patseguin (Global Moderator), posted March 6, 2018 (https://www.neowin.net/forum/topic/1357616-rdp-question/)

I was debating whether or not this would go here or in Windows support. I've set up RDP on my computer at work and have it working fine. I wanted to set it up so I could access at home in an emergency. I set up port forwarding and jotted down my public IP address. When I tried to log in last night, I got some error about NAT. I can't remember exactly what it said, but I was unable to connect. Anyways, here is the port forwarding I set up. Does it look right? It was in the firewall section of my router.

I'm not sure if I need to set up anything additional on my Windows 2008 server since the computer is on a domain but I don't think so.

satukoro, posted March 6, 2018

On 06/03/2018 at 12:53, patseguin said:
> I was debating whether or not this would go here or in Windows support. I've set up RDP on my computer at work and have it working fine. I wanted to set it up so I could access at home in an emergency. I set up port forwarding and jotted down my public IP address. When I tried to log in last night, I got some error about NAT. I can't remember exactly what it said, but I was unable to connect. Anyways, here is the port forwarding I set up. Does it look right? It was in the firewall section of my router. I'm not sure if I need to set up anything additional on my Windows 2008 server since the computer is on a domain but I don't think so.

Did you check to see if your public IP changed between when you jotted it down and when you tried to log in? It looks like your router's firewall rules are correct, assuming x.x.x.105 is your target's local static IP address. Also, I would double check to make sure Remote Desktop Connections are allowed on your 2008 Server. (Ctrl Panel > System > Advanced System Settings > Remote tab)

I used to have a web server set up behind a home router subject to ever-changing public IPs. I found that a dynamic DNS provider is the solution. Personally, I used no-ip (https://www.noip.com/) to get a free DNS address that looks like "example.ddns.com" and it would synchronize with its client software on a local server. My local server would tell no-ip what my public IP address was and update it every so often so I was always able to get to my home server. I'm not sure if this applies to you, but it helped me a lot.

patseguin (Author, Global Moderator), posted March 6, 2018

On 06/03/2018 at 13:15, satukoro said:
> Did you check to see if your public IP changed between when you jotted it down and when you tried to log in? It looks like your router's firewall rules are correct, assuming x.x.x.105 is your target's local static IP address. Also, I would double check to make sure Remote Desktop Connections are allowed on your 2008 Server. (Ctrl Panel > System > Advanced System Settings > Remote tab) I used to have a web server set up behind a home router subject to ever-changing public IPs. I found that a dynamic DNS provider is the solution. Personally, I used no-ip (https://www.noip.com/) to get a free DNS address that looks like "example.ddns.com" and it would synchronize with its client software on a local server. My local server would tell no-ip what my public IP address was and update it every so often so I was always able to get to my home server. I'm not sure if this applies to you, but it helped me a lot.

I don't think the router public ever changes, does it? That is the one on my cable modem/router from Spectrum. I checked the server and remote is already enabled with the (less secure) option. There were no users listed though. Could that be why I was getting that NAT error?

+InsaneNutter (MVC), posted March 6, 2018

Windows Firewall is likely enabled on your work PC, have you allowed connections for RDP through that?

Once you have RDP working, for additional security you should only allow connections on port 3389 from whitelisted IPs (aka only your home IP). I'd be wary just leaving Remote Desktop totally open on the internet.

patseguin (Author, Global Moderator), posted March 6, 2018

On 06/03/2018 at 13:26, InsaneNutter said:
> Windows Firewall is likely enabled on your work PC, have you allowed connections for RDP through that? Once you have RDP working, for additional security you should only allow connections on port 3389 from whitelisted IPs (aka only your home IP). I'd be wary just leaving Remote Desktop totally open on the internet.

Nope, I have firewall disabled on every PC on the domain because of an issue with some software we use. That's a great recommendation on whitelisting. I'll look into that for sure after getting it working, thanks!

xendrome, posted March 6, 2018

I would recommend you use like port 3395 as your inbound port and have it forward to port 3389, under port triggering most likely. That way you don't have random connections to 3389 (the common RDP port) coming in all day long with people trying to hack their way in.

patseguin (Author, Global Moderator), posted March 6, 2018

On 06/03/2018 at 13:52, xendrome said:
> I would recommend you use like port 3395 as your inbound port and have it forward to port 3389, under port triggering most likely. That way you don't have random connections to 3389 (the common RDP port) coming in all day long with people trying to hack their way in.

How would that work though? In my research, they said that RDP uses port 3389. Wouldn't 3395 not work?

+BudMan (MVC), posted March 6, 2018

Who did you ok this with at work? This is a HUGE security issue. If you need to access work resources while away you should VPN into your work network.

xendrome, posted March 6, 2018

On 06/03/2018 at 14:08, patseguin said:
> How would that work though? In my research, they said that RDP uses port 3389. Wouldn't 3395 not work?

It does use 3389, but you can do a port trigger on port 3395 which will forward the traffic to internal port 3389. The goal is security by obscurity: if someone is using a port scanner for 3389 across a subnet of IPs, they won't see port 3389 open on your machine. It's by no means secure, but it's one extra step you can take without using a VPN as BudMan said above.

+Warwagon (MVC), posted March 6, 2018

On 06/03/2018 at 14:08, BudMan said:
> Who did you ok this with at work? This is a HUGE security issue. If you need to access work resources while away you should VPN into your work network.

You beat me to it. You couldn't pay me to put RDP Internet facing. Budman is right, just set up a VPN, that's how I do it. In my case I have PiVPN running in a virtual box. Works fantastic.

patseguin (Author, Global Moderator), posted March 6, 2018

On 06/03/2018 at 14:31, warwagon said:
> You beat me to it. You couldn't pay me to put RDP Internet facing. Budman is right, just set up a VPN, that's how I do it. In my case I have PiVPN running in a virtual box. Works fantastic.

It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

+Fahim S. (MVC), posted March 6, 2018

On 06/03/2018 at 14:40, patseguin said:
> It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

If you don't want to use a VPN, then at the very least use TeamViewer or something similar. It certainly is not worth the security implications.

Daedroth, posted March 6, 2018

Like others have said, don't use RDP on the open Internet. If you want to use that technology, you'd want an RDS server and probably an RDS Gateway server.

If you don't want to use a VPN, what about using something like TeamViewer?

farmeunit, posted March 6, 2018

TeamViewer or others like it. I use Remote Utilities for one location, because another guy uses TeamViewer there.

+Warwagon (MVC), posted March 6, 2018

On 06/03/2018 at 14:40, patseguin said:
> It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

Oh absolutely. When I go to my girlfriend's house Friday and Saturday I connect into the VPN and from there RDP into my QuickBooks computer and bill out. It's amazing. So I know where you are coming from.

The PiVPN is actually made for a Raspberry Pi. It's dirt simple to set up.

http://www.pivpn.io/

sc302 (Veteran), posted March 6, 2018

There is OpenVPN, many routers support hosting VPN, all firewalls that I know of support it.

FYI, canyouseeme.org is a great way to see if your port is actually open and accepting connections. But I would never put 3389 directly out there as there is nothing stopping brute force... don't give them the chance to attempt when there are other solutions that would be more secure and cost just as much as opening a port on your existing firewall.

+BudMan (MVC), posted March 6, 2018

On 06/03/2018 at 14:13, xendrome said:
> The goal is security by obscurity

Which we all know is no security at all. All changing a port does is possibly lower the log spam. It is in no way whatsoever any sort of security.

What is the make and model of that Arris device? We can look to see if it supports VPN. If not, the mentioned PiVPN would be a simple low cost option.

Personally if a company, I would really look into putting a real firewall between your network and the internet. Not just the router the ISP gave you. Which I assume the Arris device is?

There are very low cost firewall/routers that have built in VPN support. I personally would suggest one of the Netgate appliances (pfSense).

https://www.netgate.com/solutions/pfsense/
https://www.pfsense.org/

Small company, the sg-3100 prob a good option. Shoot, even a sg-1000 might be enough depending on the bandwidth you have at the location. I personally updated from running on a VM to sg-4860 for my home setup. I can personally vouch that it freaking screams for 500/50 connection with lots of packages running, snort, ntopng, etc. Have not been able to get it to even break a sweat.

If you want to use remote desktop and you want to secure it, then since you're only going to access this from your house, you could, if your current device supports it, lock down the access to the IP of your home public IP.

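What the "random connections ... all day long", the brute-force attempts and the "log spam" mentioned by xendrome, sc302 and BudMan look like from the defender's side, as an added example that is not part of any post: PowerShell (3.0 or later) that groups failed logons from the Windows Security log (event 4625) by source address. The sample records and the function name Find-RdpGuessing are constructed for illustration.

```powershell
# Added example. Constructed records standing in for Security-log event 4625
# (failed logon). LogonType 10 = RemoteInteractive (RDP), 3 = Network (RDP with NLA).
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2018-03-06T02:14:01'; IpAddress = '198.51.100.23'; User = 'administrator'; LogonType = 10 }
    [pscustomobject]@{ Time = [datetime]'2018-03-06T02:14:03'; IpAddress = '198.51.100.23'; User = 'admin';         LogonType = 10 }
    [pscustomobject]@{ Time = [datetime]'2018-03-06T02:14:05'; IpAddress = '198.51.100.23'; User = 'pat';           LogonType = 10 }
    [pscustomobject]@{ Time = [datetime]'2018-03-06T02:14:09'; IpAddress = '198.51.100.23'; User = 'backup';        LogonType = 3 }
    [pscustomobject]@{ Time = [datetime]'2018-03-06T09:30:12'; IpAddress = '203.0.113.10';  User = 'pat';           LogonType = 10 }
    [pscustomobject]@{ Time = [datetime]'2018-03-06T11:02:40'; IpAddress = '-';             User = 'svc_sql';       LogonType = 5 }
)

# Hypothetical helper: summarise failed remote logons per source address and
# report the addresses that reach the threshold.
function Find-RdpGuessing {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $MinFailures = 3
    )
    $Events |
        Where-Object { (@(3, 10) -contains $_.LogonType) -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object -Property IpAddress |
        Where-Object { $_.Count -ge $MinFailures } |
        ForEach-Object {
            $g     = $_
            $times = @($g.Group | Sort-Object -Property Time)
            [pscustomobject]@{
                SourceIp  = $g.Name
                Failures  = $g.Count
                UserNames = @($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique).Count
                First     = $times[0].Time
                Last      = $times[-1].Time
            }
        } |
        Sort-Object -Property Failures -Descending
}

Find-RdpGuessing -Events $sample | Format-Table -AutoSize

# Live input (run elevated on the RDP host): project each 4625 event into the
# same shape and pass the result to -Events.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
#     $d = @{}
#     ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ Time = $_.TimeCreated; IpAddress = $d['IpAddress']
#                        User = $d['TargetUserName']; LogonType = [int]$d['LogonType'] }
# }
```

Moving the listener to another port changes how many of these entries accumulate, not whether a guessed password succeeds; a source-address restriction or a VPN removes the entries from unknown addresses altogether.
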
xendrome, posted March 6, 2018

On 06/03/2018 at 14:40, patseguin said:
> It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

Maybe use TeamViewer instead?

+DonC (Subscriber²), posted March 6, 2018

If VPN proves too tricky to set up with your current solution then RDP over SSH might be a useful stop-gap if you've got a public facing SSH server on your work network. The basic process is:

* Use PuTTY or similar to set up a tunnel between your laptop and your work network that goes from port 3389 on your laptop to port 3389 on the target machine
* Open a remote desktop session to localhost which then gets tunneled through to the target machine

It's a small inconvenience but it's way better than having RDP accessible to the Internet at large.

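The two steps +DonC describes, as an added example that is not part of the original post: PowerShell on the laptop using the OpenSSH client instead of PuTTY. The gateway name, account and internal address are placeholders, key-based SSH login is assumed, and the local end of the tunnel is port 13389 rather than 3389 because 3389 on the laptop may already be in use by its own Remote Desktop listener.

```powershell
# Added example. Host name, account and addresses below are placeholders.
$Gateway   = 'admin@ssh.example.com'   # public-facing SSH server on the work network
$Target    = '192.168.0.105'           # internal address of the RDP host
$LocalPort = 13389                     # local end of the tunnel on the laptop

# -N                    forwarding only, no remote command
# -L                    listen on 127.0.0.1:$LocalPort and forward to $Target:3389
#                       as seen from the gateway
# ExitOnForwardFailure  exit instead of running without the forward
$sshArgs = @(
    '-N',
    '-o', 'ExitOnForwardFailure=yes',
    '-L', "127.0.0.1:${LocalPort}:${Target}:3389",
    $Gateway
)
$tunnel = Start-Process -FilePath 'ssh' -ArgumentList $sshArgs -NoNewWindow -PassThru

try {
    # Step 1: wait (up to 30 s) until the local end of the tunnel accepts connections.
    $ready = $false
    foreach ($i in 1..30) {
        if ($tunnel.HasExited) { break }
        $client = New-Object System.Net.Sockets.TcpClient
        try { $client.Connect('127.0.0.1', $LocalPort); $ready = $true } catch { } finally { $client.Close() }
        if ($ready) { break }
        Start-Sleep -Seconds 1
    }
    if (-not $ready) { throw "Tunnel did not come up on 127.0.0.1:$LocalPort" }

    # Step 2: the RDP client talks to the loopback address; SSH carries the session
    # to the target, so port 3389 is never forwarded on the office router.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
}
finally {
    # Close the tunnel when the RDP session ends or the setup fails.
    if (-not $tunnel.HasExited) { Stop-Process -Id $tunnel.Id }
}
```

Binding the forward to 127.0.0.1 keeps the tunnel's local port unreachable from other machines on the network the laptop happens to be on.
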
+Warwagon (MVC), posted March 6, 2018

On 06/03/2018 at 17:16, DonC said:
> If VPN proves too tricky to set up with your current solution then RDP over SSH might be a useful stop-gap if you've got a public facing SSH server on your work network. The basic process is:
> * Use PuTTY or similar to set up a tunnel between your laptop and your work network that goes from port 3389 on your laptop to port 3389 on the target machine
> * Open a remote desktop session to localhost which then gets tunneled through to the target machine
>
> It's a small inconvenience but it's way better than having RDP accessible to the Internet at large.

Ya, when I configured a VPN on my router it was a pita .. but PiVPN makes it uber simple. The hardest part of the entire process is just getting the OVPN file out of the virtual machine.

satukoro, posted March 6, 2018

On 06/03/2018 at 13:24, patseguin said:
> I don't think the router public ever changes, does it? That is the one on my cable modem/router from Spectrum. I checked the server and remote is already enabled with the (less secure) option. There were no users listed though. Could that be why I was getting that NAT error?

If you're paying for a business connection, it's possible your Public IP doesn't change. Especially if you have a domain or something hosted on site.

After reading the other responses in this thread, I agree that TeamViewer or a similar solution is certainly the way to go security-wise.

Mando, posted March 6, 2018

On 06/03/2018 at 14:40, patseguin said:
> It's my company, so me. I just wanted a connection because once in a while if I am out, I need to do something that I can only do on my work PC. I've only ever used RDC so I'd have to do more research into VPN and how to do it. Maybe you guys are right though and it's not worth the security implications.

I'd be sacked doing such a thing for my corp mate, never ever ever ever have RDP public facing, hell no mate. May as well paint a huge red target on your work premises with a sign saying help yourself!

Deploy a hardware VPN gateway at your workplace (plenty of them also work as a realtime UTM device to boot!), trust no other option, TeamViewer, nope, LogMeIn Pro won't install on server OS and any other remote access piggy backing MSTSC should also be avoided.

patseguin (Author, Global Moderator), posted March 6, 2018

On 06/03/2018 at 19:18, Mando said:
> I'd be sacked doing such a thing for my corp mate, never ever ever ever have RDP public facing, hell no mate. May as well paint a huge red target on your work premises with a sign saying help yourself! Deploy a hardware VPN gateway at your workplace (plenty of them also work as a realtime UTM device to boot!), trust no other option, TeamViewer, nope, LogMeIn Pro won't install on server OS and any other remote access piggy backing MSTSC should also be avoided.

OK I'm taking everyone's advice and dropping it. I'll look into VPN. @Mando - someone suggested TeamViewer. Is that a good idea or also not the best plan to leave that active either?

satukoro, posted March 6, 2018

You could always rock Google Chrome Remote Desktop if that's your thing.

+DonC (Subscriber²), posted March 6, 2018

On 06/03/2018 at 19:41, patseguin said:
> OK I'm taking everyone's advice and dropping it. I'll look into VPN. @Mando - someone suggested TeamViewer. Is that a good idea or also not the best plan to leave that active either?

Personally, I would set up a hardware VPN device and drop all other incoming connections unless part of your business is to provide web services. Anything like RDP, Google whatever, etc. should just be dropped. SSH is the only other thing I would consider but unless you're already using it then there's not much point in starting once you've got a VPN in place.