Need advice with Remote Desktop Connection

Jim

I would greatly appreciate some advice on why I cannot achieve a Remote
Desktop Connection from a remote location yet it works just fine between
computers on my LAN.



Here is my setup, 3 XP Pro computers plus a Windows Home Server (WHS)
running on a LAN with a Linksys BEFSR41 router.



Let’s assume the internal address of one of my computers is 192.168.1.123.
For this computer, I have the “Remote Desktop” box checked in both Windows
Firewall Exceptions and Advanced sections (TCP port 3389). I’m also port
forwarding 3389 for address 192.168.1.123 in the Linksys router. Shouldn’t
things now work from a remote location, what am I missing?



I should also point out that I have no problems accessing my WHS server from
a remote location. When I make a connection to this server I can view all my
LAN computers.



Thanks in advance
 
Lanwench [MVP - Exchange]

Jim said:
> I would greatly appreciate some advice on why I cannot achieve a
> Remote Desktop Connection from a remote location yet it works just
> fine between computers on my LAN.
>
> Here is my setup, 3 XP Pro computers plus a Windows Home Server (WHS)
> running on a LAN with a Linksys BEFSR41 router.
>
> Let’s assume the internal address of one of my computers is
> 192.168.1.123. For this computer, I have the “Remote Desktop” box
> checked in both Windows Firewall Exceptions and Advanced sections
> (TCP port 3389). I’m also port forwarding 3389 for address
> 192.168.1.123 in the Linksys router. Shouldn’t things now work from a
> remote location, what am I missing?
>
> I should also point out that I have no problems accessing my WHS
> server from a remote location. When I make a connection to this
> server I can view all my LAN computers.
>
> Thanks in advance

In the Windows Firewall, is RDP allowed from any subnet (*)?
Does your ISP block ports?
Are you sure you're using the correct public IP? (I suggest using something
like www.dyndns.com or www.no-ip.com if you have a dynamic public IP).
 
Jack [MVP-Networking]

Hi
In principle you did the correct configuration.
Make sure that port 3389 is Only Used (opened) by 192.168.1.123.
A specific port can be used only by One computer, if you need more computers
available to Outside Remote you need to change the ports so that each one
has a unique port.
Here is the how-to: http://support.microsoft.com/kb/306759
Software Firewalls on computers block ports too, make sure that the ports
are forwarded correctly through the Software Firewalls as well.
Jack (MS, MVP-Networking)
 
Jim

Thanks to all who replied.



Let me first review - No problem doing a Remote Desktop Computer (RDC) from
within my LAN using either the computer's internal IP address or its name.
However, doing this same thing on an external XP Pro computer does not seem
to work. I'm also not sure I understand how the external RDC computer
understands an address such as 192.168.1.xxx.



The problem seems to be that my remote port 3389 is being blocked externally
but how/why, is it because of the Windows firewall, my router, or by my ISP?
How can I test this?



I also understand that I can only use port 3389 on one of my LAN computers
and that I will have to edit my XP registry to change port 3389 to something
else for the other computers - is this correct? If so, must I then make the
appropriate changes in their Windows firewall as well as my router? What
about HTTP port 80, must it be on?



I would certainly appreciate any follow-up advice, keeping in mind I'm not
an expert in this area.



Jim
 
Malke

Jim wrote:

> Let me first review - No problem doing a Remote Desktop Computer (RDC)
> from within my LAN using either the computer's internal IP address or its
> name. However, doing this same thing on an external XP Pro computer does
> not seem to work. I'm also not sure I understand how the external RDC
> computer understands an address such as 192.168.1.xxx.

It doesn't. That's why you forward ports. Traffic comes in from the outside
over specific ports for the remote connection. That connection can only be
made to a public IP address. The router (which gets its public IP address
on the WAN side from the ISP) turns around and forwards any traffic over
those specific ports to the private IP address of a designated computer.
This is why it is easiest to do this when you have a static public IP
address. You have to pay your ISP extra for this or have a business account
with them that comes with a number of static IP addresses. The alternative
for people who have dynamic IP addresses is to use a service like the one
from DynDNS.com.

> The problem seems to be that my remote port 3389 is being blocked externally
> but how/why, is it because of the Windows firewall, my router, or by my
> ISP? How can I test this?

The port is configured on the router, not the computer.

> I also understand that I can only use port 3389 on one of my LAN computers
> and that I will have to edit my XP registry to change port 3389 to
> something else for the other computers - is this correct? If so, must I
> then make the appropriate changes in their Windows firewall as well as my
> router? What about HTTP port 80, must it be on?

No, this is not correct. You don't have to do anything in the registry. You
do port forwarding on the *router*. You set a static private IP address on
the computer that is the target for remote control. You set the IP address
on a computer by going to Control Panel>Network Connections and then
right-click on the Local Area Connection for the network adapter involved
(probably your ethernet card). Left-click on Properties. Double-click the
entry for TCP/IP and change the IP address from "obtain automatically" to a
specific address on the LAN outside of the router's DHCP range.

Example: If the router assigns IP addresses from 192.168.1.100 to
192.168.1.150, use a static IP address for that computer of something like
192.168.1.170.

Of course you also have to set the target computer's firewall to allow
remote desktop connections and/or the software that you're using to do this
(if not using the native XP software and are using something like
pcAnywhere or one of the VNC flavors).

Malke
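
For Jim's question of how to test where port 3389 is being blocked, an added example (not part of any post in this thread): a small Python probe that separates a timeout from a reset and checks that whatever answers actually speaks RDP. The address 203.0.113.10 is a placeholder for the public IP, and `probe_rdp` and `MEANING` are names chosen here.

```python
import socket
import sys

# TPKT header + X.224 Connection Request + RDP negotiation request
# (standard RDP security, no routing cookie): 19 bytes in total.
X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013" "0ee00000000000" "0100080000000000")

MEANING = {
    "rdp": "an RDP listener answered; the path from here to it is open",
    "open-no-rdp": "port is open but the service is not RDP; "
                   "check which LAN address the forward points at",
    "refused": "a device sent a reset, so the path works but nothing "
               "accepts connections on this port",
    "timeout": "packets were dropped: wrong public IP, no router forward, "
               "ISP filtering, or a host firewall scope limit",
    "unreachable": "no route to the address, or the name did not resolve",
}

def probe_rdp(host, port=3389, timeout=5.0):
    """Classify one TCP connection attempt to an RDP port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(X224_CONNECTION_REQUEST)
            reply = sock.recv(64)
        except OSError:
            return "open-no-rdp"
    # TPKT version 3, then an X.224 Connection Confirm (type 0xD0).
    if len(reply) >= 6 and reply[0] == 3 and reply[5] & 0xF0 == 0xD0:
        return "rdp"
    return "open-no-rdp"

if __name__ == "__main__":
    # Constructed defaults: the LAN address from the thread and a
    # documentation-range placeholder standing in for the public IP.
    targets = sys.argv[1:] or ["192.168.1.170", "203.0.113.10"]
    for target in targets:
        result = probe_rdp(target)
        print(f"{target}:3389 -> {result}: {MEANING[result]}")
```

Run it first from another LAN machine against the private address, then from an outside connection against the public one; the point where the result changes shows which hop is dropping the traffic.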
 
jim

Malke,

Thanks for your detailed response, I just hope I understand.
I've now set the static private IP address on my "target" computer to
192.168.1.170 which is outside of the router's assignments of 192.168.1.100
to 150.
In my router, I've forwarded port 3389 to 192.168.1.170.
My ISP is Comcast and my public IP address is usually fixed.

If I follow you correctly, when I bring up "Remote Desktop Connection" on my
son's XP Pro computer, I enter my public static address? Expect to try this
later today.

Jim
 
Jack [MVP-Networking]

Hi
There are two parallel processes here.
If you need to change the port of the RDT on a computer you follow the
Microsoft page that I pointed to (it is nothing to do with the Router, and
it does entail a change in the registry).
Once the port scheme is established, you have to open the correct ports
toward the corresponding computers through the Router.
This page (past the middle) describes how to do it with another type of
Remote Control program. The same principle applies to RDT.
http://www.ezlan.net/vnc.html
Jack (MS, MVP-Networking).
 
Malke

jim said:
> Malke,
>
> Thanks for your detailed response, I just hope I understand.
> I've now set the static private IP address on my "target" computer to
> 192.168.1.170 which is outside of the router's assignments of 192.168.1.100
> to 150.

Did you check this on the router? I was just giving you examples.

> In my router, I've forwarded port 3389 to 192.168.1.170.
> My ISP is Comcast and my public IP address is usually fixed.

That's fine although Comcast does give you a dynamic IP address. It tends
not to change much but it can so you might want to look at DynDns.com's
services.

> If I follow you correctly, when I bring up "Remote Desktop Connection" on
> my son's XP Pro computer, I enter my public static address? Expect to try
> this later today.

Yes. When you are at your son's house you aren't on your own LAN. You need
to connect to the public IP address (which you would have gotten before
leaving home and written down).

Don't forget that the firewalls on both machines must have exceptions set to
allow this traffic. If you have a more elaborate router it might come with
its own firewall too, so make sure you check in its configuration before
you leave home.

BTW, there are easier ways such as using LogMeIn instead. I use TeamViewer
to support family and friends but the free version needs both parties to be
involved. The professional version is very expensive. I don't think LogMeIn
requires this but I don't know if you have to pay for it. With services
like LogMeIn you are actually connecting through *their* server so you
don't need to mess about with port forwarding, static IPs, knowing your
public IP and whether it has changed, etc. If you're going to want to do
this a lot, it might be easier.

https://secure.logmein.com/solutions/homeuser/personal/

Malke
 
Jim

Hi Malke,

Won't get to my son's till tomorrow to try this, will let you know the
results.

I did have my internal IP address set to 192.168.1.060 on the target PC but
changed it to 192.168.1.170 per your example. Then changed the port
forwarding for ...170 in my Linksys router.

Yes I did look at LogMeIn some time ago, maybe I'll consider it again if
this doesn't work.

Must double check both firewalls.

Thanks again

Jim
 
Jim

Malke,

Unfortunately I was not able to do a Remote Desktop Connection from my son's
PC, the connection just timed out. No luck even if I disabled my son's
Windows firewall. I really don't understand this, any other suggestions!!

However, I have no problems connecting to my Windows Home Server. WHS gives
me full remote access to all my LAN computers, just like RDC. The main
reason I wanted Remote Desktop to work is because there is an iPhone
application which is supposed to "simulate" Windows Remote Desktop. This
would then be a way to access my home computer via my iPhone.

Jim
 
Lanwench [MVP - Exchange]

Jim said:
> Hi Malke,
>
> Won't get to my son's till tomorrow to try this, will let you know the
> results.
>
> I did have my internal IP address set to 192.168.1.060 on the target
> PC but changed it to 192.168.1.170 per your example. Then changed the
> port forwarding for ...170 in my Linksys router.
>
> Yes I did look at LogMeIn some time ago, maybe I'll consider it again
> if this doesn't work.
>
> Must double check both firewalls.
>
> Thanks again
>
> Jim

NB: LogMeIn Free works very well, and is, as one might surmise, free.
 
