Thursday, 28 September 2023

Legacy systems and finding ways to access them remotely.

I recently spent a few fruitless hours trying to work out why a client could not do what we have done for many clients: connect remotely to their work machine. Fortunately I had access to their home and work machines via different means, and could noodle away in the background whilst dealing with urgent issues.

It turns out the machine in the office was running domain-joined Windows XP SP2 connecting to a Small Business Server 2011!

Obviously neither of these should be connected to the Internet, and they rely on a fairly strong Internet restriction policy to lock down what they can and can't connect to. Unfortunately this severely limited the means of connecting from the external machine.

The original plan was to set up a VPN connection to the work network and use MSTSC to connect to the workstation. When this did not work we went through a number of troubleshooting steps to narrow down the issue and concluded it was a workstation issue, as we were able to connect to the workstation from inside the network but not from outside. Strangely, we could ping the workstation and could see traffic being delivered to it from the network, but nothing coming back out.

In the end my initial setup was correct and would have worked, provided the user account being used had been in the Domain Admins group! It turns out there is a Group Policy in Windows SBS that restricts remote assistance access to members of the Domain Admins group. After I added the Domain Users group it allowed connectivity.

So after a day of digital archaeology, I am exhausted and annoyed that it came down to a Group Policy setting. Trying to find remote access software that would 1. install on Windows XP and 2. talk through a firewall with a DMZ was very difficult in between balancing calls. For example, TeamViewer breezily announced that 14.2 would connect, but when we used a later version on the Windows 11 external machine it insisted that the internal machine could not be connected to because it was on too old a version. Even dropping the version on the external machine to the same version as installed on the internal machine was not enough for them to connect.

Good thing we are planning on ripping out the SBS shortly. :) More to the point, there are times when it is important to have old equipment and software around to assist with troubleshooting. I get in trouble for hoarding old kit and software, but I have been saved a few times by having some of it available.
