop into critical servers when I need to. After a desktop migration from Windows Vista to Windows 7, which included replacing my admin workstation, I discovered that the saved connectoids didn’t work anymore. Thinking it might be an issue with the version of RDP used by the saved connectoids, I created new connectoids from scratch on my Windows 7 desktop, but these didn’t work either. I logged on interactively to the servers and checked to make sure Remote Desktop was still enabled on them, and it was—nothing had changed on the server end.
Resolution: I began by checking the Microsoft Support website and worked through all the possible scenarios described in KB2477176 “Remote Desktop disconnected or can’t connect to remote computer or to Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2” but nothing helped.
I tried disabling Windows Firewall on the admin workstation, but that didn’t help. Then I also disabled Windows Firewall on one of the servers, and suddenly I could Remote Desktop into it from the workstation! So the problem must have something to do with Windows Firewall on the server, but what? I checked the Windows Firewall settings on the server, and nothing had changed!
Then I thought, “It must have something to do with the fact that I now have a new admin workstation. What’s different about my new workstation besides the new OS? Well, for one thing, it has a different IP address from my old workstation (my admin workstations have statically assigned IP addresses).”
Aha! Then I remembered that for “extra security” I had configured Windows Firewall on my servers so that inbound Remote Desktop connections were limited to those initiating from a single IP address (my admin workstation). So now that I had a new admin workstation with a different IP address, my connection attempts were blocked by the server’s firewall. I could now resolve my problem either by modifying the IP address restriction for the Remote Desktop firewall rule on the server, or I could change the IP address of my workstation to match that of my old workstation. Since I still planned on keeping my old workstation around just in case my new one had issues, I decided to modify the IP address restriction for the Remote Desktop firewall rule on the server to allow inbound Remote Desktop connections from both workstations.
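The check that would have shortened the hunt, and the fix the story ends with, as an added example that is not part of Mitch’s post: read the remote-address scope of the server’s inbound Remote Desktop rule before touching the firewall state, then widen that scope to both admin workstations. It uses netsh advfirewall because that is what ships on Windows Server 2008 R2. The rule name is the default one Windows creates; the two IP addresses are constructed placeholders for the old and new workstations and must be replaced with the real statically assigned ones.

```powershell
# Added example (not from the original post): inspect and rescope the inbound
# Remote Desktop firewall rule so only the listed admin workstations may connect.
# netsh advfirewall is available on Windows Server 2008 R2; run from an
# elevated prompt on the server.

$RuleName   = "Remote Desktop (TCP-In)"                 # default rule name on 2008 R2
$AdminHosts = @("192.0.2.10", "192.0.2.11")             # old and new workstation (placeholders)

function Get-RdpRuleScope {
    # Print the lines that matter. A RemoteIP value other than "Any" explains
    # the "works with the firewall off, fails with it on" symptom without
    # disabling the firewall to test it.
    & netsh advfirewall firewall show rule "name=$RuleName" verbose |
        Where-Object { $_ -match '^(Rule Name|Enabled|Direction|Profiles|RemoteIP|Action)' }
}

function Set-RdpRuleScope {
    param([string[]] $Addresses)
    # netsh takes a comma-separated list; "new remoteip=" replaces the scope
    # in place, so the list must contain every workstation that should stay allowed.
    $scope = $Addresses -join ","
    & netsh advfirewall firewall set rule "name=$RuleName" new "remoteip=$scope" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to update rule '$RuleName'" }
}

Write-Host "Scope before:"; Get-RdpRuleScope
Set-RdpRuleScope -Addresses $AdminHosts
Write-Host "Scope after:";  Get-RdpRuleScope
```

On Windows Server 2012 and later the same inspection and change can be done with the NetSecurity cmdlets (`Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Get-NetFirewallAddressFilter` to read the scope, `Set-NetFirewallRule -RemoteAddress` to change it), but those cmdlets are not present on 2008 R2, which is why the example shells out to netsh. Keeping the scope restricted to the admin workstations, rather than reverting it to Any, preserves the control the post describes; the lesson is to record such scoping decisions where the next workstation migration will find them.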
Moral of the Story: There really is a trade-off between security and manageability!
Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.