Solved

What is the best way to configure SBS 2008 & TS for RDP behind router using port forwarding?

Posted on 2011-09-26
Last Modified: 2012-05-12
I will be setting up two servers for a client - the first one running SBS 2008 Premium and the second one using the additional Server 2008 license as a Terminal Server. The Terminal Server will be the main server that remote users will access using Remote Desktop. I will need to access the SBS server for admin purposes.

What is the best way to configure the above for RDP behind router using port forwarding? My initial thought was to leave default port 3389 on the TS server and change the listening port on the SBS server. However, I'm not sure if changing the listening port on the SBS server will work or cause other problems. I want to leave the 3389 on the TS server so that remote users don't have to keep typing in a different port each time they RDP. I also prefer to access the SBS server directly instead of via the TS server as that will use up a TS license.
Question by:redmanbros
10 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
Add the terminal server to the list of computers remotely accessible via RWW. Problem solved. You only need to forward port 443 to the SBS server. No 3389, no funky port mappings. RWW uses RDGateway under the covers, so as long as you have RDS CALs for your RDS server, you'll be golden.

-Cliff
0
 
LVL 6

Expert Comment

by:Flipp
Cliff is 100% correct, but as I have found out, RWA or RWW requires IE as browser for ActiveX to connect to a Computer.

To resolve your question you can simply leave 3389 for TS and port forward through FW, then simply port forward another unused port to <ServerIP>:3389. That way, when you want to access SBS for admin you RDP to <External>:<OtherIP>.
0
 
LVL 2

Expert Comment

by:berry_rijnbeek
You can do it like Cliff to use the RWW or change the RDP port of the SBS server to 3390.
You only need to add port 3390 to the (Windows) firewall and reboot the server.
After the reboot the server is available on port 3390.

0
 
LVL 2

Expert Comment

by:berry_rijnbeek
You can change the port number via the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
0
 

Author Comment

by:redmanbros
Thanks Cliff (cgaliher) for the idea via RWW but I do prefer for the remote users to get a Remote Desktop session directly with the TS server. Can you see any problem changing the RDP listening port on the SBS server?

berry-rijnbeek - I am not sure I understand correctly - do you mean use an external port of say 3390 and translate it to the internal port of 3389 going to the SBS server? If so, my router cannot do an external to internal port map like that. It can only set as a direct port map translation, i.e. the same internal port number, and it will therefore conflict with the existing port map of 3389 on the TS server.

0
 
LVL 6

Expert Comment

by:Flipp
What he means is you can change the RDP listening port on your SBS to 3390, then you port forward 3390 to SBS.
0
 

Author Comment

by:redmanbros
Hi Flipp. Sorry, I meant to ask you that question instead of rijnbeek. I know that I can change the listening port on the SBS server to an alternate port and port forward but will it affect the SBS server? I don't want RWW and the certificates to be affected by changing the listening port. Have you done this before and has it worked?
0
 
LVL 6

Expert Comment

by:Flipp
No I have never changed the listening port on a Server or Workstation before - I simply use a different external port. Are you sure you can't port forward through FW from different port number?

What model Router are you using?
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
Yes, there will be problems with changing the listening port on the SBS server. If you do port changes at all, do so on the TS server. But, with that said, allow me to make a case here:

The best solution is to set up an RDGateway server. As previously mentioned, SBS uses this in RWW already, but it was designed for enterprises. Gateway REQUIRES a trusted SSL certificate, which SIGNIFICANTLY enhances security. I cannot stress that enough. When poking holes through your firewall, security should always be high on your mind.

Second best is to use RWW. Throughout. Same security as above, but restricts use to IE.

Third, admins can use RWW to access SBS. Forward 3389 to the RDS server. End users get direct access, but at the cost of security. SBS admins have the inconvenience of RWW, but at least your domain controller is still behind the more secure tunneled configuration. Decent balance of securing the more sensitive server and convenience for the less important one.

If that can't be done, it is best to do IP based mapping. Get two public IPs. Forward 3389 from IP #1 to SBS. Forward 3389 from IP #2 to the RDS server. Insecure, but standard server implementations. Patches and service packs don't risk breaking your custom config, because you don't HAVE a custom config.

Port remapping. The ugliest of the solutions. Only requires a single IP, but SOMEBODY has to remember the custom port (either the SBS admins, or the end users), is terribly insecure, and any patch, service pack, update rollup, or other update that touches RDS could reset the setting to default, breaking remote access, even to the point that you can't remote in to fix it. Overall, VERY high maintenance for little perceived gain. I could never "recommend" this config, but only mention it as technically possible.

-Cliff
0
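The accepted answer warns that an update can reset a remapped RDP listening port to its default and break remote access. The script below is an added example, not part of the original thread, showing a check an admin could schedule locally on the server to catch that drift; it assumes PowerShell 2.0 or later, and `$ExpectedPort`, `Get-RdpConfiguredPort` and `Test-TcpListener` are names made up for this illustration.

```powershell
# Added example: confirm the RDP listener still uses the port that the
# router's forwarding rule expects. Run locally on the server being checked.
param(
    [int]$ExpectedPort = 3389   # assumption: set to the port your router forwards
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpConfiguredPort {
    # PortNumber is the REG_DWORD the RDP listener reads when it starts.
    (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
}

function Test-TcpListener {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port cannot hang the check.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$configured = Get-RdpConfiguredPort
$result = New-Object PSObject -Property @{
    ExpectedPort   = $ExpectedPort
    ConfiguredPort = $configured
    # True when the registry value no longer matches the forwarded port.
    RegistryDrift  = ($configured -ne $ExpectedPort)
    # True when something is accepting connections on the expected port.
    Listening      = (Test-TcpListener -HostName 'localhost' -Port $ExpectedPort)
}
$result

# Non-zero exit lets a scheduled task or monitoring tool raise an alert.
if ($result.RegistryDrift -or -not $result.Listening) { exit 1 }
```

A registry match with `Listening` false usually means the value was changed but the service or server has not been restarted, or the local firewall rule does not cover the new port.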
 

Author Closing Comment

by:redmanbros
Thanks Cliff (cgaliher). That makes it very clear and I can see the reasons for all the solutions. I might implement solution 3 for now and then if I have time play around with solution 1 to "refine things".
0
