Remote Access to workgroup in shared office space

gerlis used Ask the Experts™
We have a client who is moving into shared space in an office suite where broadband is supplied by the office management.  The building is cabled with all the RJ45 sockets terminating in a cabinet maintained by the office management IT support company (although this may change).  
We need to be able to remotely access their computers (a workgroup) using Remote Desktop.  Also, they all need to have access to shared folders on each of the three workgroup computers.
On the office suite router, they intend to create a DMZ to our client’s router, and then patch from that router into the appropriate connections in the patch panel.  We can then setup port forwarding in our client’s router to allow us access to each of the three workgroup computers. We will give our client’s network a different internal IP address to the main IP range and will also give each of the computers a fixed IP within that range so that we can assign a RDP port for each of them
Is this the best way to do it?  Have I missed anything?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2011
That's sounds viable to me. I don't see why they need to create a "dmz" if they are using port forwarding.
Make sure that the DMZ the building management company is providing is wide open with no restrictions. Use your client's router/firewall for all NAT / PAT.

If you're planning to have them use a VPN connection where they will tunnel into their RDP connection, you may run into issues. VPN tunnels don't like double NATing.
That is fairly straight forward; I wouldn't want to keep up with different port numbers for your RDP connections though.

One other thought; you could use Hamachi to put all the computers on the same local subnet. I use this application personally and works great. Never used it in a business environment but to each his own. =)


Soulja: The management company intend to use only a DMZ.  It is us who need the port forwarding for the puroposes of remote support.

jzaniewski: The DMZ will be unrestricted.  No VPN is required.

pitchford: Only three PC's, so only three port numbers to manage.  We just need to change the port number in the registry of each PC and forward it on the router.  Hamachi looks very interesting, but for now, we just need RDP.

Thank you all for your most helpful comments and advice.  I will set this up next week and come back with the good or bad news.
Top Expert 2011

Okay, I understand now. Yes, there is no reason you shouldn't be able to accomplish this.
You shouldn't need to make registry setting changes if your router/firewall supports PAT (port address translation).

Basically, you would set it up like this:
All users use a single public IP with a port number appended to the end like this
You setup your firewall so that all traffic on port 3390 routes to PC1 and gets translated to port 3389 on the inside.
You would then create another rule for port 3391 and repeat the process for the next PC.
I recommend that you choose high port numbers, like 50000, 50001 and 50002. They're less likely to be scanned by an attacker.
This method allows for a centrally managed method of what you're trying to do without having to worry about getting to every PC and make the changes locally. This also allows you to make changes quickly if needed. And if you have remote access to the firewall, you can make adjustments without inturrupting the client at their desktop.

If your firewall doesn't support PAT, you'll have to do it using the reg hack method you mentioned.


jzaniewski: Unfortuateley the router doesn't support PAT, but this is a very interesting approach, new to us.

Soulja and all: It all worked fine. So success.

Thanks to all. We'll split the points.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial