Haiden Turner (United States) asked:

Route RDP to more than one NATed LAN address without changing from use of Port 3889

How can I route RDP to more than one address inside my LAN, which is behind a Netgear FVS318 firewall with NAT enabled? I have SBS 2003 which, from my understanding, requires port 3889 to be mapped to it. Additionally, I am attempting to deploy a separate terminal server in my SBS domain on the same LAN, and have it use the default port 3889 for RDP connections.

Apparently I cannot get this to work with the Netgear firewall/router, because when I try to use the firewall admin console to add an additional routing for 3889 to the terminal server, nothing happens when I submit the new routing. (I am assuming this is because 3889 is already mapped to the SB Server.) Maybe this is just a limitation of the Netgear firewall, and would function differently with a more sophisticated appliance?

I am aware that the port for RDP connections can be changed to something other than 3889 by tweaking the appropriate registry values, but I would really like to stay with the default on the TS and am extremely reluctant to change this on the SBS.
Alan Huseyin Kayahan (Sweden):

Hi haident,

If you are talking about 1 global IP address outside the Netgear, it is not possible to achieve what you want, because it is a one-to-many NAT in which you have to do port mapping and can't map the same port to more than one client.

Regards,

MrHusy
bluetab:

Your ISP should have given you more than one public IP address. So right now you have x.x.x.x mapped to your SBS server. Set up a one-to-one NAT on your router/firewall (most routers will allow you to do this; if yours does not you will need to purchase a new one) to map x.x.x.y to your Terminal Server. Then create a second rule to forward port 3389 requests for x.x.x.y to the Terminal Server. To make things simpler for the users you can then create a DNS record to map ts.yourdomain.com to x.x.x.y.

You can't change port 3389 on the SBS server, otherwise you won't be able to get RWW to work if you are using that.  
You have SBS, there is no need. SBS 2003 is the only Microsoft O/S that has a built in service allowing you to connect to every device on your LAN using remote desktop connections through the Remote Web Workplace option. The initial connection is through a web browser where you select the PC, server, or terminal server to which you want to connect. Assuming you have been granted the appropriate permissions it will then start the RDP session. See:
http://www.lan-2-wan.com/SBS.htm#q1
RWW uses ports 443 and 4125 not 3389. The RWW connection is more secure using SSL.
Haiden Turner (asker):

RobWill: Good, but not really the total answer. RDP connections using the Windows Remote Desktop Connection client allow much more control than RWW does over display properties, local resources, and programs. Also, what if you want to allow guest users or users established only on the Terminal Server locally (i.e. not domain user accounts)?

Still not clear on the issue of whether or not SBS really needs 3389? If not, then this is the answer?
ASKER CERTIFIED SOLUTION
Rob Williams (Canada):

PS: the link I posted earlier has a link to a good webcast with an overview of RWW. If interested, have a look:
http://support.microsoft.com/kb/833983
Cheers !
--Rob
By the way, if you want to stick to Remote Desktop for some reason you can do as per the instructions below, but it will not work if the SBS has 2 NICs and the other PCs and servers are behind the SBS. However, if you try RWW I'll bet you won't go back. It's one of the best features of SBS.

Depending on your router you may have 2 options.
1) Some routers when configuring port forwarding allow you to map an external port to an internal port. So you could map a different external port for each PC or server to the appropriate device and port 3389. For example:
  Computer #1: on the router forward port 3389 to port 3389 on IP 192.168.0.101
  Computer #2: on the router forward port 3391 to port 3389 on IP 192.168.0.102
  Computer #3: on the router forward port 3393 to port 3389 on IP 192.168.0.103
  Computer #4: on the router forward port 3395 to port 3389 on IP 192.168.0.104
When connecting from the remote site in the connection window of the remote desktop connection manager you would enter the WAN IP and the port #, separated by a colon such as:
  66.66.123.123:3391

2) If the router doesn't allow mapping external to internal ports, then you still assign each computer a different external port, but map that directly to the appropriate PC or server. However, in this case you have to change the listening port on each computer or server. Instructions on changing the listening port can be found at:
http://www.petri.co.il/change_terminal_server_listening_port.htm
Though the router in this case does not show external and internal ports, it changes the mapping to effectively be:
  Computer #1: on the router forward port 3389 to port 3389 on IP 192.168.0.101
  Computer #2: on the router forward port 3391 to port 3391 on IP 192.168.0.102
  Computer #3: on the router forward port 3393 to port 3393 on IP 192.168.0.103
  Computer #4: on the router forward port 3395 to port 3395 on IP 192.168.0.104
Again when connecting from the remote site, in the connection window of the remote desktop connection manager you would enter the WAN IP and the port #, separated by a colon such as:
  66.66.123.123:3391
Thanks haident.
Cheers !
--Rob
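As an added illustration, not code from this thread or from Netgear, here is a small Python model of the two forwarding tables Rob describes above: it rejects a second rule for a WAN port that is already forwarded (the asker's symptom on a one-to-many NAT), resolves what a user types into the RDP client to the LAN host and port, and lists which hosts would need their listening port changed under option 2. The WAN IP, LAN addresses and ports are the constructed values from Rob's examples; the class and function names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
# Hypothetical model (not the Netgear FVS318's config format) of the
# one-to-many NAT port-forward table from Rob's two options above.
@dataclass(frozen=True)
class Forward:
    wan_port: int  # port on the single public IP
    lan_ip: str    # LAN host the router delivers to
    lan_port: int  # port on that host (3389 unless its listener was changed)

class NatTable:
    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self._rules: dict[int, Forward] = {}

    def add(self, wan_port: int, lan_ip: str, lan_port: int = 3389) -> Forward:
        # One public IP carries each TCP port once, so a second rule for an
        # already-forwarded WAN port is rejected (the asker's symptom).
        if wan_port in self._rules:
            raise ValueError(f"WAN port {wan_port} already forwarded to "
                             f"{self._rules[wan_port].lan_ip}")
        rule = Forward(wan_port, lan_ip, lan_port)
        self._rules[wan_port] = rule
        return rule

    def resolve(self, target: str) -> tuple[str, int]:
        # Turn what is typed into the RDP client ("wan_ip[:port]") into the
        # LAN host and port the router would deliver the connection to.
        host, _, port_text = target.partition(":")
        if host != self.wan_ip:
            raise ValueError(f"{host} is not this router's WAN address")
        wan_port = int(port_text) if port_text else 3389  # client default
        if wan_port not in self._rules:
            raise KeyError(f"WAN port {wan_port} is not forwarded")
        rule = self._rules[wan_port]
        return rule.lan_ip, rule.lan_port

    def needs_listener_change(self) -> list[str]:
        # Hosts whose RDP listening port must be changed in the registry,
        # because the router delivers to a port other than 3389.
        return [r.lan_ip for r in self._rules.values() if r.lan_port != 3389]

def build(translate_ports: bool, wan_ip: str = "66.66.123.123") -> NatTable:
    # Option 1 (True): router maps each WAN port to 3389 on the host, so all
    # keep the default listener. Option 2 (False): WAN port == LAN port.
    t = NatTable(wan_ip)
    for ext, host in ((3389, "192.168.0.101"), (3391, "192.168.0.102"),
                      (3393, "192.168.0.103"), (3395, "192.168.0.104")):
        t.add(ext, host, 3389 if translate_ports else ext)
    return t
```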