Remote Desktop Office to Home PC

Frank

I have a WinXP Pro at home and enabled for RD Web Connection (I have a
permanent DSL Connection and a DynamicDNS Account) - IT WORKS from
WAN-Side WHEN I USE A DIAL-UP CONNECTION FROM THE LAPTOP. But when I'm
in the office and try to RD connect, I get the message "Could not
connect to remote computer....". OF COURSE I AM AWARE THAT THIS IS A
PROBLEM WITH THE FIREWALL OF MY COMPANY! That's why I changed the
listening ports of Remote Desktop from 3389 to 8080 within the registry
and the tsweb-default.htm (This port is opened, I can connect from my
company to my home-router through this port!) Like I already mentioned
above: IT WORKS WHEN I USE A DIAL-UP CONNECTION FROM THE LAPTOP OR ANY
OTHER CONNECTION WITH NO FIREWALL BEHIND IT. Can somebody here tell me
if there are any other ports which need to be opened within my
company's firewall except for 8080 to get this working? Or what other
security setting within my company could prevent the RD-Connection from
being established??

Frank
 
Sooner Al [MVP]

You need to talk to the network administrators at your office/work for guidance. Most likely network
security policies will preclude you from doing this without permission of the network
administrators...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
Frank Hausmeister

That doesn't answer my question: What port-blocking or other security
setting could prevent the RD-Connection from being established? Is that a
secret or does just nobody know that?

Frank
 
Sooner Al [MVP]

Your office network administrators block the outbound ports... Contact them for further help...

--

Al Jarvi (MS-MVP Windows Networking)

 
Frank Hausmeister

Sooner Al said:
Your office network administrators block the outbound ports... Contact them
for further help...

o.k, then why can I connect to my home-router through the same port (8080).
Is there no need for outbound-ports to be used? thanks for your patience ;-)

Frank
 
Shenan Stanley

Frank said:
o.k, then why can I connect to my home-router through the same port
(8080). Is there no need for outbound-ports to be used? thanks for
your patience ;-)

You may have this, I am coming in late.. but--

Do you have the port forwarded through your home router?

Essentially - you just said you have a home router (assuming cable modem or
DSL) that you can connect to (it's called remote management) through a web
interface if you type :8080 at the end of the public IP.. Have you
configured the router in such a way (forwarding) so that when a request
comes in on port 3389, it forwards to your home system sitting patiently
behind the router?

In other words...

WORK PC sends a request to HOME ROUTER IP:3389 (3389 is the default Remote
Desktop port) by way of a Remote Desktop Client. The HOME ROUTER sees this
request coming in on port 3389 and looks at its list of FORWARDING rules,
where you have set up a rule that says "if there is a request on port 3389
from the Internet, you forward that request to internal IP xxx.xxx.xxx.xxx"
(where that is the IP of the HOME PC). The HOME ROUTER then forwards that
request as its rule says to and the HOME PC responds (if you have Windows XP
Professional and its internal firewall is off/configured correctly and you
have Remote Desktop set up properly with passworded users set up to have
access) and the link is established between WORK PC and HOME PC..

So, if you have made any changes to the listening port on your home
computer - change them back to default.
Log into your home router management console (you seem to know about that)
and configure the forwarding so that it consistently forwards PORT 3389
requests to the HOME PC. Also, unless you changed/turned off remote
management on your router, then changing the listening port to 8080 on your
home PC may be ineffective to the outside world - as the router is going to
answer - not forward that.

What else could it be? Well, your admins may not block http traffic to
8080 - but they can be more particular than that.. Might as well ask if
they do not route the traffic needed to do remote desktop connections.

--
=- Shenan -=<
=- MS MVP -=<
--
The information above is intended to assist you; however, it is
suggested you research for yourself before you take any advice - you
are the one ultimately responsible for your actions/problems/solutions.
Whenever possible, the advice will include the method/places used in
compiling the answer. Also, questions may have been asked to clarify
your situation OR to give you an idea of where to look - do not dismiss
them lightly.
 
Frank Hausmeister

Shenan Stanley said:
What else could it be? Well, your admins may not block http traffic to
8080 - but they can be more particular than that.. Might as well ask if
they do not route the traffic needed to do remote desktop connections.

IT MUST be something else, as it WORKS FROM ANY OTHER WAN-CONNECTION (i.e. a
dial-up connection) And the question is: What kind of traffic else than a
port-forwarding to 3389 (or 8080 in my case) is needed??

Frank
 
Shenan Stanley

Shenan Stanley wrote:
What else could it be? Well, your admins may not block http traffic
to 8080 - but they can be more particular than that.. Might as well
ask if they do not route the traffic needed to do remote desktop
connections.

Frank said:
IT MUST be something else, as it WORKS FROM ANY OTHER WAN-CONNECTION
(i.e. a dial-up connection) And the question is: What kind of traffic
else than a port-forwarding to 3389 (or 8080 in my case) is needed??

Do your IT people fire people for asking questions?

--
=- Shenan -=<
=- MS MVP -=<
 
Frank Hausmeister

Shenan Stanley said:
Do your IT people fire people for asking questions?

I'm working for a company with at least 100000 employees. I don't think
they will change any of their IT-processes just because of me. So I need to
know whether there is a way to get this working in spite of restrictive
IT-guidelines.

Frank
 
Shenan Stanley

Shenan said:
Do your IT people fire people for asking questions?

Frank said:
I'm working for a company with at least 100000 employees. I don't
think they will change any of their IT-processes just because of me.
So I need to know whether there is a way to get this working in spite
of restrictive IT-guidelines.

People ask me questions like that all the time. I answer them. E-Mail is
quick and efficient.

When you say "any other", do you mean "from the same ISP that I have the
broadband with"? Because it may be a restriction of that ISP instead of one
by your company - I bet the ISP has more than a few customers and would be
willing to answer your questions as well.

The point being - no one knows your setup better than you and no one knows
your work network configuration better than your work IT people and no one
knows your ISP's network configuration better than your ISP IT people.

*If* you have followed the instructions given about forwarding 3389 instead
of 8080 through your router (again - if you have remote management turned on
for your router, this 8080 forwarding could be conflicting external to your
network) and you have tested it with a WAN/Dial-Up connection that is
unrelated to your home ISP (not the same company) and that all works - yet
you still cannot do it from work, then your network administrators have
purposely blocked the Remote Desktop traffic. You are more than welcome to
try other products to see how thorough they were, I suppose - but you would
likely save yourself hours of time by simply emailing them with a question:

"I am attempting to control my desktop at home remotely and have found that
from anywhere other than work, this is possible. Is there some blocking you
have in place to prevent Windows XP Remote Desktop from functioning properly
to/from machines outside/inside our network here at work?"

You can try other applications (they may have their own special ports that
need to be configured..)

FREE:
- UltraVNC ( http://ultravnc.sourceforge.net/ )*
- MyWebEx PC ( http://www.mywebexpc.com/ )

*There are many "flavors" of VNC..

PAY:
- GoToMyPC ( https://www.gotomypc.com/ )
- Symantec pcAnywhere ( http://www.symantec.com/ )

--
=- Shenan -=<
=- MS MVP -=<
 
Frank Hausmeister

Shenan Stanley said:
"I am attempting to control my desktop at home remotely and have found
that from anywhere other than work, this is possible. Is there some
blocking you have in place to prevent Windows XP Remote Desktop from
functioning properly to/from machines outside/inside our network here at
work?"

HOW can I block "Remote Desktop Traffic"? What else would a firewall-admin
have to configure if it's not the port-blocking to prevent "remote desktop
traffic" from functioning? (port 8080 is obviously opened) Are there other
ports that RD needs to be opened?

Frank
 
Shenan Stanley

Frank said:
HOW can I block "Remote Desktop Traffic"? What else would a
firewall-admin have to configure if it's not the port-blocking to
prevent "remote desktop traffic" from functioning? (port 8080 is
obviously opened) Are there other ports that RD needs to be opened?

-- Is the dial-up/other WAN you tried using the SAME ISP as your broadband
access?
-- Is remote management turned on your router and set to default port?
-- Have you tried to forward port 6000 and above ports (excluding 8080) to
a different port (3389) to your home PC on your home network?
-- Have you tried just forwarding 3389 on your router to port 3389 on your
home PC?
-- Is your work network a public or private IP set (are you behind a NAT
at work as well?)

Normally an administrator would not block OUTGOING ports (3389, etc) without
good reason and most do not see Remote Desktop as a "good reason" yet.
Yes - they could listen for particular packets (RDP) and block that
traffic - but that is unlikely. Most of the time, network administrators
are concerned ONLY with INCOMING traffic - and the normal way of blocking
Remote Desktop is to block the port 3389.

Port 8080 may "obviously" be opened to outgoing/incoming traffic, but your
router - if configured for remote management (from an external subnet) may
not be properly forwarding the traffic as it may be trying to respond to the
port 8080 request with its remote management..

If you insist on changing the listening port (which would only be necessary
if you cannot properly configure your router to forward one port request to
a different port on the inside of the private network *if* you have multiple
machines behind the NAT device...) - change it to something above 6000 but
not something you know may be used by something else (like 8080 that would
be used for remote management of your router) and see if it works.

--
=- Shenan -=<
=- MS MVP -=<
 
Frank Hausmeister

...
If you insist on changing the listening port (which would only be
necessary if you cannot properly configure your router to forward one port
request to a different port on the inside of the private network *if* you
have multiple machines behind the NAT device...) - change it to something
above 6000 but not something you know may be used by something else (like
8080 that would be used for remote management of your router) and see if
it works.

--
Hi,

the remote management port of my router is of course changed to another port
(80). I was just testing with port 8080 to see if that works with my
company's firewall configuration.
As this configuration works from WAN-connections other than my company's,
it's more than likely that RDP-Traffic is blocked in a way by my company I
don't know. And it seems that it's very difficult to find out WHAT it is
that's blocked if it's NOT the port Web-RDP is working with.

Frank
 
Shenan Stanley

Shenan said:
-- Is the dial-up/other WAN you tried using the SAME ISP as your
broadband access?
-- Is remote management turned on your router and set to default
port?
-- Have you tried to forward port 6000 and above ports (excluding
8080) to a different port (3389) to your home PC on your home network?
-- Have you tried just forwarding 3389 on your router to port 3389
on your home PC?
-- Is your work network a public or private IP set (are you behind a
NAT at work as well?)


Frank said:
the remote management port of my router is of course changed to
another port (80). I was just testing with port 8080 to see if that
works with my company's firewall configuration.
As this configuration works from WAN-connections other than my
company's, it's more than likely that RDP-Traffic is blocked in a way
by my company I don't know. And it seems that it's very difficult to
find out WHAT it is that's blocked if it's NOT the port Web-RDP is
working with.

So.. In short, from the questions I asked:

Q1: -- Is the dial-up/other WAN you tried using the SAME ISP as your
broadband access?
A1: -- Yes.. Well assumed.. you keep saying "works from other
WAN-connections other than my company" but never actually state that the
"other WAN-connections are not the same company as the service provider for
my home."

Q2: -- Is remote management turned on your router and set to default port?
A2: -- Turned on, yes. Changed to Port 80.


Q3: -- Have you tried to forward port 6000 and above ports (excluding 8080)
to a different port (3389) to your home PC on your home network?
A3: -- Unanswered.


Q4: -- Have you tried just forwarding 3389 on your router to port 3389 on
your home PC?
A4: -- Unanswered, but assumed (most likely) you would not be doing all this
if it would have worked on port 3389.


Q5: -- Is your work network a public or private IP set (are you behind a NAT
at work as well?)
A5: -- Unanswered.


As I pointed out, it is entirely possible for a network administrator to
listen for the packets that comprised a remote desktop connection and "drop
them". This type of filtering would have nothing to do with the port, so
changing the port would have no effect on your capability to remote desktop
to your home. You would not be getting around this type of filtering
easily.

Again - as suggested at least 3 times in this conversation - unless it is
explicitly against policy to ask questions to your IT staff or it is against
policy to connect to your home machine (any external machine) while at work
(or maybe it's against policy to do anything other than work.. *shrug*) then
your best bet is to ask. One email - you have nothing to lose.

--
=- Shenan -=<
=- MS MVP -=<
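
Added example (not part of the original thread): a sketch, from the firewall side, of the port-independent filtering Shenan describes above. It recognises the first packet of a Remote Desktop connection by its TPKT/X.224 Connection Request framing rather than by destination port; the function names and sample flows are constructed for illustration.

```python
import struct
from typing import Optional

RDP_DEFAULT_PORT = 3389
TPKT_HEADER_LEN = 4      # version, reserved, 16-bit big-endian length (RFC 1006)
X224_CR_FIXED_LEN = 7    # LI, code, DST-REF(2), SRC-REF(2), class


def parse_rdp_connection_request(payload: bytes) -> Optional[dict]:
    """Return details if payload is an RDP X.224 Connection Request, else None."""
    if len(payload) < TPKT_HEADER_LEN + X224_CR_FIXED_LEN:
        return None
    version, reserved, tpkt_len = struct.unpack(">BBH", payload[:4])
    if version != 3 or reserved != 0:
        return None
    if not (TPKT_HEADER_LEN + X224_CR_FIXED_LEN <= tpkt_len <= len(payload)):
        return None
    length_indicator, code = payload[4], payload[5]
    # LI counts every X.224 byte after itself; 0xE0 is the Connection Request code.
    if length_indicator != tpkt_len - TPKT_HEADER_LEN - 1 or code & 0xF0 != 0xE0:
        return None
    rest = payload[TPKT_HEADER_LEN + X224_CR_FIXED_LEN:tpkt_len]
    result = {"cookie": None, "requested_protocols": None}
    if rest.startswith(b"Cookie: "):
        end = rest.find(b"\r\n")
        if end == -1:
            return None
        result["cookie"] = rest[:end].decode("ascii", "replace")
        rest = rest[end + 2:]
    # Optional negotiation request: type 0x01, flags, length 8, protocol bitmask.
    if len(rest) >= 8 and rest[0] == 0x01:
        _type, _flags, neg_len, protocols = struct.unpack("<BBHI", rest[:8])
        if neg_len == 8:
            result["requested_protocols"] = protocols
    return result


def verdict_by_port(dst_port: int) -> str:
    """Classic rule: only the default port is considered Remote Desktop."""
    return "block" if dst_port == RDP_DEFAULT_PORT else "allow"


def verdict_by_content(first_payload: bytes) -> str:
    """Inspection rule: the decision ignores the port entirely."""
    is_rdp = parse_rdp_connection_request(first_payload) is not None
    return "block" if is_rdp else "allow"


def build_sample_request(user: str) -> bytes:
    """Constructed sample: Connection Request with a cookie and a TLS request."""
    variable = b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n"
    variable += struct.pack("<BBHI", 0x01, 0x00, 8, 0x00000001)
    li = X224_CR_FIXED_LEN - 1 + len(variable)
    x224 = bytes([li, 0xE0]) + b"\x00" * 5 + variable
    return struct.pack(">BBH", 3, 0, TPKT_HEADER_LEN + len(x224)) + x224


# Constructed flows: (destination port, first client payload).
SAMPLE_FLOWS = [
    (8080, build_sample_request("homeuser")),                  # RDP moved to 8080
    (8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # ordinary web traffic
    (3389, build_sample_request("homeuser")),                  # RDP on its default port
]


def compare(flows):
    return [(p, verdict_by_port(p), verdict_by_content(d)) for p, d in flows]


if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

A port rule lets the first flow through because it only sees 8080; the content rule blocks it and still allows the HTTP request on the same port.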
 
Frank Hausmeister

Shenan said:
So.. In short, from the questions I asked:

Q1: -- Is the dial-up/other WAN you tried using the SAME ISP as your
broadband access?
A1: -- Yes.. Well assumed.. you keep saying "works from other
WAN-connections other than my company" but never actually state that the
"other WAN-connections are not the same company as the service provider
for my home."

I tried that with three different providers and it always worked.

Q3: -- Have you tried to forward port 6000 and above ports (excluding
8080) to a different port (3389) to your home PC on your home network?

No, didn't try that. But I wouldn't know how to configure that on my home
router anyway (are you talking of "port triggering"?).

Q4: -- Have you tried just forwarding 3389 on your router to port 3389 on
your home PC?

yes.

Q5: -- Is your work network a public or private IP set (are you behind a
NAT at work as well?)

Of course I am behind a NAT at work.

Frank
 
