• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1931

Services Required for RDP? Outside Access to Computer via RDP / Firewall config.

I need to set up access so that an employee can RDP from home to his computer at work.
I have set up port forwarding on a free port. I do not want to use the standard Terminal Services port because other employees use RDP to access our server.

I set up the services as TCP and UDP on the free port. Are these the correct services for RDP? In my firewall/router, I have the option via a wizard to set up port forwarding for Terminal Services, but it does not allow me to configure Terminal Services on a port other than the standard one. So I first have to define the services and then do the port forwarding on those services I set up.

Which services do I need for RDP?
Asked: zephyr_hex (Megan)

2 Solutions

Joe commented:
By default, RDP uses port 3389 for all of its traffic. Here is a Microsoft KB showing how to change the Terminal Server's listening port:

http://support.microsoft.com/default.aspx?scid=kb;en-us;q187623

Joe
 
cvsadmin commented:
JoeZ430 is right. If you want to change the port, I assume you have a single IP.

Users terminal to a terminal server on 3389, for example, but you want more users:

1. 3389 to 192.168.0.10 (terminal server)
2. 3390 to 192.168.0.100 (workstation1)
3. 3391 to 192.168.0.101 (workstation2)

You will need to change the listening port on workstation1 and 2 to the respective numbers. Don't forget that if you terminal to them internally, you will also have to specify the port number in mstsc, e.g. 192.168.0.100:3390.
Your router should do this without too much monkey business.
 
zephyr_hex (Megan), Author, commented:
The workstation is config'd properly. I can RDP to the workstation with an internal IP and specifying the new port.

But when I try to access using the external IP, it does not work... which suggests the firewall port forwarding is not right.

 
zephyr_hex (Megan), Author, commented:
Let me make sure I am using RDP correctly when trying to hit the computer from the outside:
computer name = externalIP:port
Is this possible/right?

Or do I have to have all incoming RDP go to the computer?
computer name = externalIP
 
Joe commented:
As mentioned above, you will want to have each machine listen on a different port, then forward that port to the correct machine's local IP from your port forwarding menu.

Joe
 
Joe commented:
There is a service that you can use for free called LogMeIn; it works great. You can remote-control the PC from the browser, you do not have to worry about port forwarding or the firewall, and best of all it is free. I will post the information and link for it if you are ever interested.

https://secure.logmein.com/welcome/get_logmein_free/signup.asp

» Open remote files
» Check your email
» Run programs
» Run system diagnostics
» Access from any browser
» Access from wireless Pocket PC
» Easy-to-use interface
» 100% FREE to use!

Joe
 
Rob Williams commented:
zephyr_hex, try verifying the port is configured correctly by logging onto the computer to which you are trying to connect, going to http://www.canyouseeme.org and testing for the port you have chosen. This will verify whether the port forwarding is configured correctly.

Also make sure the Windows firewall is disabled or configured for remote desktop connections on the computer to which you are connecting.

As asked above, remote desktop only requires TCP, not UDP, and when connecting use <IP address>:<port #>.
 
cvsadmin commented:
Any free service that allows you to use a web browser and pass your logon credentials through is suspect, in my opinion.

Just another hole for the hacker. This is just my opinion and should be taken as such.
 
Rob Williams commented:
cvsadmin, curious as to what logon credentials you would be passing to the canyouseeme site? The site only asks for the port number you wish to test; you are not granting access to any machine. Any one of thousands of immoral hackers runs a similar port scan against most machines daily.
As for the hole, port forwarding does create a hole, but it exists whether you test it or not.
Having said that, there are concerns about enabling port forwarding for any service, as well as the ability to hack and listen in on remote desktop traffic. The safest way to achieve remote access is to install a VPN (Virtual Private Network) router. Then you can create a secure, private, encrypted tunnel between the remote and host machines without enabling port forwarding on any port. Then, using remote desktop within the confines of the VPN, you can securely access any machine on the remote network.
 
zephyr_hex (Megan), Author, commented:
This is just a temporary solution... so we will use port forwarding.
I am not at the same location as the computer in question, so I will have someone check the canyouseeme site to verify whether or not I have port forwarding config'd correctly on the firewall.
 
Rob Williams commented:
There are always security concerns. If we were to be truly secure, there would be no networking. Remote desktop is a relatively secure connection method, but there is no question there are potential issues, and it is important to be aware of them and weigh the pros and cons. Thousands of people run this configuration every day, but they also bungee-jump. <G>
Personally, on my systems I only run through IPsec VPNs, but I wouldn't fault anyone for using the port forwarding method.
Good luck with it, and advise if you need some assistance.
--Rob

#1: make sure your data is backed up!
 
cvsadmin commented:
Zeph,

You are right: OUTSIDE IP:port for the workstation in question, same as above, but it looks like this.
1. OUTSIDE IP:3389 to 192.168.0.10:3389 (terminal server)
2. OUTSIDE IP:3390 to 192.168.0.100:3390 (workstation1)
3. OUTSIDE IP:3391 to 192.168.0.101:3391 (workstation2)

Your router will be simpler than the above:
3398 to 192.168.0.x (192.168.0 is grayed out to you) and you only specify the last octet (x). You will then put in the port number on the inside; it is easiest to match the outside and inside without doing port shifting.

Regards,
 
zephyr_hex (Megan), Author, commented:
I had someone go to the canyouseeme site and the response was a "timed out", which caused me to question the firewall status. I was told the XP firewall is off and there is no software firewall.

So I re-did the config in my firewall for a different port. I have done port forwarding before and not had an issue. I am sure I did it right. I cannot RDP to the computer in question. I can't imagine that I've set up the forwarding incorrectly. I was very careful.

I am going to have them test canyouseeme again to see if they are still getting a timed out response. If that's the case, then I will continue to assume the port forwarding is correct. If the port forwarding were not enabled, the response would not be "timed out", right?
 
Rob Williams commented:
Windows Firewall should not block the canyouseeme test, as it is an outgoing initiated request.
As for the timed out response, I have never seen that. You should get either:
  Error: I could not see your service on 123.123.123.123 on port (xxxx)
  Success: I can see your service on 123.123.123.123 on port (xxxx)

There are a couple of other test sites if you are interested:
  http://www.whatsmyip.org/ports/

  http://www.grc.com/default.htm
This is a great site to verify your basic firewall security if you do a check of all common ports. To test, though, browse down the page for Shields UP, then down to the Proceed button, next enter your port in the box and click "User Specified Custom Port Probe". This site is a security test, so "failed" may be a good thing for you. You want to see "open" next to your port.
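Added example, written for this thread and not posted by any of its participants: a small Python probe that does what Rob's canyouseeme test and the Shields UP custom port probe do from the outside, namely a single TCP connection attempt to the external IP and chosen port, and reports which of the three outcomes the firewall produced. "open" is Rob's Success line, "refused" is his Error line (a host was reached but nothing listens), and "timed out" is the response zephyr_hex saw, which is what a dropped SYN or a forward aimed at an address that never answers looks like. The local listener, the closed-port helper and the address 203.0.113.10 (RFC 5737 documentation space) are constructed for illustration; run the probe from a machine outside the network against your own external IP and port to verify a forward you administer.

```python
"""Classify a port-forward check the way an external port tester sees it.

Constructed example: the only traffic generated is one TCP connect() per call,
which is exactly what canyouseeme-style sites send. RDP is TCP-only, so this
is sufficient to tell whether the firewall forward reaches a listener.
"""
import socket
from typing import Literal, Tuple

ProbeResult = Literal["open", "refused", "timed out", "unreachable"]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Attempt one TCP handshake to host:port and classify the result.

    open       -> handshake completed: the forward reaches a listening host
    refused    -> RST received: the forward reaches a host, nothing listens there
    timed out  -> no reply at all: SYN dropped by a firewall, or forwarded to an
                  inside address that does not exist or does not answer
    unreachable-> the local network stack could not even route the attempt
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "timed out"
    except OSError:
        return "unreachable"


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Stand-in for the RDP host: a throwaway listener on an ephemeral port.

    The kernel completes the handshake from the listen backlog, so no accept()
    loop is needed for probe_tcp() to report "open".
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_port(host: str = "127.0.0.1") -> int:
    """Find a port with no listener: bind an ephemeral port, then release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def next_check(result: ProbeResult) -> str:
    """Map the probe outcome to the thing to verify next, per the thread."""
    hints = {
        "open": "forward works; confirm the listener is RDP (mstsc to ip:port)",
        "refused": "forward reaches a host: check the RDP listening port on it",
        "timed out": "nothing answered: check the forward's inside IP and the "
                     "firewall/modem NAT, not just the rule's existence",
        "unreachable": "problem is on the probing side, not the target",
    }
    return hints[result]


if __name__ == "__main__":
    # Local demonstration against the constructed listener and a closed port.
    srv, port = start_listener()
    print("listener  :", probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print("closed    :", probe_tcp("127.0.0.1", closed_port()))  # refused
    # Real use, from outside the office network against the external IP
    # (203.0.113.10 is a placeholder documentation address):
    # r = probe_tcp("203.0.113.10", 3390); print(r, "->", next_check(r))
```

Note that a probe from inside the office LAN proves nothing about the forward, which is why the thread's internal test succeeded while the external one timed out; the wrong inside IP in the forward rule produces exactly the "timed out" class above.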
 
zephyr_hex (Megan), Author, commented:
I ended up doing a test here at my location. I opened the port on my firewall and set up my computer to receive incoming RDP.
Checked canyouseeme and it showed the port as being open.
Was able to RDP to my computer from the outside successfully.

I read somewhere that sometimes ISPs block certain kinds of traffic. That's the only other explanation I can think of for what is happening at the other location. I set up the port forwarding the same way on their firewall... and I'm sure they have the incoming RDP config right on the computer because they are able to test it successfully inside the network. The bugger just won't work when trying to access from outside the network.
 
Rob Williams commented:
What make and model numbers are the router and modem at the office? Any chance the modem is also a NAT router?
Highly unusual for an ISP to block this sort of traffic.
 
zephyr_hex (Megan), Author, commented:
Problem resolved.
I was given the wrong IP of the computer to which the port should forward.

Ugh.

Once I changed the port to forward to the correct IP, there was much joy and laughter.
 
Rob Williams commented:
That would do it. :-)
Thanks zephyr_hex,
--Rob