Our Remote Desktop client's ports 3389 may be blocked - Alternatives?

We offer an RDS session service for our business clients. These business clients are located in different locations and companies.

Most clients successfully use their Windows PC Remote Desktop Connection perfectly fine using the default port of 3389. (On our end we've also opened up a couple of other ports on our RDS server, which we sometimes need when clients fail to connect because the default 3389 port does not work, such as host: OurRDSServer.com:1234.)

But for some of our clients Remote Desktop Connection fails totally to connect. In these cases we have to try to reach out to their corporate IT departments to adjust firewalls and somehow get the clients' access to work. This is a painful process.

Is there an easier and quicker way to get our business clients connected to our RDS server? We just need direction on the best course of action to investigate. Do we look at VPN? Tunneling? SSH? Other alternatives?
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
A VPN would not make it easier, as it might get blocked the same way, and has its own issues with firewalls. The same applies for anything else. There is always a port needed to reach your RDS server, no matter how you do it. The best option is to offer two or more different RDP ports, as you do already.

I assume you need a real, separate session for each client, and remote controlling (taking over an existing session) is not an option. If I'm wrong, anything like TeamViewer, NetViewer etc. can be used, which requires HTTP only.
What was the reason the default port doesn't work? If that port conflicts, you can assign a different port for the RDS service, or you can port forward a different port number to your RDS.
Misbah (Sr. Software Engineer) commented:
I have a good solution for you that we implemented at work.
We have Remote Desktop Services and we have an RD Gateway;
this gateway's function is to allow all traffic communication to happen using HTTPS instead of the RDP default port 3389.

read this article:

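As an added example (not code from this thread or from any of the commenters), the following PowerShell script shows the two things discussed above: first, which of the candidate paths to the RDS host is actually reachable from a client site (direct 3389, the alternate RDP port, or the RD Gateway on 443), and second, an .rdp file that pins the session to the RD Gateway so it only needs 443 outbound. The hostnames and the alternate port number are placeholders; the .rdp keys are the documented mstsc settings.

```powershell
# Added example, not from the thread. Hostnames below are placeholders.
$RdsHost     = 'rds.example.com'   # internal RD Session Host name (placeholder)
$GatewayFqdn = 'rdgw.example.com'  # public RD Gateway name matching its SSL certificate (placeholder)
$AltRdpPort  = 1234                # the alternate RDP port mentioned in the question

# 1. Probe each candidate TCP path from the client network.
#    Test-NetConnection ships with Windows 8.1 / Server 2012 R2 and later.
$probes = @(
    @{ Name = 'Direct RDP (default 3389)'; Host = $RdsHost;     Port = 3389 },
    @{ Name = 'Direct RDP (alt port)';     Host = $RdsHost;     Port = $AltRdpPort },
    @{ Name = 'RD Gateway (HTTPS 443)';    Host = $GatewayFqdn; Port = 443 }
)
$results = foreach ($p in $probes) {
    $ok = (Test-NetConnection -ComputerName $p.Host -Port $p.Port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Path = $p.Name; Target = "$($p.Host):$($p.Port)"; Reachable = $ok }
}
$results | Format-Table -AutoSize

# 2. When only 443 is open (the usual corporate-firewall case), hand the user an .rdp file
#    that forces the session through the gateway:
#      gatewayusagemethod 1        = always use the gateway
#      gatewaycredentialssource 4  = prompt for credentials (NTLM/password)
#      gatewayprofileusagemethod 1 = use these explicit gateway settings
#      authentication level 2      = warn (do not silently continue) on certificate errors
if (($results | Where-Object Path -like 'RD Gateway*').Reachable) {
    $rdp = @"
full address:s:$RdsHost
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
authentication level:i:2
"@
    $out = Join-Path $env:USERPROFILE 'Desktop\OurRDS-via-Gateway.rdp'
    Set-Content -Path $out -Value $rdp -Encoding ASCII
    Write-Host "Wrote $out; open it with mstsc.exe to connect via the gateway."
} else {
    Write-Warning 'Port 443 to the RD Gateway is also blocked; the client site IT must allow it.'
}
```

The probe table is what you would ask a client to paste back before involving their IT department, since it shows whether the problem is 3389 alone or all outbound ports.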
In my opinion, if the IT department of the other company blocks ports, that is a security issue and their business (and actually a good example of how it should be handled). If it is a painful business for you, then that is so and you have to accept it. Allowing 3rd parties to access computers remotely is something that needs to be carefully handled and only allowed for very good reasons and after plenty of thought. There should be nothing that can circumvent such procedures.
Blue Street Tech (Last Knight) commented:
Misbah nailed it! You shouldn't be opening 3389 anyway, even through obfuscation (port redirection); it's a terrible security practice and ripe for multi-sourced attacks.

With RDCB (Remote Desktop Connection Broker) once you set it up correctly they just hit a site on 443 and launch from there. You can also provide the RemoteApps or VDI/Full Desktops in addition to RDP'ing more securely to an internal device. You can increase encryption and use ACL to limit user access/control. You can deploy MFA or 2FA as well using third-parties that integrate.

It's the best way to deploy RDS.

Qlemo already provided alternatives to this, but in terms of your question specifically, "Do we look at VPN? Tunneling? SSH? Other alternatives?", I hesitate to say "no" to all only because you already have RDS deployed, but it really comes down to the business drivers/needs. What is the purpose of deploying this type of service, e.g. are they remoting into a server or desktop, do they need remote access to an internal app, etc.? By the nature of RDS it is going to be faster than VPN, especially if deploying RemoteApps.

Let me know. Thanks!
David Johnson, CD, MVP (Owner) commented:
From your clients' perspective I can definitely support blocking 3389 for incoming requests, but not for outgoing requests.
JReam (Author) commented:
Thank you for your comments. Very helpful as always. As suggested by Misbah, we figured out the RD Gateway access. Seems to work as advertised! Took us a while since we enabled the RD Gateway role on a new separate server, and getting the new SSL certificate CA installed is always a bit of a task, as you know.

We do have a couple of follow-up questions about RD Gateway, which we will open a new question for.
Blue Street Tech (Last Knight) commented:
Thanks for the points...glad I could help!