SolutionBase: Connect to Windows XP Remote Desktop over the Internet

Remote Desktop can make it easy to remotely access your workstation from anywhere. Before you attempt to use Remote Desktop over the Internet, you should be aware of these potential pitfalls.

Recently, I was on a business trip to meet with a client. During my meeting, the client asked me about some information that I wasn't really expecting to talk about. I told the client that the file containing the information wasn't on my laptop, but rather on my home computer, and that I'd have to e-mail a copy to them when I returned home. Of course, if I had bothered to set up Windows XP's Remote Desktop feature, there wouldn't have been a problem because I could have remotely accessed my home machine while on the road.

The main reason I had never set up Remote Desktop at home is that, according to many of the articles I've read, the preferred connection method is dial-up. Quite frankly, I don't want the expense of a second phone line just so I can dial in to my home computer a couple of times a year when I forget to copy a file to my laptop prior to a trip. Besides, half of the time when it would be handy to dial in to my home computer, I'm at a place that doesn't allow long-distance phone calls.

Fortunately, there are ways of connecting to a Remote Desktop session through the Internet. By doing so, you can avoid all of the hassles and expense involved in dial-up connections. Of course, you'll have to take the appropriate security measures so that no one else controls your desktop machine through your Internet connection. Here's how it works.

Connecting from someone else's computer

Technically, all you need in order to use Remote Desktop is a computer that's running the software, a computer that's running a Terminal Service Client, and a TCP/IP link between them. By using this definition, it's possible to use Remote Desktop over the Internet without really doing anything special.

However, the problem is that one of the required components is the Terminal Service Client. This is fine if you're accessing Remote Desktop from your own laptop, but what happens if you're at a client's office borrowing someone else's computer? Odds are that the IT department isn't about to let you load a Terminal Service Client onto that machine. Fortunately, there's an alternative.

Rather than installing the usual client onto the machine, you can run a Remote Desktop session through a Web browser. This means that you won't have to install any special software on the machine that you're using to make the connection. It also means, however, that you'll have to do some extra work when setting up Remote Desktop on your home machine.

The trick to making this work is setting up your home machine as a mini-Internet Information Server (IIS). You can then have IIS transmit your Remote Desktop as if it were a Web page. Fortunately, Windows XP Professional comes with its own copy of IIS.

Begin the configuration process by opening the Control Panel and clicking the Add/Remove Programs link to open the Add Or Remove Programs applet. Now, click the Add/Remove Windows Components button to reveal a list of programs that are built into Windows. Scroll through the list of available components until you find Internet Information Services. Select this component and click the Details button to reveal a list of subcomponents.

At this point, locate and select the World Wide Web Service and click the Details button to reveal its subcomponents. Select the Remote Desktop Web Connection check box and click OK. The Windows Components Wizard might prompt you to insert your Windows XP installation CD. Click Next and Finish to complete the installation.

Before continuing, it's important to take a moment to make sure that your machine is secure. Even if you previously had all of the latest security patches installed, your system might be vulnerable at the moment because you just installed a new, unpatched component. I therefore recommend that you stop the World Wide Web Service, reapply Windows XP Service Pack 2, and then run Windows Update.

You can stop the World Wide Web Service by opening a command prompt window and entering the following command: NET STOP W3SVC. After you've reapplied the service pack, the system will reboot and the World Wide Web Service should automatically restart. It's a good idea to stop it again prior to running Windows Update. Once you're done, you can restart the service by either rebooting or by opening a command prompt window and entering the NET START W3SVC command.

Now that Windows is up to date, there's one other security measure you might want to put into place. This one isn't mandatory, but it's a good idea. Suppose for a moment that your home computer has an IP address of When all is said and done, anyone who enters into a Web browser will establish a Remote Desktop session with your home computer. Sure, they'll be prompted for a password, but we all know how easy it is to crack a password. Since this is the case, I recommend changing the TCP port that's associated with the Remote Desktop Web site.

When you enter a standard HTTP request into a Web browser, followed by either a URL or an IP address, Internet Explorer assumes that you want to make the request over TCP port number 80. You can dramatically increase security by changing IIS to use some obscure port number instead of the standard port number. For example, if you changed the port number to 79, anyone who wanted to access your Remote Desktop session would have to enter If they simply entered, they would just get an error message stating that they had entered an invalid request or that no page could be found.

The first thing you'll want to do is select a TCP port to use. In my example, I used port number 79. This is usually a safe choice, but most of the time you'll want to use something between 1000 and 65535. Just pick one that's easy to remember.

Once you've selected a port number to use, open the Control Panel and click the Performance And Maintenance link, followed by the Administrative Tools link. In the Administrative Tools window, double-click the Internet Information Services icon. This will cause Windows to open a Microsoft Management Console session and load the Internet Information Services snap-in. Navigate through the console tree to Internet Information Services | your computer | Web Sites | Default Web Site. Right-click the Default Web Site container and select the Properties command from the resulting shortcut menu to open the site's properties sheet.

When the properties sheet opens, select the Web Site tab and then fill in the TCP Port field with the port number you've chosen. Click OK to close the properties sheet and then close the Internet Information Services console.

Enable Remote Desktop

The next step is to enable Remote Desktop, if you haven't already done so. Right-click the My Computer icon and select the Properties command from the resulting shortcut menu. This will open the System Properties sheet. Select the properties sheet's Remote tab and then select the Allow Users To Connect Remotely To This Computer check box.

This will enable Remote Desktop, but you must now decide who can connect to the system. Click the Select Remote Users button and use the resulting dialog box to specify which user accounts may remotely access the system.

As you specify the accounts, pay particularly close attention to which ones you're selecting. If you have a network set up in your home, you probably have a domain Administrator account, but the machine also has a local Administrator account. Windows considers these completely separate accounts. If you grant the local Administrator access and then attempt to sign on as a domain Administrator, access will be denied. After specifying the accounts that you want to allow, click OK twice to return to the System Properties sheet and once more to close it.

Routers and firewalls

Perhaps the trickiest part of the entire process is configuring routers and firewalls. Assuming you have a broadband, "always-on" Internet connection in your home, you probably have a firewall in place that blocks most of the inbound traffic from the Internet. This firewall will have to be configured to allow a Web-based Remote Desktop connection. Unfortunately, I can't give you specific instructions because every firewall is different. Instead, I'll give you a general idea of what needs to be done, and you can use your firewall's manual to figure out the specifics.

Most firewalls have a setting that you can use to enable or disable Web access. If you changed the port number, though, this setting won't work because Remote Desktop requests are not coming in through port 80. Things also get a bit tricky because of the differences in the IP address used by your ISP and your machine's actual IP address.

Multiple IP addresses are used because there's a big shortage of IP addresses. Since there aren't enough IP addresses to go around, most Internet firewalls use a technology called Network Address Translation (NAT). NAT works by allowing the firewall to assign the computers on your home network an IP address that isn't valid on the Internet. The IP address that your ISP assigns you gets assigned to the firewall, not to your computer. The firewall then forwards packets of data between the two addresses as necessary. One thing to keep in mind is that if you have a NAT firewall, this is how the process works, even if you don't have a "home network."

You'll need to know both the IP address that's assigned to your firewall and the IP address that's assigned to the PC that Remote Desktop will be running on. Once you know these two addresses, I recommend using your firewall's port forwarding feature. Tell your firewall that requests coming in on the port you've designated for Remote Desktop should be forwarded to the machine that's actually running Remote Desktop.

Once you've configured your Internet firewall properly, you must turn your attention to the Windows Firewall. As you may know, the Windows Firewall is turned on by default in Windows XP Service Pack 2. Although the firewall's default configuration will allow a Remote Desktop session to function, it will not permit a Remote Desktop session through IIS. You'll therefore have to make a few adjustments.

Begin by opening the Windows Control Panel and clicking the Security Center link followed by the Windows Firewall link. Windows will open the Windows Firewall properties sheet. On the General tab, the firewall should be set to On, but the Don't Allow Exceptions check box must not be selected.

Next, select the Exceptions tab to see a list of the programs that are allowed to pass through the Windows Firewall. Remote Desktop is on the list, but it's set to use TCP port number 3389, not the port number you designated earlier. To add the necessary port to the list, click the Add Port button to open the Add Port dialog box. This dialog box will prompt you for a name and a port number. Enter Remote Desktop Web Access in the Name field, and, in the Port Number field, enter the port number you chose earlier. Make sure that the TCP radio button is selected and then click OK. Click OK one more time to close the Windows Firewall properties sheet.
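
The same Windows Firewall exception can be created and checked from a command prompt. The batch file below is an added example, not part of the original article; it assumes Windows XP Service Pack 2 and the example port 79, and the variable names PORT and RULE are illustrative.

```batch
@echo off
rem Added example: command-line equivalent of the Add Port dialog box.
rem PORT is an assumption; set it to the value entered in the IIS TCP Port field.
setlocal
set PORT=79
set RULE=Remote Desktop Web Access

rem Exceptions only apply when the firewall is on and exceptions are allowed,
rem so display the current operational and exception modes first.
netsh firewall show opmode

rem Open the chosen TCP port under the same name used in the dialog box.
netsh firewall add portopening protocol=TCP port=%PORT% name="%RULE%" mode=ENABLE
if errorlevel 1 (
    echo Failed to add the port opening for TCP %PORT%.
    exit /b 1
)

rem List the configured port openings to confirm the new entry is present.
netsh firewall show portopening

rem Check that the World Wide Web Service is running.
sc query w3svc | find "RUNNING" >nul
if errorlevel 1 echo W3SVC is not running; start it with NET START W3SVC.

rem Check that something is actually listening on the chosen port.
netstat -an | find "LISTENING" | find ":%PORT% " >nul
if errorlevel 1 (
    echo Nothing is listening on TCP %PORT%; check the TCP Port field in IIS.
) else (
    echo A listener is present on TCP %PORT% and the firewall exception was added.
)
endlocal
```

Run it from a command prompt while logged on with an administrator account, after the port has been set in the Default Web Site properties sheet.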

Connecting to Remote Desktop

Everything should now be configured, and you should be able to access Remote Desktop over the Web. Before I show you how, here's one last bit of advice: Before you go on a trip where you might need Remote Desktop, double-check the IP address that has been assigned by your ISP. Even though my Internet connection is of the "always-on" variety, my ISP changes my IP address once a week just to prevent me from hosting a Web site. If your ISP also frequently changes your IP address, it won't prevent you from running Remote Desktop over the Web. You simply must know what the current address is.

With that said, you can connect to your Remote Desktop session by opening Internet Explorer and entering the URL in the format http://ip_address:port/tsweb/. For example, if I were using the IP address and port 79, the URL would look like this:

Upon connection, you may be prompted to install the Remote Desktop ActiveX control. If so, you must choose Yes. You must also verify that Internet Explorer is not restricted from running ActiveX controls.

When the initial screen is displayed, you'll be asked what server you want to connect to and what size you want to set the display to. Leave the Server field blank, set the display size to Full Screen, and click Connect. You should now see a Windows XP login screen in your browser window. Enter your username and password, and you're in business. When you're finished with your Remote Desktop session, you can terminate it simply by closing the browser window. Remote Desktop doesn't cache passwords, so you shouldn't have to worry about someone else stealing your password from the browser history.

Who needs Terminal Services?

Remote Desktop can be accessed easily and securely through a Web browser. This allows you to access your Remote Desktop from any computer with an ActiveX-compatible Web browser, without the need for loading Terminal Service Client software.