
How to Set Up an RDP to an External IP

Remote Desktop Protocol or RDP has become an essential tool in many offices. This article will show you how to set up an external IP to point directly to an RDP session. There are many reasons why this is beneficial but perhaps the top reason is convenience -- you no longer need to VPN into your home office before logging into the RDP session.

Before I begin, let me cover some points on security. Anytime you connect to a network, a hole is made in your security. The traditional method of Remote Desktop Protocol involves punching two holes in your security: One is for connecting to your network via VPN, the second is connecting to the computer via IP or DNS name.

The method I describe in this article allows you to bypass the VPN and connect directly to the computer. If you want to add another layer of security, you should avoid using the traditional port of 3389. Letting the router redirect the traffic, using a custom port, and requiring a username and password makes this method of connecting to a machine in your office as secure as possible.
In this example, I am running Server 2003 and using a Netgear Firewall.

What will be covered in this article:

Setting a static IP
Set the Firewall info

STEP ONE - Set a Static IP on the Machine

There are several ways to set a static IP. This article assumes a machine on a network with a domain controller and a DHCP server.

First, determine what IP the machine has been assigned by the DHCP server. Do this by opening a DOS window and typing IPCONFIG.
You can see that my machine has been assigned an internal IP of by the DHCP server.
Now log into the server that has DHCP on it.
Go to Start -> Administrative Tools -> DHCP
[Image: Starting the DHCP tool]
Expand the Server and the Scope.
Click on the Address Leases and find your IP, in this example, my IP of
[Image: DHCP Address Lease]
Jot down the Unique ID. This will be used in a later step.

Next, click on the Reservations.
In the right hand panel, right click and select New Reservation
[Image: Reserve an address]
Enter in the information.
Plug in the IP you want to be static. This is not necessarily the same IP that you saw in step one. Usually, you will want to reserve an address that is not in the Address Pool, however this is up to you and your office policy. For this example, I am going to keep the address and assign it to this machine.
[Image: Reservation settings]
Enter the MAC address that you jotted down earlier. This was the Unique ID found in the DHCP Address Lease.
Click Add.
Now, this machine will always be given the IP assigned to it. DHCP will not assign this IP unless the MAC address matches so you do not have to worry about someone else getting your IP.

STEP TWO - Set the Firewall

Log into the Firewall.
Go to Security.
Go to Firewall.
Go to LAN WAN Rules.
[Image: Firewall rules]
Go down to the Inbound Services.

You will need to know your IP address that has been given to you by your Internet Provider (called your external IP).
For this example, I will use (Note: This is not an actual IP; I am only using it as an example).

In the Inbound Services, click Add
[Image: Add a rule]
[Image: Inbound service settings]
Configure the new Inbound Service as follows:
Service = RDP
Action = Allow Always
Send to LAN Server =  (This is the IP of the machine you configured above)
WAN Destination IP = (This is the external IP)
WAN User = Any

Click Apply.

Now when you RDP, use the external address. No need to VPN in first.
[Image: Connect directly to the IP]
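
A check to pair with this setup, as an added example that is not part of the original article: with WAN User = Any, the logon prompt is the only gate, so review the machine's Security log for bursts of failed RDP logons from outside addresses and for a success that follows one. The CSV export layout, the LAN range 192.168.1.0/24, the threshold and window, and every sample line are constructed assumptions; 529/528 are the Server 2003 logon failure/success event IDs (4625/4624 on later Windows).

```python
import csv
import io
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = {"529", "4625"}     # bad user name or password: Server 2003 / later Windows
SUCCESS = {"528", "4624"}    # successful logon: Server 2003 / later Windows
RDP_LOGON_TYPE = "10"        # RemoteInteractive (Terminal Services / RDP)
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range

# Constructed sample export (not real data): time,event_id,logon_type,account,source_ip
SAMPLE = """\
2024-01-05T02:10:00,529,10,Administrator,203.0.113.7
2024-01-05T02:10:20,529,10,admin,203.0.113.7
2024-01-05T02:10:41,529,10,backup,203.0.113.7
2024-01-05T02:12:00,528,10,backup,203.0.113.7
2024-01-05T08:30:00,529,10,jsmith,198.51.100.20
2024-01-05T08:30:40,528,10,jsmith,198.51.100.20
2024-01-05T09:00:00,529,10,jsmith,192.168.1.50
2024-01-05T09:05:00,529,2,jsmith,-
"""

def find_rdp_guessing(text, threshold=3, window=timedelta(minutes=10)):
    """Return (kind, source_ip, account, time) alerts for external RDP logons."""
    recent = defaultdict(deque)   # source IP -> times of failures inside the window
    flagged = set()               # sources that crossed the threshold (never expires)
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or row[2] != RDP_LOGON_TYPE:
            continue              # blank/malformed line, or not an RDP logon
        ts, event_id, _, account, src = row
        if ipaddress.ip_address(src) in LAN:
            continue              # internal client, did not arrive via the WAN rule
        when = datetime.fromisoformat(ts)
        if event_id in FAILED:
            times = recent[src]
            times.append(when)
            while when - times[0] > window:
                times.popleft()   # forget failures older than the window
            if len(times) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("failed-burst", src, account, ts))
        elif event_id in SUCCESS and src in flagged:
            alerts.append(("success-after-burst", src, account, ts))
    return alerts

if __name__ == "__main__":
    print(find_rdp_guessing(SAMPLE))
```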

Comments (2)



I have attached my images in a zip file as requested.
Thank you for your suggestion about security. I have added a paragraph at the beginning of the article covering security.

Please let me know if there are any other areas that I need to add.

Thank you!
Tony J, Lead Solutions Architect

I have some additional comments with regards to security - if you must use this method (I prefer an RD Web Gateway as it can encapsulate RDP into HTTPS and is end-to-end encrypted) then:

Rename and disable your local domain administrator account. Log on with non-privileged accounts;

Use complex passwords - as complex as possible, even to the point of requiring a password safe;

Don't do this on a domain controller - if the administrator account is compromised, it's just compromised the entire network;

Enable firewalls and lock down unnecessary ports. Disable echo (ping) in both directions;

Disable any unnecessary services - many open up listener ports without you being aware;

Ensure that all AV and AntiMalware is bang up to date. Same with OS and particularly application patches;

Don't install anything unnecessary on the server - Flash, Java, etc. are all huge attack vectors. Use the RDP server as a jump box into other parts of the network. For example, you could literally close off all ports other than RDP via firewalls and then only use the connected server to RDP into others;

I also tend to disable DNS and use IP addresses. It's one less route into the network;

If at all possible, don't join it to the domain. Again this works if you're using it as a jump-off RDP server. Don't save credentials.
