DVD Talk Forum


sfsdfd 12-15-03 08:16 PM

Terminal services + VPN = not good
 
So I Remote Desktop Connection-ed from one machine (call it X) into a machine (call it Y) the other day... and then VPN'd Y into another network. Naturally, my terminal services connection went dead, and since VPN almost always assigns a dynamic IP address, I couldn't even begin to think about finding Y on the other network. I had to VPN into the same network on X in order to find Y.

Honestly, I'm surprised that terminal services is this stupid. Each machine on the terminal services should just monitor its IP address, and if it changes, it initiates an attempt to re-connect to the other machine with the new address. Why doesn't it do that? For security, this process could always begin with the host machine logging out the RDC'd user and just providing a new login screen to the remote user.

- David Stein

X 12-15-03 08:25 PM

Whose VPN? The built-in MS stuff? I never used that one.

But I've never had a problem mixing VPN and TS, but I always used fixed IPs and never quite did what you did.

VPN isn't always so good about passing NetBIOS names. Depending on the subnets you tried to connect, it's possible that your VPN session put Y on a different subnet than the machine you were on at the time (X). Or it routed all traffic out through the VPN and X wasn't on VPN.

I have a software VPN that will lose connections to all my internal machines as soon as I connect to a remote VPN network even though all machines are on the same subnet.

sfsdfd 12-15-03 08:40 PM


Originally posted by X
Whose VPN? The built-in MS stuff? I never used that one.
Nah, this was the Cisco VPN client. I don't think it matters, though - does any VPN suite support this sort of dynamic connection?

Originally posted by X
Depending on the subnets you tried to connect, it's possible that your VPN session put Y on a different subnet than the machine you were on at the time (X).
That's exactly what it did. Y went from having 1.2.x.x to having 3.4.x.x: it went from my home broadband ISP's network to the school network, with predictable results. Of course, Y could then access all machines on the 3.4.x.x subnet.

Basically, I'm just surprised that terminal services doesn't have this facility built in: when Y sees that its IP address changes, it just contacts X (at X's IP address, presuming it's the same) and says, "Hey, I was just at 1.2.x.x but now I'm at 3.4.x.x." Authentication should be trivial... I think terminal services does some kind of session public-key exchange, right? - each side could just authenticate with those session keys.

- David Stein
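
The address-change notice proposed in the last post, sketched as an added example that is not part of the original thread and not a feature of Terminal Services. It assumes X and Y already share a per-session secret key and a 16-byte session ID (`build_notice` and `Client` are hypothetical names), and it adds a counter so that a captured notice cannot be replayed later to redirect the client. The key, session ID and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

HDR = "!16sQB"      # session id, message counter, address length
HDR_LEN = 25        # 16 + 8 + 1 bytes, no padding in network byte order
TAG_LEN = 32        # HMAC-SHA256 output size


def build_notice(session_key: bytes, session_id: bytes, counter: int, new_ip: str) -> bytes:
    """Host Y: announce its new address, bound to the session and a counter."""
    addr = ipaddress.ip_address(new_ip).packed
    body = struct.pack(HDR, session_id, counter, len(addr)) + addr
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


class Client:
    """Client X: follows a move only if the notice is authentic and fresh."""

    def __init__(self, session_key: bytes, session_id: bytes):
        self.key, self.session_id, self.last_counter = session_key, session_id, 0

    def accept(self, notice: bytes):
        """Return the new address as a string, or None if the notice is rejected."""
        if len(notice) < HDR_LEN + 4 + TAG_LEN:
            return None
        body, tag = notice[:-TAG_LEN], notice[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before parsing
            return None
        sid, counter, alen = struct.unpack(HDR, body[:HDR_LEN])
        if sid != self.session_id or counter <= self.last_counter:
            return None                              # wrong session or replay
        if alen not in (4, 16) or len(body) != HDR_LEN + alen:
            return None
        self.last_counter = counter
        return str(ipaddress.ip_address(body[HDR_LEN:]))


def demo():
    """Constructed run: a valid notice, the same notice replayed, a forged one."""
    key, sid = bytes(range(32)), b"constructed-sid!"   # constructed values
    x = Client(key, sid)
    notice = build_notice(key, sid, 1, "198.51.100.7")
    forged = build_notice(b"\x00" * 32, sid, 2, "203.0.113.9")
    return [x.accept(notice), x.accept(notice), x.accept(forged)]
```
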


All times are GMT -5.