?
Solved

Networking: RDP and Port # 3389

Posted on 2013-01-14
5
Medium Priority
?
876 Views
Last Modified: 2013-01-15
Hi,

This is related to remote desktop between Main Office and Branch Office. To do it, we can use the followings software:
- LogMeIn.com
- TeamViewer.com
- GotoAssist
- Cisco WebEX
- VNC
- Remote Assistance (Microsoft)

There are Firewalls, Both at Main Office and Branch Office.

My question: What should the Network Administator do related to Port # 3389? Would you explain a little bit of it please

Thank you

tjie
0
Comment
Question by:tjie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 97

Accepted Solution

by:
Experienced Member earned 800 total points
ID: 38775771
Port 3389 is for direct access in. I don't think you need to enable it for Logmein, WebEx, Remote Assistance. These tools use authentication at both ends and so should not need that port open. I think you should just leave it closed. I do not use the other ones.

... Thinkpads_User
0
 
LVL 8

Assisted Solution

by:d0ughb0y
d0ughb0y earned 800 total points
ID: 38775870
LogMeIn, WebEx, GoToMyPC, etc. all use outbound connections, not inbound, so the network administrator only needs to make sure not to block outbound traffic from the machine in question.

For Remote Desktop (and Remote Assistance, for that matter) the Network Admin will have to allow port 3389 into the machine from outside. He/she will need to set up a firewall rule to allow the traffic through (i.e. open the port), as well as (likely) a static NAT pointing the 3389 traffic to the internal IP address of that machine.
0
 
LVL 20

Assisted Solution

by:rauenpc
rauenpc earned 400 total points
ID: 38775874
Thinkpads is right.

For 3389, would likely need to setup a firewall and nat rule for each PC that needs direct access. This can chew up a lot of IP's and admin time. Most customers that require this end up building a terminal server so that outside users connect to one server, and RDP from there to any other inside devices.

I can't say for sure on remote assistance as I've never actually used that, but for applications like LogMeIn, WebEx, Team Viewer, Join.Me, etc., they all make connections to the outside world to register. This registration creates an active session on the firewall since it started from inside the network. Assuming the firewall wasn't configured to specifically block this connection, you will be able to connect in to that device using the active session. The application servers in the outside world act as a proxy to allow the use of an existing session so you don't need to worry about a giant security hole with these apps.
0
 

Author Comment

by:tjie
ID: 38776539
Hi all,

Per the above explanation ...

I agree with thinkpads that the network administrator should NOT do anything related to the port # 3389 (either it is open or close) to use LogMeIn, VNC, etc

Please post it back if you do not agree

Thank you

tjie
0
 
LVL 8

Assisted Solution

by:d0ughb0y
d0ughb0y earned 800 total points
ID: 38776791
That's correct, regarding port 3389. None of those have to do with 3389 - which is only RDP, and which would require the inbound connection, per above. However you mention VNC. VNC is not in the same category as LogMeIn, Citrix, etc. VNC is an inbound service. It doesn't start a connection with an external site, like those others. So it would require inbound NAT and firewall rules, to make it available from the outside. I believe the standard port for VNC is 5900, not 3389.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question