Route RDP to more than one NATed LAN address without changing from use of Port 3889

How can I route RDP to more than one address inside my LAN, which is behind a Netgear FVS318 firewall with NAT enabled? I have SBS 2003 which, from my understanding, requires port 3889 to be mapped to it. Additionally, I am attempting to deploy a separate terminal server in my SBS domain on the same LAN, and have it use the default port 3889 for RDP connections.

Apparently I cannot get this to work with the Netgear firewall/router because when I try to use the firewall admin console to add an additional routing for 3889 to the terminal server, nothing happens when I submit the new routing. (I am assuming this is because 3889 is already mapped to the SBS server.) Maybe this is just a limitation of the Netgear firewall, and it would function differently with a more sophisticated appliance?

I am aware that the port for RDP connections can be changed to something other than 3889 by tweaking the appropriate registry values, but I would really like to stay with the default on the TS and am extremely reluctant to change this on the SBS.
haident asked:

Rob Williams commented:
SBS does not need 3389, assuming you are using RWW. If you want to go direct to a terminal server then you will need 3389, keeping in mind it is less secure. Remote Web Workplace initiates a connection using SSL on port 443 and then sets up communication on port 4125, instead of 3389.
RWW allows same controls as a remote desktop connection, only there may be restrictions applied through group policy to again tighten security. All programs are still available in the same way. Once the remote desktop connection is established there is no difference whatsoever between it and a Remote Desktop session.

"And what if you want to allow guest user access." Got me there. Then again, you are going to put a terminal Server on the Internet and allow guest access? Sounds pretty risky to me. The user does not need a domain computer, but they do need a domain user account. If you want to restrict them to the TS, then that is easily achieved with Group Policy, or in the user's profile under account/log on to, the same way you would with the terminal server in a domain environment.

Alan Huseyin Kayahan commented:
Hi haident,

If you are talking about one global IP address outside the Netgear, it is not possible to achieve what you want, because it is a one-to-many NAT in which you have to do port mapping and can't map the same port to more than one client.

Regards,

MrHusy

bluetab commented:
Your ISP should have given you more than one public IP address. So right now you have x.x.x.x mapped to your SBS server. Set up a one-to-one NAT on your router/firewall (most routers will allow you to do this; if yours does not, you will need to purchase a new one) to map x.x.x.y to your Terminal Server. Then create a second rule to forward port 3389 requests for x.x.x.y to the Terminal Server. To make things simpler for the users you can then create a DNS record to map ts.yourdomain.com to x.x.x.y.

You can't change port 3389 on the SBS server, otherwise you won't be able to get RWW to work if you are using that.
Rob Williams commented:
You have SBS, there is no need. SBS 2003 is the only Microsoft O/S that has a built in service allowing you to connect to every device on your LAN using remote desktop connections through the Remote Web Workplace option. The initial connection is through a web browser where you select the PC, server, or terminal server to which you want to connect. Assuming you have been granted the appropriate permissions it will then start the RDP session. See:
http://www.lan-2-wan.com/SBS.htm#q1
RWW uses ports 443 and 4125 not 3389. The RWW connection is more secure using SSL.
haident (author) commented:
RobWill: Good, but not really the total answer. RDP connections using the Windows Remote Desktop Connection client allow much more control than does RWW over display properties, local resources, and programs. Also, what if you want to allow guest users or users established only on the Terminal Server locally (i.e. not domain user accounts)?

Still not clear on the issue of whether or not SBS really needs 3389? If not, then this is the answer?
Rob Williams commented:
PS: the link I posted earlier has a link to a good webcast with an overview of RWW. If interested, have a look:
http://support.microsoft.com/kb/833983
Cheers !
--Rob
Rob Williams commented:
By the way, if you want to stick to Remote Desktop for some reason you can do as per the instructions below, but it will not work if the SBS has 2 NICs and the other PCs and servers are behind the SBS. However, if you try RWW I'll bet you won't go back. It's one of the best features of SBS.

Depending on your router you may have 2 options.
1) Some routers when configuring port forwarding allow you to map an external port to an internal port. So you could map a different external port for each PC or server to the appropriate device and port 3389. For example:
  Computer #1: on the router forward port 3389 to port 3389 on IP 192.168.0.101
  Computer #2: on the router forward port 3391 to port 3389 on IP 192.168.0.102
  Computer #3: on the router forward port 3393 to port 3389 on IP 192.168.0.103
  Computer #4: on the router forward port 3395 to port 3389 on IP 192.168.0.104
When connecting from the remote site in the connection window of the remote desktop connection manager you would enter the WAN IP and the port #, separated by a colon such as:
  66.66.123.123:3391

2) If the router doesn't allow mapping external to internal ports, then you still assign each computer a different external port, but map that directly to the appropriate PC or server. However, in this case you have to change the listening port on each computer or server. Instructions on changing the listening port can be found at:
http://www.petri.co.il/change_terminal_server_listening_port.htm
Though the router in this case does not show external and internal ports, it changes the mapping to effectively be:
  Computer #1: on the router forward port 3389 to port 3389 on IP 192.168.0.101
  Computer #2: on the router forward port 3391 to port 3391 on IP 192.168.0.102
  Computer #3: on the router forward port 3393 to port 3393 on IP 192.168.0.103
  Computer #4: on the router forward port 3395 to port 3395 on IP 192.168.0.104
Again when connecting from the remote site, in the connection window of the remote desktop connection manager you would enter the WAN IP and the port #, separated by a colon such as:
  66.66.123.123:3391
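The two working schemes in this thread (the distinct-external-port mapping in the answer above and bluetab's one-to-one NAT with a second public IP), next to the conflicting table the asker ran into, as an added example that is not from the thread or any of its posters: it checks a forwarding table for the one-external-socket-to-one-internal-socket constraint and emits the equivalent Linux iptables DNAT rules. All addresses, ports and the wan_if/allowed_src parameters are constructed assumptions.

```python
from dataclasses import dataclass

RDP_PORT = 3389  # default RDP listening port

@dataclass(frozen=True)
class Forward:
    name: str       # label for the internal host
    public_ip: str  # WAN address the router answers on
    ext_port: int   # port the remote client connects to
    int_ip: str     # LAN address of the host
    int_port: int = RDP_PORT  # port the host actually listens on

def find_conflicts(forwards):
    """Return {(public_ip, ext_port): [names]} for every public socket claimed by
    more than one host. NAT can send one external socket to only one internal
    socket, which is why a second rule for the same port cannot be added."""
    seen = {}
    for f in forwards:
        seen.setdefault((f.public_ip, f.ext_port), []).append(f.name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def iptables_rules(forwards, wan_if="eth0", allowed_src=None):
    """Emit one DNAT and one FORWARD rule per mapping (Linux-router equivalent of
    the Netgear port-forward table). allowed_src limits which remote address may
    reach RDP at all; leaving it None exposes the port to the whole Internet."""
    conflicts = find_conflicts(forwards)
    if conflicts:
        raise ValueError(f"conflicting forwards: {conflicts}")
    src = f" -s {allowed_src}" if allowed_src else ""
    rules = []
    for f in forwards:
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_if}{src} -d {f.public_ip} "
                     f"-p tcp --dport {f.ext_port} -j DNAT --to-destination {f.int_ip}:{f.int_port}")
        rules.append(f"iptables -A FORWARD -i {wan_if}{src} -d {f.int_ip} -p tcp "
                     f"--dport {f.int_port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules

def client_target(f):
    """What the user types into the Remote Desktop client for this host."""
    return f.public_ip if f.ext_port == RDP_PORT else f"{f.public_ip}:{f.ext_port}"

# Constructed sample tables: OPTION_1 is one public IP with a distinct external
# port per host (all hosts still on 3389); ONE_TO_ONE uses a second public IP so
# both keep port 3389; BROKEN is the duplicate mapping the asker tried.
OPTION_1 = [Forward("SBS", "66.66.123.123", 3389, "192.168.0.101"),
            Forward("TS", "66.66.123.123", 3391, "192.168.0.102")]
ONE_TO_ONE = [Forward("SBS", "203.0.113.10", 3389, "192.168.0.101"),
              Forward("TS", "203.0.113.11", 3389, "192.168.0.102")]
BROKEN = [Forward("SBS", "66.66.123.123", 3389, "192.168.0.101"),
          Forward("TS", "66.66.123.123", 3389, "192.168.0.102")]
```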
Rob Williams commented:
Thanks haident.
Cheers !
--Rob