
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1540

connect to terminal services from a client behind a firewall (ts port change?)

I am a contractor for a government agency which has their network locked down pretty tight....for the most part only the standard ports (80, 443, 21) are open to traffic inside/outside of the network.   I am looking for a way that I can connect via terminal services (remote desktop) from a "Client" on the local LAN to a "Server" on the internet.

I tried to configure terminal services on the Server to port 443 but I was unable to connect to it (my.terminalservices.com:443) from any clients either here on the LAN or directly via the internet.  I assume there is something that will not allow me to use the SSL port for terminal services.

My questions are....

1.  Is there a way to figure out exactly which ports are open here on the government LAN without the system administrators' feedback (I would hate to ask for this info - uhg, the government)?

2.  Does it matter what ports I assign terminal services to listen on the Server, if so which ones can I and can't I use?

thanks,

-humantag
Asked: humantag
1 Solution
 
119supportCommented:
You can put a firewall in front of your TS box that does port re-direct.  So anything that comes in on 21 or 443 gets forwarded to the server on 3389 instead of 21 or 443.

0
 
purplepomegraniteCommented:
You can assign your terminal services server to listen on any port, but it will only be able to do it if the port is free.  It being that 443 is normally the SSL port (HTTPS), are you sure it isn't being used by another program on your server that is grabbing it before terminal services?  The main culprit would be IIS.

There are ways to figure out what ports are open on the LAN... but most of them would, I hope, tip the system admins off that someone was trying to do so!!  It would be best I think to follow the proper procedure and ask, explaining your reasons for the question!!
0
 
humantagAuthor Commented:
If I disable the "World Wide Web Publishing" service but leave the other IIS services (SMTP & FTP) running, will that stop XP from directing port 443 to IIS and allow me to configure TS to listen to port 443?  I guess there is one way to find out.
0
 
humantagAuthor Commented:
hmmmm....that didn't work. oh well
0
 
purplepomegraniteCommented:
From a command prompt, type:
netstat -a -o

This will display all listening ports on the machine.  Check for a program listening on port 443 and post back.
0
 
humantagAuthor Commented:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    gordo:echo             gordo:0                LISTENING       2008
  TCP    gordo:discard          gordo:0                LISTENING       2008
  TCP    gordo:daytime          gordo:0                LISTENING       2008
  TCP    gordo:qotd             gordo:0                LISTENING       2008
  TCP    gordo:chargen          gordo:0                LISTENING       2008
  TCP    gordo:ftp              gordo:0                LISTENING       1660
  TCP    gordo:epmap            gordo:0                LISTENING       992
  TCP    gordo:https            gordo:0                LISTENING       944
  TCP    gordo:microsoft-ds     gordo:0                LISTENING       4
  TCP    gordo:1025             gordo:0                LISTENING       1660
  TCP    gordo:2190             gordo:0                LISTENING       356
  TCP    gordo:5101             gordo:0                LISTENING       2556
  TCP    gordo:8080             gordo:0                LISTENING       3316
  TCP    gordo:14238            gordo:0                LISTENING       2900
  TCP    gordo:1026             gordo:0                LISTENING       1180
  TCP    gordo:1134             localhost:8100         TIME_WAIT       0
  TCP    gordo:1135             localhost:8100         TIME_WAIT       0
  TCP    gordo:1156             localhost:8100         TIME_WAIT       0
  TCP    gordo:1157             localhost:8100         TIME_WAIT       0
  TCP    gordo:1160             localhost:8100         TIME_WAIT       0
  TCP    gordo:1161             localhost:8100         TIME_WAIT       0
  TCP    gordo:1162             localhost:2286         TIME_WAIT       0
  TCP    gordo:1164             localhost:2286         TIME_WAIT       0
  TCP    gordo:1166             localhost:8100         TIME_WAIT       0
  TCP    gordo:1167             localhost:8100         TIME_WAIT       0
  TCP    gordo:1172             localhost:8100         TIME_WAIT       0
  TCP    gordo:1173             localhost:8100         TIME_WAIT       0
  TCP    gordo:1175             localhost:8100         TIME_WAIT       0
  TCP    gordo:1176             localhost:8100         TIME_WAIT       0
  TCP    gordo:1181             localhost:8100         TIME_WAIT       0
  TCP    gordo:1182             localhost:8100         TIME_WAIT       0
  TCP    gordo:1185             localhost:8100         TIME_WAIT       0
  TCP    gordo:1186             localhost:8100         TIME_WAIT       0
  TCP    gordo:1198             localhost:8100         TIME_WAIT       0
  TCP    gordo:1199             localhost:8100         TIME_WAIT       0
  TCP    gordo:1207             localhost:8100         TIME_WAIT       0
  TCP    gordo:1208             localhost:8100         TIME_WAIT       0
  TCP    gordo:1209             localhost:8100         TIME_WAIT       0
  TCP    gordo:1210             localhost:8100         TIME_WAIT       0
  TCP    gordo:1214             localhost:8100         TIME_WAIT       0
  TCP    gordo:1215             localhost:8100         TIME_WAIT       0
  TCP    gordo:1221             localhost:8100         TIME_WAIT       0
  TCP    gordo:1222             localhost:8100         TIME_WAIT       0
  TCP    gordo:1223             localhost:8100         TIME_WAIT       0
  TCP    gordo:1224             localhost:8100         TIME_WAIT       0
  TCP    gordo:1226             localhost:8100         TIME_WAIT       0
  TCP    gordo:1227             localhost:8100         TIME_WAIT       0
  TCP    gordo:1231             localhost:8100         TIME_WAIT       0
  TCP    gordo:1232             localhost:8100         TIME_WAIT       0
  TCP    gordo:1233             localhost:2286         TIME_WAIT       0
  TCP    gordo:1235             localhost:8100         TIME_WAIT       0
  TCP    gordo:1236             localhost:8100         TIME_WAIT       0
  TCP    gordo:1237             localhost:8100         TIME_WAIT       0
  TCP    gordo:1238             localhost:8100         TIME_WAIT       0
  TCP    gordo:2286             gordo:0                LISTENING       2376
  TCP    gordo:2286             localhost:1170         TIME_WAIT       0
  TCP    gordo:8100             gordo:0                LISTENING       356
  TCP    gordo:8101             gordo:0                LISTENING       3220
  TCP    gordo:netbios-ssn      gordo:0                LISTENING       4
  TCP    gordo:1148             cdn-69-28-178-8.sjc.llnw.net:http  TIME_WAIT       0
  TCP    gordo:1158             sdchcondir.napster.com:http  TIME_WAIT       0
  TCP    gordo:1171             outbound-wm.sc0.cp.net:pop3  TIME_WAIT       0
  TCP    gordo:1212             sdchcondir.napster.com:http  TIME_WAIT       0
  TCP    gordo:1213             sdchdload14.napster.com:http  ESTABLISHED     2528
  TCP    gordo:1217             sdchcondir.napster.com:http  TIME_WAIT       0
  TCP    gordo:1229             sdchcondir.napster.com:http  TIME_WAIT       0
  TCP    gordo:1230             sdchdload01.napster.com:http  ESTABLISHED     2528
  TCP    gordo:4747             64-164-108-195.deploy.akamaitechnologies.net:http  CLOSE_WAIT      2528
  TCP    gordo:4751             cache.napster.com:http  ESTABLISHED     2528
  TCP    gordo:4752             cache.napster.com:http  ESTABLISHED     2528
  TCP    gordo:4753             cache.napster.com:http  ESTABLISHED     2528
  UDP    gordo:echo             *:*                                    2008
  UDP    gordo:discard          *:*                                    2008
  UDP    gordo:daytime          *:*                                    2008
  UDP    gordo:qotd             *:*                                    2008
  UDP    gordo:chargen          *:*                                    2008
  UDP    gordo:microsoft-ds     *:*                                    4
  UDP    gordo:1182             *:*                                    1116
  UDP    gordo:2190             *:*                                    356
  UDP    gordo:2288             *:*                                    1116
  UDP    gordo:3456             *:*                                    1660
  UDP    gordo:3739             *:*                                    1116
  UDP    gordo:14237            *:*                                    2900
  UDP    gordo:ntp              *:*                                    1056
  UDP    gordo:1187             *:*                                    3900
  UDP    gordo:1900             *:*                                    1208
  UDP    gordo:2283             *:*                                    2556
  UDP    gordo:2391             *:*                                    256
  UDP    gordo:4400             *:*                                    2528
  UDP    gordo:4998             *:*                                    3036
  UDP    gordo:ntp              *:*                                    1056
  UDP    gordo:netbios-ns       *:*                                    4
  UDP    gordo:netbios-dgm      *:*                                    4
  UDP    gordo:1900             *:*                                    1208
0
 
purplepomegraniteCommented:
Ok, there is something listening on the HTTPS port as shown by:

 TCP    gordo:https            gordo:0                LISTENING       944

We need to identify what the process is.  In the above example the process is ID 944.  This would match the process id as displayed by Task Manager (or by typing tasklist at the command prompt).  Could you run the netstat -a -o command again, and this time note the PID (the last number on the line) and look up the process id by then typing tasklist.  tasklist lists the program name followed by the PID, so you just match that number.
0
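The two steps purplepomegranite describes above (find the PID that owns the listening port in `netstat -a -o`, then match that PID against `tasklist`) can be automated against the saved output of both commands. The following is an added example, not code from the thread; the `netstat` sample reuses a few of the lines humantag posted, while the `tasklist` sample (including the `inetinfo.exe` entry for PID 1660) is constructed for illustration, since the thread only shows the `svchost.exe` line.

```python
"""Match `netstat -a -o` listeners to `tasklist` process names.

Added example (not from the thread): parses the text of `netstat -a -o`
and `tasklist` and reports which process owns a given listening port.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the shape of `netstat -a -o` on Windows XP
# (the LISTENING lines are taken from the thread; the rest is illustrative).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    gordo:ftp              gordo:0                LISTENING       1660
  TCP    gordo:epmap            gordo:0                LISTENING       992
  TCP    gordo:https            gordo:0                LISTENING       944
  TCP    gordo:8080             gordo:0                LISTENING       3316
  TCP    gordo:1134             localhost:8100         TIME_WAIT       0
  UDP    gordo:ntp              *:*                                    1056
"""

# Constructed sample in the shape of `tasklist` output; the svchost.exe line
# is from the thread, the other two rows are invented for the example.
TASKLIST_SAMPLE = """\

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  944 Console                 0      5,176 K
inetinfo.exe                1660 Console                 0      9,212 K
"""

# Without -n, netstat prints well-known ports by service name; map the
# names used in the sample back to their standard port numbers.
SERVICE_PORTS = {"ftp": 21, "http": 80, "https": 443, "epmap": 135, "ntp": 123}


def port_number(token: str) -> Optional[int]:
    """Return the numeric port of a 'host:port' token, resolving service names."""
    port = token.rsplit(":", 1)[-1]
    if port.isdigit():
        return int(port)
    return SERVICE_PORTS.get(port)


def parse_listeners(netstat_text: str) -> Dict[Tuple[str, int], int]:
    """Map (proto, local port) -> PID for TCP LISTENING sockets and UDP sockets."""
    listeners: Dict[Tuple[str, int], int] = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT sockets are not listeners
        port = port_number(local)
        if port is not None:
            listeners[(proto, port)] = int(fields[-1])  # PID is the last column
    return listeners


def parse_tasklist(tasklist_text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output."""
    procs: Dict[int, str] = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def who_owns_port(netstat_text: str, tasklist_text: str, port: int,
                  proto: str = "TCP") -> Optional[Tuple[int, str]]:
    """Return (pid, image name) for the process bound to port, or None if nothing listens."""
    pid = parse_listeners(netstat_text).get((proto, port))
    if pid is None:
        return None
    return pid, parse_tasklist(tasklist_text).get(pid, "<unknown>")


if __name__ == "__main__":
    print(who_owns_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 443))  # (944, 'svchost.exe')
```

As the thread notes, `svchost.exe` hosts several services, so a PID alone does not say which service holds the port; on later Windows versions `tasklist /svc` lists the services inside each svchost instance, which is what the stop-one-service-at-a-time test below approximates by hand.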
 
humantagAuthor Commented:
svchost.exe                  944 Console                 0      5,176 K
0
 
purplepomegraniteCommented:
Ok, svchost.exe pretty much tells us that it's either IIS or RDP - unfortunately both come up as svchost.exe in this case.

Can you stop IIS and terminal services (from Service Manager or IIS can be stopped via IIS MMC), and rerun the test above?  Then just enable IIS and rerun it?

Basically, with both services stopped, there should be nothing listening on port 443.  You then start each one separately to see which goes onto port 443 (or if they both do).
0
 
humantagAuthor Commented:
purplepomegranite,

Thanks for your help but I finally figured out what the problem was....I need to modify the Windows XP firewall to allow connections via port 443...I had it set up for terminal services but it just allowed for the pinhole for 3389 - not whatever port "terminal services" were configured with in the registry.....

thanks.....can I give you partial credit for your help?

thanks
0
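The root cause humantag reports, a firewall exception that opens the default port 3389 rather than the port Terminal Services was actually reconfigured to use, is easy to check mechanically. The following is an added example, not from the thread: it parses text in the shape of `netsh advfirewall firewall show rule name=all` (the Vista-and-later syntax; XP's own firewall uses the older `netsh firewall` commands, so the format below is an assumption for that system) and lists which enabled inbound Allow rules cover a given port. The rule text and the `RDP_PORT` value are constructed; on a real host the configured port is the `PortNumber` value under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`.

```python
"""Check whether an inbound firewall rule covers the port RDP actually listens on.

Added example, not from the thread. Parses constructed `netsh advfirewall
firewall show rule` output and compares the allowed LocalPort specs with the
port Terminal Services was reconfigured to use.
"""
from typing import Dict, List

# Constructed: the port Terminal Services was moved to (read from the
# RDP-Tcp PortNumber registry value on a real machine).
RDP_PORT = 443

# Constructed sample of `netsh advfirewall firewall show rule name=all` output.
RULES_SAMPLE = """\

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Web Server (HTTP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            80,8080-8090
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Old Allow-All (disabled)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Private
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Action:                               Allow
"""


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split netsh 'key: value' output into one dict per rule."""
    rules: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return rules


def port_in_spec(port: int, spec: str) -> bool:
    """True if port is covered by a LocalPort spec such as 'Any', '443' or '80,8080-8090'."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif part.isdigit() and int(part) == port:
            return True
    return False


def rules_allowing(text: str, port: int, proto: str = "TCP") -> List[str]:
    """Names of enabled, inbound, Allow rules whose protocol and LocalPort cover port."""
    return [
        r["Rule Name"]
        for r in parse_rules(text)
        if r.get("Enabled") == "Yes"
        and r.get("Direction") == "In"
        and r.get("Action") == "Allow"
        and r.get("Protocol", "").upper() in (proto.upper(), "ANY")
        and port_in_spec(port, r.get("LocalPort", "Any"))
    ]


if __name__ == "__main__":
    hits = rules_allowing(RULES_SAMPLE, RDP_PORT)
    if hits:
        print(f"port {RDP_PORT} is allowed inbound by: {hits}")
    else:
        print(f"no enabled inbound rule covers port {RDP_PORT}; "
              f"the Remote Desktop rule still only opens 3389")
```

Running it on the sample reports that nothing covers port 443 while the stock rule still opens 3389, which is exactly the mismatch described above; the same check is worth repeating whenever a service's listening port is moved away from its default, since the firewall exception is keyed on the port, not on the service.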
 
purplepomegraniteCommented:
lol... one of the first rules... always check the firewall... and yet sometimes it doesn't cross my mind!!

You can split points as you like, which is all done when you accept an answer.  You can accept one and give another assisted, and can allocate the points between them.

Good luck!
0
