Remote desktop – multiple computers behind firewall – changing RDP port

Published on September 15, 2014 in computer, networks, server

Summary:

  1. Change the port the computer listens on for RDP in the registry (regedit, browse to the RDP-Tcp key, change PortNumber from 3389 to the allocated port), then reboot the PC
  2. In Windows Firewall, open the same port you chose above and allow inbound connections
  3. In the router's port forward / virtual server setup, forward the external port (same as above) to the internal computer's IP address on the same port
  4. From outside the network, connect to WANIP:port, i.e. x.x.x.x:portyouchangedabove
  5. Detailed instructions below
  6. Link back (original article): http://www.wi-fiplanet.com/tutorials/article.php/3802226
——————————

In Windows Vista, right-click Computer on the Start menu and select Properties. On the System window, click the Remote Settings link on the left and, if prompted, accept the UAC dialog. On the Remote tab, choose Allow in the Remote Desktop section. If the computers that will connect to this host run a newer version of the client, choose the more secure option, which requires Network Level Authentication (NLA).

Tip: To double-check if a client supports the Network Level Authentication (NLA) requirement for connecting to more secure connections, open the Remote Desktop Connection program, click the icon on the upper left corner of the program, and select About. If NLA is supported, it will be noted on the dialog.

To enable Remote Desktop in Windows XP, right-click My Computer on the Start menu and select Properties. On the dialog, select the Remote tab and check the allow option in the Remote Desktop section.

Tip: Don't worry if no computers are listed when you choose Browse for more from the Computer field. That browser only finds hosts published in an Active Directory domain, which is usually only the case on enterprise networks.

Allocate port numbers to each PC and manually change the default

The Remote Desktop server and client use a single default port, TCP 3389, so every computer with the feature enabled listens on (or connects to) that port. That is fine when the connections are made between computers on the same local network, but by default only one computer behind a router can accept Remote Desktop connections from the Internet.

When the router receives traffic on the Remote Desktop port, it forwards it to one specified computer. If Bob's computer is the one configured in the router, Bob can connect, but when Sallie tries to reach her PC she just gets an error. For Sallie to connect, someone must change the forwarding entry in the router to point at her computer instead.

The way around this problem is to use a different port number on each computer. For example, Bob can keep the default port; he does not need to change the port used by the server or the default firewall rule that allows the incoming traffic. Sallie, however, would use port 3390, and any other computers needing remote access would use 3391, 3392, and so on. Note that a non-default port only gives each computer its own forwarding entry; it is not a security control. Internet-wide scanners find RDP listeners on any port, so each host still needs NLA and strong passwords, and putting the listeners behind a VPN instead of forwarding them directly is preferable.

After allocating each additional computer with a port number, change the default port by editing the Windows Registry:

1.    Click the Start button, and in Vista type regedit into the search box and hit Enter, or in XP click Run, enter regedit, and hit Enter.

2.    On the left side of the Registry Editor, browse to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

3.    On the right side, find and double-click the PortNumber value (a DWORD), as shown in Figure 1 (below).

4.    On the editing dialog box, choose the Decimal option.

5.    Type in the allocated port number, click OK, and then close the Registry Editor.

Windows starts listening on the new port only after Remote Desktop Services restarts, so reboot the computer, then continue with opening up the firewall.

Figure 1. (image: fig1.jpg)

Configure each PC’s firewall with allocated port numbers

Enabling Remote Desktop automatically creates a Windows Firewall exception for inbound traffic on TCP port 3389. That is sufficient for computers left on the default port; on computers configured with a custom port, a rule for the new port must be created manually. It is also best to disable the original 3389 rule so that no unused port is left open.

Here’s how to add a firewall exception on computers using non-default ports:

1.    Open the Windows Firewall dialog from the Control Panel.

2.    Click the Exceptions tab.

3.    Click the Add Port button.

4.    Enter a Name and the Port Number, keep TCP selected, click OK, and close the dialogs and windows. Figure 2 (below) shows an example.

Figure 2. (image: fig2.jpg)
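The registry and firewall steps above, scripted for one host, as an added example that is not part of the original tutorial. It assumes it is run from an elevated PowerShell prompt on the host PC; the port 3390 and the rule name RDP-Custom-3390 are assumed values. Beyond the steps in the text, it refuses a port that something else already listens on, turns on Network Level Authentication, and provides a check to run after the reboot:

```powershell
# Added example, not from the original article. Run as Administrator on the host
# PC whose RDP port is being changed. The port is the one allocated to this PC
# (3390 here, an assumed value); adjust it per machine.
#Requires -RunAsAdministrator

$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermSrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-RdpListener {
    param([Parameter(Mandatory)][int]$Port)
    # True when some process has a TCP listener bound to $Port. netstat is used
    # rather than Get-NetTCPConnection so the check also works on Vista and 7.
    $hit = netstat -ano -p tcp | Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    return [bool]$hit
}

function Set-RdpPort {
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Port)

    $old = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
    if ($old -eq $Port) {
        Write-Output "RDP PortNumber is already $Port"
        return
    }
    # If another service already owns the port, the RDP listener would fail to
    # bind after the reboot and the machine would be unreachable remotely.
    if (Test-RdpListener -Port $Port) {
        throw "TCP port $Port already has a listener; pick another port"
    }

    # PortNumber is a REG_DWORD; this is the value the GUI step edits in Decimal.
    Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $Port -Type DWord

    # Make sure Remote Desktop is enabled and requires Network Level
    # Authentication (the "more secure" option in System Properties).
    Set-ItemProperty -Path $TermSrvKey -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $RdpTcpKey  -Name UserAuthentication -Value 1 -Type DWord

    Write-Output "RDP PortNumber changed from $old to $Port; reboot for it to take effect"
}

function Add-RdpFirewallRule {
    param([Parameter(Mandatory)][int]$Port)
    $name = "RDP-Custom-$Port"   # assumed rule name
    # netsh advfirewall is available from Vista onward. On Windows 8 and later,
    # New-NetFirewallRule -Direction Inbound -Protocol TCP -LocalPort $Port is equivalent.
    netsh advfirewall firewall add rule name=$name dir=in action=allow protocol=TCP localport=$Port | Out-Null
    # Disable the built-in Remote Desktop rules so TCP 3389 is no longer open.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
    Write-Output "Firewall rule $name allows inbound TCP $Port; default 3389 rules disabled"
}

$Port = 3390
Set-RdpPort -Port $Port
Add-RdpFirewallRule -Port $Port
Write-Output "After rebooting, confirm with: Test-RdpListener -Port $Port  (expect True)"
```

After the reboot, `Test-RdpListener -Port 3390` should return True and `Test-RdpListener -Port 3389` False; if 3389 still shows a listener, Remote Desktop Services did not pick up the new value (check that PortNumber was written under the RDP-Tcp key and not elsewhere).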

Set port forwards in the router, mapping ports to IP addresses

Now set up the router with a port forward for each computer, mapping each allocated port to that computer's IP address. This is what tells the router where to send Remote Desktop traffic that arrives from the Internet. Every computer needs an entry, whether it uses the default port or a custom one.

To access the router settings, type the router's IP address into a Web browser and log in. Then find the Virtual Server or Port Forwarding settings. To create a new entry, select the computer from the drop-down list or enter its IP address manually, type in the port number (using the same number for the public and private port), and click Save. Figure 3 (below) shows an example.

Figure 3. (image: fig3_sm.jpg)

Tip: Give the computers static IP addresses; addresses handed out by DHCP can change over time, which would break the forwarding entries. Many routers include a DHCP reservation feature that always gives a specified computer the same address. Otherwise, assign the IP address manually on each computer.

Making the remote connection

Now that Remote Desktop is enabled on the computers, custom ports are configured, and the router is set up, we can finally connect. Open Microsoft's Remote Desktop Connection program from the Start menu and enter the information as usual. When connecting to a computer on the same network, enter the computer's IP address or Computer Name. When connecting over the Internet, enter the public IP address of the Internet connection or a host name that resolves to it. For a computer configured with a non-default port, append a colon and the port number (for example, x.x.x.x:3390), as seen in Figure 4 (below).

Figure 4. (image: fig4.jpg)

A final note: Some DNS providers, such as No-IP, offer dynamic DNS. This gives you a host name, such as ericshome.getmyip.com, that is kept pointing at your Internet IP address even when the ISP changes it. That makes Remote Desktop connections much easier when the Internet connection has a dynamic IP address, which is the case for most residential and small business accounts.
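Before launching the client, it is worth checking from outside that the forwarded port actually reaches an RDP listener on the intended host and that the host negotiates NLA. The following PowerShell function is an added example, not part of the original article: it resolves the (dynamic DNS) host name, opens the TCP port, sends the X.224 Connection Request that every RDP client begins with (MS-RDPBCGR section 2.2.1.1), and reads the server's Connection Confirm to see which security protocol the host selected. The host name ericshome.getmyip.com is reused from the text above; the port and timeout are placeholders.

```powershell
# Added example, not from the original article. Run on the client side.
function Test-RdpEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 3000
    )
    # Dynamic-DNS names (e.g. from No-IP) resolve like any other; take the first IPv4.
    $ip = [System.Net.Dns]::GetHostAddresses($HostName) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          Select-Object -First 1
    if (-not $ip) { throw "Cannot resolve $HostName" }

    $result = [ordered]@{ Host = $HostName; Address = $ip.IPAddressToString; Port = $Port; State = ''; Security = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ip, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.State = 'no answer (port not forwarded, filtered, or host off)'
            return [pscustomobject]$result
        }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs

        # X.224 Connection Request inside a TPKT header, carrying an RDP_NEG_REQ
        # that offers TLS (0x1) and CredSSP/NLA (0x2), i.e. requestedProtocols = 3.
        $cr = [byte[]](
            0x03, 0x00, 0x00, 0x13,                        # TPKT version 3, total length 19
            0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00,      # X.224 CR TPDU, LI=14, class 0
            0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00 # RDP_NEG_REQ type 1, len 8, protocols 3
        )
        $stream.Write($cr, 0, $cr.Length)

        # Read the TPKT-framed reply; the total length is in bytes 2-3 (big endian).
        $buf = New-Object byte[] 64
        $n = 0
        try {
            while ($n -lt 4 -or $n -lt ($buf[2] * 256 + $buf[3])) {
                $got = $stream.Read($buf, $n, $buf.Length - $n)
                if ($got -le 0) { break }
                $n += $got
            }
        } catch [System.IO.IOException] { }   # read timeout: evaluate whatever arrived

        if ($n -ge 11 -and $buf[0] -eq 0x03 -and $buf[5] -eq 0xD0) {
            $result.State = 'RDP listener (X.224 Connection Confirm received)'
            if ($n -ge 19 -and $buf[11] -eq 0x02) {
                # RDP_NEG_RSP: selectedProtocol is a little-endian DWORD at offset 15
                $selected = [BitConverter]::ToUInt32($buf, 15)
                $names = @{ 0 = 'standard RDP security (no TLS, no NLA)'; 1 = 'TLS'; 2 = 'CredSSP (NLA)' }
                $result.Security = if ($names.ContainsKey([int]$selected)) { $names[[int]$selected] } else { 'protocol 0x{0:X}' -f $selected }
            } elseif ($n -ge 19 -and $buf[11] -eq 0x03) {
                # RDP_NEG_FAILURE; failureCode 5 = HYBRID_REQUIRED_BY_SERVER (NLA mandatory)
                $result.Security = 'negotiation failure, code {0}' -f [BitConverter]::ToUInt32($buf, 15)
            } else {
                $result.Security = 'no negotiation response (legacy RDP security only)'
            }
        } elseif ($n -gt 0) {
            $result.State = 'port open but the reply is not RDP (forwarded to the wrong service?)'
        } else {
            $result.State = 'port open, no reply within timeout'
        }
    } catch [System.Net.Sockets.SocketException] {
        $result.State = "connection refused or reset: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

# Usage: check the forwarded port first, then launch the client only if it is
# really RDP and the host selected CredSSP, i.e. NLA is in force.
$check = Test-RdpEndpoint -HostName 'ericshome.getmyip.com' -Port 3390
$check | Format-List
if ($check.State -like 'RDP listener*' -and $check.Security -eq 'CredSSP (NLA)') {
    mstsc.exe "/v:$($check.Host):$($check.Port)"
}
```

A State of "no answer" almost always means the router's forwarding entry is missing or points at a stale IP address (see the static-address tip above); "port open but the reply is not RDP" means the port is forwarded to a different service. A Security value other than CredSSP (NLA) means the host is accepting connections before authentication, so revisit the "more secure" option in its Remote settings.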