Tags: Microsoft, Remote Desktop, Server 2003 x64 R2, behind a Cisco firewall with about 80 clients
Hello all,
I have a setup with 4 servers and about 80 clients. I can log in to my servers through Remote Desktop without any problems; one of them is hooked to an external IP. If I need to get on the other 3, I log in to the one, and then open another Remote Desktop session directly from the server to log in to another server. The problem is I have one user who wants to log in to his machine directly (one of the 80 clients). I do not want him to log in to the server and then use another session to log in to his machine (even though it works, I tested it). Is there a way where he could use our main IP address and his internal credentials to log in to his client machine directly?
You can change the listening port on the client computer using: http://support.microsoft.com/kb/306759. Use something like 3395, then set the router to forward port 3395 to the PC. When the user connects they need to add the port number, such as 123.123.123.123:3395.
If you have another public IP address available, you can simply forward port 3389 to the client's internal IP address; if not, you can forward another port and change the Remote Desktop listening port on his computer. See the following link: http://support.microsoft.com/kb/306759
Though the above is the simplest, you can also set up a VPN by enabling the RRAS service on one of the servers. Then you can give anyone you like permission, through Active Directory, to connect, and they simply use the LAN IP of their PC. The VPN is also more secure.
If this is of interest, we can provide details on configuring the VPN, or perhaps you have a VPN capable router.
Thanks guys for the quick response. Rob, I do have a VPN set up through Cisco and it works beautifully, but this user does not feel like using it because he does not want to copy files back and forth, and since he is high up there (if you know what I mean) I have to accommodate him. The first solution looks good. Also a quick question about one of the details. Since in the office I have dynamic IPs set up, do I have to set up a static IP on his machine, or can I have the port forwarded to the computer name? I have a Cisco router and firewall and both are managed, so I have to know what to tell them. Also the port number you mention, 3395, can it be like 3000 or 4000, or what is the range that I can use? Thanks again guys.
How do you feel about using LogMeIn.com? It will get you in, and all you need is a firewall rule to allow only LogMeIn over that port. Then your client will be able to use it ANYWHERE.
You will have to assign the user a static IP, or what I do is use DHCP reservations. The reservation allows for central management and you don't need to statically assign the PC an IP. If you need clarification on the reservations let me know.
You can use most any port for redirection, so long as it doesn't conflict with an existing service. I have never found it a problem, but there are articles that say when redirecting ports they should be separated by 1 port number, i.e. use 3389, 3391, 3393.
I am not very comfortable with Ciscos, but with many good routers you have another option. You can forward an external port to a different internal port. For example, you tell the user to connect to 123.123.123.123:3395, but on the router you forward external port 3395 to internal port 3389 on the client PC. This eliminates the need to change the listening port, and a year from now when you forgot you did that, you won't be trying to figure out why you can't connect to the default port 3389 internally :-)
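For the "change the listening port on the client" option discussed above (the KB 306759 procedure, and the note that the new port must not conflict with an existing service), here is an added example script; it is not from this thread or from the Microsoft article. It assumes a recent Windows version with the NetTCPIP and NetSecurity PowerShell modules (Windows 8 / Server 2012 or later) and an elevated prompt; on Server 2003 the same registry value is edited by hand as the KB describes. The registry path and the PortNumber value are the real ones the KB documents; the port 3395 is just the value used in the thread.

```powershell
# Added example (not from the thread): move the RDP listener to a new port
# the way KB 306759 describes (PortNumber under the RDP-Tcp key), after
# checking that nothing else already listens there, and open the new port
# in Windows Firewall. Requires an elevated PowerShell on Windows 8/2012+.
param(
    [int]$NewPort = 3395   # any free port; 3395 is the value suggested in the thread
)

# Real registry location of the RDP listening port (documented in KB 306759)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListeningPort {
    (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
}

function Test-PortFree {
    param([int]$Port)
    # A port that already has a TCP listener would conflict with the new RDP port
    $inUse = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object { $_.LocalPort -eq $Port }
    return (-not $inUse)
}

function Set-RdpListeningPort {
    param([int]$Port)
    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port $Port is outside the valid TCP range" }
    if (-not (Test-PortFree -Port $Port)) { throw "Port $Port already has a listener; pick another" }

    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $Port -Type DWord

    # The built-in "Remote Desktop" firewall rule only covers 3389, so the new
    # port needs its own inbound rule. Keep it as narrow as possible: restrict
    # -RemoteAddress to the router/firewall that forwards the traffic if you can.
    New-NetFirewallRule -DisplayName "Remote Desktop (custom port $Port)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

    # The new port is only used after the Remote Desktop service restarts
    # (-Force also restarts dependent services such as UmRdpService).
    Restart-Service -Name TermService -Force
}

$current = Get-RdpListeningPort
Write-Host "Current RDP listening port: $current"
if ($current -ne $NewPort) {
    Set-RdpListeningPort -Port $NewPort
    Write-Host "RDP now listens on port $(Get-RdpListeningPort)"
}
```

After the service restarts, the user connects with `address:3395`, and the router forwards external 3395 to that port on the client's reserved IP. If you use the other approach from the thread instead (router translates external 3395 to internal 3389), leave the registry alone and skip this script entirely; the only thing that changes is the router rule. Either way the RDP service itself is what is exposed, so a non-default port only avoids casual scanning; account lockout, strong passwords for that user, and reviewing the Security event log for failed logons on that machine still matter.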
Using the Cisco VPN client would be more secure and easier. They don't need to use it for file copying, just remote desktop connections. That way you don't have to configure any port forwarding or change listening ports, just connect to the LAN IP instead of the external IP. If name resolution works over your VPN, you don't even have to set up an IP reservation.