July 20, 2006 at 1:23 pm #2259524
Remote Access
by rmillz · about 16 years, 8 months ago
Currently, remote access at my company is done by mapping 5 public IP addresses to 5 internal IP addresses through the firewall. Users beyond the first five remote into the first five and then remote to their own PCs. I realize this is clearly not the most efficient way of doing things. I am looking for a way to allow multiple users to access their PCs while away from the office. I was considering using a RAS, but someone had mentioned that there was a way of assigning port numbers to each computer instead. I am open to all suggestions and all help is appreciated. Due to the lack of my own technical expertise, the more detailed the suggestions, the better.
Network: Sonicwall router, 6 servers, 50 clients, Windows 2003 server, clients are win2k or xp
Thanks again,
Rick
July 20, 2006 at 3:44 pm #3277879
what you can do……
by g.luis · about 16 years, 8 months ago
In reply to Remote Access
You can run all your systems from one IP. Take one IP and connect it to a router. Have that router delegate DHCP addresses to your network. In the router, depending on the make, filter internet access via MAC address. You can find the MAC address by going to each system and typing IPCONFIG /ALL and it will give you the MAC address. You can also download a program called NETSCAN by Softperfect (http://www.softperfect.com/) that will show all connected by name, their IP address, and the associated MAC.
Another thing you can do is use http://www.logmein.com to allow them to access their PC as if they were actually in the office. It is free provided you only need to access the system and not print or map a drive. Try it out. I'm using it currently to assist my clients who are far away. If you have questions, email me directly fidolido@pacbell.net
-
July 20, 2006 at 10:06 pm #3277818
How good is your budget?
by jim_p · about 16 years, 8 months ago
In reply to Remote Access
As you have a Windows 2003 server, you could install Terminal Services, then have your router redirect port 3389 or any port you specify to your Windows 2003 Server’s IP Address.
Easy done,
Or the other way, if you right click on My Computer on the Windows 2003 server, and go to the Remote tab, then enable Remote Desktop, only two or more administrators can connect at a time this way.
But implementing Terminal Services, you have to think about installing the end user’s software apps, etc.
There is another way, how are they connecting to their PCs?
If you could, have different port redirections set up, change the remote access ports on each PC at work, and then configure the router to allow each port redirected to the allocated port internally.
For example, User One’s PC port is 3345. You allow 3345 to his work computer; from his remote connection client at home you specify that port.
For User Two’s PC, port 3346, once again allow the user’s home remote connection to use that port.
Bit of mucking around, but hey good for saving costs too.
Could also get software like Remote Administrator (www.farmtech.com), as you could just allow one port redirection through to one PC. Then each PC can tunnel through that PC to the rest of the PCs.
Regards,
Jim
July 21, 2006 at 11:36 am #3278513
Port Redirection
by rmillz · about 16 years, 8 months ago
In reply to How good is your budget?
I have changed the listening port of my client machine via its registry key. How do I get the router to send remote access traffic there?
-
July 24, 2006 at 11:09 pm #3206826
Shouldn’t be too hard.
by jim_p · about 16 years, 8 months ago
In reply to Port Redirection
In the router you should find something to the effect of Port Redirection, Ports, etc.
So you need to redirect port 3391 to 123.123.123.123 3391 (Not a real IP). Let’s say you had port 3392, then redirect port 3392 to 123.123.123.124 3392. Make sure the protocol is TCP, make sure the source is any IP, and the internal IP is the designated IP and the port you chose.
Good luck. By the way, for the problems you are having with remote desktop, make sure the XP PC is configured to allow remote connections. This can be done by right clicking on My Computer, clicking on the Remote tab, and adding the appropriate users to the list. This should also automatically configure your Windows Firewall to allow RDP, but it won’t hurt to check this as well. You can do this by going to Administrative Tools, either in the Start Menu, or go to Control Panel; towards the end of the list there should be the Windows Firewall icon. Double click on this and make sure, if the firewall is on, that the “Don’t Allow Exceptions” box is not checked. Then go to the Exceptions tab and make sure Remote Desktop Protocol is checked; even edit the connection and see that Any has been chosen for the scope. Then this should be done.
Now, since you have changed the RDP port number by the registry, I am not sure whether or not the Windows Firewall default RDP entry will relate to that new port or is hard coded to 3389. It might pay, under the Exceptions tab in Windows Firewall, to add a port of 3391, TCP, and Any for the scope. Do this to every PC that needs to have Remote Desktop enabled. Then to test the Windows Firewall from another internal PC, try to RDP to those PCs. Then try externally.
Let us know how you go.
Kind Regards,
Jim
July 25, 2006 at 5:06 am #3206739
Update
by rmillz · about 16 years, 8 months ago
In reply to Shouldn’t be too hard.
Hi Jim,
Thank you for the info. I had to edit this post due to my own misinformation. I have double-checked to ensure that the “Don’t Allow Exceptions” box is not selected. Under the “Exceptions” tab on the firewall control I have created a new exception called “Remote Desktop Access” with TCP/3391/Any settings. I then de-selected the original “Remote Desktop” exception that has TCP/3389/Any settings. With these settings I am able to remote from any computer, using port 3391, within the network. The router acts as a static NAT box. I have not made any changes to the router as of yet. In order to use the port method, do I need to add every internal IP mapped to the same external IP in the NAT?
Thank you,
Rick
-
-
-
July 21, 2006 at 1:46 am #3277788
VPN / SSL-VPN / Goto My PC
by binary.basher · about 16 years, 8 months ago
In reply to Remote Access
Hi,
How about using a secure VPN or SSL (that’s the web https equiv.) VPN or even the Goto My PC…
You only require a single Public IP Address for all of the above.
Apart from the last solution (Goto My PC) the others all have a variety of product solutions available.
The Goto My PC solution is also simple and practical for small companies.
URL: https://www.gotomypc.com/
Ryan
-
September 18, 2006 at 2:45 pm #3204794
easy and powerful SSL VPN
by webjabber · about 16 years, 6 months ago
In reply to VPN / SSL-VPN / Goto My PC
http://www.gotoServers.com offers a simple, powerful and easy SSL VPN solution. Secure and easy to use. Free trial. Take a look, you will be surprised.
-
-
July 21, 2006 at 6:17 am #3278677
THANK YOU!
by rmillz · about 16 years, 8 months ago
In reply to Remote Access
Thanks for all the suggestions. I will look into all of them and let you know how it goes… Thanks again! Rick
-
July 22, 2006 at 6:31 am #3278392
Multiple users
by puterfx · about 16 years, 8 months ago
In reply to Remote Access
I’m in a similar situation and have 6 users who want to remote in. I’ve set up 3 so far and have to purchase 3 more copies of XP (not just for remote purposes) and will be setting up the other 3 within the next week or so. It’s fairly simple to do with 1 IP address. The tricky part is getting it thru the router (mine is a watchdog) and the other challenge might be XP’s firewall. Theoretically, the firewall is supposed to change ports automatically for Remote Desktop … at least that’s what I’ve read. I had to make a new remote desktop exception in the firewall with the new port and it works fine now.
For some easy to understand information on setting up remote desktop and changing ports, you might want to check out this webpage: http://members.cox.net/drcray/remotedesktop.htm
He did a nice job of explaining and it has screen shots to help.
Good luck
-
July 24, 2006 at 11:29 am #3207752
Trouble outside network
by rmillz · about 16 years, 8 months ago
In reply to Multiple users
The article posted was very helpful. I am now able to remote within the network using specific port numbers. Unfortunately, I am still unable to connect from outside of my network. I have configured my client machine to listen for a specific port (3391) and configured the router to map the same port number on a specific public IP to my client machine. I asked a friend to attempt to remote into my machine using the specified public IP address and specific port (example 192.168.3.10:3391), but they received an error message saying they could not connect. Am I perhaps missing a step?
-
July 27, 2006 at 5:15 am #3208633
Port Translation too
by robmcalister · about 16 years, 8 months ago
In reply to Trouble outside network
You’ll also need to make sure each of the ports that forwards translates to 3391 at the machine end from whatever you use on the router end.
Example:
If one machine is set up to use port 3395 then your NAT entry will have to translate the IP address from the external IP using the port number but also translate the port number back to that specified for the protocol (most likely 3391). 169.254.1.83:3395 (not a real external ip) would need to point to 192.168.3.10:3391
I hope that’s at least as clear as mud.
-
-
-
July 27, 2006 at 6:16 am #3208249
Port translation used
by davidsont · about 16 years, 8 months ago
In reply to Remote Access
Here is the clean way to allow remote desktop connections using port translation in your router and a public address.
Take one of your public addresses that is pointing to your router by your ISP that you want to use for remote desktop connections. For example we’ll say it’s 123.454.321.123 and you want it to go to your internal computer which has a reserved or static IP address of 192.168.10.10. You do not need to change (and I would suggest not to change) the port 3389 used on the internal computer to another number. For this example we will choose the port number 6000 to gain access to the internal computer from the internet. In the router you set up the NAT or PAT statement that says anything looking for 123.454.321.123:6000 go to LAN IP 192.168.10.10 and translate to port 3389. If you want to control one of your servers give it port 6001 for example and map it to the static or reserved internal address that it uses.
Best scenario is to give the public IP address used a secondary domain name for example – if your web domain name is http://www.coolcompany.com then maybe use office.coolcompany.com for the 123.454.321.123 address. Then all you or any user will need to enter into their remote desktop connection app is office.coolcompany.com:6000 it will connect to your router, find the PAT statement and redirect to port 3389 on the internal computer THAT IS ON and ask for login information. Of course the internal computer has to have the service enabled and the account added but I figure you already know that.
I have been using this for years to remotely administer several servers and a few computers on the networks I have managed. You cannot just pick any port to use for translation since several are used for your internal network connections – but there are plenty to choose from. I suggest using a program called fport.exe to see what ports are currently open on your machine when you run your network apps AND use a public list of port reservations that can be found on the web before deciding to do this. I have a nice range of 6 for all the servers and to make it easy on the Pres and VP’s I used their respective street addresses as their port number from the outside in … they happen to be 4 digit and not in use or close to being used.
Hope that helps you out – it works like a charm and nowadays the inexpensive SOHO routers can do PAT.
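The port translation scheme described in this post, modelled as an added example that is not part of the original post or any router's own configuration: a small PAT table with a lookup and an audit pass for shadowed rules, poor external port choices and RDP left open to any source. The addresses are constructed (203.0.113.10 stands in for the public IP), and first-match rule ordering is an assumption about how the router evaluates rules.

```python
import ipaddress
from collections import namedtuple

# One port-translation (PAT) rule: public endpoint -> internal endpoint.
Rule = namedtuple("Rule", "ext_ip ext_port int_ip int_port source")

RDP_PORT = 3389

# Constructed sample table; 203.0.113.10 is a documentation address standing
# in for the public IP, and the internal hosts are hypothetical.
RULES = [
    Rule("203.0.113.10", 6000, "192.168.10.10", RDP_PORT, "any"),
    Rule("203.0.113.10", 6001, "192.168.10.20", RDP_PORT, "any"),
    Rule("203.0.113.10", 6001, "192.168.10.30", RDP_PORT, "198.51.100.0/24"),
    Rule("203.0.113.10", 443, "192.168.10.40", RDP_PORT, "any"),
]


def translate(rules, ext_ip, ext_port):
    """Return (internal_ip, internal_port) for the first matching rule, or None.

    First-match ordering is an assumption; check how your router orders rules.
    """
    for r in rules:
        if r.ext_ip == ext_ip and r.ext_port == ext_port:
            return (r.int_ip, r.int_port)
    return None


def audit(rules):
    """Return (rule_index, finding) tuples for broken or risky rules."""
    findings = []
    seen = {}  # (ext_ip, ext_port) -> index of the first rule using it
    for i, r in enumerate(rules):
        key = (r.ext_ip, r.ext_port)
        if key in seen:
            findings.append((i, "duplicate external endpoint, shadowed by rule %d" % seen[key]))
        else:
            seen[key] = i
        if not (1 <= r.ext_port <= 65535 and 1 <= r.int_port <= 65535):
            findings.append((i, "port out of range"))
        elif r.ext_port < 1024:
            findings.append((i, "external port in well-known range (0-1023)"))
        if not ipaddress.ip_address(r.int_ip).is_private:
            findings.append((i, "internal target is not a private address"))
        if r.int_port == RDP_PORT and r.source == "any":
            findings.append((i, "RDP reachable from any source address"))
    return findings


if __name__ == "__main__":
    print(translate(RULES, "203.0.113.10", 6000))
    for index, finding in audit(RULES):
        print("rule %d: %s" % (index, finding))
```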
July 27, 2006 at 12:46 pm #3207945
SBS 2003 Server has remote desktop builtin
by davidsont · about 16 years, 8 months ago
In reply to Port translation used
Your original network information says you have 2003 server and if it is SBS 2003 you would be able to take advantage of the Remote Desktop connection capabilities through the secure Web server portion that usually is set up for Outlook Web Access. In SBS 2003 Premium there is ISA Server which can create a much more secure connection. In either version, Standard or Premium, you put the list of network computers you want to have available to Web clients and of course they also have to have permissions but there is no Remote Desktop application needed – only Internet Explorer and the internet. A staff member logs in and then from the list of available computers selects the one they need or if you set them up to only see their network computer it will be the only one in the list. Since I am an administrator I see them all but I tend to connect using the older Remote Desktop connection app and port translation … since I have been doing it for years.
Just some more info for you and other readers to consider.
Some of the other posts talk about gotomypc and logmein which are both excellent secure methods but have costs associated with them. The free version of logmein does have some limitations compared to the licensed version but it depends on what your need is. If you want to run the computer at the office which is turned on but no one is sitting at the computer then the Remote Desktop version is what several of us have decided works best. If you are a support person and the client is at their computer and needs help and security is in your program or necessitated by regulations then logmein (licensed version) or gotomypc are the preferred choice.
I do not mention using the CA (certificate authority) built into Windows 2003 Server to create secure or SSL connections through http or rdp connections since most people struggle with the intricacies of using CA .. but I thought I should mention it since it is available to you in the products you already have and will create an extremely secure connection…hence the reason people struggle with it just to get it working.
I personally use it with RADIUS to authenticate wireless connections to my network WAP’s since I used to work in the medical field and HIPAA regulations like to see that.
August 4, 2006 at 9:49 am #3215198
Update
by rmillz · about 16 years, 8 months ago
In reply to Port translation used
Here’s where I am now: We are using a Sonic SOHO3 router in which access is directed via NAT and Rules. The NAT does not give me an option to specify a port so I created a new Rule declaring that public IP 123.454.321.123 port 6000 goes to LAN IP 192.168.10.10 which is set up for remote access. I did not see any area to translate ports from 6000 to 3389. I could try changing the remote access port here on the client machine I am trying to access to 6000. With that rule in place, I am still unable to connect from outside of the network. I didn’t see any area for PAT on the router interface either. Thank you for your help.
-
September 7, 2006 at 8:33 pm #3200758
VPN + Remote Desktop
by justinkuto · about 16 years, 6 months ago
In reply to Update
You are doing things the hard way. I have set up Managed VPN connections for several clients and they work perfectly. All you need is a VPN-enabled router as somebody had mentioned earlier. Assign static IP addresses to your LAN machines. All the staff have to do is set up a VPN connection on their remote machine, connect to the Office network, then connect to their PC via XP’s built-in Remote Desktop (make sure this is enabled on the office PCs) using their assigned static IP address. Sonic has several VPN enabled routers and there are many other brands. All you need is one public IP address and there are no additional costs besides the hardware.
-
-
-
July 27, 2006 at 6:51 am #3208216
Remote Access
by cballinger1 · about 16 years, 8 months ago
In reply to Remote Access
I’ve used a product called LogMeIn (www.logmein.com). It installs an ActiveX component on the user’s PC and target PC. You have to log into your network, then into your PC so the product is secure and now provides 128 bit SSL encryption. Best of all, unless you need the remote print feature from the remote location the cost is ZERO. With this software I can log in and use my office PC from ANY internet connection in the world. Gartner reports that this type of software isn’t secure and doesn’t want companies using it, but it is the same technology that all your major software houses use when they want to connect to your system/server to diagnose or have their tech support look at a problem on your system. Used to use GotoMyPC, but it became very pricey for the occasional user.
-
July 27, 2006 at 8:16 am #3208164
ssl-explorer
by gbarnabe · about 16 years, 8 months ago
In reply to Remote Access
Hi, if you are handy with system stuff, check out ssl-explorer (http://www.3sp.com/). They have a free version. It is set up on an XP or server box behind a firewall (even a cheap home router is ok). You use a browser with java giblets, to connect to the box, and then remote to any of your XP PCs, provided that they are XP PRO. Very very slick, cheap, and can incorporate various authentication methods. A+++ from what I have experienced.
— cheers,
Guy