Solved

What is the best way to configure SBS 2008 & TS for RDP behind router using port forwarding?

Posted on 2011-09-26
Last Modified: 2012-05-12
I will be setting up two servers for a client - the first one running SBS 2008 Premium and the second one using the additional Server 2008 license as a Terminal Server. The Terminal Server will be the main server that remote users will access using Remote Desktop. I will need to access the SBS server for admin purposes.

What is the best way to configure the above for RDP behind router using port forwarding? My initial thought was to leave default port 3389 on the TS server and change the listening port on the SBS server. However, I'm not sure if changing the listening port on the SBS server will work or cause other problems. I want to leave the 3389 on the TS server so that remote users don't have to keep typing in a different port each time they RDP. I also prefer to access the SBS server directly instead of via the TS server as that will use up a TS license.
Question by:redmanbros
10 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 36707662
Add the terminal server to the list of computers remotely accessible via RWW. Problem solved. You only need to forward port 443 to the SBS server. No 3389, no funky port mappings. RWW uses RDGateway under the covers, so as long as you have RDS CALs for your RDS server, you'll be golden.

-Cliff
0
 
LVL 6

Expert Comment

by:Flipp
ID: 36707895
Cliff is 100% correct, but as I have found out, RWA or RWW requires IE as browser for ActiveX to connect to a Computer.

To resolve your question you can simply leave 3389 for TS and port forward through FW, then simply port forward another unused port to <ServerIP>:3389. That way, when you want to access SBS for admin you RDP to <External>:<OtherIP>.
0
 
LVL 2

Expert Comment

by:berry_rijnbeek
ID: 36708627
You can do it like Cliff to use the RWW or change the RDP port of the SBS server to 3390.
You only need to add port 3390 to the (windows) firewall and reboot the server.
After the reboot the server is available on port 3390.

0

 
LVL 2

Expert Comment

by:berry_rijnbeek
ID: 36708635
You can change the port number in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
0
 

Author Comment

by:redmanbros
ID: 36713918
Thanks Cliff (cgaliher) for the idea via RWW but I do prefer for the remote users to get a Remote Desktop session directly with the TS server. Can you see any problem changing the RDP listening port on the SBS server?

berry-rijnbeek - I am not sure I understand correctly - do you mean use an external port of say 3390 and translate it to the internal port of 3389 going to the SBS server? If so, my router cannot do an external to internal port map like that. It can only set as a direct port map translation, i.e. the same internal port number, and it will therefore conflict with the existing port map of 3389 on the TS server.

0
 
LVL 6

Expert Comment

by:Flipp
ID: 36713926
What he means is you can change the RDP listening port on your SBS to 3390, then you port forward 3390 to SBS.
0
 

Author Comment

by:redmanbros
ID: 36713944
Hi Flipp. Sorry, I meant to ask you that question instead of rijnbeek. I know that I can change the listening port on the SBS server to an alternate port and port forward but will it affect the SBS server? I don't want RWW and the certificates to be affected by changing the listening port. Have you done this before and has it worked?
0
 
LVL 6

Expert Comment

by:Flipp
ID: 36713981
No I have never changed the listening port on a Server or Workstation before - I simply use a different external port. Are you sure you can't port forward through FW from different port number?

What model Router are you using?
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1000 total points
ID: 36714229
Yes, there will be problems with changing the listening port on the SBS server. If you do port changes at all, do so on the TS server. But, with that said, allow me to make a case here:

The best solution is to set up an RDGateway server. As previously mentioned, SBS uses this in RWW already, but it was designed for enterprises. Gateway REQUIRES a trusted SSL certificate, which SIGNIFICANTLY enhances security. I cannot stress that enough. When poking holes through your firewall, security should always be high on your mind.

Second best is to use RWW throughout. Same security as above, but restricts use to IE.

Third, admins can use RWW to access SBS. Forward 3389 to the RDS server. End users get direct access, but at the cost of security. SBS admins have the inconvenience of RWW, but at least your domain controller is still behind the more secure tunneled configuration. Decent balance of securing the more sensitive server and convenience for the less important one.

If that can't be done, it is best to do IP based mapping. Get two public IPs. Forward 3389 from IP #1 to SBS. Forward 3389 from IP #2 to the RDS server. Insecure, but standard server implementations. Patches and service packs don't risk breaking your custom config, because you don't HAVE a custom config.

Port remapping. The ugliest of the solutions. Only requires a single IP, but SOMEBODY has to remember the custom port (either the SBS admins, or the end users), is terribly insecure, and any patch, service pack, update rollup, or other update that touches RDS could reset the setting to default, breaking remote access, even to the point that you can't remote in to fix it. Overall, VERY high maintenance for little perceived gain. I could never "recommend" this config, but only mention it as technically possible.

-Cliff
0
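
A drift check for the port-remapping option discussed in the answer above, as an added example that is not part of the original thread: it compares the RDP-Tcp `PortNumber` registry value with the port the router forwards and confirms a listener is bound to it. `$ExpectedPort` and the function name `Test-RdpPortDrift` are assumptions; 3390 is the alternate port suggested earlier in the thread, and the script assumes PowerShell 2.0 and English `netstat` output.

```powershell
# Added example: detect drift in a remapped RDP listener (run locally on the server).
# $ExpectedPort is an assumption: the port the router forwards to this host.
param([int]$ExpectedPort = 3390)

$key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Hypothetical helper: pure comparison logic, so it can be exercised with captured netstat text.
function Test-RdpPortDrift {
    param([int]$Expected, [int]$Configured, [string[]]$NetstatLines)

    # A listener line looks like: "  TCP    0.0.0.0:3390    0.0.0.0:0    LISTENING    1234"
    $listening = @($NetstatLines | Where-Object {
        $_ -match "^\s*TCP\s+\S+:$Configured\s+\S+\s+LISTENING"
    }).Count -gt 0

    $result = New-Object PSObject -Property @{
        ExpectedPort   = $Expected
        ConfiguredPort = $Configured
        Listening      = $listening
        Status         = 'OK'
    }

    if ($Configured -ne $Expected) {
        # An update reset the value, or someone changed it without updating the router.
        $result.Status = 'DRIFT: registry port differs from the forwarded port'
    }
    elseif (-not $listening) {
        # Registry was edited but the listener has not picked it up yet.
        $result.Status = 'STALE: no listener on the configured port (reboot pending?)'
    }
    $result
}

# Read the configured port and the current IPv4 TCP listeners from the live system.
$configured = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
$netstat    = netstat -ano -p tcp

Test-RdpPortDrift -Expected $ExpectedPort -Configured $configured -NetstatLines $netstat |
    Format-List ExpectedPort, ConfiguredPort, Listening, Status
```

Running it from a scheduled task after patch installs gives early warning of the reset-to-default failure the answer describes, before remote access is needed.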
 

Author Closing Comment

by:redmanbros
ID: 36714295
Thanks Cliff (cgaliher). That makes it very clear and I can see the reasons for all the solutions. I might implement solution 3 for now and then if I have time play around with solution 1 to "refine things".
0
