Solved

How to use Remote Desktop to remotely connect directly to a workstation

Posted on 2007-11-29
Last Modified: 2013-11-21
Hi Experts,

I am able to use Remote Desktop to remotely connect our Server (using a service like dyndns.org).

But I would like to remotely connect to one of the Workstations, e.g. with an IP like 192.168.1.10.

Is it possible to do this?

Regards,
Leigh
Question by:LeighWardle
25 Comments

Expert Comment

by:Henschel
ID: 20378756
What are you using for a firewall? Typically you can assign a DMZ address on the firewall that corresponds with the address of the firewall/router and a port (RDP in this case). The DMZ rule essentially redirects traffic destined for the router/firewall address and the port you define to the internal RDP Client.

There is a good article for setting up Remote Desktop Web Connections @ http://www.microsoft.com/windowsxp/using/networking/expert/northrup_03may16.mspx

If you wanted to make it a little more secure, or set up multiple private IP Clients, there are instructions for changing the RDP Listening Port @
http://support.microsoft.com/kb/306759

Changing from the default port is a good idea to prevent someone from easily scanning your router for RDP Connections.

Hope that gets you started.




Expert Comment

by:dis1931
ID: 20378770
Hello LeighWardle,

Depends, I have used it at home and configured my router to forward this traffic to my workstation that had a 192.168.xxx.xxx address.  However, dyndns.org needs to point to a real externally accessible address.  If you have a public internet address to use then you can set that up to use dyndns.org and then configure your firewall to pass this traffic to the internal address.

So it depends on your firewall configuration and whether you have another address to use.

Alternatively, since you can connect to the Server...if it is an internal server then you should be on the same network as the workstation and you could remote desktop from it to the workstation...

Regards,

dis1931

Accepted Solution

by:
cottsak earned 500 total points
ID: 20378826
Your router is probably forwarding all traffic to your server now, including the port 3389 traffic for the RDP connection. Simply pick another port like 13389 (for example) and forward that port on your router to your internal 192.168.1.10 address. Make sure for the forwarding entry that the external port is 13389 and the internal port (to the local address) is 3389. This way, when you connect to your same dyndns.org address but with the new port (e.g. myserver.dyndns.org:13389) using RDP, the connection will be with your other internal computer.
Peace

Expert Comment

by:dis1931
ID: 20379365
It makes sense to do it that way if you are limited for addresses.  I work for a larger company and that is considered bad practice, but there is certainly nothing wrong with it, except it can get a little confusing after tons of devices, but it sounds like this will only be for a couple of devices.

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20379604
Since this is a Small Business Server environment, you would connect to the desktops directly using Remote Web Workplace.

For details about RWW, please see http://sbsurl.com/rww

Workstations must have been joined properly to the domain in order for RWW to work though.  This means that you joined all workstations to the domain using IE going to http://<servername>/connectcomputer.  If you didn't use this method, correct it by following the steps I've outlined here:  http://sbsurl.com/rejoin

Jeff
TechSoEasy

Expert Comment

by:Cláudio Rodrigues
ID: 20379872
You can always connect to the server and while on it, simply go to RUN and launch MSTSC. Then type the internal IP of any of the PCs and you will connect to it. RDP over RDP. :-)
Works great.

Claudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services

Expert Comment

by:tmoon
ID: 20379876
Why not RDP into Server (secure) and bounce around using VNC on the inside?  Would be secure since you are already "inside" the LAN.

Author Closing Comment

by:LeighWardle
ID: 31411833
I haven't tested this solution yet, but it looks the easiest for me to implement.
Thanks to the other experts for their contributions.

Regards,
Leigh

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20379956
I really need to point out that the solution you accepted would not only open your network to unnecessary security risks, but would definitely cause additional management efforts over the long term.  If you don't use the built-in Remote Web Workplace, you should at the very least take tsmvp's recommendation and RDP first to the server and then to a workstation.  (see http://sbsurl.com/m.jpg for an example of how this might look).

Jeff
TechSoEasy

Expert Comment

by:cottsak
ID: 20380141
TechSoEasy,
for completeness, would you be able to point out the specific "unnecessary security risks" in my suggestion?

Leigh,
If you feel you need more security, the next easiest option I think would be to set up a VPN server on your server. This is quite easy to do, just google it up. I use this method. It makes it easier to connect to any local system (provided it's configured to do so).
I'd also like to point out that I have tried tsmvp's method too and I feel that you might get frustrated with working this way - (1) navigating nested RDP sessions is difficult due to the fact that the control bar overlaps itself in successive sessions (annoying) and (2) the more RDP sessions you have nested, the usability lag increases exponentially. In short - don't nest RDP sessions. Use VPN then RDP to the local address.
Peace

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20380203
The security risks are such that RDP directly into XP has been known to be fallible to DoS Attacks.  While the previously discovered vulnerability has been patched (http://www.microsoft.com/technet/security/advisory/904797.mspx) there is always the potential for others... and having to watch the status of each workstation's patch/update status is just another level of effort/complication that doesn't need to exist.

Jeff
TechSoEasy

Author Comment

by:LeighWardle
ID: 20380231
Hi cottsak and Jeff,

Thanks for your additional comments.

Although my question was posed in terms of Remote Desktop, I will probably use UltraVNC.
My two motivations are:

1) I also need to remotely connect to a Windows 2000 Pro workstation.  I understand there isn't Remote Desktop host software for Windows 2000 Pro.

2) It's easy to use end-to-end encryption using the MSRC4 Plugin available from http://msrc4plugin.home.comcast.net/index.html

Wouldn't end-to-end encryption satisfy the security concerns?

Regards,
Leigh

Expert Comment

by:cottsak
ID: 20380236
Jeff,
I think the likelihood of the web server hosting RWW being exploited via DoS (or another kind of attack) is many times more likely than RDP being re-targeted for exploit via DoS. A web server responds to so much more than RDP and so to boil this all down, it's not really a security risk, at least in relative terms.
Also, it should be noted that "having to watch the status of each workstation's patch/update status" is not only not complicated but part of the standard job description of a studious Admin.
No software is ever perfect, it must constantly be updated.
Peace


Expert Comment

by:cottsak
ID: 20380263
Leigh,
VNC works too.
I'd like to point out that the current version of RDP already uses 128-bit RC4 encryption (like the MSRC4 Plugin) so you're not 'adding' security strength with this plugin. It's well known that the RC4 cipher has been cracked but the AES has not to date [side channels don't count]. I'd suggest the AESV2 Plugin if you must use VNC and you want usable security strength.
Peace

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20380281
Remote Web Workplace provides End-to-End encryption by default without the need to install any additional software.  That's because it runs over port 443 using SSL.

If you are needing to connect to a Windows 2000 Pro workstation, then you would need a separate remote desktop solution for that, and VNC works just fine, as does LogMeIn Free, which is what I use for the random Win2K desktops that still exist.

cottsak... you're missing the point, which may be due to you not working with SBS on a regular basis.  SBS includes a number of things which make administration of a small business network easier and less complicated, and therefore MORE secure.  Your comment regarding the "likelihood of a web server hosting RWW being exploited via DoS" shows that you don't truly understand how RWW works, and that it uses a PROXY port (4125).  You can review the details of how this works here:  http://sbsurl.com/rww

Jeff
TechSoEasy

Expert Comment

by:tmoon
ID: 20380287
or VPN into the inside and RDP / VNC using private addresses... kind of like a man in the middle attack being prevented by one side's nearsightedness ;)

Expert Comment

by:cottsak
ID: 20380334
VPN secures the connection at a single point and provides the most flexibility.
You should always try not to have a direct remote connection to any internal computer, so some sort of secured VPN; gateway; proxy (for my RWW friend) is suggested.

I have not used the RWW solution, but for convenience and fast setup it seems handy if it's available. The only reason I'd suggest to steer clear of it would be the fact that it's an ActiveX beast which means it requires the notoriously insecure and flawed Internet Explorer (but I won't enter THAT debate! lol).

For sure, use VNC but use it through a VPN (of some sort).
Peace

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20383226
cottsak... thanks for the somewhat support of what I was trying to say.  just FYI, ActiveX technology can be used to create an insecure situation, but the use of known ActiveX plug-ins is not in and of itself insecure.

Expert Comment

by:cottsak
ID: 20392947
TechSoEasy,

"but the use of known ActiveX plug-ins is not in and of itself insecure"
Granted, but the use of IE is in and of itself insecure (comparatively).


Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20392973
The use of IE is not insecure (comparatively).  It has the potential to be less secure because it offers significantly more for the end-user by way of ActiveX controls.  There is ALWAYS a trade-off between security and functionality... because the MOST secure computer is one that's unplugged.  But that particular configuration is quite difficult to use for much of anything except keeping the door to the server room from swinging shut when the wind blows.


Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20392981
You might be interested in reading an article describing "Good Enough Security" which was written a couple years ago and is rather pertinent to this discussion:  http://sbsurl.com/security

Expert Comment

by:cottsak
ID: 20392994
TechSoEasy,
Thanks for the linkage. I'll keep that in mind. I'd prefer not to debate IE vs [other browsers]. I think we can agree to disagree on this one?

Expert Comment

by:samccarthy
ID: 20637579
You can set the RDP on the workstation to a different port and connect that way.  I have a client that has 1 server and 5 workstations.  The Server uses 3389 and the workstations use 9999, 9998, 9997, 9996 and 9995.  I have a port forward rule in the router/firewall to each box.  I connect RDP to the particular port to get to the machine I want.

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20646636
samccarthy,

Setting a workstation to use a different port is not more secure than using RWW, which proxies the connection and is ultimately much more secure.  Any port scanner can find an open port and attempt to gain access via RDP if you change the port.  But using RWW stealths port 4125, and only allows a connection once authenticated.  You might want to review this as outlined here:  http://sbsurl.com/rww

Jeff
TechSoEasy
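
The port-forwarding layouts discussed in this thread, checked from the defender's side. This is an added example, not part of any poster's comment; the rule format, the server address 192.168.1.2 and the host inventory are constructed assumptions. It lists every forward that lands on an RDP listener regardless of the external port chosen, and which rules would go if only the server (or a VPN endpoint on it) stayed reachable.

```python
# Added example: audit a router port-forward table for directly exposed RDP.
# The rule format, the server address 192.168.1.2 and the inventory are
# constructed for illustration; ports and 192.168.1.10 follow the thread.
import ipaddress
from collections import namedtuple

Forward = namedtuple("Forward", "ext_port int_ip int_port")
DEFAULT_RDP_PORT = 3389

# Constructed sample: server on 3389, one workstation remapped at the router
# (13389 -> 3389), two workstations whose RDP listener port was changed.
FORWARDS = [
    Forward(3389, "192.168.1.2", 3389),
    Forward(13389, "192.168.1.10", 3389),
    Forward(9999, "192.168.1.11", 9999),
    Forward(9998, "192.168.1.12", 9998),
    Forward(443, "192.168.1.2", 443),
]
# Port each host's RDP service listens on when not the default (constructed).
RDP_LISTENERS = {"192.168.1.11": 9999, "192.168.1.12": 9998}


def exposed_rdp(forwards, listeners):
    """Forwards that land on an RDP listener, whatever the external port."""
    return [fw for fw in forwards
            if listeners.get(fw.int_ip, DEFAULT_RDP_PORT) == fw.int_port]


def summarize(forwards, listeners):
    """Count what the Internet can reach and whose patch state now matters."""
    hits = exposed_rdp(forwards, listeners)
    hosts = sorted({fw.int_ip for fw in hits}, key=ipaddress.ip_address)
    moved = sorted(fw.ext_port for fw in hits if fw.ext_port != DEFAULT_RDP_PORT)
    return {"exposed_rules": len(hits), "internet_facing_hosts": hosts,
            "nonstandard_ext_ports": moved}


def rules_to_remove(forwards, listeners, gateway_ip):
    """RDP forwards to drop so only the gateway (server or VPN) is reachable."""
    return [fw for fw in exposed_rdp(forwards, listeners)
            if fw.int_ip != gateway_ip]


if __name__ == "__main__":
    print(summarize(FORWARDS, RDP_LISTENERS))
    for fw in rules_to_remove(FORWARDS, RDP_LISTENERS, "192.168.1.2"):
        print(f"remove: WAN:{fw.ext_port} -> {fw.int_ip}:{fw.int_port}")
```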

Expert Comment

by:juanfermin
ID: 21001193
If opening ports up is an issue, I like to use LogMeIn Free, or if I need to print remotely then LogMeIn Pro or IT Reach.  It connects using a 256-bit connection (unlike VNC) and is just as fast and responsive as Remote Desktop.

Also, if you have Windows Small Business Server, you can use Remote Web Workplace, which uses secured connections, though it can only work with Internet Explorer.