Re: More on Remote Desktop
From: Sooner Al (SoonerAl_at_somewhere.net.invalid)
Date: 10/17/04
- Next message: Carey Holzman: "Re: Dialer keeps poping up"
- Previous message: Scott: "Re: Network Drive Size Issue"
- In reply to: Dana Brash: "Re: More on Remote Desktop"
- Next in thread: Sooner Al: "Re: More on Remote Desktop"
- Reply: Sooner Al: "Re: More on Remote Desktop"
- Reply: Dana Brash: "Re: More on Remote Desktop"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 17 Oct 2004 15:37:38 -0500
You realize the Remote Desktop data stream is encrypted the same as a PPTP VPN link...
...so opening one port for Remote Desktop, ie. TCP Port 3389, is not a big deal...IMHO...
Unless of course the original poster wants to implement an L2TP/IPSec VPN server at home...or
purchase additional/new hardware...
--
Al Jarvi (MS-MVP Windows Networking)
Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
"Dana Brash" <dbrash@Phongsaly.com> wrote in message news:ucrRsXHtEHA.3052@tk2msftngp13.phx.gbl...
> Basic lowdown: You would use the Router's_public_IP :3389. On the router you would create a
> 'service' (or however your particular piece of hardware refers to port mapping) for port 3389 and
> point it to the Static IP of the internal server. But again, I would strongly recommend that you
> use VPN instead as opening this up is a huge security hole. If you open port 3389 on your
> firewall to the world, you will almost certainly get hacked. Please, please, please don't do it.
> Secure your communications through a VPN Connection. You shouldn't need any rules on your
> firewall to get between your clients and server on your own LAN. You will need something in place
> to get into your LAN from external.
>
> How it works:
> Your DSL or Cable Modem or whatever you're using gets a public IP address, probably (99.9%)
> dynamically assigned. On the other side, when you dial up to earthlink, your laptop also gets a
> public IP. So the first step in getting your laptop into that LAN server has got to be making
> these two public IP's talk to each other. But as you're using a home network, chances that your
> public IP is static are very, very slim: so you don't know where to point your laptop to connect.
> You will want to follow Al Jarvi's suggestion and go with something like http://www.no-ip.com or I
> use http://www.changeip.com. These services will let you map a DNS name to your dynamically
> assigned Public (Cable or DSL) IP address. When you use these services, you no longer have to
> know the IP because they keep a record and you just have to refer to the URL. Mine is
> dana.blahblah.com (not really, but for example's sake...) Even if you do decide to open 3389,
> you'll still want the Dynamic IP DNS service so that you can find your network in the first place.
>
> Your network must run a client-side service to update the Dynamic IP DNS servers directly when
> your public IP address changes. There are several ways to do it. The modem sometimes does it,
> the router/firewall sometimes does it, or you can install a small client on the OS that will do
> it. The key is, whichever machine holds the public IP needs to be making the update (updating the
> public IP address information with an internal IP address isn't going to help you). I have mine
> setup so that my firewall makes the PPPoE connection to my ADSL ISP. My firewall can be
> configured to update ChangeIP.com. So when the PPPoE connection on the firewall gets a new public
> IP, ChangeIP knows about it. If I was using ICS or RRAS on my server, I would download and run
> the ChangeIP client on that server.
>
> So, when I want to connect to my internal server, here is how I do it. I set up a VPN connection
> on my firewall, using L2TP and IPSec with a pre-shared key. I configure my user there. I then
> create a VPN connection on my laptop. My VPN connection is configured to first open my dialup
> connection. It is then configured to connect to dana.blahblah.com AS A URL, and pass it the right
> username, password, and pre-shared key. It is also configured to use my LAN DNS servers for DNS
> resolution (so I can reference my internal servers by name). The firewall then authenticates and
> connects me, and gives me A LOCAL IP ADDRESS ON MY LAN.
>
> Once I've created the VPN 'tunnel' to my LAN, and gotten my LAN IP address, I can connect to
> resources just as if I'm sitting in my home office. Once you have an internal IP, you don't have
> to worry about ports anymore. Everything is dial-up slow now, but I can get there. I think this
> solution will better meet your needs for getting to files and faxes and what not anyway. Remote
> Desktop is not really going to be your best option for transferring files (as in it won't do it).
>
> This is not simple stuff. It would be impossible for me to give you all the information you need
> to get this up and running properly without you doing other reading. A Google search for "VPN
> overview" returns a bunch of great articles on the general nature of VPN. I would suggest looking
> up the VPN configuration information from your router/firewall vendor. If it doesn't perform this
> service, get a Linksys or a Vigor or a Netgear or a DLink or a Cisco or a Netscreen or a ...???
> that does. Alternately, you can build up an RRAS box on Win2k/2003 that can allow VPN, or ISA
> server will also perform this function. Don't be tempted to use your server as the router, get a
> machine (an older one should do) and dedicate it to the task.
>
> HTH,
> =d=
>
> --
> Dana Brash
> MCSE, MCDBA, MCSA
>
> dbrash@gmail.com
>
> "mchjr01" <mchjr01@discussions.microsoft.com> wrote in message
> news:D84E2E22-E96C-451F-AF67-728EC73745B4@microsoft.com...
>> Dana,
>>
>> Thanks for your prompt reply.
>>
>> I have a home network with two laptops, a desktop and two printers. The
>> laptops are wireless and the desktop is wired to a router - sharing the DSL
>> connection as stand alone workstation to access the internet. The desktop is
>> being used as storage of huge files and as a fax server. So far, I configured
>> the ip forwarding (desktop ip) on my router through TCP3389 and made the
>> desktop ip static. On the laptops I made the IPs static as well.
>>
>> Our needs are to be able to remotely access the desktop to retrieve files
>> and faxes through the internet. From my laptop, I configured remote desktop
>> to connect to as: ipdesktop:3389. When I am connected to my LAN I can connect
>> with no problem, but when I try to connect via regular dial-up through my
>> ISP (earthlink.net), I am getting the error messages that either the desktop
>> is busy or I do not have the permissions to connect. Tell me, to connect - do
>> I use the routersip:3389 or the desktopip:3389?
>>
>> Again thanks for your time and you are a valuable resource of information -
>> keep up the good work.
>>
>> Mike
>>
>> "Dana Brash" wrote:
>>
>>> Hi Mike,
>>>
>>> A bit more information about your environment would be helpful. Are you in
>>> a domain or workgroup? What are you using for a firewall (brand/model)?
>>> How are you connected to the internet? Do you have a static public IP?
>>> etc...
>>>
>>> It does sound like you're getting blocked at the firewall, except for one
>>> thing. You said:
>>>
>>> >When I tried to connect via dial up outside of my LAN I am
>>> > getting an error message(...)
>>>
>>> What are you dialing in to? Do you mean that your laptop is making a Dialup
>>> connection to the internet, are you dialing in to your firewall/router, do
>>> you have RRAS configured internally to accept dial-in connections?
>>>
>>> If you are simply trying to get to the server via the public IP of the
>>> firewall, then you could open up port 3389 and have it point to your
>>> internal server, but this would open it up for everyone. Not a great idea.
>>> Depending on your firewall, you may be able to create a policy that would
>>> allow only your laptop through, particularly if you have a static IP to use.
>>> However, since you're a laptop, I assume you move around and stay in hotels
>>> and get on wireless at the airport and Starbucks and what not, and that
>>> you're pretty much not going to have a static IP for your laptop.
>>>
>>> If you are trying to dial in to an RRAS server, you need to make sure that
>>> your user account has dial-in permission enabled. Are you in a Domain? Do
>>> this in Active Directory Users and Computers on your user properties. It
>>> doesn't sound like you're actually dialing in to an RRAS server, so I won't
>>> pursue this idea at this point....
>>>
>>> So, I would suggest creating a VPN tunnel into your LAN from outside. Then
>>> your laptop will make a connection to the internet, and once connected to
>>> the internet can open a tunnel through your firewall. Your firewall can
>>> then authenticate you, encrypt your packets and let you in to the LAN 'just
>>> like' you're sitting on the LAN itself (albeit much, much slower). Many
>>> home products these days offer VPN capabilities, as do RRAS, and ISA server
>>> as well.
>>>
>>> HTH
>>> =d=
>>>
>>>
>>> --
>>> Dana Brash
>>> MCSE, MCDBA, MCSA
>>>
>>> dbrash@gmail.com
>>>
>>> "mchjr01" <mchjr01@discussions.microsoft.com> wrote in message
>>> news:C6FC5687-8050-4D70-B6A5-81F4F3FBD4D2@microsoft.com...
>>> > Sorry on bugging you on this remote desktop issue but I really need to
>>> > remotely access my desktop where I store my huge files and use it as a fax
>>> > server.
>>> >
>>> > This is what I have done so far:
>>> >
>>> > On the desktop that I would like to access remotely, I changed the IP to
>>> > static. On the router I enabled the virtual server and added the desktop
>>> > static IP to forward through TCP3389.
>>> >
>>> > When I initiated remote access from my laptop I type: desktop ip:3389. I
>>> > tried it while I am connected on the same LAN network where the desktop - I
>>> > got through. When I tried to connect via dial up outside of my LAN I am
>>> > getting an error message of either the remote PC is busy or do not have
>>> > permissions to connect.
>>> >
>>> > My suspicion is I am being blocked by the router's firewall. Is there a way
>>> > I can make my laptop's IP static and add the same IP on my router as trusted?
>>> > Do I assign the static IP just like the way I did it on the desktop?
>>> >
>>> > I have SP2 update installed on my XP-Pro.
>>> >
>>> > Please advise and again many thanks to you.
>>> >
>>> >
>>> > Mike
>>>
>>>
>>>
>
>
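An added example (not part of the thread, and not any poster's code) modelling the two points Dana makes about the setup: the dynamic-DNS updater must run on the host that actually holds the public address, never publishing an internal LAN address, and an inbound TCP 3389 rule should be scoped to the laptop's address rather than left open to the world. The hostname, addresses and the stand-in resolver are constructed for the example.

```python
# Added example, not from the thread. Uses only the standard library.
import ipaddress
from typing import Callable, Iterable, Optional

# Address ranges that can only ever be "internal" from the Internet's point of
# view: RFC 1918 space, link-local and loopback. Publishing one of these in a
# dynamic-DNS record is exactly the mistake Dana warns about.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.0.0/16", "127.0.0.0/8")]

def needs_ddns_update(current_ip: str, hostname: str,
                      resolve: Callable[[str], Optional[str]]) -> bool:
    """True when the published record for hostname no longer matches current_ip.

    Raises ValueError if current_ip is a LAN address: that means this code is
    running on an internal box, not on the modem/router/ICS host that holds
    the public IP, and the update would be useless.
    """
    ip = ipaddress.ip_address(current_ip)
    if any(ip in net for net in LAN_NETWORKS):
        raise ValueError(f"{current_ip} is an internal address; "
                         "run the updater on the host holding the public IP")
    return resolve(hostname) != str(ip)

def rdp_allowed(source_ip: str, allowed_sources: Iterable[str]) -> bool:
    """Inbound policy for TCP 3389: permit only sources inside the listed
    addresses/networks (Dana's 'allow only your laptop' rule).

    An empty list admits nobody; "0.0.0.0/0" reproduces the open-to-the-world
    port forward the original poster configured.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(a, strict=False)
               for a in allowed_sources)

# Constructed stand-in for a DNS lookup (documentation-range addresses).
_RECORDS = {"dana.blahblah.com": "203.0.113.7"}

def fake_resolve(name: str) -> Optional[str]:
    return _RECORDS.get(name)

if __name__ == "__main__":
    print(needs_ddns_update("203.0.113.7", "dana.blahblah.com", fake_resolve))
    print(needs_ddns_update("198.51.100.2", "dana.blahblah.com", fake_resolve))
    print(rdp_allowed("198.51.100.2", ["198.51.100.2/32"]))
    print(rdp_allowed("192.0.2.9", ["198.51.100.2/32"]))
```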