• Status: Solved

Remote Desktop and VPN Tunneling

Hello everyone, I hope I can find some assistance. I hope I'm not confusing but here I go. My goal is to be able to use Remote Desktop using VPN tunneling to connect to my mother's computer and other family members who need assistance. I can currently connect to my mother's computer using the Remote Desktop Web Connection but not with VPN. I have successfully created a VPN server on my desktop (WinXP Pro) and VPN Client on her computer (WinXP Pro) using directions from the following website: http://www.pcstats.com/articleview.cfm?articleID=608. I can successfully connect both computers using VPN but when I open up Remote Desktop I'm unable to get it to work through the VPN. I also went to this website: http://www.sbslinks.com/remotely_accessing_a_computer.htm and used their info to try to set it up but again was unsuccessful. I believe I have everything connected correctly (only thing different from the article is that I have a WORKGROUP and not a domain on my network). I'm guessing some of you will ask why I want a VPN and the reason is that I'm always security worried and want to take as many precautions as I can. Also, I'm trying to do this without having to spend any money. I'm also aware of Remote Assistance but often it is not convenient. To make this even more confusing, everything I've read says that you cannot use Remote Desktop without using VPN (or a VNC program) unless you use the Remote Web Connection that runs in Internet Explorer. Well, when I have the VPN "turned off" I can still use the Remote Desktop program "mstsc.exe" to connect to my mother's computer. Now I'm guessing it is using the web connection somehow but I thought I would throw that point out there. Below I will give you a description of important things you might want to know about the network. Good luck, and I'm sure we will have some dialogue before this question can be answered.

My Network & Mother's network (both networks are in different locations)
Windows XP Pro SP2
1.  Cable modem
2.  Wireless Router Dlink DI-624 (ports 1723 and 3389 open with correct IP address)
3.  Windows Firewall (with ports 1723 and 3389 open)

Last, I may just continue using the Web Connection method if someone can sway my opinion (I've read a lot on these boards and other sites and have never found a good answer)

Thanks,

gcsc_2002

2 Solutions
 
DrDamnitCommented:
Two things:

1. RDP (Remote Desktop Protocol) is already encrypted (http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpmanaged/22_xprem.mspx)

2. If you really MUST use a VPN, I would hazard a guess that you are overlooking the fact that the VPN server-client relationship changes the IP addresses. Here's how to do it.

If you are the server, and she is the client, have her connect to your computer for a VPN session. Then ping her computer BY NAME to locate her IP address. She should have a local (192.168.x.x) ip address. Once you determine her LAN address (because her computer is now considered part of your network) you should be able to connect with no problem.

If you have different routers / network cards / etc... this could pose a problem because one may be set to 192.168.0.x and the other to 192.168.1.x as is common with Netgear vs Linksys routers. You'll want to have them have the same IP addresses in this respect.
 
Rich RumbleSecurity SamuraiCommented:
As stated above, RDP is encrypted already, and sufficiently by default to not have to worry about your traffic being intercepted/sniffed and/or cracked. However, I would not use the default port for Remote Desktop/Terminal Services, as anyone can try to log in to your PCs if they see it open. The local administrator account cannot be locked out, so they are free to try to guess it; programs like TSgrinder can make the process go faster.

Here's what I'd do. Change the listening ports on both your machines, or just your mom's if you're the only one using RD to control/logon her pc. If she does not RD to your machine, then don't even open any ports incoming. http://support.microsoft.com/default.aspx?scid=kb;en-us;306759
Change the port to something like 65000
You've got 1-65535 to choose from, and it's best to take a port that a typical scan will not try, http://www.iana.org/assignments/port-numbers

Then DL the windows xp rd client (works on 9x,nt,win2k etc... even Macs) http://www.microsoft.com/windowsxp/downloads/tools/rdclientdl.mspx
Connect to your mom's machine by typing in her IP address and a colon followed by the listening port you changed to
1.2.3.4:65000
Voila... With RD you're able to use copy and paste and transfer files over the encrypted RDP session. Just open up port 65000 or whatever port you decide, on your mom's firewall, set the port in the registry, reboot, and you should be good to go. A VPN will just add overhead and confusion. You can up the encryption if you wish http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_quaq.asp
Oh and rename the admin account, just in case someone stumbles upon her pc and figures out that the RD port has been changed.
-rich
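The port change Rich describes above (the PortNumber value from KB 306759 plus a matching firewall opening) can be scripted and verified rather than edited by hand. The following is an added example for this thread, not something any poster wrote, and it targets a current Windows host with PowerShell 5.1 or later: `New-NetFirewallRule`, `Get-NetTCPConnection` and `Restart-Service TermService` do not exist on Windows XP, where the registry edit and a reboot are the route the KB gives. The port `65000` comes from the post; the remote address `203.0.113.10` is a constructed placeholder for the helper's public IP.

```powershell
# Added example (not from the original thread): move the RDP listener off TCP 3389
# on a current Windows host and confirm the change took effect.
# Assumes: PowerShell 5.1+, run elevated. Restarting TermService drops any RDP
# session you are currently connected through, so run this at the console.
$NewPort      = 65000             # port chosen in the post; ordinary scans rarely probe it
$HelperAddr   = '203.0.113.10'    # constructed placeholder: the only address allowed to connect

$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP listening port: $oldPort"

# Sanity checks before touching the registry
if ($NewPort -lt 1024 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range" }
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort already has a listener; choose another port"
}

# KB 306759: PortNumber is a REG_DWORD read by the Terminal Services service on start
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# Open the new port inbound, but only from the helper's address (not from anywhere)
New-NetFirewallRule -DisplayName "Remote Desktop on TCP $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $HelperAddr -Action Allow | Out-Null

# Disable the built-in 3389 rules so the old port does not stay reachable
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# Restart the service so it binds the new port (equivalent to the reboot in the post)
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# Verify: the new port is listening and the old one is not
$newListener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
$oldListener = Get-NetTCPConnection -State Listen -LocalPort $oldPort -ErrorAction SilentlyContinue
if ($newListener -and -not $oldListener) {
    Write-Host "RDP now listens on TCP $NewPort only; connect with: mstsc /v:<host>:$NewPort"
} else {
    Write-Warning "Listener state unexpected: new=$([bool]$newListener) old=$([bool]$oldListener)"
}
```

The `-RemoteAddress` restriction is the part worth keeping even if you leave the port alone: a non-default port hides the service from casual scans, but a firewall rule scoped to the one address that should ever connect is what actually keeps guessing tools such as the TSgrinder mentioned above from reaching the logon prompt.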
 
gcsc_2002Author Commented:
Thanks to both of you. After reading your post and doing my own research for the past 5 days I would have to agree a VPN Network will not be worth it. DrDamnit I noticed when connecting via VPN it gave new IP Addresses and I tried entering those IP Addresses into RDC but was still out of luck. I made sure all software firewalls were off, thus leaving only the Wireless Router. The wireless router obviously had the VPN port open and the RDC port open. When you connect via VPN does RDC tunnel through the VPN port? If that is the case I'm wondering if WinXP Pro is not allowing it because I read that in WinXP Pro when you run it as a VPN Server you can only have one connection at a time. Would using RDC through VPN count as 2?

Richrumble I took your advice and changed ports and it works great except if I'm wanting to use terminal services for Windows Mobile 2003 SE. Window Mobile does not allow me to add the colon and new port number, it says it is an invalid address. Also Richrumble you mentioned about changing my Administrator name, could you leave me info on how to do that? I remember seeing a post on how to do it but I can't remember what topic it was in. Last, I was researching on the web yesterday and found a new website called logmein.com. It is very similar to GoToMyPC.com but has a free version. Both the free and paid version have 128bit to 256bit encryption and have separate username and password logins than just the Windows login. The main difference between the 2 is that the free version does not allow any files transfers or print sharing (I'm not concerned about these 2 because I know there are other means of doing that and I will not be doing that much anyway).

I will continue to watch this post for another few days and see if anymore useful info is posted.  If not I will split points for both of you.

Thanks,

gc_2002

 
DrDamnitCommented:
>>>When you connect via VPN does RDC tunnel through the VPN port?  If that is the case I'm wondering if WinXP Pro is not allowing it because I read that in >>>WinXP Pro when you run it as a VPN Server you can only have one connection at a time.  Would using RDC through VPN count as 2?  

That's a good question. RDP connects using its own service, port, and encryption and does not create a VPN within itself; however, XP Pro should not be counting that as two connections. I will check on this for you though...
 
Rich RumbleSecurity SamuraiCommented:
No, rd/ts can be tunneled in addition to their own encryption. I've never messed with Win-Mob-2003_SE but in the NT and win2k TS clients you had to use a special file to set the port to another port; you can find instructions here
http://support.microsoft.com/default.aspx?scid=kb;en-us;q187623#XSLTH3126121123120121120120
This might be the same for Windows Mobile 2003 SE

Using RD/TS is probably better, as you have a simple copy/paste, and a reliable program already, in my opinion.
-rich
 
gcsc_2002Author Commented:
Thanks for your post. As I mentioned in my earlier post I have setup RD via logmein.com. This is a great site since it lets you do all of this for free except if you want to transfer files (which I don't do very often anyway) and it works behind any firewall. I'm still using Microsoft RD at home and to connect to my mother's computer since it is faster. Last, I would still like to see a post on how to change the name of "Administrator" as richrumble stated before.

Thanks,

gcsc_2002
 
Rich RumbleSecurity SamuraiCommented:
Right-click My Computer, select "Manage"
Open Users and Groups, go to Users, highlight, and then right-click the Administrator account, select Rename, that's it. Takes effect immediately.
-rich
 
okacsCommented:

Doesn't renaming the account in this way only change the user name appearance and NOT the profile name? (i.e. the folder under "c:\documents & settings\<profilename>" will not change...)

Thanks.
 
dc_Commented:
okacs: Renaming the account that way really does change the name AND the profile name.  The folder you referenced is just that - a folder.  The profile points to it and is stored there.  If it makes you feel better, you can change that too as long as the profile is not loaded and you update the related registry setting as well.
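Rich's rename procedure and the okacs/dc_ exchange about the profile folder can both be checked from a script. This is an added example for this thread, not code from any poster, and it needs a current Windows host with the `Microsoft.PowerShell.LocalAccounts` module (Windows 10 / Server 2016 and later; on XP the Computer Management steps above are the route). It finds the built-in Administrator by its well-known RID 500 instead of by name, since the name is exactly what a previous rename may have changed, and then reads the profile entry, which is keyed on the SID, to show that the rename leaves the profile linked. The new name `helpdesk_local` is a constructed placeholder.

```powershell
# Added example (not from the original thread): rename the built-in Administrator
# account and confirm the profile it owns is unaffected.
# Assumes: PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts, run elevated.
$NewName = 'helpdesk_local'   # constructed placeholder for the new account name

# Locate the built-in account by its RID (500) rather than by display name; the
# SID never changes, so this also works if the account was renamed once already.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in Administrator (RID 500) not found' }
Write-Host "Built-in Administrator is currently named '$($builtinAdmin.Name)'"

if ($builtinAdmin.Name -eq $NewName) {
    Write-Host 'Already renamed; nothing to do'
} else {
    if (Get-LocalUser -Name $NewName -ErrorAction SilentlyContinue) {
        throw "An account named '$NewName' already exists"
    }
    # Same operation as right-click > Rename in Computer Management
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $NewName
}

# Verify: the renamed account carries the same SID as before
$after = Get-LocalUser -Name $NewName
if ($after.SID.Value -ne $builtinAdmin.SID.Value) { throw 'SID changed unexpectedly' }
Write-Host "Renamed to '$($after.Name)'; SID unchanged: $($after.SID.Value)"

# The profile is registered under ProfileList by SID, so the on-disk folder name
# (e.g. ...\Administrator) stays as it was; only the account name changed.
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($after.SID.Value)"
if (Test-Path $profileKey) {
    $path = (Get-ItemProperty -Path $profileKey).ProfileImagePath
    Write-Host "Profile folder still linked: $path"
} else {
    Write-Host 'No profile registered yet (account has never logged on interactively)'
}
```

The last block is the point dc_ makes: the account-to-folder link lives in the `ProfileList` key under the SID, so renaming the account neither breaks nor renames the folder. Moving the folder is a separate step that, as dc_ says, has to be done while the profile is not loaded and with `ProfileImagePath` updated to match.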