Windows Server and Windows Firewall Settings

I have my firewall setup to forward ports to IP addresses for remote desktop. What is the best way to make changes to Windows firewall to allow these connections to come through? If I turn the firewall off I can connect. There are relatively few ports used so I could add each port individually or would you suggest I make one entry and do it with a range of ports (what is best practice?)? This is a Windows 2008R2 domain with Hyper-V, 1 2008R2 VM server, and 2 XP and 5 Win7 PCs.
LVL 26
Lionel MMSmall Business IT ConsultantAsked:
Who is Participating?
 
serialbandCommented:
You shouldn't actually use port 3389 as the outside port.  Change it to some other higher number (e.g. 33888, 33999) that automated scripts don't detect and connect to.  Any higher number will work.

What is it that you're trying to do?  How many connections do you need or have?  If you have 20 Windows systems behind the firewall and want all 20 to accept RDP from the network, then you're just going to have to port forward each system.  If you just have the one server, you only need one connection.  The users can all use the same port to connect and log in to the same server using their own account and password.
0
 
Aaron TomoskySD-WAN SimplifiedCommented:
Don't port forward, use a VPN. If you absolutely have to, only forward this port. It's 3389 both tcp and udp.
0
 
Lionel MMSmall Business IT ConsultantAuthor Commented:
We have a company that is providing our phone and internet services with this firewall/router and they will not allow VPN's to be setup on that firewall. I had asked them if they could set it up since I do not know how to and they said as a practice they don't do it.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
Aaron TomoskySD-WAN SimplifiedCommented:
You can use all sorts of things as a VPN endpoint. Any server os including windows and osx will all have a VPN server built in. You can also run open vpn server or something.

Anyway, does it work with 3389 forwarded and allowed through the firewall?
0
 
Lionel MMSmall Business IT ConsultantAuthor Commented:
The port forwarding works--that is not the problem. I am trying to find out what is the best way to add rules/exceptions to the Windows firewall to allow other ports other than 3389 to work, namely a range of 3380 to 3399. Right now that is the main thing--once I have that working I can (maybe) focus on a VPN solution but right now I need users to be able to remote in without having to turn the firewall off.
0
 
Aaron TomoskySD-WAN SimplifiedCommented:
For the windows firewall it has a rule ready to be enabled. Remote Desktop or windows Remote Desktop or something. Just open the advanced firewall incoming rules and you should see it.

I agree about the different port if you don't vpn. Also, only forward that port to the box you need to rdp, not everything.
0
 
Lionel MMSmall Business IT ConsultantAuthor Commented:
serialband I will follow your advise about using higher numbered port numbers. Your question--what I am trying to do. I support 42 systems remotely, a mix of Win XP and Win 7 and then 3 Win Server 2003, 3 Win 2008 Server and 1 Win 2012 Server. I have saved remote desktop connections for each systems. There are a total of 5 different networks involved in this, 5 different companies. Someone calls, I remote desktop into their system (double click their saved RDP connection), fix the problem and get back out. Do most of the maintenance at night when everyone has gone home and work on the servers on the weekends. On each router (5 of them) I have setup ports to forward to each system's IP address and changed the RDP port in the registry to correspond to the port number setup in the router.
0
 
serialbandCommented:
You didn't actually have to change the RDP ports on the local systems registries if you port forward.  You only had to remap the ports at the router.  I do that all the time.  You can map external port (e.g. 40000) to port 3389 on a local IP.   Every once in a while you should change it.

It really depends your workflow, but here's a suggestion:
If you're mainly doing this for sysadmin work, I suggest that you reserve just one port forward to each system network probably to a special locked down server that only you will ever log into.  From there you can RDP to other systems within the company.  It's better to keep your exposed external external ports down to a minimum if you can.  This way, if the  systems ever get externally attacked, you reduce the number of system's logs to search through.

You can do multiple remote desktops within remote desktops.
0
 
Lionel MMSmall Business IT ConsultantAuthor Commented:
I never thought of that before to leave all the systems with 3389 and only have different ports on the external ports/on the router. The only thing I don't like about your suggestion about remoting into a server and then RDP to the other systems is that what do I do if that system is down? I do want the best possible solution and the most secure so if I have to setup a VPN for each company I support them that is what I must figure out the best way to do.
0
 
Aaron TomoskySD-WAN SimplifiedCommented:
If you support many computers with many companies, I would do two things:
1. Have a VPN at each one.
2. Pay for logmein connect. One account you pay for, all the computer licenses are free.
0
 
serialbandCommented:
If you don't want a single access point, you could just set multiple external port forwards at each company.  This way you don't have to go to each system and change each port.  That seems like a lot of extra unnecessary work.  You only need to change the forwarding ports at their router/firewall/gateway.  You can then also reconfigure the ports as the systems change.
0
 
Lionel MMSmall Business IT ConsultantAuthor Commented:
Yes that is my plan right now to use multiple port forwards at the router level, using the high port numbers you suggested, without changing the RDP port numbers at the PC level (which is what I was doing before). I need to get a better understanding of setting up a VPN to each router before adopting that solution, which it seems clear everyone is suggesting I adopt as the most secure way.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.