Windows Server and Windows Firewall Settings

We have a company that is providing our phone and internet services with this firewall/router and they will not allow VPN's to be setup on that firewall. I had asked them if they could set it up since I do not know how to and they said as a practice they don't do it.

You can use all sorts of things as a VPN endpoint. Any server os including windows and osx will all have a VPN server built in. You can also run open vpn server or something.

Anyway, does it work with 3389 forwarded and allowed through the firewall?

The port forwarding works--that is not the problem. I am trying to find out what is the best way to add rules/exceptions to the Windows firewall to allow other ports other than 3389 to work, namely a range of 3380 to 3399. Right now that is the main thing--once I have that working I can (maybe) focus on a VPN solution but right now I need users to be able to remote in without having to turn the firewall off.

For the windows firewall it has a rule ready to be enabled. Remote Desktop or windows Remote Desktop or something. Just open the advanced firewall incoming rules and you should see it.

I agree about the different port if you don't vpn. Also, only forward that port to the box you need to rdp, not everything.

serialband I will follow your advise about using higher numbered port numbers. Your question--what I am trying to do. I support 42 systems remotely, a mix of Win XP and Win 7 and then 3 Win Server 2003, 3 Win 2008 Server and 1 Win 2012 Server. I have saved remote desktop connections for each systems. There are a total of 5 different networks involved in this, 5 different companies. Someone calls, I remote desktop into their system (double click their saved RDP connection), fix the problem and get back out. Do most of the maintenance at night when everyone has gone home and work on the servers on the weekends. On each router (5 of them) I have setup ports to forward to each system's IP address and changed the RDP port in the registry to correspond to the port number setup in the router.

You didn't actually have to change the RDP ports on the local systems registries if you port forward.  You only had to remap the ports at the router.  I do that all the time.  You can map external port (e.g. 40000) to port 3389 on a local IP.   Every once in a while you should change it.

It really depends your workflow, but here's a suggestion:
If you're mainly doing this for sysadmin work, I suggest that you reserve just one port forward to each system network probably to a special locked down server that only you will ever log into.  From there you can RDP to other systems within the company.  It's better to keep your exposed external external ports down to a minimum if you can.  This way, if the  systems ever get externally attacked, you reduce the number of system's logs to search through.

You can do multiple remote desktops within remote desktops.

I never thought of that before to leave all the systems with 3389 and only have different ports on the external ports/on the router. The only thing I don't like about your suggestion about remoting into a server and then RDP to the other systems is that what do I do if that system is down? I do want the best possible solution and the most secure so if I have to setup a VPN for each company I support them that is what I must figure out the best way to do.

If you support many computers with many companies, I would do two things:
1. Have a VPN at each one.
2. Pay for logmein connect. One account you pay for, all the computer licenses are free.

If you don't want a single access point, you could just set multiple external port forwards at each company.  This way you don't have to go to each system and change each port.  That seems like a lot of extra unnecessary work.  You only need to change the forwarding ports at their router/firewall/gateway.  You can then also reconfigure the ports as the systems change.

Yes that is my plan right now to use multiple port forwards at the router level, using the high port numbers you suggested, without changing the RDP port numbers at the PC level (which is what I was doing before). I need to get a better understanding of setting up a VPN to each router before adopting that solution, which it seems clear everyone is suggesting I adopt as the most secure way.