Remote Desktop Protocol or RDP has become an essential tool in many offices. This article will show you how to set up an external IP to point directly to an RDP session. There are many reasons why this is beneficial but perhaps the top reason is convenience -- you no longer need to VPN into your home office before logging into the RDP session.
Before I begin, let me cover some points on security. Anytime you connect to a network, a hole is made in your security. The traditional method of Remote Desktop Protocol involves punching two holes in your security: one is for connecting to your network via VPN, the second is connecting to the computer via IP or DNS name.
The method I describe in this article allows you to bypass the VPN and connect directly to the computer. If you want to add another layer of security, you should avoid using the traditional port of 3389. Letting the router redirect the traffic, using a custom port, and requiring a username and password makes this method of connecting to a machine in your office as secure as possible.
In this example, I am running Server 2003 and using a Netgear Firewall.
What will be covered in this article:
Setting a static IP
Setting the firewall info
STEP ONE - Set a Static IP on the Machine
There are several ways to set a static IP. This article assumes a machine on a network with a domain controller and a DHCP server.
First, determine what IP the machine has been assigned by the DHCP server. Do this by opening a DOS window and typing
You can see that my machine has been assigned an internal IP of 10.0.10.115 by the DHCP server.
Now log into the server that has DHCP on it.
Go to Start -> Administrative Tools -> DHCP
Expand the Server and the Scope.
Click on Address Leases and find your IP; in this example, my IP is 10.0.10.115.
Jot down the Unique ID. This will be used in a later step.
Next, click on the Reservations.
In the right-hand panel, right-click and select New Reservation.
Enter in the information.
Plug in the IP you want to be static. This is not necessarily the same IP that you saw in step one. Usually, you will want to reserve an address that is not in the Address Pool, however this is up to you and your office policy. For this example, I am going to keep the 10.0.10.115 address and assign it to this machine.
Enter the MAC address that you jotted down earlier. This was the Unique ID found in the DHCP Address Lease.
Now, this machine will always be given the IP assigned to it. DHCP will not assign this IP unless the MAC address matches so you do not have to worry about someone else getting your IP.
STEP TWO - Set the Firewall
Log into the Firewall.
Go to Security.
Go to Firewall.
Go to LAN WAN Rules.
Go down to the Inbound Services.
You will need to know your IP address that has been given to you by your Internet Provider (called your
For this example, I will use 220.127.116.11 (Note: This is not an actual IP; I am only using it as an example).
In the Inbound Services, click Add
Configure the new Inbound Service as follows:
Service = RDP
Action = Allow Always
Send to LAN Server = 10.0.10.115 (This is the IP of the machine you configured above)
WAN Destination IP = 18.104.22.168 (This is the external IP)
WAN User = Any
Now when you RDP, use the external address. No need to VPN in first.
I have attached my images in a zip file as requested.
Thank you for your suggestion about security. I have added a paragraph at the beginning of the article covering security.
Please let me know if there are any other areas that I need to add.
Rename and disable your local domain administrator account. Log on with non-privileged accounts;
Use complex passwords - as complex as possible, even to the point of requiring a password safe;
Don't do this on a domain controller - if the administrator account is compromised, it's just compromised the entire network;
Enable firewalls and lock down unnecessary ports. Disable echo (ping) in both directions;
Disable any unnecessary services - many open up listener ports without you being aware;
Ensure that all AV and AntiMalware is bang up to date. Same with OS and particularly application patches;
Don't install anything unnecessary on the server - Flash, Java, etc. are all huge attack vectors. Use the RDP server as a jump box into other parts of the network. For example, you could literally close off all ports other than RDP via firewalls and then only use the connected server to RDP into others;
I also tend to disable DNS and use IP addresses. It's one less route into the network;
If at all possible, don't join it to the domain. Again this works if you're using it as a jump-off RDP server. Don't save credentials.
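The hardening list above and the article's own security paragraph both rest on the same fact: once the router forwards RDP, the forwarded host is reachable by anyone on the internet, so watching its failed logons is the natural companion to the firewall rule. What follows is an added example, not code from the original article or from the commenter. It is a small Python script that parses a constructed, simplified rendering of Windows failed-logon events (Event ID 4625 on current Windows, 529 on the Server 2003 used in the article; logon type 10 is RemoteInteractive, i.e. RDP) and flags external sources that accumulate repeated failures within a short window. The one-line log layout, the sample addresses, the 10.0.10.0/24 LAN range (taken from the article's 10.0.10.115 host) and the threshold are all assumptions of the example.

```python
"""Flag password guessing against an internet-exposed RDP host.

Added example, not part of the original article.  The log lines below are
constructed: a simplified one-line rendering of failed-logon events
(Event ID 4625 on Vista and later, 529 on Server 2003), not a real export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the office LAN from the article (host 10.0.10.115 lives here).
LAN = ip_network("10.0.10.0/24")

# Constructed sample: timestamp, event id, user, source IP, logon type.
# Logon type 10 = RemoteInteractive (RDP).  4624 = successful logon.
SAMPLE_LOG = """\
2024-05-01 02:14:03 4625 user=administrator src=203.0.113.7 type=10
2024-05-01 02:14:04 4625 user=admin src=203.0.113.7 type=10
2024-05-01 02:14:05 4625 user=test src=203.0.113.7 type=10
2024-05-01 02:14:06 4625 user=guest src=203.0.113.7 type=10
2024-05-01 02:14:07 4625 user=scanner src=203.0.113.7 type=10
2024-05-01 02:14:08 4625 user=backup src=203.0.113.7 type=10
2024-05-01 08:30:00 4625 user=jsmith src=10.0.10.42 type=10
2024-05-01 08:30:09 4624 user=jsmith src=10.0.10.42 type=10
2024-05-01 09:15:00 4625 user=admin src=198.51.100.9 type=10
2024-05-01 12:15:00 4625 user=admin src=198.51.100.9 type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<eid>\d+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) type=(?P<ltype>\d+)$"
)


def parse_events(text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "eid": int(d["eid"]),
            "user": d["user"],
            "src": ip_address(d["src"]),
            "ltype": int(d["ltype"]),
        }


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failures, distinct_users)} for sources outside the
    LAN whose failed RDP logons reach `threshold` inside any sliding `window`.
    The tuple reports the busiest window seen for that source."""
    failures = defaultdict(list)
    for ev in parse_events(text):
        if ev["eid"] != 4625 or ev["ltype"] != 10:
            continue
        if ev["src"] in LAN:  # internal users mistyping a password are not the concern here
            continue
        failures[str(ev["src"])].append((ev["ts"], ev["user"]))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        best, best_users, start = 0, set(), 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = {u for _, u in attempts[start:end + 1]}
        if best >= threshold:
            alerts[src] = (best, len(best_users))
    return alerts


if __name__ == "__main__":
    for src, (n, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {n} failed RDP logons across {users} usernames")
```

In the constructed sample, 203.0.113.7 produces six failures against six different usernames in as many seconds and is reported; 198.51.100.9 fails twice three hours apart and stays below the threshold; the LAN user's one slip is ignored. Feeding the same logic a real export means only replacing `LINE_RE` and `SAMPLE_LOG` with the log's actual layout, and the threshold and window are the knobs to tune against your own baseline of legitimate remote logons.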