Only my local PC can access via Remote Desktop the VM
Hi all,
I have set up a Windows VM (Server 2019) with a public IP but nobody can access the VM.
Only my local PC can access the VM via RDP connection and also ping it (VPN or without VPN). Ports should all be open...
What could be the issue?
Thx in advance
Azure Virtual Network
Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
-
KapilAnanth • 49,866 Reputation points • Moderator
2023-12-21T05:32:23.0866667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
- Are you using Azure VPN Gateway P2S?
- You can use the IP flow verify overview tool to check if an NSG is blocking requests from different IPs (other than your local PC).
-
Local IP Address : VM Private IP Address
Local Port : 3389
Remote IP Address : 8.8.8.8
Remote Port : 1234
Cheers,
Kapil
-
Anonymous
2023-12-22T02:09:36.0233333+00:00 Hello,
If you are using a VM, you can check in your portal and confirm if there are any firewall rules or network settings that block network communication. (Not only at your PC level, but also in the VM vendor portal)
-
Thomas • 0 Reputation points
2023-12-22T10:22:56.93+00:00 The firewall of the VM is disabled and still I can only connect from my local pc.
Well you can try to ping the ip: 51.116.128.123
-
KapilAnanth • 49,866 Reputation points • Moderator
2023-12-22T11:42:51.21+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
- Please share the details of the IP flow verify overview as mentioned above
- Can you confirm if you are using Azure VPN Gateway P2S?
Thanks,
Kapil
-
MotoX80 • 37,346 Reputation points
2023-12-22T15:14:44.39+00:00 From the server, view https://canyouseeme.org/ to test connectivity to port 3389. Verify the external IP that the site sees matches the public IP that you have defined.
If you have exposed web sites on 80/443, try those ports too.
Use netstat to verify that the vm will accept incoming 3389 on any IP.
C:\>netstat -aon | findstr -i listen | findstr :3389
  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    908
  TCP    [::]:3389       [::]:0       LISTENING    908
-
KapilAnanth • 49,866 Reputation points • Moderator
2023-12-26T04:43:47.82+00:00 Can you please update us if the action plan provided was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Thanks,
Kapil
-
Thomas • 0 Reputation points
2024-01-02T09:04:55.1866667+00:00 - IP flow verify overview works and access is allowed
- I don't use Azure VPN
the netstat command also shows me that 3389 is accepting connections
I guess I have tried all your suggestions....
-
MotoX80 • 37,346 Reputation points
2024-01-02T14:40:49.1766667+00:00 Nmap shows that 3389 is open on 51.116.128.123. I ran mstsc.exe and it connected. I tried to log in with user xxxxxxxxxxx so you should see that failure in your security event log.
It would appear that you have some client side issue.
You commented "but nobody can access the VM", but you didn't say what specific error message they got or what program they were using or described their network configuration.
Are they using mstsc.exe? Have you temporarily disabled the Windows firewall on the client machines?
What network are these machines on? Are these users at home connecting directly over the internet to 51.116.128.123? Are they at work on some other private network? Are they at home connected over a VPN to a work network? Can they browse internet web sites?
Have they tried to connect to the private network IP of the server?
There are additional remote desktop and terminal services event logs under "Application and Services Logs/Microsoft/Windows". Have you looked in those for errors?
-
Thomas • 0 Reputation points
2024-01-03T11:46:27.4233333+00:00 @MotoX80 They are always getting this error message when trying to connect via mstsc.exe.
I also disabled the firewall on both sides: client and server. My colleagues tried to login with and without vpn but failed too.
They can browse internet web sites...
-
KapilAnanth • 49,866 Reputation points • Moderator
2024-01-03T13:50:05.7+00:00 From the looks of it, this does not look like a network connectivity issue at all.
Instead, user authentication issue.
So, I am thinking firewall and NSGs are not the culprit.
If you try to login from a different IP and same Username/Password (yours), can you check if that works or fails?
Cheers,
Kapil
-
MotoX80 • 37,346 Reputation points
2024-01-03T14:48:01.6933333+00:00 They are always getting this error message when trying to connect via mstsc.exe.
Are you able to RDP to the server from your home network? Are the users able to RDP to the server from their home network? Are you sure that they are typing in the correct IP address?
Nmap is showing that you have 4 ports open.
Have them open a Powershell prompt and copy and paste in these commands.
Test-NetConnection -ComputerName 51.116.128.123 -Port 445 | Format-Table -Property RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName 51.116.128.123 -Port 554 | Format-Table -Property RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName 51.116.128.123 -Port 3389 | Format-Table -Property RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName 51.116.128.123 -Port 7070 | Format-Table -Property RemotePort, TcpTestSucceeded
tracert.exe -h 20 -w 5000 51.116.128.123
Here are my results.
I see that your server is hosted by Microsoft in Frankfurt. I am in Pennsylvania USA and my tracert gets to the MSN network and I'm guessing that 'fra21' is some router in France.
Does their TcpTestSucceeded return False? If it does, then something on their PC or in your network is blocking the traffic. Compare the tracert results on a working pc to one that fails. That might point out where the traffic is getting blocked.
PS C:\> Test-NetConnection -ComputerName 51.116.128.123 -Port 445 | Format-Table -Property RemotePort, TcpTestSucceeded

RemotePort TcpTestSucceeded
---------- ----------------
       445             True

PS C:\> Test-NetConnection -ComputerName 51.116.128.123 -Port 554 | Format-Table -Property RemotePort, TcpTestSucceeded

RemotePort TcpTestSucceeded
---------- ----------------
       554             True

PS C:\> Test-NetConnection -ComputerName 51.116.128.123 -Port 3389 | Format-Table -Property RemotePort, TcpTestSucceeded

RemotePort TcpTestSucceeded
---------- ----------------
      3389             True

PS C:\> Test-NetConnection -ComputerName 51.116.128.123 -Port 7070 | Format-Table -Property RemotePort, TcpTestSucceeded

RemotePort TcpTestSucceeded
---------- ----------------
      7070             True

PS C:\> tracert.exe -h 20 -w 5000 51.116.128.123

Tracing route to 51.116.128.123 over a maximum of 20 hops

  1     5 ms     5 ms     2 ms  Wireless_Broadband_Router.home [192.168.1.1]
  2    15 ms     9 ms    12 ms  lo0-100.HRBGPA-VFTTP-302.verizon-gni.net [108.55.114.1]
  3    16 ms     9 ms    10 ms  B3302.HRBGPA-LCR-22.verizon-gni.net [100.41.206.141]
  4     *        *        *     Request timed out.
  5    18 ms    11 ms    11 ms  0.ae6.GW1.PHIL.ALTER.NET [140.222.0.223]
  6    12 ms    12 ms     9 ms  208.253.109.170
  7    16 ms    49 ms    28 ms  ae21-0.ear05.ewr30.ntwk.msn.net [104.44.231.104]
  8     *        *      139 ms  be-25-0.ibr02.ewr30.ntwk.msn.net [104.44.33.213]
  9     *        *       96 ms  be-3-0.ibr02.nyc30.ntwk.msn.net [104.44.7.104]
 10   206 ms     *        *     be-7-0.ibr02.lon22.ntwk.msn.net [104.44.18.155]
 11   164 ms    90 ms    91 ms  be-15-0.ibr02.ams30.ntwk.msn.net [104.44.31.3]
 12    94 ms   309 ms   102 ms  be-8-0.ibr02.fra21.ntwk.msn.net [104.44.28.122]
 13   102 ms   101 ms   869 ms  ae122-0.icr02.fra21.ntwk.msn.net [104.44.23.108]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.

Trace complete.
PS C:\>

If TcpTestSucceeded returns True, then something on your server is rejecting the connection.
Start by searching the eventlogs for messages.
I wrote a Powershell script that I called RecentEvents.ps1. It reads through all of the event logs and sorts by time of day. Run that from an admin PS prompt on your server. Make note of the time that a user failed to connect and see what events were generated at that time.
https://docs.microsoft.com/en-us/answers/questions/102481/eventlog-madness.html
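
An added example, not part of the thread and not MotoX80's RecentEvents.ps1: a short server-side script for the step described above, listing what the Security, System and Remote Desktop operational logs recorded around the time a user failed to connect. The parameter names `FailureTime` and `WindowMinutes` are assumptions made for this sketch.

```powershell
# Added example: show server-side events around a reported RDP failure.
# Run from an elevated PowerShell prompt on the server.
[CmdletBinding()]
param(
    [datetime]$FailureTime = (Get-Date),   # time of the failed attempt (assumed input)
    [int]$WindowMinutes = 5                # minutes searched on either side
)

# Security and System logs plus the Remote Desktop operational logs found under
# "Applications and Services Logs/Microsoft/Windows".
$logs = @(
    'Security',
    'System',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
)
$window = @{
    StartTime = $FailureTime.AddMinutes(-$WindowMinutes)
    EndTime   = $FailureTime.AddMinutes($WindowMinutes)
}

$events = @(foreach ($log in $logs) {
    try {
        Get-WinEvent -FilterHashtable ($window + @{ LogName = $log }) -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches or the log is absent; keep going.
        Write-Verbose "${log}: $($_.Exception.Message)"
    }
})

# Merged timeline, oldest first, with only the first line of each message.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Failed logons (Security event 4625): read the named fields from the event XML.
$events | Where-Object { $_.LogName -eq 'Security' -and $_.Id -eq 4625 } | ForEach-Object {
    $evt  = $_
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        User        = $data['TargetUserName']
        SourceIp    = $data['IpAddress']
        LogonType   = $data['LogonType']
        SubStatus   = $data['SubStatus']
    }
} | Format-Table -AutoSize
```

4625 entries for the affected user inside the window mean the connection reached the server and the logon was rejected. An empty window suggests the attempt never arrived, which points back at the client side or the network path.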