RDP Question

patseguin

I was debating whether or not this would go here or in Windows support.

 

I've set up RDP on my computer at work and have it working fine. I wanted to set it up so I could access at home in an emergency. I set up port forwarding and jotted down my public IP address. When I tried to log in last night, I got some error about NAT. I can't remember exactly what it said, but I was unable to connect.

 

Anyways, here is the port forwarding I set up. Does it look right? It was in the firewall section of my router. I'm not sure if I need to set up anything additional on my Windows 2008 server since the computer is on a domain but I don't think so.

[image: screen.jpg, the router's port-forwarding rule]

satukoro

 

11 minutes ago, patseguin said:

I was debating whether or not this would go here or in Windows support.

 

I've set up RDP on my computer at work and have it working fine. I wanted to set it up so I could access at home in an emergency. I set up port forwarding and jotted down my public IP address. When I tried to log in last night, I got some error about NAT. I can't remember exactly what it said, but I was unable to connect.

 

Anyways, here is the port forwarding I set up. Does it look right? It was in the firewall section of my router. I'm not sure if I need to set up anything additional on my Windows 2008 server since the computer is on a domain but I don't think so.

[image: screen.jpg, the router's port-forwarding rule]

Did you check to see if your public IP changed between when you jotted it down and when you tried to log in?

It looks like your router's firewall rules are correct, assuming x.x.x.105 is your target's local static IP address.

 

Also, I would double check to make sure Remote Desktop Connections are allowed on your 2008 Server. (Ctrl Panel > System > Advanced System Settings > Remote tab)

 

I used to have a web server set up behind a home router subject to ever-changing public IPs. I found that a dynamic DNS provider is the solution.

Personally, I used No-IP (https://www.noip.com/) to get a free DNS address that looks like "example.ddns.com" and it would synchronize with its client software on a local server.

My local server would tell No-IP what my public IP address was and update it every so often, so I was always able to get to my home server.

I'm not sure if this applies to you, but it helped me a lot.

patseguin
6 minutes ago, satukoro said:

 

Did you check to see if your public IP changed between when you jotted it down and when you tried to log in?

It looks like your router's firewall rules are correct, assuming x.x.x.105 is your target's local static IP address.

 

Also, I would double check to make sure Remote Desktop Connections are allowed on your 2008 Server. (Ctrl Panel > System > Advanced System Settings > Remote tab)

 

I used to have a web server set up behind a home router subject to ever-changing public IPs. I found that a dynamic DNS provider is the solution.

Personally, I used No-IP (https://www.noip.com/) to get a free DNS address that looks like "example.ddns.com" and it would synchronize with its client software on a local server.

My local server would tell No-IP what my public IP address was and update it every so often, so I was always able to get to my home server.

I'm not sure if this applies to you, but it helped me a lot.

I don't think the router's public IP ever changes, does it? That is the one on my cable modem/router from Spectrum.

 

I checked the server and remote is already enabled with the (less secure) option. There were no users listed though. Could that be why I was getting that NAT error?

InsaneNutter

Windows Firewall is likely enabled on your work PC. Have you allowed connections for RDP through that?

Once you have RDP working, for additional security you should only allow connections on port 3389 from whitelisted IPs (aka only your home IP). I'd be wary just leaving Remote Desktop totally open on the internet.

patseguin
16 minutes ago, InsaneNutter said:

Windows Firewall is likely enabled on your work PC. Have you allowed connections for RDP through that?

Once you have RDP working, for additional security you should only allow connections on port 3389 from whitelisted IPs (aka only your home IP). I'd be wary just leaving Remote Desktop totally open on the internet.

Nope, I have firewall disabled on every PC on the domain because of an issue with some software we use.

 

That's a great recommendation on whitelisting. I'll look into that for sure after getting it working, thanks!

xendrome

I would recommend you use like port 3395 as your inbound port and have it forward to port 3389, under port triggering most likely. That way you don't have random connections to 3389 (the common RDP port) coming in all day long with people trying to hack their way in.

patseguin
15 minutes ago, xendrome said:

I would recommend you use like port 3395 as your inbound port and have it forward to port 3389, under port triggering most likely. That way you don't have random connections to 3389 (the common RDP port) coming in all day long with people trying to hack their way in.

How would that work though? In my research, they said that RDP uses port 3389. Wouldn't 3395 not work?

BudMan

Who did you OK this with at work? This is a HUGE security issue. If you need to access work resources while away you should VPN into your work network.

xendrome
4 minutes ago, patseguin said:

How would that work though? In my research, they said that RDP uses port 3389. Wouldn't 3395 not work?

It does use 3389, but you can do a port trigger on port 3395 which will forward the traffic to internal port 3389.

 

The goal is security by obscurity: if someone is using a port scanner for 3389 across a subnet of IPs, they won't see port 3389 open on your machine. It's by no means secure, but it's one extra step you can take without using a VPN as BudMan said above.

warwagon
23 minutes ago, BudMan said:

Who did you OK this with at work? This is a HUGE security issue. If you need to access work resources while away you should VPN into your work network.

You beat me to it. You couldn't pay me to put RDP Internet-facing. BudMan is right, just set up a VPN; that's how I do it. In my case I have PiVPN running in VirtualBox. Works fantastic.

patseguin
7 minutes ago, warwagon said:

You beat me to it. You couldn't pay me to put RDP Internet-facing. BudMan is right, just set up a VPN; that's how I do it. In my case I have PiVPN running in VirtualBox. Works fantastic.

It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

Fahim S.
1 minute ago, patseguin said:

It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

If you don't want to use a VPN, then at the very least use TeamViewer or something similar.

It certainly is not worth the security implications.

Daedroth

Like others have said, don't use RDP on the open Internet. If you want to use that technology, you'd want an RDS server and probably an RDS Gateway server.

 

If you don't want to use a VPN, what about using something like TeamViewer?

farmeunit

TeamViewer or others like it. I use Remote Utilities for one location, because another guy uses TeamViewer there.

warwagon
15 minutes ago, patseguin said:

It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

Oh absolutely. When I go to my girlfriend's house Friday and Saturday I connect into the VPN and from there RDP into my QuickBooks computer and bill out. It's amazing. So I know where you are coming from.

 

PiVPN is actually made for a Raspberry Pi. It's dirt simple to set up.

http://www.pivpn.io/

sc302

There is OpenVPN, many routers support hosting a VPN, and all firewalls that I know of support it.

 

FYI, canyouseeme.org is a great way to see if your port is actually open and accepting connections.  But I would never put 3389 directly out there as there is nothing stopping brute force...don't give them the chance to attempt when there are other solutions that would be more secure and cost just as much as opening a port on your existing firewall.

BudMan
1 hour ago, xendrome said:

The goal is security by obscurity

Which we all know is no security at all. All changing a port does is possibly lower the log spam. It is in no way whatsoever any sort of security.

 

What is the make and model of that Arris device? We can look to see if it supports VPN. If not, the mentioned PiVPN would be a simple low-cost option. Personally, if a company, I would really look into putting a real firewall between your network and the internet, not just the router the ISP gave you, which I assume the Arris device is? There are very low-cost firewall/routers that have built-in VPN support. I personally would suggest one of the Netgate appliances (pfSense).

 

https://www.netgate.com/solutions/pfsense/

 

https://www.pfsense.org/

 

Small company, the SG-3100 is prob a good option. Shoot, even an SG-1000 might be enough depending on the bandwidth you have at the location. I personally updated from running on a VM to an SG-4860 for my home setup ;) I can personally vouch that it freaking screams for a 500/50 connection with lots of packages running, snort, ntopng, etc. Have not been able to get it to even break a sweat.

 

If you want to use Remote Desktop and you want to secure it, then since you're only going to access this from your house, you could, if your current device supports it, lock down the access to your home's public IP.

xendrome
1 hour ago, patseguin said:

It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

Maybe use TeamViewer instead?

DonC

If VPN proves too tricky to set up with your current solution then RDP over SSH might be a useful stop-gap if you've got a public facing SSH server on your work network.

 

The basic process is:

 

* Use PuTTY or similar to set up a tunnel between your laptop and your work network that goes from port 3389 on your laptop to port 3389 on the target machine

* Open a remote desktop session to localhost which then gets tunneled through to the target machine

 

It's a small inconvenience but it's way better than having RDP accessible to the Internet at large.

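The two steps above as an added example, not DonC's own commands: a POSIX shell script that opens the local forward with the OpenSSH client (Windows 10 and later ship one; PuTTY's plink accepts the same -L syntax) and binds the tunnel entrance to the loopback address only. The gateway user@ssh.example.com and the work PC address 192.168.1.105 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's commands: RDP over an SSH local forward.
# Assumes an OpenSSH client on the laptop and a reachable SSH gateway at work.
# Hypothetical names: user@ssh.example.com (gateway), 192.168.1.105 (work PC).

GATEWAY="${GATEWAY:-user@ssh.example.com}"   # the public-facing SSH server at work
TARGET="${TARGET:-192.168.1.105}"             # work PC address as seen from the gateway
LOCAL_PORT="${LOCAL_PORT:-3389}"              # port the RDP client connects to on the laptop

# Accept only 1..65535; anything else never reaches ssh.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Forward spec for ssh -L. The explicit 127.0.0.1 bind matters: a bare
# "3389:host:3389" follows the client's GatewayPorts setting and, if that is
# "yes", the tunnel entrance listens on every interface of the laptop.
forward_spec() {
    printf '127.0.0.1:%s:%s:3389' "$1" "$2"
}

open_tunnel() {
    if ! valid_port "$LOCAL_PORT"; then
        echo "invalid LOCAL_PORT: $LOCAL_PORT" >&2
        return 1
    fi
    # -N: no remote shell; -f: background once authenticated;
    # ExitOnForwardFailure: fail instead of silently connecting without the
    # forward (e.g. a local RDP service already owns 3389; use LOCAL_PORT=13389).
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$LOCAL_PORT" "$TARGET")" "$GATEWAY"
}

# Step 2 of the post: point the RDP client at the laptop itself; the traffic
# leaves the tunnel at the gateway and reaches TARGET:3389 from inside the LAN.
#   Windows:  mstsc /v:127.0.0.1:3389
#   Linux:    xfreerdp /v:127.0.0.1:3389
if [ "${1:-}" = "run" ]; then
    open_tunnel
fi
```

Run it as `sh rdp_tunnel.sh run`, then start the RDP client against 127.0.0.1; without the `run` argument it only defines the functions.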
warwagon
58 minutes ago, DonC said:

If VPN proves too tricky to set up with your current solution then RDP over SSH might be a useful stop-gap if you've got a public facing SSH server on your work network.

 

The basic process is:

 

* Use PuTTY or similar to set up a tunnel between your laptop and your work network that goes from port 3389 on your laptop to port 3389 on the target machine

* Open a remote desktop session to localhost which then gets tunneled through to the target machine

 

It's a small inconvenience but it's way better than having RDP accessible to the Internet at large.

 

 

Ya, when I configured a VPN on my router it was a PITA, but PiVPN makes it uber simple. The hardest part of the entire process is just getting the OVPN file out of the virtual machine.

satukoro
4 hours ago, patseguin said:

I don't think the router's public IP ever changes, does it? That is the one on my cable modem/router from Spectrum.

 

I checked the server and remote is already enabled with the (less secure) option. There were no users listed though. Could that be why I was getting that NAT error?

If you're paying for a business connection, it's possible your Public IP doesn't change. Especially if you have a domain or something hosted on site.

 

After reading the other responses in this thread, I agree that Teamviewer or a similar solution is certainly the way to go security-wise.

Mando
4 hours ago, patseguin said:

It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

I'd be sacked doing such a thing for my corp, mate; never ever ever ever have RDP public-facing, hell no mate. May as well paint a huge red target on your work premises with a sign saying help yourself!

 

Deploy a hardware VPN gateway at your workplace (plenty of them also work as a realtime UTM device to boot!), trust no other option. TeamViewer, nope; LogMeIn Pro won't install on a server OS, and any other remote access piggybacking MSTSC should also be avoided.

patseguin
22 minutes ago, Mando said:

I'd be sacked doing such a thing for my corp, mate; never ever ever ever have RDP public-facing, hell no mate. May as well paint a huge red target on your work premises with a sign saying help yourself!

 

Deploy a hardware VPN gateway at your workplace (plenty of them also work as a realtime UTM device to boot!), trust no other option. TeamViewer, nope; LogMeIn Pro won't install on a server OS, and any other remote access piggybacking MSTSC should also be avoided.

OK I'm taking everyone's advice and dropping it. I'll look into VPN. @Mando - someone suggested Teamviewer. Is that a good idea or also not the best plan to leave that active either?

satukoro

You could always rock Google Chrome Remote Desktop if that's your thing.

DonC
30 minutes ago, patseguin said:

OK I'm taking everyone's advice and dropping it. I'll look into VPN. @Mando - someone suggested Teamviewer. Is that a good idea or also not the best plan to leave that active either?

Personally, I would set up a hardware VPN device and drop all other incoming connections unless part of your business is to provide web services. Anything like RDP, Google whatever, etc. should just be dropped.

 

SSH is the only other thing I would consider but unless you're already using it then there's not much point in starting once you've got a VPN in place.
