
Networking: RDP and Port # 3389

Hi,

This is related to remote desktop between Main Office and Branch Office. To do it, we can use the following software:
- LogMeIn.com
- TeamViewer.com
- GotoAssist
- Cisco WebEX
- VNC
- Remote Assistance (Microsoft)

There are Firewalls, Both at Main Office and Branch Office.

My question: What should the Network Administrator do related to Port # 3389? Would you explain a little bit of it please?

Thank you

tjie
John Hurst (Business Consultant, Owner) commented:
Port 3389 is for direct access in. I don't think you need to enable it for Logmein, WebEx, Remote Assistance. These tools use authentication at both ends and so should not need that port open. I think you should just leave it closed. I do not use the other ones.

... Thinkpads_User
d0ughb0y commented:
LogMeIn, WebEx, GoToMyPC, etc. all use outbound connections, not inbound, so the network administrator only needs to make sure not to block outbound traffic from the machine in question.

For Remote Desktop (and Remote Assistance, for that matter) the Network Admin will have to allow port 3389 into the machine from outside. He/she will need to set up a firewall rule to allow the traffic through (i.e. open the port), as well as (likely) a static NAT pointing the 3389 traffic to the internal IP address of that machine.
rauenpc commented:
Thinkpads is right.

For 3389, would likely need to set up a firewall and NAT rule for each PC that needs direct access. This can chew up a lot of IPs and admin time. Most customers that require this end up building a terminal server so that outside users connect to one server, and RDP from there to any other inside devices.

I can't say for sure on remote assistance as I've never actually used that, but for applications like LogMeIn, WebEx, Team Viewer, Join.Me, etc., they all make connections to the outside world to register. This registration creates an active session on the firewall since it started from inside the network. Assuming the firewall wasn't configured to specifically block this connection, you will be able to connect in to that device using the active session. The application servers in the outside world act as a proxy to allow the use of an existing session so you don't need to worry about a giant security hole with these apps.
tjie (Author) commented:
Hi all,

Per the above explanation ...

I agree with thinkpads that the network administrator should NOT do anything related to the port # 3389 (whether it is open or closed) to use LogMeIn, VNC, etc.

Please post it back if you do not agree

Thank you

tjie
d0ughb0y commented:
That's correct, regarding port 3389. None of those have to do with 3389 - which is only RDP, and which would require the inbound connection, per above. However you mention VNC. VNC is not in the same category as LogMeIn, Citrix, etc. VNC is an inbound service. It doesn't start a connection with an external site, like those others. So it would require inbound NAT and firewall rules, to make it available from the outside. I believe the standard port for VNC is 5900, not 3389.
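To make the distinction drawn in the answers above concrete (tools that register outbound through a relay versus RDP and VNC, which are inbound services that need an allow rule plus a static NAT), here is an added Python model of a stateful edge firewall. It is not code from this thread or from any of the products named; the single public IP 198.51.100.7, the port-preserving NAT, and the addresses 192.168.1.10, 203.0.113.5 and 203.0.113.77 are constructed assumptions for the example.

```python
"""Toy stateful edge firewall (constructed example, not code from the thread).

Shows why an outbound-registering tool works with no inbound rule, while a
direct RDP (3389) or VNC (5900) connection from outside is dropped until the
administrator adds both an inbound allow rule and a static NAT target.
"""
from dataclasses import dataclass, field

RDP_PORT = 3389   # Remote Desktop / Remote Assistance: an inbound service
VNC_PORT = 5900   # VNC default port: also an inbound service


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Firewall:
    """Edge firewall with one public IP; NAT is assumed to preserve source ports."""
    public_ip: str
    inbound_allow: set = field(default_factory=set)   # public ports with an inbound allow rule
    static_nat: dict = field(default_factory=dict)    # public port -> (internal ip, internal port)
    sessions: set = field(default_factory=set)        # (lan ip, lan port, remote ip, remote port)

    def outbound(self, pkt):
        """LAN -> Internet: allowed by default, and the session is recorded."""
        self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return ("allow", None)

    def inbound(self, pkt):
        """Internet -> public IP: only return traffic or published services get through."""
        if pkt.dst_ip != self.public_ip:
            return ("drop", "not addressed to us")
        # 1. Return traffic for a session the LAN side started (LogMeIn/WebEx/TeamViewer case)
        for lan_ip, lan_port, remote_ip, remote_port in self.sessions:
            if (lan_port, remote_ip, remote_port) == (pkt.dst_port, pkt.src_ip, pkt.src_port):
                return ("allow", f"{lan_ip}:{lan_port}")
        # 2. New inbound connection: needs both an allow rule and a NAT target (RDP/VNC case)
        if pkt.dst_port not in self.inbound_allow:
            return ("drop", "no inbound rule")
        target = self.static_nat.get(pkt.dst_port)
        if target is None:
            return ("drop", "allowed but no static NAT target")
        return ("allow", f"{target[0]}:{target[1]}")

    def published_services(self):
        """Ports reachable from outside: those with both an allow rule and a NAT target."""
        return sorted(p for p in self.inbound_allow if p in self.static_nat)


def branch_firewall():
    return Firewall(public_ip="198.51.100.7")   # constructed public address


def relay_tool_case():
    """Outbound-registering tool: no inbound rule, yet the relay's reply gets through."""
    fw = branch_firewall()
    fw.outbound(Packet("192.168.1.10", 50000, "203.0.113.5", 443))   # PC registers with relay
    verdict, dest = fw.inbound(Packet("203.0.113.5", 443, fw.public_ip, 50000))
    return verdict, dest, fw.published_services()


def rdp_case(publish):
    """Direct RDP from outside: dropped until the admin adds allow rule + static NAT."""
    fw = branch_firewall()
    if publish:
        fw.inbound_allow.add(RDP_PORT)
        fw.static_nat[RDP_PORT] = ("192.168.1.10", RDP_PORT)
    verdict, dest = fw.inbound(Packet("203.0.113.77", 40000, fw.public_ip, RDP_PORT))
    return verdict, dest, fw.published_services()


def vnc_case():
    """VNC behaves like RDP here: inbound, so nothing gets in without a rule."""
    fw = branch_firewall()
    verdict, dest = fw.inbound(Packet("203.0.113.77", 40001, fw.public_ip, VNC_PORT))
    return verdict, dest


if __name__ == "__main__":
    print("relay tool :", relay_tool_case())
    print("RDP closed :", rdp_case(publish=False))
    print("RDP opened :", rdp_case(publish=True))
    print("VNC closed :", vnc_case())
```

The `published_services` list is the useful audit view: it stays empty for the relay-based tools, and only grows when the administrator deliberately publishes 3389 (or 5900) with a NAT target, which is the point at which rauenpc's suggestion of a single terminal server rather than one rule per PC becomes worth considering.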