
Remote Desktop from outside of SBS to a machine inside of SBS - without VPN

We have a machine that we would like to allow Remote Desktop access for.  The machine is in our SBS 2003 network.

Right now we can Remote Desktop directly to the machine as long as we are on another machine that is on our network (if we're on the network via VPN or via a direct connection, Remote Desktop works).

However, we would like to be able to give a client remote access to this machine - without them having to log onto our network or use VPN.

We've already set up the machine to listen for Remote Desktop connections via port 3390.

However, because our SBS machine uses 2 NICs, we cannot forward port 3390 directly to the machine from the router.  We can forward it to the SBS machine - and I assume there are some fairly simple settings to have SBS, in turn, forward it to the appropriate specific machine.

Can anyone help us provide the appropriate forwarding so that we can give Remote Desktop access to this machine from anywhere on the Internet?

3 Solutions
Hi crm_info,
Another option besides remote desktop is www.logmein.com. It handles all the connection issues for you.

Lee W, MVP, Technology and Business Process Advisor, commented:
My question is, WHY do you want to put a security hole like this into the network.  Give the client VPN access and direct them to use that.

Set the port back to 3389.  You didn't have to change it - and it's better to keep things consistent.

Now, if you insist on doing the unwise, go to the Routing and Remote Access Administrative Tool, expand ServerName, IP Routing, NAT/Basic Firewall, and then right-click on the network adapter in the right column that is used for the internet connection (not the local connection).  On the window that appears, click the "Services and Ports" tab, then click the Add button.  In that window, type in a description of the service, leave TCP as the protocol selected, and for the incoming port, select 3390, for the private IP, enter the IP of the workstation you want them to have access to, then enter port 3389 as the outgoing port (this is why you didn't have to change the port earlier - this translates it for you).  Click OK, make sure the service is selected with a check mark, and OK out.  That should do it.

crm_info (Author) commented:
leew ... THANKS.

Can you tell me how to set up an outside client with a VPN connection to our network?  I'll need help on setting up the user login, and allowing the user to download the VPN client, etc.

I would like to do this without using up another license on our SBS machine.

I would also like to do this in such a way that they cannot access any machine except for the specific machine that I've given them permission for.

The only reasons why I might prefer to poke a security hole:
(1) Don't want to ask our clients to install software on their desktop
(2) Some of our clients have very secure systems that won't allow them to install other software and, even if it can be installed, they may not be able to run a VPN client on their machine
(3) I don't want to create additional users on our network (thus requiring additional licenses on our SBS machine ... unless I'm missing a way to create a login without using a license).

Thanks again for your help.  I'm optimistic that we'll be able to make the VPN work and would certainly prefer to have a more secure setup.

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:

If you are providing a user access to a machine on your network, you are required to have a CAL for that user, or you can use DEVICE CALs and then you can have as many users as you like accessing various machines.  Either way, though, you cannot avoid the licensing issue.

Your clients don't have to install anything other than a small ActiveX script to allow remote desktops through Remote Web Workplace (http://sbsurl.com/rww).

RWW does not require the use of a VPN.  It only requires the ability to access a web page.

Allowing users to access your network without having the proper licenses is a violation of your licensing agreement.


Follow Jeff's advice above; however, you must also port forward TCP 4125 from your router to the SBS's external NIC for Remote Web Workplace to work.

crm_info (Author) commented:
leew & TechSoEasy - thanks for the tips.  We'll either buy the extra licenses and use the recommended approach ... or we'll just take this particular machine off of the SBS network and put it on our "dev" network so we can provide access without requiring the additional SBS license.  I'll split the points between the two of you.

manicsquirrel - thanks for fine tuning of the feedback.  I'll also put a small portion of points towards your answer.