Solved

What is the best way to configure SBS 2008 & TS for RDP behind router using port forwarding?

Posted on 2011-09-26
Last Modified: 2012-05-12
I will be setting up two servers for a client - the first one running SBS 2008 Premium and the second one using the additional Server 2008 license as a Terminal Server. The Terminal Server will be the main server that remote users will access using Remote Desktop. I will need to access the SBS server for admin purposes.

What is the best way to configure the above for RDP behind router using port forwarding? My initial thought was to leave default port 3389 on the TS server and change the listening port on the SBS server. However, I'm not sure if changing the listening port on the SBS server will work or cause other problems. I want to leave the 3389 on the TS server so that remote users don't have to keep typing in a different port each time they RDP. I also prefer to access the SBS server directly instead of via the TS server as that will use up a TS license.
Question by:redmanbros
10 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 36707662
Add the terminal server to the list of computers remotely accessible via RWW. Problem solved. You only need to forward port 443 to the SBS server. No 3389, no funky port mappings. RWW uses RDGateway under the covers, so as long as you have RDS CALs for your RDS server, you'll be golden.

-Cliff
 
LVL 6

Expert Comment

by:Flipp
ID: 36707895
Cliff is 100% correct, but as I have found out, RWA or RWW requires IE as browser for ActiveX to connect to a Computer.

To resolve your question you can simply leave 3389 for TS and port forward through FW, then simply port forward another unused port to <ServerIP>:3389. That way, when you want to access SBS for admin you RDP to <External>:<OtherIP>.
 
LVL 2

Expert Comment

by:berry_rijnbeek
ID: 36708627
You can do it like Cliff to use the RWW or change the RDP port of the SBS server to 3390.
You only need to add port 3390 to the (windows) firewall and reboot the server.
After the reboot the server is available on port 3390.

 
LVL 2

Expert Comment

by:berry_rijnbeek
ID: 36708635
You can change the port number in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
 

Author Comment

by:redmanbros
ID: 36713918
Thanks Cliff (cgaliher) for the idea via RWW but I do prefer for the remote users to get a Remote Desktop session directly with the TS server. Can you see any problem changing the RDP listening port on the SBS server?

berry-rijnbeek - I am not sure I understand correctly - do you mean use an external port of say 3390 and translate it to the internal port of 3389 going to the SBS server? If so, my router cannot do an external to internal port map like that. It can only set as a direct port map translation, i.e. the same internal port number, and it will therefore conflict with the existing port map of 3389 on the TS server.


 
LVL 6

Expert Comment

by:Flipp
ID: 36713926
What he means is you can change the RDP listening port on your SBS to 3390, then you port forward 3390 to SBS.
 

Author Comment

by:redmanbros
ID: 36713944
Hi Flipp. Sorry, I meant to ask you that question instead of rijnbeek. I know that I can change the listening port on the SBS server to an alternate port and port forward but will it affect the SBS server? I don't want RWW and the certificates to be affected by changing the listening port. Have you done this before and has it worked?
 
LVL 6

Expert Comment

by:Flipp
ID: 36713981
No I have never changed the listening port on a Server or Workstation before - I simply use a different external port. Are you sure you can't port forward through FW from different port number?

What model Router are you using?
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 36714229
Yes, there will be problems with changing the listening port on the SBS server. If you do port changes at all, do so on the TS server. But, with that said, allow me to make a case here:

The best solution is to set up an RDGateway server. As previously mentioned, SBS uses this in RWW already, but it was designed for enterprises. Gateway REQUIRES a trusted SSL certificate, which SIGNIFICANTLY enhances security. I cannot stress that enough. When poking holes through your firewall, security should always be high on your mind.

Second best is to use RWW throughout. Same security as above, but restricts use to IE.

Third, admins can use RWW to access SBS. Forward 3389 to the RDS server. End users get direct access, but at the cost of security. SBS admins have the inconvenience of RWW, but at least your domain controller is still behind the more secure tunneled configuration. Decent balance of securing the more sensitive server and convenience for the less important one.

If that can't be done, it is best to do IP-based mapping. Get two public IPs. Forward 3389 from IP #1 to SBS. Forward 3389 from IP #2 to the RDS server. Insecure, but standard server implementations. Patches and service packs don't risk breaking your custom config, because you don't HAVE a custom config.

Port remapping. The ugliest of the solutions. Only requires a single IP, but SOMEBODY has to remember the custom port (either the SBS admins, or the end users), is terribly insecure, and any patch, service pack, update rollup, or other update that touches RDS could reset the setting to default, breaking remote access, even to the point that you can't remote in to fix it. Overall, VERY high maintenance for little perceived gain. I could never "recommend" this config, but only mention it as technically possible.

-Cliff
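
The failure mode described above for port remapping, an update putting the RDP port back to its default so the router forward no longer reaches a listener, can be caught on the server itself. The following read-only PowerShell check is an added example, not part of the original thread; `$ExpectedPort` and the function name `Get-RdpPortStatus` are assumptions chosen for illustration.

```powershell
# Added example: compare the RDP listener with the port the router forwards.
# $ExpectedPort is an assumption: set it to the port your forward targets
# (3389 on a stock server, or the custom port if you remapped it).
param(
    [int]$ExpectedPort = 3389
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpPortStatus {
    param([int]$Expected)

    # Port configured for the RDP-Tcp listener (read only, nothing is changed).
    $configured = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

    # Ports the machine is listening on right now. The registry value only
    # takes effect after a restart, so configured and bound ports can differ.
    $ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listeners = $ipProps.GetActiveTcpListeners()
    $bound     = @($listeners | Where-Object { $_.Port -eq $configured }).Count -gt 0

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    New-Object PSObject -Property @{
        ConfiguredPort = $configured
        ExpectedPort   = $Expected
        PortMatches    = ($configured -eq $Expected)
        ListenerBound  = $bound
        RdpEnabled     = ($deny -eq 0)
    }
}

$status = Get-RdpPortStatus -Expected $ExpectedPort
$status | Format-List

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if (-not ($status.PortMatches -and $status.ListenerBound -and $status.RdpEnabled)) {
    Write-Warning "RDP listener does not match the forwarded port $ExpectedPort."
    exit 1
}
```

Run it from a scheduled task after each patch cycle so a reset port is noticed while someone is still on site to correct it.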
 

Author Closing Comment

by:redmanbros
ID: 36714295
Thanks Cliff (cgaliher). That makes it very clear and I can see the reasons for all the solutions. I might implement solution 3 for now and then if I have time play around with solution 1 to "refine things".