Steven Mentzer
asked on

Can't connect to WS2016 RD server after changing default port (3389).

Windows Server 2016 running Hyper-V: one VM is the RD server.  I changed the RD server port from the 3389 default.  I changed the SEP rules to permit all remote traffic.  I can access the RD server from my second VM (domain controller) on the same Hyper-V NIC, but cannot connect to the RD server from an outside client.  I assume it is a firewall issue, but am stumped.  Please help.
David Sankovsky

There are several things to check here.
1) Is the port you are trying to use being filtered out at the host level (the HV server)?
2) When you say "outside" client, do you mean from a completely different subnet / VLAN? If so, it's a fair bet you are crossing a firewall on the way (an actual one, not the Windows firewall, something like a Fortigate or a SonicWall), in which case you'd have to make sure you allow the new port there as well.
In addition to allowing the port in the firewall/router, you'll have to forward the port in the firewall/router.

Also, make sure you have changed the port setting in the remote client (assuming you're not changing the port as it goes through the firewall).

As a separate issue, are you comfortable with whatever security you have set up for remote access?  If you are just relying on the Windows login name and password, you may want to reconsider.

As a separate issue, are you comfortable with whatever security you have set up for remote access?  If you are just relying on the Windows login name and password, you may want to reconsider.

That line is very important and Kudos to CompProbSolv for bringing it up.
Especially in environments where you have an RD box that is on the same vLAN and/or segment as your Domain Controller. Changing the default RDP port from 3389 to something else is a good idea (especially if you choose from the higher end of the range) but it's rarely enough. You should invest in 2/MFA solutions (especially if this is a production environment) and for remote access, you better have a well-configured VPN to allow encrypted connection to your environment. Last but certainly not least, since you already changed the RDP port, it's also a good idea to rename the original Administrator user name so that the user DOMAIN\Administrator doesn't actually exist (Also avoid obvious replacements like HelpDesk and such - those are prime targets). And make sure that only the users that need access to the network remotely, can access the network remotely.
It is unclear what you meant to do, which makes the suggestions general.

What is the purpose of the change on the server?
On the external firewall you need to update the port forwarding rule, depending on your firewall.


external port        internal destination
3389                 VM IP : your altered port
any port             VM IP : your altered port

Depending on the firewall changes from the outside, you have to match the settings on the outside firewall.

mstsc /v:remotewanip:remote_rdp_port

where the remote_rdp_port can be anything you set that on the firewall's port forwarding/NAT table routes to the internal system's new_rdp_port.
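A way to work through David's point 1 and arnold's forwarding note from the RD server itself, as an added example that is not code from any answer in this thread: it reads the port the RDP-Tcp listener is configured for, checks that something is actually listening there, and looks for an enabled inbound Windows Firewall rule for it (SEP's own firewall is a separate check). The `<rd-server-or-public-ip>` and `<allowed range>` values are placeholders.

```powershell
# Added example, not from any answer in this thread. Run in an elevated PowerShell
# on the RD server VM. Checks: (1) which port RDP-Tcp is configured for, (2) that
# a listener is actually bound to it, (3) that an enabled inbound Windows Firewall
# rule allows it. <rd-server-or-public-ip> and <allowed range> are placeholders.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
"RDP-Tcp is configured for TCP port $port"

# (2) The registry change only takes effect after TermService restarts (or a reboot).
$listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if ($listener) {
    "Listening on $port (process id $($listener.OwningProcess | Select-Object -First 1))"
} else {
    "Nothing is listening on $port; restart the Remote Desktop Services service (TermService)"
}

# (3) The built-in 'Remote Desktop' rules stay bound to 3389 and do not follow the
#     registry change, so a rule for the new port has to exist and be enabled.
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
if ($rules) {
    "Inbound allow rule(s) for TCP/$port found: $($rules.DisplayName -join ', ')"
} else {
    "No enabled inbound allow rule for TCP/$port. Add one, scoped to the addresses that need it:"
    "  New-NetFirewallRule -DisplayName 'RDP on $port' -Direction Inbound -Protocol TCP " +
    "-LocalPort $port -Action Allow -RemoteAddress <allowed range>"
}

# Then test reachability from the DC (which already works) and from the outside
# client's network. TcpTestSucceeded = True inside but False outside points at the
# edge firewall's allow/forward rule rather than at the server:
#   Test-NetConnection -ComputerName <rd-server-or-public-ip> -Port $port
```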
Steven Mentzer (ASKER)

I am a scientist at a well-known academic institution in Boston that has used a remote desktop server since the beginning of terminal services.  My collaborators and lab personnel have used it without problems (except for the occasional brute force attack) for over 20 years. We have many years of customized software developed for our system. Now our institution wants us to use something called SecureLink which strikes me as Big Brother and intrusive.  The question is whether SecureLink would be better than other options.  Move my RD server to a cloud service (I have no idea how complicated that is)?  Other options? Any suggestions would be helpful.  Thanks.
I have had a couple of clients get compromised through RDS because of weak passwords in AD.  Stronger AD passwords are one option as well as restricting client IP addresses (which doesn't work if the clients have dynamic IP addresses), VPN from client to RDS network, or use of certificates on client computers.

I've not worked with SecureLink before so can't comment on it with any authority.  One potential significant difference between it and RDS is whether or not it allows multiple accesses to the same computer.  It appears that it may be just a single access to a computer.  That's very workable for users who have a computer in the office that they want to access, but not so useful for users who only do remote access.
Thanks for the help.  I think the practical question is how safe is RDS?  The network security people at my institution seem to be convinced that RDS will lead to the cataclysmic implosion of Western civilization. Since 1996, we have had occasional brute force attacks but never any successful penetration of our network.  My current protocol is complex passwords, daily WS2016 updates, one administrator (me), only local management, no IIS or unnecessary services running on the RD server, daily login monitoring, Comodo SSL certificate, network level authentication, lockout policy (3 failures = 30-day lockout), software firewall (Syspeace) rules limiting access to 8 countries, and Symantec EP.

I was going to change the default port, but that would involve negotiations with the Security police so I changed it back to 3389.

Do you think I have an optimal security strategy?  What else can I do?  I don't want to contribute to the demise of our civilization.  Many thanks!
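One way to put the "daily login monitoring" and the brute-force history described above into a repeatable check, as an added example that is not code from this thread: it pulls the failed-logon events (4625) from the last 24 hours on the RD server and summarises them by source address, so a single address hammering many user names stands out. The 24-hour window and the threshold of 5 are placeholder values.

```powershell
# Added example, not from this thread. Run in an elevated PowerShell on the RD server.
# Summarises failed logons (Security event 4625) over the last 24 hours by source
# address. Window and threshold are placeholder values; adjust to your own baseline.
$since     = (Get-Date).AddHours(-24)
$threshold = 5

$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']   # with NLA on, RDP failures usually log as type 3, not 10
            SubStatus = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    }

# Group by source address. Many failures from one address across many distinct user
# names is the password-spray / brute-force pattern; many failures against one real
# account from one address is a targeted guess and deserves a look even below threshold.
$summary = $failures |
    Where-Object { $_.Source -and $_.Source -ne '-' } |
    Group-Object Source |
    ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            UnknownUsers  = ($_.Group | Where-Object { $_.SubStatus -eq '0xC0000064' }).Count
            FirstSeen     = $times[0]
            LastSeen      = $times[-1]
        }
    } |
    Sort-Object Failures -Descending

# Addresses listed here that are not yours are candidates for the Syspeace / firewall
# block list; review the full $failures list for any real admin account name.
$summary | Where-Object { $_.Failures -ge $threshold } | Format-Table -AutoSize
```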
ASKER CERTIFIED SOLUTION
arnold