

Can't get RD Web Connection to work through WatchGuard Firewall

Posted on 2008-10-05
Medium Priority
Last Modified: 2013-11-21
I am trying to set up Remote Desktop Web Connection on Windows XP. It is working internally but I am trying to publish the connection to the internet so I can connect from outside my company's firewall. I have a WatchGuard Firebox III. I have added a new server in on the firewall and tried to forward it to my computer several different ways but no matter what it won't work. Could somebody please help?

Thank you,
Question by:ob1_

Expert Comment

ID: 22646467
You'll need to forward port 3389 from the outside IP to whatever box you want to gain access to internally.  In addition, since you're trying to use the web client, you'll need to have 80 and 443 forwarded to the web server that serves the RDP web connection page.

Author Comment

ID: 22646533
There is no web server that serves the page, there is only the client with Remote Desktop Web Connection installed. So I tried forwarding the external ip:port -> internal ip:80. The Remote Desktop Web Connection page comes up, but I can't connect from there. I've also tried opening 3389 and forwarding it.

I am using an additional port to specify my machine from the outside, so the address I am trying in is - b/c I only have 1 external IP and I want to set this up for many machines on my network. So I am trying to forward traffic from my external ip on port 113 to my internal ip on port 80.

So how do I forward 3389? Does traffic on port 3389 on my external ip get forwarded to 3389 on my internal ip? Or is it that traffic to my external ip on 113 gets forwarded to 3389 on my internal ip?

Expert Comment

ID: 22646556
Ah, you're trying to use that multiple RDP functionality.  Haven't fully configured that before.  Standard RDP uses port 3389 to communicate, and then only on a 1 to 1 basis (i.e. you can forward each external IP to one internal IP on the same port).

Sorry but that's all the help I can be on that issue.  Anyone else?


Author Comment

ID: 22646865
please see

I had to cfg each machine to listen on a different port for RD, and forward pubip:3389=>privip:newport for RD and pubip:whatever=>privip:80 for each user!


Expert Comment

ID: 22656994
As I understand you wish to have incoming traffic on one specific port and then to forward it internally to a different port to different machines.

Let me take an example:
Incoming TCP traffic on port 5000 needs to be directed to on port 3389
Incoming TCP traffic on port 5001 needs to be directed to on port 3389
Incoming TCP traffic on port 5002 needs to be directed to on port 3389

I am assuming you are using WSM version 7.x

In Policy Manager; create a custom service; select protocol as TCP; port as 5000; client port as ignore [this is important]

Now add the service created above and configure as below:
Incoming connections are "Enabled and allowed"; from Any; to click Add->Add NAT; in the External IP address the public IP would be listed; in internal IP specify; check the box, Set internal port  to a different port than this policy and specify port as 3389; click OK all the way back.

If there are more ports [please note this port also should not be common], you can either add them in the specific custom service [when adding 5000 as in example above]; or add specific service for each port.

Repeat for 5001 and 5002 as well.

Save to firebox; please implement and update.

Thank you.

Author Comment

ID: 22658802
Here is the problem; it needs to be:

Incoming TCP traffic on port 5000 needs to be directed to on port 3389 and port 80.

Can you forward to 2 ports? Port 80 is the IIS website for TSWEB (Remote Desktop Web Connection). Currently I have the traffic forwarded to 3389 and Remote Desktop works fine through the firewall, but I'd like to use TSWEB.



Accepted Solution

dpk_wal earned 2000 total points
ID: 22660722
Yes, you can forward two ports, 5000 and 80, to 3389 and port 80 respectively; but port 80 can be forwarded only for If you wish to forward the port to more than one machine, then you would need to configure a different port for the webserver as well.

You would need two services, one for each port, because we need internal port redirection.

So assuming that you have 5000 and 80 port; and 5001 for .2 and 5003 for .3; then the services needed would be:
service-1 for port 5000; getting redirected to on port 3389
service-2 for port 80; getting redirected to on port 80
service-3 for port 5001; getting redirected to on port 3389
service-4 for port 5002; getting redirected to on port 3389

Thank you.
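
The forwarding plan from the accepted answer, written out as an added example that is not part of the original thread: a small check that finds public ports claimed by more than one service and lists hosts that have an RDP forward but no web forward for TSWEB. The internal addresses (10.0.0.x), the extra service names and the public ports 8002 and 8003 are constructed placeholders, since the thread does not show the real values.

```python
from collections import defaultdict
from typing import NamedTuple

RDP_PORT, WEB_PORT = 3389, 80

class Forward(NamedTuple):
    name: str      # service name on the firewall
    ext_port: int  # TCP port on the single public IP
    int_ip: str    # internal host (constructed address)
    int_port: int  # port the internal host listens on

def check_plan(rules):
    """Return (conflicts, missing_web) for a list of Forward rules.

    conflicts: public ports used by more than one service. With one public
    IP, a port can be redirected to only one internal target.
    missing_web: hosts that have an RDP forward but no forward to port 80,
    so their TSWEB page is not reachable from outside.
    """
    by_ext = defaultdict(list)
    for r in rules:
        by_ext[r.ext_port].append(r.name)
    conflicts = {p: names for p, names in by_ext.items() if len(names) > 1}

    rdp_hosts = {r.int_ip for r in rules if r.int_port == RDP_PORT}
    web_hosts = {r.int_ip for r in rules if r.int_port == WEB_PORT}
    return conflicts, sorted(rdp_hosts - web_hosts)

# The four services listed in the answer (addresses constructed).
PLAN = [
    Forward("service-1", 5000, "10.0.0.1", RDP_PORT),
    Forward("service-2", 80, "10.0.0.1", WEB_PORT),
    Forward("service-3", 5001, "10.0.0.2", RDP_PORT),
    Forward("service-4", 5002, "10.0.0.3", RDP_PORT),
]

# Reusing public port 80 for a second host's web page collides with service-2.
BAD_PLAN = PLAN + [Forward("service-5", 80, "10.0.0.2", WEB_PORT)]

# Each additional web page gets its own public port (hypothetical 8002/8003).
FIXED_PLAN = PLAN + [
    Forward("service-5", 8002, "10.0.0.2", WEB_PORT),
    Forward("service-6", 8003, "10.0.0.3", WEB_PORT),
]

if __name__ == "__main__":
    for label, plan in (("answer", PLAN), ("bad", BAD_PLAN), ("fixed", FIXED_PLAN)):
        print(label, check_plan(plan))
```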


Question has a verified solution.
