Remote Desktop Connection to behind a router.

Healer
How do we remote (RDC) to a computer in a peer-to-peer network behind a router and a firewall?

I am aware there are quite a few brands of free VPN software for non-commercial use. Those for commercial use are quite expensive on subscription and probably not that "private". I am wondering if we can use Windows Remote Desktop Connection or Remote Desktop Web Connection over the Internet in this scenario.

I suppose I need the WAN IP address. Then how do we get to a specific computer behind the router or even the firewall?
power zhu

If the two computers are connected to two different routers, yes, the two computers should have WAN IP addresses, but the LAN computers have the same WAN IP. You may try to map a port to the computer that you want to connect to, 3389 to the LAN computer. Do the same operation on the other LAN computer.

pdr5407

That is funny, I just finished reading an article about how to do this in the latest CPU magazine. It involves opening ports 3389 and 80 in your firewall software. Next, you have to assign a static IP address to the computer that will be receiving the remote connection. You then need to know both the internal (192.168.1, etc.) and external (64.58.21, etc.) IP addresses of the remote client. Now type in http://external IP address:80.

Healer

I wonder why you said I need to open port 80 as well. Are you talking about Remote Desktop Web Connection? I have enquired about RDWC before; I was told it is only used to connect to Windows Server 2003 or 2008 and so forth. I can't see any documentation to support that yet. Perhaps you can tell me something I don't know.

I suppose I can reserve an IP address from the DHCP for the target computer concerned. Are you referring to the WAN IP address as the external address?

How would you put the external IP address and the internal IP address together on the RDC logon window?

Healer

I am testing it in my home office.

I set up Port Forwarding on the router as follows:
Name: RDC, Start Port: 3389, End Port: 3389, Protocol: TCP, Local IP Address: 192.168.0.X.

The intended destination router has a fixed IP address, though my test one doesn't; I shall get the IP address at the time of testing. From what I have set up, if it is correct, I can only remote to one computer on the destination network at one time. Am I right?

I suppose it means that on the Remote Desktop Connection window I should enter the destination WAN IP address in the Computer field and "computername\username" of the target computer in the User name field. Am I correct?

Healer

Do we also need to change the RDC port in the target computer registry or do we only need to do the mapping (port forwarding) inside the router?

tsbs

You are correct in that you can (and should) set the port a PC uses in the registry. MS default is 3389. What I do is set the port differently for each PC that I need to access remotely (pc1-3389, pc2-3390, etc.). You should set each PC's IP statically and then set port forwarding in your router accordingly. Run mstsc and use your public IP with the particular port you want, for example 69.147.114.224:3389 for pc1, .224:3390 for pc2. It's supposed to be that easy.

Healer

Are you saying I need to do both port-forwarding on the router firewall and manual change of the RDC port in the registry of every computer?

If that is the case, could you please tell me which key in the registry I should change? I searched for the RDC port 3389 in the registry and there were many.

tsbs

It wouldn't hurt to back up your registry first, but it is only one entry you need to change.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
On the Edit menu, click Modify, and then click Decimal. Type the new port number, and then click OK.

I've found this is by far the easiest way to accomplish this. You just need to know which computers are which.

Healer

I changed the port number in the registry and it still wouldn't work. It didn't even work using the local LAN IP address.

I changed it back to the default 3389 and it worked fine both locally and remotely. I wonder what else I could have missed.

tsbs

So, when you are local and you want to RDP to, say, pc2 (192.168.1.10), you should just run the RDP client and when it asks for the PC name type in 192.168.1.10:3390. Of course, there is no reason to do this locally (except for testing some harebrained idea from some anonymous idiot on the internet) since you have direct access to the subnet and can just specify by IP/computer name. I just set up a new connection to test it and it worked fine, so I'm very surprised this doesn't work for you. I would check the logs on both PCs to see what's going on.

Also, you have to create a new port forwarding rule for each pc in your router for remote access.

tsbs

I would definitely try local since you have easy access to all pcs and their logs. You should try remotely and then check the router logs also.

Again, Google the exact errors/conditions in all logs.

Let us know, I'm very curious as to why this won't work.

Healer

I've got it working after opening the assigned port on the Windows Firewall of the target PC. This must be what I have missed.

By the way, which logs could I check on both PCs, the RDP log and the firewall log? Where could I find them? I tried the Event Viewer but the security log is not very self-explanatory. I have a Netgear router from my ISP. I don't see any log anywhere for the firewall in the router or the Windows Firewall on the PCs. The router Event Log does not tell you much, nothing about RDC. At least I don't see anything obviously related to RDC.

Anyway, would you use Windows Remote Desktop rather than other commercial or VPN software?


RDC

Nimmo

All you need to do is to have a static IP address on the PC you want to connect to and also either a static IP address or dynamic dns address for your WAN.

Enable port forwarding on your router to forward port 3389 that is coming in on the WAN interface to 3389 on the internal IP address of your PC.

If you don't want to use well known ports you can just connect to external IP:port, but you'll have to make sure you have that port forwarded to 3389 in your port translation.

Healer

I suppose the port forwarding only works on one target PC, correct?

I don't quite follow your last paragraph regarding port translation. Could you please explain a bit more and give me an example?

Nimmo

You can have PAT for as many connections as you like. For example, say I had two XP machines behind my router running PAT with the IP addresses 10.1.1.2 & 10.1.1.3 and I wanted to connect via RDP.

What I can do is set up my PAT table to forward any or a specified incoming IP address on port 3389 to go to 10.1.1.2 port 3389, and then specify to forward connections coming in on port 3390 to go to 3389 on 10.1.1.3.

All you need to do to connect to 10.1.1.3 is to append the port number in your RDP connection (separate the IP and port with a colon): <external IP address:port number>. The router receives this connection, looks up its forwarding table and forwards the packet to the correct PC for an RDP connection.

Technically you could do this for every PC behind your router, because all you need to do is add the port number associated with the PAT table in your connection and PAT will do the rest when it receives the packet.

As for my last paragraph, all I was saying was that if you didn't want to use 3389 (i.e. to connect to 10.1.1.2) you can simply use a different port and not allow port 3389 on your WAN interface.

So your PAT table would look similar to this, for example allowing any IP address to connect:

allow any WAN_Interface 3389 to LAN_Interface 10.1.1.2 3389
allow any WAN_Interface 3390 to LAN_Interface 10.1.1.3 3389

(Allow any IP coming in on the WAN interface with the port number 3389 to be forwarded out the LAN interface to 10.1.1.2 on port 3389. Allow any IP coming in on the WAN interface with the port 3390 to go out the LAN interface to 10.1.1.3 on port 3389.)

CG IT

Some consumer routers have SSL remote connections. In essence, you connect to the router via SSL [not remote management] which then gives you access to the internal LAN.

Once connected you can RDP to any host on the LAN that has RDP enabled and that has your user account on the allowed list.

Healer

SSL VPN is new to me. I have had a quick glance at Netgear's SSL312 VPN Gateway. It seems to me the SSL VPN Gateway is required in addition to the network router, not as a replacement. So it is an extra cost. Certainly it might provide more features and facilities. It could be a useful addition though.

Healer

Thanks for your detailed explanation.

So we don't need to change any port setting at the target computer, no RDC port change in the registry.

We only need to do the mapping, port forwarding in the router for each individual computer, one port per computer. And we enter WAN_IP_address or domain_name:port_assigned_to_target_computer in the Computer field and target_computer_name\user_name in the User name field.

By the way, do ISPs usually restrict RDC and router remote management access?

Nimmo

No there is no change needed on the target computer because the connection is getting redirected at the router to the default RDP port on the PC.

ISPs don't restrict ports on your network; you can use any service, provided you have the appropriate entries in the translation table to allow the connection from external to internal. (ISPs have no control over your router.)

Basically once you've set up the translation table you don't need to know or care about the ports/IP addresses being translated, because all you're doing is connecting to the external domain and the port that will be used to translate to the internal machines.

Once the connection hits the router the router will do the rest, and yeah then you'll just have to have domain user policies to allow the connection to the machine.

Healer

I tested using the WAN IP address and the port number I assigned to each computer I had on the LAN with port-forwarding in the router; only the one that I assigned port 3389 worked. I was testing 3 computers using ports 3389 through 3391 respectively.

It looks like the RDC port number needs to change in the registry of the target computers. However I do not know which keys to change. Please help!

Nimmo

You don't make the changes on the PCs; it's all in the forwarding. That is why they created PAT (to allow services on the internal network to be accessible from externally), along with helping to save public IP addresses.

Here is an example off one of our client routers which may help you.

Definitions>Service Groups:
Terminal Server - TCP/3390

Packet Filter:
Name - Terminal Server
Incoming interface - WAN
Source address - Any
Destination address - WAN IP
Services - TCP/3390
Destination address - 192.168.168.15
To services - TCP/3389

Make sure you've allowed RDP on your PC; maybe drop your PC's firewall and AV for a quick test too.

Healer

I did manage to RDC using the WAN IP address to the computer assigned the default port number 3389. However I couldn't communicate with those assigned other port numbers in port-forwarding.

I am testing on a peer-to-peer network in a workgroup at present, not in a domain.

Here is a transcript of the Active Forwarding Rules on my router.

Name   Start Port   End Port   Protocol   Local IP Address
RDC    3389         3389       TCP        192.168.0.12
RDC    3390         3390       TCP        192.168.0.10
RDC    3391         3391       TCP        192.168.0.12
RDC    3392         3392       TCP        192.168.0.11

I can only get the first one working remotely.

Nimmo

Your forwarding is wrong. You want to keep your PCs on the default RDP port and have a different port specified in a remote connection from the internet be forwarded to the default port of each workstation.

external_IP TCP 3389 -> internal_IP 192.168.0.12 TCP 3389
external_IP TCP 3390 -> internal_IP 192.168.0.10 TCP 3389
external_IP TCP 3391 -> internal_IP 192.168.0.12 TCP 3389
external_IP TCP 3392 -> internal_IP 192.168.0.11 TCP 3389

All the internal addresses should have the default port of 3389.

What make/model is your router, I'll take a look at the how the setup should be specified in it for you.
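To make the difference between the two forwarding tables concrete, here is an added example (not from the thread or from any router vendor) that models the router's lookup in Python. It covers both the PAT table Nimmo posted above and the corrected 192.168.0.x rules in this reply; the listener data is constructed, and the "registry change" scenario assumes the PortNumber tweak Healer used elsewhere in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    wan_port: int   # port the remote client appends to the WAN IP (WAN_IP:port)
    lan_ip: str     # internal host the router forwards to
    lan_port: int   # destination port after the router rewrites it

# Constructed: every PC keeps the Windows default RDP listener (PortNumber 3389).
DEFAULT_LISTENERS = {"192.168.0.10": {3389}, "192.168.0.11": {3389}, "192.168.0.12": {3389}}
# Constructed: PortNumber changed per PC instead (a host listens on one RDP port only).
REGISTRY_LISTENERS = {"192.168.0.10": {3390}, "192.168.0.11": {3392}, "192.168.0.12": {3389}}

# The thread's first table: start port == end port, so no translation happens.
PLAIN_FORWARD = [Rule(3389, "192.168.0.12", 3389), Rule(3390, "192.168.0.10", 3390),
                 Rule(3391, "192.168.0.12", 3391), Rule(3392, "192.168.0.11", 3392)]
# The corrected table: distinct WAN ports, every one translated to 3389 on the LAN side.
PAT = [Rule(3389, "192.168.0.12", 3389), Rule(3390, "192.168.0.10", 3389),
       Rule(3391, "192.168.0.12", 3389), Rule(3392, "192.168.0.11", 3389)]

def translate(rules, wan_port):
    """Router lookup: (lan_ip, lan_port) for the first rule matching wan_port, else None."""
    for r in rules:
        if r.wan_port == wan_port:
            return r.lan_ip, r.lan_port
    return None

def reachable(rules, listeners, wan_port):
    """True if a client hitting WAN_IP:wan_port ends at a socket RDP is listening on."""
    hop = translate(rules, wan_port)
    return hop is not None and hop[1] in listeners.get(hop[0], set())

def working_ports(rules, listeners=DEFAULT_LISTENERS):
    """WAN ports from the table that actually reach an RDP listener."""
    return sorted(r.wan_port for r in rules if reachable(rules, listeners, r.wan_port))

def lint(rules):
    """Checks worth running on any table: a WAN port defined twice is shadowed, and two
    rules landing on the same host:port expose that host twice for no gain."""
    problems, wan_seen, target_seen = [], set(), {}
    for r in rules:
        if r.wan_port in wan_seen:
            problems.append(f"WAN port {r.wan_port} defined twice")
        wan_seen.add(r.wan_port)
        target = (r.lan_ip, r.lan_port)
        if target in target_seen:
            problems.append(f"{r.lan_ip}:{r.lan_port} already reachable via WAN port {target_seen[target]}")
        target_seen[target] = r.wan_port
    return problems
```

With default listeners the plain table only reaches 3389, the PAT table reaches all four ports, and the lint flags the duplicate 192.168.0.12 entry that was present in both tables.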

Healer

I couldn't get it working without changing the port address in the target computer registry.

I have got it working now after I did the registry change and opened the port on the Windows Firewall.

Perhaps what you have is a different way. I'd love to know that. As we have reached the maximum message level, I have to put this on a different branch.

Nimmo

Port forwarding is the proper way to go about doing this, it's one of the reasons the IETF designed PAT (to allow internal services to be accessible from externally), did you try taking down the firewall and A/V whilst you tested this?

georgelawlor16

We also wished to do a Remote Desktop Connection over a Home LAN with XP Vista and Win 7 systems. Teamviewer is free for personal use and inexpensive for business use. It Works right out of the box. I have not yet tried all of the features but all of the features I have tried work as advertised. This is simply a great product!!! My Thanks to Team Viewer.

George

Healer

And a service has to be running on target computers all the time waiting for incoming calls. I am just looking at all alternative ways to do things and weigh up the pros and cons. Some people might not like to go through the third-party software in view of possible security-conscious communications.

georgelawlor16

Hello Healer:
I like that I need to know when a guest will be connected to my system so the server thing is just a click away. I wanted to limit the access to a specific application and can do that but then my system (host) has to be left alone for the client to use the application. This is really a case where Linux would be better, yes?

George

Healer

Are you saying the Team Viewer is better or just being sarcastic? Excuse me being thick.

georgelawlor16

I liked every thing about Team Viewer, the limitation is with Windows in that it does not really allow remote terminal connections in the way that Linux does. When a remote connection is made by Team Viewer the Windows host system must remain as the user that made the connection and the host owner cannot be on the host system doing things as he or she might in a Linux environment.

George

Healer

I like the way TeamViewer does it too. Then I just like to explore all sorts of technology.

sumesh.tr

What is the configuration in the router? If it allows all ports then you only need to configure port forwarding of the WAN IP to your server's LAN IP.

From the internal network to external, if you need to connect RDC to your client and the firewall blocks these ports then you can't do it, but usually it won't.

So try to configure the firewall/router to allow port 3899.

Healer

I have already got it working with this Netgear router of mine. Allowing only 3899 allows only one computer behind the router to be accessible.

I like the D-Link router that provided port-mapping as well.


HI

roshan

This could be easily solved using No-IP. Download No-IP, get registered & then do a port route on the router. Problem solved.