LeighWardle asked:

How to use Remote Desktop to remotely connect directly to a workstation

Hi Experts,

I am able to use Remote Desktop to remotely connect to our Server (using a service like dyndns.org).

But I would like to remotely connect to one of the Workstations, e.g. with an IP like 192.168.1.10.

Is it possible to do this?

Regards,
Leigh
Henschel

What are you using for a firewall? Typically you can assign a DMZ address on the firewall that corresponds with the address of the firewall/router and a port (RDP in this case). The DMZ rule essentially redirects traffic destined for the router/firewall address and the port you define to the internal RDP Client.

There is a good article for setting up Remote Desktop Web Connections @ http://www.microsoft.com/windowsxp/using/networking/expert/northrup_03may16.mspx

If you wanted to make it a little more secure, or set up multiple private IP Clients, there are instructions for changing the RDP Listening Port @
http://support.microsoft.com/kb/306759

Changing from the default port is a good idea to prevent someone from easily scanning your router for RDP Connections.

Hope that gets you started.



Hello LeighWardle,

Depends, I have used it at home and configured my router to forward this traffic to my workstation that had a 192.168.xxx.xxx address.  However, dyndns.org needs to point to a real externally accessible address.  If you have a public internet address to use then you can set that up to use dyndns.org and then configure your firewall to pass this traffic to the internal address.

So it depends on your firewall configuration and whether you have another address to use.

Alternatively, since you can connect to the Server...if it is an internal server then you should be on the same network as the workstation and you could remote desktop from it to the workstation...

Regards,

dis1931
ASKER CERTIFIED SOLUTION
cottsak

This solution is only available to members.

It makes sense to do it that way if you are limited for addresses.  I work for a larger company and that is considered bad practice, but certainly nothing wrong with it except it can get a little confusing after tons of devices, but it sounds like this will only be for a couple of devices.
Since this is a Small Business Server environment, you would connect to the desktops directly using Remote Web Workplace.

For details about RWW, please see http://sbsurl.com/rww

Workstations must have been joined properly to the domain in order for RWW to work though.  This means that you joined all workstations to the domain using IE going to http://<servername>/connectcomputer.  If you didn't use this method, correct it by following the steps I've outlined here:  http://sbsurl.com/rejoin

Jeff
TechSoEasy
You can always connect to the server and while on it, simply go to RUN and launch MSTSC. Then type the internal IP of any of the PCs and you will connect to it. RDP over RDP. :-)
Works great.

Claudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services
Why not RDP into Server (secure) and bounce around using VNC on the inside?  Would be secure since you are already "inside" the LAN.
I haven't tested this solution yet, but it looks the easiest for me to implement.
Thanks to the other experts for their contributions.

Regards,
Leigh
I really need to point out that the solution you accepted would not only open your network to unnecessary security risks, but would definitely cause additional management efforts over the long term.  If you don't use the built-in Remote Web Workplace, you should at the very least take tsmvp's recommendation and RDP first to the server and then to a workstation.  (see http://sbsurl.com/m.jpg for an example of how this might look).

Jeff
TechSoEasy
TechSoEasy,
for completeness, would you be able to point out the specific "unnecessary security risks" in my suggestion?

Leigh,
if you feel you need more security, the next easiest option i think would be to set up a VPN server on your server. this is quite easy to do, just google it up. i use this method. it makes it easier to connect to any local system (provided it's configured to do so).
i'd also like to point out that i have tried tsmvp's method too and i feel that you might get frustrated with working this way - (1) navigating nested RDP sessions is difficult due to the fact that the control bar overlaps itself in successive sessions (annoying) and (2) the more RDP sessions you have nested, the usability lag increases exponentially. in short - don't nest RDP sessions. use VPN then RDP to the local address.
Peace
The security risks are such that RDP directly into XP has been known to be fallible to DoS Attacks.  While the previously discovered vulnerability has been patched (http://www.microsoft.com/technet/security/advisory/904797.mspx) there is always the potential for others... and having to watch the status of each workstation's patch/update status is just another level of effort/complication that doesn't need to exist.

Jeff
TechSoEasy
Hi cottsak and Jeff,

Thanks for your additional comments.

Although my question was posed in terms of Remote Desktop, I will probably use UltraVNC.
My two motivations are:

1) I also need to remotely connect to a Windows 2000 Pro workstation.  I understand there isn't Remote Desktop host software for Windows 2000 Pro.

2) It's easy to use end-to-end encryption using the MSRC4 Plugin available from http://msrc4plugin.home.comcast.net/index.html

Wouldn't end-to-end encryption satisfy the security concerns?

Regards,
Leigh
Jeff,
i think the likelihood of the web server hosting RWW being exploited via DoS (or another kind of attack) is many times more likely than RDP being re-targeted for exploit via DoS. a web server responds to so much more than RDP and so to boil this all down, it's not really a security risk, at least in relative terms.
also, it should be noted that "having to watch the status of each workstation's patch/update status" is not only not complicated but part of the standard job description of a studious Admin.
no software is ever perfect, it must constantly be updated.
Peace

Leigh,
VNC works too.
i'd like to point out that the current version of RDP already uses 128bit RC4 encryption (like the MSRC4 Plugin) so you're not 'adding' security strength with this plugin. it's well known that the RC4 cipher has been cracked but the AES has not to date [side channels don't count]. i'd suggest the AESV2 Plugin if you must use VNC and you want usable security strength.
Peace
Remote Web Workplace provides End-to-End encryption by default without the need to install any additional software.  That's because it runs over port 443 using SSL.

If you are needing to connect to a Windows 2000 Pro workstation, then you would need a separate remote desktop solution for that, and VNC works just fine, as does LogMeIn Free, which is what I use for the random Win2K desktops that still exist.

cottsak... you're missing the point, which may be due to you not working with SBS on a regular basis.  SBS includes a number of things which make administration of a small business network easier and less complicated, and therefore MORE secure.  Your comment regarding the "likelihood of a web server hosting RWW being exploited via DoS" shows that you don't truly understand how RWW works, and that it uses a PROXY port (4125).  You can review the details of how this works here:  http://sbsurl.com/rww

Jeff
TechSoEasy
or VPN into the inside and RDP / VNC using private addresses... kind of like a man in the middle attack being prevented by one side's nearsightedness ;)
VPN secures the connection at a single point and provides the most flexibility.
you should always try not to have a direct remote connection to any internal computer, so some sort of secured VPN; gateway; proxy (for my RWW friend) is suggested.

i have not used the RWW solution, but for convenience and fast setup it seems handy if it's available. the only reason i'd suggest to steer clear of it would be the fact that it's an ActiveX beast which means it requires the notoriously insecure and flawed Internet Explorer (but i won't enter THAT debate! lol).

for sure, use VNC but use it thru a VPN (of some sort).
Peace
cottsak... thanks for the somewhat support of what I was trying to say.  just FYI, ActiveX technology can be used to create an insecure situation, but the use of known ActiveX plug-ins is not in and of itself insecure.
TechSoEasy,

"but the use of known ActiveX plug-ins is not in and of itself insecure"
granted, but the use of IE is in and of itself insecure (comparatively).

The use of IE is not insecure (comparatively).  It has the potential to be less secure because it offers significantly more for the end-user by way of ActiveX controls.  There is ALWAYS a trade-off between security and functionality... because the MOST secure computer is one that's unplugged.  But that particular configuration is quite difficult to use for much of anything except keeping the door to the server room from swinging shut when the wind blows.

You might be interested in reading an article describing "Good Enough Security" which was written a couple years ago and is rather pertinent to this discussion:  http://sbsurl.com/security
TechSoEasy,
thanx for the linkage. i'll keep that in mind. i'd prefer not to debate IE vs [other browsers]. i think we can agree to disagree on this one?
You can set the RDP on the workstation to a different port and connect that way.  I have a client that has 1 server and 5 workstations.  The Server uses 3389 and the workstations use 9999, 9998, 9997, 9996 and 9995.  I have a port forward rule in the router/firewall to each box.  I connect RDP to the particular port to get to the machine I want.
samccarthy,

Setting a workstation to use a different port is not more secure than using RWW, which proxies the connection and is ultimately much more secure.  Any port scanner can find an open port and attempt to gain access via RDP if you change the port.  But using RWW stealths port 4125, and only allows a connection once authenticated.  You might want to review this as outlined here:  http://sbsurl.com/rww

Jeff
TechSoEasy
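
The per-workstation port-forward layout and the objection to it, discussed in the two posts above, can be checked mechanically against a router's forward table. The following is an added example, not code from any poster in this thread: the table format, the `192.168.1.x` addresses, the choice of `192.168.1.2` as the server, and the function names are all assumptions; only ports 443, 4125, 3389 and 9999-9995 come from the discussion.

```python
import ipaddress

# Constructed forward table modelled on the layout described in the thread
# (server on 3389, workstations on 9999-9995). Addresses are sample values.
FORWARDS = """\
# ext_port  proto  internal_ip   internal_port
443         tcp    192.168.1.2   443
4125        tcp    192.168.1.2   4125
3389        tcp    192.168.1.2   3389
9999        tcp    192.168.1.10  9999
9998        tcp    192.168.1.11  9998
9997        tcp    192.168.1.12  9997
9996        tcp    192.168.1.13  9996
9995        tcp    192.168.1.14  9995
"""

GATEWAY = ipaddress.ip_address("192.168.1.2")  # assumed server address
GATEWAY_PORTS = {443, 4125}                    # RWW ports named in the thread


def parse_forwards(text):
    """Yield (ext_port, proto, internal_ip, internal_port) for each rule."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(fields)}")
        ext, proto, ip, port = fields
        yield int(ext), proto.lower(), ipaddress.ip_address(ip), int(port)


def audit(text):
    """Return (ext_port, internal_ip, internal_port, reason) per risky rule."""
    findings = []
    for ext, _proto, ip, port in parse_forwards(text):
        if ip == GATEWAY and port in GATEWAY_PORTS:
            continue  # terminates on the gateway service, not on a desktop
        if ip != GATEWAY:
            reason = "direct forward to a workstation; its patch level is now exposed"
        else:
            reason = "server port outside the gateway allow-list"
        findings.append((ext, str(ip), port, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(FORWARDS):
        print("%5d -> %s:%d  %s" % finding)
```

The audit flags the workstation rules regardless of the external port number, which is the point made in the reply above: a non-default port does not change what is reachable from outside.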
If opening ports up is an issue, I like to use LogMeIn Free, or if I need to print remotely then LogMeIn Pro or IT Reach.  It connects using a 256 bit connection (unlike VNC) and is just as fast and responsive as Remote Desktop.

Also, if you have Windows Small Business Server, you can use Remote Web Workplace, which uses secured connections, though it can only work with Internet Explorer.