Re: More on Remote Desktop
From: Sooner Al (SoonerAl_at_somewhere.net.invalid)
Date: 10/18/04
- Next message: dawniepoo: "web pages open onto windows media player"
- Previous message: Touch Base: "Re: Disappearance of "save target as" command from IE (right click)"
- In reply to: Dana Brash: "Re: More on Remote Desktop"
- Next in thread: Dana Brash: "Re: More on Remote Desktop"
- Reply: Dana Brash: "Re: More on Remote Desktop"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 18 Oct 2004 06:48:45 -0500
I believe his requirement, at least as I read it, is to...
>>>> Our needs are to be able to remotely access the desktop to retrieve files
>>>> and faxes through the internet.
You can access both remote and local drives/print locally and remotely/etc, while in a Remote
Desktop session, and subsequently cut-n-paste files between the local and remote PCs. The Remote
Desktop connection simply needs to be configured for that in the Options -> Local Resources -> Local
Devices configuration window when you open the connectoid...
http://support.microsoft.com/default.aspx?scid=kb;[LN];313292
Yes, a VPN will work just fine. I was simply trying to help the original poster save a few $$$$ by
using the existing functionality of the OS...and to keep it as simple as possible...:-)
If you need to feel a bit safer you can always change the listening port on the XP Pro box to
something other than the default TCP Port 3389. If you do change the listening port then make sure
you...
a) reboot the PC after making the registry change and
b) make the change to the router port forwarding also.
READ THESE TWO KB ARTICLES FIRST...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
Change the Remote Desktop listening port and calling procedure...
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306759
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q304304
I always recommend that a "strong password" be used...AFAIK, the password exchange is encrypted
also...You might reference Bill Sanderson's (MS-MVP) reply to a similar question...
You also might consider changing the default client connection encryption level to "High" versus the
default "Client compatible" and *ALWAYS* prompt for a password.... Note this is done on the XP Pro
Remote Desktop host machine...
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_uvnl.asp
--
Al Jarvi (MS-MVP Windows Networking)
Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
"Dana Brash" <dbrash@Phongsaly.com> wrote in message news:emc3ZeMtEHA.220@TK2MSFTNGP15.phx.gbl...
> Hi Al,
>
> I did not know that. That makes it a very different security story. However, a port scan would
> reveal 3389 open and could invite a brute force attack. Encryption is not authentication, and
> (particularly if he doesn't use adequately complex passwords) there is still a chance that someone
> could hack his system.
>
> Security aside, he's got the other requirement that he be able to "to retrieve files and faxes".
> Perhaps I'm taking this too literally to mean "download" and all he really wants to do is be able
> to "view" them. If he doesn't want to download, then Remote Desktop should be fine. If he does
> want to download, or otherwise run locally on his laptop, then I don't believe there is actually a
> way to do this using Remote Desktop, though I'd love to know otherwise.
>
> Chances are good, though, that he's already got VPN capabilities on his current hardware, so I'm
> not sure he'd have to get anything new. It just seems like it's pretty commonly included these
> days. If not, he can get a firewall to do it for $100. Pretty small investment...
>
> I believe this one would meet his needs:
> http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=537
>
> Available at Amazon for $99.99
> http://www.amazon.com/exec/obidos/tg/detail/-/B00008WM9J/qid=1098071495/sr=8-1/ref=pd_csp_1/002-7150240-6237613?v=glance&s=electronics&n=507846
>
>
> Thanks for the info.
>
> --
> Dana Brash
> MCSE, MCDBA, MCSA
>
> dbrash@gmail.com
>
> "Sooner Al" <SoonerAl@somewhere.net.invalid> wrote in message
> news:%23EualkItEHA.3556@TK2MSFTNGP10.phx.gbl...
>> You realize the Remote Desktop data stream is encrypted the same as a PPTP VPN link...
>>
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/remote_desktop_protocol.asp
>>
>> ...so opening one port for Remote Desktop, ie. TCP Port 3389, is not a big deal...IMHO...
>>
>> Unless of course the original poster wants to implement an L2TP/IPSec VPN server at home...or
>> purchase additional/new hardware...
>>
>> --
>> Al Jarvi (MS-MVP Windows Networking)
>>
>> Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
>> The MS-MVP Program - http://mvp.support.microsoft.com
>> This posting is provided "AS IS" with no warranties, and confers no rights...
>>
>> "Dana Brash" <dbrash@Phongsaly.com> wrote in message
>> news:ucrRsXHtEHA.3052@tk2msftngp13.phx.gbl...
>>> Basic lowdown: You would use the Router's_public_IP :3389. On the router you would create a
>>> 'service' (or however your particular piece of hardware refers to port mapping) for port 3389
>>> and point it to the Static IP of the internal server. But again, I would strongly recommend
>>> that you use VPN instead as opening this up is a huge security hole. If you open port 3389 on
>>> your firewall to the world, you will almost certainly get hacked. Please, please, please don't
>>> do it. Secure your communications through a VPN Connection. You shouldn't need any rules on
>>> your firewall to get between your clients and server on your own LAN. You will need something in
>>> place to get into your LAN from external.
>>>
>>> How it works:
>>> Your DSL or Cable Modem or whatever you're using gets a public IP address, probably (99.9%)
>>> dynamically assigned. On the other side, when you dial up to earthlink, your laptop also gets a
>>> public IP. So the first step in getting your laptop into that LAN server has got to be making
>>> these two public IPs talk to each other. But as you're using a home network, chances that your
>>> public IP is static are very, very slim: so you don't know where to point your laptop to
>>> connect. You will want to follow Al Jarvi's suggestion and go with something like
>>> http://www.no-ip.com or I use http://www.changeip.com. These services will let you map a DNS
>>> name to your dynamically assigned Public (Cable or DSL) IP address. When you use these
>>> services, you no longer have to know the IP because they keep a record and you just have to
>>> refer to the URL. Mine is dana.blahblah.com (not really, but for example's sake...) Even if
>>> you do decide to open 3389, you'll still want the Dynamic IP DNS service so that you can find
>>> your network in the first place.
>>>
>>> Your network must run a client-side service to update the Dynamic IP DNS servers directly when
>>> your public IP address changes. There are several ways to do it. The modem sometimes does it,
>>> the router/firewall sometimes does it, or you can install a small client on the OS that will do
>>> it. The key is, whichever machine holds the public IP needs to be making the update (updating
>>> the public IP address information with an internal IP address isn't going to help you). I have
>>> mine setup so that my firewall makes the PPPoE connection to my ADSL ISP. My firewall can be
>>> configured to update ChangeIP.com. So when the PPPoE connection on the firewall gets a new
>>> public IP, ChangeIP knows about it. If I was using ICS or RRAS on my server, I would download
>>> and run the ChangeIP client on that server.
>>>
>>> So, when I want to connect to my internal server, here is how I do it. I set up a VPN
>>> connection on my firewall, using L2TP and IPSec with a pre-shared key. I configure my user
>>> there. I then create a VPN connection on my laptop. My VPN connection is configured to first
>>> open my dialup connection. It is then configured to connect to dana.blahblah.com AS A URL, and
>>> pass it the right username, password, and pre-shared key. It is also configured to use my LAN
>>> DNS servers for DNS resolution (so I can reference my internal servers by name). The firewall
>>> then authenticates and connects me, and gives me A LOCAL IP ADDRESS ON MY LAN.
>>>
>>> Once I've created the VPN 'tunnel' to my LAN, and gotten my LAN IP address, I can connect to
>>> resources just as if I'm sitting in my home office. Once you have an internal IP, you don't
>>> have to worry about ports anymore. Everything is dial-up slow now, but I can get there. I think
>>> this solution will better meet your needs for getting to files and faxes and what not anyway.
>>> Remote Desktop is not really going to be your best option for transferring files (as in it won't
>>> do it).
>>>
>>> This is not simple stuff. It would be impossible for me to give you all the information you
>>> need to get this up and running properly without you doing other reading. A Google search for
>>> "VPN overview" returns a bunch of great articles on the general nature of VPN. I would suggest
>>> looking up the VPN configuration information from your router/firewall vendor. If it doesn't
>>> perform this service, get a Linksys or a Vigor or a Netgear or a DLink or a Cisco or a Netscreen
>>> or a ...??? that does. Alternately, you can build up an RRAS box on Win2k/2003 that can allow
>>> VPN, or ISA server will also perform this function. Don't be tempted to use your server as the
>>> router, get a machine (an older one should do) and dedicate it to the task.
>>>
>>> HTH,
>>> =d=
>>>
>>> --
>>> Dana Brash
>>> MCSE, MCDBA, MCSA
>>>
>>> dbrash@gmail.com
>>>
>>> "mchjr01" <mchjr01@discussions.microsoft.com> wrote in message
>>> news:D84E2E22-E96C-451F-AF67-728EC73745B4@microsoft.com...
>>>> Dana,
>>>>
>>>> Thanks for your prompt reply.
>>>>
>>>> I have a home network with two laptops, a desktop and two printers. The
>>>> laptops are wireless and the desktop is wired to a router - sharing the DSL
>>>> connection as stand alone workstation to access the internet. The desktop is
>>>> being used as storage of huge files and as a fax server. So far, I configured
>>>> the ip forwarding (desktop ip) on my router through TCP3389 and made the
>>>> desktop ip static. On the laptops I made the IPs static as well.
>>>>
>>>> Our needs are to be able to remotely access the desktop to retrieve files
>>>> and faxes through the internet. From my laptop, I configured remote desktop
>>>> to connect to as: ipdesktop:3389. When I am connected to my LAN I can connect
>>>> with no problem, but when I try to connect via regular dial-up through my
>>>> ISP (earthlink.net), I am getting the error messages that either the desktop
>>>> is busy or I do not have the permissions to connect. Tell me, to connect - do
>>>> I use the routersip:3389 or the desktopip:3389?
>>>>
>>>> Again thanks for your time and you are a valuable resource of information -
>>>> keep up the good work.
>>>>
>>>> Mike
>>>>
>>>> "Dana Brash" wrote:
>>>>
>>>>> Hi Mike,
>>>>>
>>>>> A bit more information about your environment would be helpful. Are you in
>>>>> a domain or workgroup? What are you using for a firewall (brand/model)?
>>>>> How are you connected to the internet? Do you have a static public IP?
>>>>> etc...
>>>>>
>>>>> It does sound like you're getting blocked at the firewall, except for one
>>>>> thing. You said:
>>>>>
>>>>> >When I tried to connect via dial up outside of my LAN I am
>>>>> > getting an error message(...)
>>>>>
>>>>> What are you dialing in to? Do you mean that your laptop is making a Dialup
>>>>> connection to the internet, are you dialing in to your firewall/router, do
>>>>> you have RRAS configured internally to accept dial-in connections?
>>>>>
>>>>> If you are simply trying to get to the server via the public IP of the
>>>>> firewall, then you could open up port 3389 and have it point to your
>>>>> internal server, but this would open it up for everyone. Not a great idea.
>>>>> Depending on your firewall, you may be able to create a policy that would
>>>>> allow only your laptop through, particularly if you have a static IP to use.
>>>>> However, since you're a laptop, I assume you move around and stay in hotels
>>>>> and get on wireless at the airport and Starbucks and what not, and that
>>>>> you're pretty much not going to have a static IP for your laptop.
>>>>>
>>>>> If you are trying to dial in to an RRAS server, you need to make sure that
>>>>> your user account has dial-in permission enabled. Are you in a Domain? Do
>>>>> this in Active Directory Users and Computers on your user properties. It
>>>>> doesn't sound like you're actually dialing in to an RRAS server, so I won't
>>>>> pursue this idea at this point....
>>>>>
>>>>> So, I would suggest creating a VPN tunnel into your LAN from outside. Then
>>>>> your laptop will make a connection to the internet, and once connected to
>>>>> the internet can open a tunnel through your firewall. Your firewall can
>>>>> then authenticate you, encrypt your packets and let you in to the LAN 'just
>>>>> like' you're sitting on the LAN itself (albeit much, much slower). Many
>>>>> home products these days offer VPN capabilities, as do RRAS, and ISA server
>>>>> as well.
>>>>>
>>>>> HTH
>>>>> =d=
>>>>>
>>>>>
>>>>> --
>>>>> Dana Brash
>>>>> MCSE, MCDBA, MCSA
>>>>>
>>>>> dbrash@gmail.com
>>>>>
>>>>> "mchjr01" <mchjr01@discussions.microsoft.com> wrote in message
>>>>> news:C6FC5687-8050-4D70-B6A5-81F4F3FBD4D2@microsoft.com...
>>>>> > Sorry on bugging you on this remote desktop issue but I really need to
>>>>> > remotely access my desktop where I store my huge files and use it as a fax
>>>>> > server.
>>>>> >
>>>>> > This is what I have done so far:
>>>>> >
>>>>> > On the desktop that I would like to access remotely, I changed the IP to
>>>>> > static. On the router I enabled the virtual server and added the desktop
>>>>> > static IP to forward through TCP3389.
>>>>> >
>>>>> > When I initiated remote access from my laptop I type: desktop ip:3389. I
>>>>> > tried it while I am connected on the same LAN network where the desktop is -
>>>>> > I got through. When I tried to connect via dial up outside of my LAN I am
>>>>> > getting an error message of either the remote PC is busy or do not have
>>>>> > permissions to connect.
>>>>> >
>>>>> > My suspicion is I am being blocked by the router's firewall. Is there a way
>>>>> > I can make my laptop's IP static and add the same IP on my router as trusted?
>>>>> > Do I assign the static IP just like the way I did it on the desktop?
>>>>> >
>>>>> > I have SP2 update installed on my XP-Pro.
>>>>> >
>>>>> > Please advise and again many thanks to you.
>>>>> >
>>>>> >
>>>>> > Mike
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>
>
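Al's two sets of host-side steps above (move the listener off the default port, then reboot and fix the router forward; and set encryption to "High" with "always prompt for password") as an added PowerShell audit script. This is not from the thread or from Microsoft; it assumes the RDP-Tcp registry location described in KB 306759 and the value names MinEncryptionLevel and fPromptForPassword, which you should confirm on your own host before relying on it.

```powershell
# Added example, not from the thread: audit (and with -Apply, set) the three Remote Desktop
# host settings recommended above. Assumes the listener key from KB 306759 and the value
# names MinEncryptionLevel / fPromptForPassword; check them against your own host first.
param(
    [int]$Port = 3389,   # pass a non-default port to move the listener off TCP 3389
    [switch]$Apply       # without -Apply the script only reports
)

$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Target values. MinEncryptionLevel: 1 = Low, 2 = Client Compatible (default), 3 = High.
# fPromptForPassword = 1 forces a password prompt even if the client supplies one.
$desired = [ordered]@{
    PortNumber         = $Port
    MinEncryptionLevel = 3
    fPromptForPassword = 1
}

function Get-RdpSetting([string]$Name) {
    (Get-ItemProperty -Path $rdp -Name $Name -ErrorAction SilentlyContinue).$Name
}

$needsFix = @()
foreach ($name in $desired.Keys) {
    $current = Get-RdpSetting $name
    if ($current -eq $desired[$name]) {
        "OK   {0,-20} = {1}" -f $name, $current
    } else {
        "FIX  {0,-20} = {1} (want {2})" -f $name, $current, $desired[$name]
        $needsFix += $name
        if ($Apply) {
            Set-ItemProperty -Path $rdp -Name $name -Value $desired[$name] -Type DWord
        }
    }
}

if ($needsFix.Count -eq 0) {
    'Host already matches the recommended settings.'
} elseif (-not $Apply) {
    'Re-run with -Apply from an elevated prompt to write the values marked FIX.'
} else {
    # Step (a) from the post: the listener only picks up a new port after a reboot.
    'Values written. Reboot the host before testing.'
    if ($needsFix -contains 'PortNumber') {
        # Step (b): the router must forward the new port, and on XP SP2 the Windows
        # Firewall also needs an exception for the new port, not just for Remote Desktop.
        "Update the router port-forward rule to TCP {0} -> this host's static LAN IP." -f $Port
    }
}
```

Run it once without -Apply to see which of the three values differ from the recommendation, then with -Apply (and, if you change the port, with -Port) from an Administrator prompt on the XP Pro host.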