RDP n00b

O2Flow (Limp Gawd, joined Jul 8, 2004, 371 messages)
Ok so I would like to be able to manage one of my clients' networks remotely. My understanding is that the most secure method of doing this with a SOHO router is to enable RD on the Windows boxes, change the RDP port on the Windows boxes, then forward a port on the router to the new RDP port on the client machine.

My question is this:

Should I forward all workstations to separate ports so I can access each one independently? Also, would I just need to enable Remote Desktop on each machine and then change the port in the registry?

TIA
 
Can the router function as a VPN gateway? VPN to the router, then RDP to each desktop/server - that's the most secure way of doing this.
 
If you can't do the vpn then the simple answer to your question is yes. Choose a different port for each workstation, edit the registry, and forward the proper port to each workstation. This will work just fine.
 
da sponge said:
Can the router function as a VPN gateway? VPN to the router, then RDP to each desktop/server - that's the most secure way of doing this.

says it supports VPN pass-through?
 
VPN pass-through and VPN gateway are different concepts ...
- the "pass-through" means that it is capable of allowing/denying incoming vpn connection requests that are going to a specific server
- vpn gateway is referring to the ability to authenticate and establish a vpn connection to the SOHO router box itself
 
VPN would be more secure.

Anyway, does said client have a Windows server? Or a machine that acts like a server, where someone is not on it most of the time? If they do, I would set up remote access on it (don't use the standard 3389 port) and remote into it. From that machine you can remote into any other machine on the network through the normal port. A little slower, but you don't have as many holes in the firewall. Also remember, if you did it to every machine you would pretty much need to know each port for each machine and have to set all of them to static IPs. I go in through the server and just hit the machines by name.

To change the port, if you didn't know, under Registry Editor:

Local Machine, System, CurrentControlSet, Control, Terminal Server, WinStations, RDP-Tcp, under PortNumber.
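The registry change the post describes, scripted so it can be repeated on each box without hand-editing and so the firewall is handled at the same time. This is an added example and not swatbat's own procedure; it assumes a current Windows release (PowerShell 5 or later with the NetSecurity module), run as Administrator. The Server 2003 machine mentioned later in the thread has neither, so there the key still has to be edited by hand. The port value 6625 is the custom port quoted later in the thread.

```powershell
# Added example (not the poster's code): moves the RDP listener off 3389 via the registry
# value named in the post, allows the new port through Windows Firewall, restarts the
# service and confirms the listener moved. Assumes PowerShell 5+ on a current Windows
# release, run as Administrator.
param(
    [ValidateRange(1025, 65535)]
    [int]$NewPort = 6625   # 6625 is the custom port used later in this thread
)

# The key and value from the post: ...\Terminal Server\WinStations\RDP-Tcp, PortNumber (REG_DWORD).
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$oldPort = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber).PortNumber
Write-Host "RDP listener currently configured for TCP $oldPort"

# 1. Point the listener at the new port.
Set-ItemProperty -Path $rdpTcpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. The stock "Remote Desktop" firewall rules only cover 3389, so allow the new port.
#    Remove any rule of the same name first so the script can be re-run safely.
$ruleName = "Remote Desktop (custom TCP $NewPort)"
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -Action Allow | Out-Null

# 3. The value is read only when the service starts. This disconnects any active RDP
#    session, so run it from the console or from a session you can afford to lose.
Restart-Service -Name TermService -Force

# 4. Confirm the listener actually moved before touching the router's port forward.
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    Write-Host "RDP is now listening on TCP $NewPort; forward the router to this port."
} else {
    Write-Warning "Nothing is listening on TCP $NewPort. Check the System event log for TermService errors."
}
```

With this approach the router forward points at the new port on the inside (e.g. external 6625 to 10.0.0.2:6625) and the client connects with `mstsc /v:customerdomain.net:6625`. Note the difference from the forwards Yoblad describes below, which keep 3389 on the inside and only remap at the router; mixing the two is the usual cause of a forward that "doesn't work".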
 
I prefer setting up multiple port forwards in the router to the individual boxes. You need static IPs or DHCP reservations for this to work reliably.

Ex.

3392 goes to 10.0.0.2:3389
3393 goes to 10.0.0.3:3389
3394 goes to 10.0.0.4:3389

Then if I need to remote into workstation 10.0.0.3 I just type in customerdomain.net:3393

That way has been easier to manage thus far.
 
Yoblad said:
I prefer setting up multiple port forwards in the router to the individual boxes. You need static IPs or DHCP reservations for this to work reliably.

Ex.

3392 goes to 10.0.0.2:3389
3393 goes to 10.0.0.3:3389
3394 goes to 10.0.0.4:3389

Then if I need to remote into workstation 10.0.0.3 I just type in customerdomain.net:3393

That way has been easier to manage thus far.

While I do have all static IPs set, I would concede with swatbat; I am trying to protect this network as much as possible. The machines are Windows terminals that run an app off the file server, so it makes more sense to check it out first anyway.

swatbat said:
VPN would be more secure.

Anyway, does said client have a Windows server? Or a machine that acts like a server, where someone is not on it most of the time? If they do, I would set up remote access on it (don't use the standard 3389 port) and remote into it. From that machine you can remote into any other machine on the network through the normal port. A little slower, but you don't have as many holes in the firewall. Also remember, if you did it to every machine you would pretty much need to know each port for each machine and have to set all of them to static IPs. I go in through the server and just hit the machines by name.

To change the port, if you didn't know, under Registry Editor:

Local Machine, System, CurrentControlSet, Control, Terminal Server, WinStations, RDP-Tcp, under PortNumber.

I would also like to note that I found a firmware distro that allows VPN connections (WRT54G), so I may look into this also. Anyone have experience with this?

Thanks for all the advice so far!
 
O2Flow said:
While I do have all static IPs set, I would concede with swatbat; I am trying to protect this network as much as possible. The machines are Windows terminals that run an app off the file server, so it makes more sense to check it out first anyway.

Thanks for all the advice so far!

It is slower in the sense that you are doing 2 remotes instead of 1. Good news is you don't need to know which port goes to which machine. The only time I set up direct remote access to a machine in the network is if they don't have a server or if a client wants it (i.e., I have a few clients that we opened it up on so they could hit their boxes from home).

Just change the port you connect to on the server, either by having the router forward it to another port or just changing it through Windows, and make sure that box has strong passwords. Do this and you should be fine.

I also like to use No-IP to link to client sites if they don't have static IPs. Have something like remote.clientdomain.com:3400, or whatever I have the port set to, to get it.
 
O2Flow said:
I would also like to note that I found a firmware distro that allows VPN connections (WRT54G), so I may look into this also. Anyone have experience with this?

Thanks for all the advice so far!

DD-WRT is great, just make sure you read the caveats about the newer versions of the WRT54G and installation.
 
Hmm, ok so I decided to use the server and simply RDP to other machines from an RDP session on the server. I think I may be doing this wrong. I enabled RDP on all the client machines and the server, and changed the RDP port on the server. I can connect to the router from the internet and view the settings, but I can't seem to connect directly to the server using the port forward. I am using Advanced Server 2003, so I am wondering if there is a firewall or security feature enabled stopping me from connecting?

[image: port_forward.gif, the router's port forward settings]

Any idea?
 
I am glad you decided to not open all those ports to the Internet.

Default RDP port is 3389. Did you change your server to answer on 6625 (per your image)?

My preferred method is to use SSH and then I can set up forwards to each IP address through the encrypted tunnel. It's not an easy concept to learn, but once you do (and the light bulb goes on) it opens all sorts of doors for you.

Edit: I just found the post where I learned how to do it:

Easy RDP over SSH Instructions
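The setup the post is describing, written out as an added example; it is not the content of the linked instructions, which are not on this page. One SSH connection to the client site carries a local port forward per LAN machine, RDP stays on its default port inside, and the only thing the router exposes is SSH. It assumes an SSH server at the client site reachable as customerdomain.net (the name used earlier in the thread), the built-in OpenSSH client on Windows 10 / Server 2019 or later, and placeholder account name and LAN addresses.

```powershell
# Added example (not Bean Dip's instructions): RDP through SSH local port forwards.
# Assumes an SSH server at the client site and the Windows OpenSSH client (ssh.exe).
$sshTarget = 'admin@customerdomain.net'   # placeholder account on the site's SSH server

# Local loopback port -> machine on the client LAN. The workstations keep RDP on 3389;
# only the SSH port is forwarded on the router.
$forwards = [ordered]@{
    13389 = '10.0.0.2:3389'
    13390 = '10.0.0.3:3389'
    13391 = '10.0.0.4:3389'
}

# Build one "-L 127.0.0.1:<local>:<lanhost>:3389" per entry. Binding explicitly to 127.0.0.1
# keeps the forwards reachable only from this workstation even if a GatewayPorts setting
# in the client config would otherwise bind them on all interfaces.
$sshArgs = @('-N', '-o', 'ExitOnForwardFailure=yes')
foreach ($local in $forwards.Keys) {
    $sshArgs += @('-L', "127.0.0.1:${local}:$($forwards[$local])")
}
$sshArgs += $sshTarget

# -N: no remote shell, just the forwards. Leave this process running while you work.
$tunnel = Start-Process -FilePath ssh -ArgumentList $sshArgs -PassThru -NoNewWindow
Start-Sleep -Seconds 3
if ($tunnel.HasExited) {
    throw "ssh exited with code $($tunnel.ExitCode); check the forward list and credentials"
}

# Open Remote Desktop to workstation 10.0.0.3 through the tunnel.
Start-Process -FilePath mstsc -ArgumentList '/v:127.0.0.1:13390'
```

ExitOnForwardFailure makes ssh quit instead of silently continuing when one of the local ports is already in use, which is the failure mode that otherwise shows up as an RDP connection to the wrong machine.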
 
Bean Dip said:
I am glad you decided to not open all those ports to the Internet.

Default RDP port is 3389. Did you change your server to answer on 6625 (per your image)?

Yes, I changed it in the registry. I guess I will make another trip and double check my settings. I will read up on the SSH also, thanks for the link.
 
O2Flow said:
Yes, I changed it in the registry. I guess I will make another trip and double check my settings. I will read up on the SSH also, thanks for the link.

Does the machine have a software firewall on it? Can you RDP to it from inside the network using the local IP address? Did you enable RDP by right-clicking on My Computer and going to Properties? Just stuff to recheck.
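The three checks in that reply, as an added example that is not Bean Dip's own checklist: is Remote Desktop enabled, does the registry port match what the router forwards to and is something listening on it, and does the host firewall allow it; then a connection test from a second LAN machine. It assumes a current Windows release with the NetSecurity and NetTCPIP modules (Server 2003 lacks them, so there the same items are checked by hand), the port 6625 from this thread, and a placeholder LAN address.

```powershell
# Added example (not the poster's): verifies the items the reply asks about.
# Assumes a current Windows release; 6625 is the port from the thread, 10.0.0.2 is a placeholder.
$expectedPort = 6625
$serverLanIp  = '10.0.0.2'
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. "Did you enable RDP?" The Properties checkbox writes fDenyTSConnections; 0 means enabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
"Remote Desktop enabled       : $($deny -eq 0)"

# 2. Does the registry port match the router forward, and is anything actually listening?
$regPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
"Registry PortNumber          : $regPort (router forwards to $expectedPort)"
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $expectedPort -ErrorAction SilentlyContinue)
"Listening on TCP $expectedPort       : $listening"

# 3. "Software firewall?" Which profiles are on, and does any enabled inbound rule allow the
#    custom port? The stock "Remote Desktop" rules only cover 3389.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
$allowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$expectedPort" } |
    Select-Object -ExpandProperty DisplayName
"Inbound allow rules for $expectedPort : $(if ($allowRules) { $allowRules -join ', ' } else { 'none' })"

# 4. "Can you RDP to it from inside?" Run this part from another machine on the LAN.
#    Success here with failure from outside narrows the problem to the router forward.
Test-NetConnection -ComputerName $serverLanIp -Port $expectedPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If step 2 shows the registry value changed but nothing listening, the service has not been restarted since the edit; if step 4 succeeds but the outside connection fails, the problem is the forward or the router's own firewall rather than the server.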
 
For ultimate peace of mind....get a router that supports VPN connections to it. Securely connect to the router...then connect to whatever workstations you want..no need to dork with different ports for your clients.

However..remember that Remote Desktop is quite secure..there's a documented man in the middle attack on it..however I think it's only something that can be replicated in a lab environment and not in the real world. Long as you have decent passwords on your accounts...simply change the local security policy to cancel the host after 3x failed attempts at login. Now you don't have to worry about dictionary/brute force attacks..and it would realistically take centuries to grind in.
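The lockout policy the post recommends, applied from the command line, followed by a summary of recent failed logons so its effect can be seen. This is an added example, not Stonecat's own steps. It assumes a standalone or workgroup machine (on a domain member the domain policy wins, so set it in Group Policy instead) and a current Windows release, where failed logons are Security event 4625; the duration and window values are assumptions, and the script must run as Administrator.

```powershell
# Added example (not the poster's): local account lockout after 3 failed attempts, plus a
# 24-hour summary of failed logons by source address. Assumes a current Windows release
# and a non-domain-joined machine; durations are assumptions.
$threshold      = 3    # failed attempts before lockout, as in the post
$lockoutMinutes = 30   # how long the account stays locked
$windowMinutes  = 30   # period over which failures are counted (must not exceed the duration)

net.exe accounts /lockoutthreshold:$threshold /lockoutduration:$lockoutMinutes /lockoutwindow:$windowMinutes | Out-Null
net.exe accounts | Select-String 'Lockout'   # show the policy that is now in force

# Who has been hammering the listener? LogonType 10 is RemoteInteractive (RDP);
# type 3 (Network) shows up instead when Network Level Authentication is in use.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Source    = $data['IpAddress']
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    } |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
```

One caveat worth knowing before relying on this: once the listener is reachable from the Internet, a lockout policy lets anyone who can guess a username lock that account, including the administrator's own. That is a further argument for the VPN or SSH route, where the RDP port is never exposed in the first place.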
 