setting up RD without a VPN connection ?

  • Thread starter Thread starter Daniel Rascoe
  • Start date Start date
What error or problem are you having? Be specific as possible. Is this over a LAN? Is this over the
public internet? Is Remote Desktop enabled on the XP Pro box? How are you calling from the W2K box
to the XP Pro box, ie. using the IP of the XP box or a host name?

If the XP Pro box is behind a firewall/NAT/router you need to open TCP Port 3389. Call using the
public IP of the firewall/NAT/router. Also, is the SP2 Windows Firewall enabled? If so, you need to
get into the "Exceptions" window and configure Remote Desktop by checking the checkbox.

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
Keep talking to Al, but I just want to reiterate that the VPN is not
necessary for RD to work, nor is the VPN needed so that the information
being transmitted is encrypted.

A VPN connection does make the connection more secure--less susceptable to
certain types of attacks--"man in the middle" attacks.

You can definitely work without it and many of us do, regularly.
 
The client cannot connect to the host. This is over the public internet. The
client is in New Jersey. The host is in Rio de Janeiro, Brazil. The
connection in Brazil is very slow, sometimes as slow as 20 kbps with high
ping times. The client is running Win2K SP4. The host is running WinXP Pro
SP2. Remote Desktop is enabled in the remote tab of the system control
panel. The client is using the remote desktop client software and is typing
in the IP of the host to try to connect. Offhand I don't remember the exact
text of the error message but it was generic sounding, "unable to estable a
connection". The host has the windows firewall turned off. The host is
directly connected to the internet and is not using a router. What other
details would be helpful in diagnosing the problem?

Thanks for the reply.

Daniel
 
Can the client ping the host machine?

Running with no firewall at all is risky.

Are you certain that there are no other software firewalls involved? Have
you checked that the IP address as seen by the host is the same IP address
as seen by going to :

http://whatismyip.com/

from the host--I'm trying to be sure that the ISP isn't running a
transparent proxy.
 
The client can NOT ping the host. I turned the firewall off to make sure it
wasn't the problem. If I can connect with the firewall off, then I'll try to
turn it on and still keep the RD connection. I am not certain that there are
no other software firewalls involved. But I am certain that the host
computer only has the WinXP SP2 firewall and that it is turned off. I got
the following info from www.pcpitstop.com
Bandwidth down: 100 Kbits/sec
Bandwidth up: 346 Kbits/sec
Average Ping: 153 ms
Ping Loss: 0%
TCP Receive Window: (default)
External IP Address: 200.xxx.xx.xx
Internal IP Address: 10.xx.xx.xxx
Browser: MSIE 6.0; SV1
IE current cache: 54 MB
IE max cache: 80 MB

I put Xs in for some of the numbers above for security reasons.
http://www.whatismyip.com/ gives me that same IP address as the above
external IP address.
I'm pretty knowledgeable with PCs but not with networking. Thank you for
your help.

Daniel

--------------------------------------------
 
A friend of mine said
"Reserved IP addresses for private networks
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Yes. That is non-routable.
Therefore you cannot be a server.
unless they forward all 3389 ports to you."

Daniel
----------------------------------------------
 
Yep your friend is correct. It appears the PC your trying to connect to is behind a
firewall/NAT/router somewhere...

How is the PC your trying to connect to in Brazil accessing the public internet? Ie. a broadband
cable/DSL link or a dialup link or what?

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
This listing shows both an external and an internal IP address.

This implies that there are two network interfaces in this machine, with
software doing nat/routing between them. This may not be Microsoft's
Internet Connection Sharing, because that, in XP, uses 192.168.1.x for the
internal interface and isn't really modifiable.

You need to find out what software is doing the routing between the
interfaces, and how you open port 3389, TCP on the external interface in
that software.

If I'm mistaken, and this is ICS/ICF, then you would open the port by going
to the advanced tab in properties of TCP/IP on the external interface, and
clicking on the settings button.
 
The PC in Brazil (the host) is connected via radio internet connection. On
that computer in the Authentication tab of the local area connection
properties, "Enable IEEE 802.1x authentication for this network" is checked.
The EAP type is "Smart Card or other Certificate". Also, "Authenticate as
computer when computer information is available" is checked. I ready to toss
in the towel.

Another friend suggested Timbuktu Pro. Would that work in this situation?

Daniel
-------------------------------------------------------------------------------
 
According to their support FAQ Timbuktu Pro needs port forwarding so your going to fall into the
same situation. Actually even worse because of the large number of ports required...

http://www.netopia.com/en-us/support/technotes/software/tb22000/TP2000_005.html

Remote Desktop only needs TCP Port 3389.

Is there anyway the local folks in Brazil can contact their ISP to see if TCP Port 3389 can be
opened for Remote Desktop?

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
Can the remote client connect to any Terminal Server on the Public Internet?
This would be the first thing I would verify. If you do a search on Google
for Remote Desktop Web Connection, many public connections are listed (while
admins should probably block robots/spiders from picking these up) which
could be used to test your connectivity. I'm not recommending trying to
logon to any of them, but if you can get to their GINA Logon then you're
connected over port 3389 and know that the remote computer is working
properly.

Another thing you will have a problem with is a highly latent connection,
regardless of the measured thruput. 20Kbps is barely enough bandwidth to
work over a 800x600 desktop at 256 colors with mediocre performance when
latency is not a problem, but when you add a high latency to the connection
the performance may reach abismal.

The lowest speed connection I've found to be sufficient for a working RDP
session @ 800x600 & 256 color depth is 26.4Kbps.

As far as VPNs go, I not only do NOT recommend them for securing RDP
connection, but believe that unless they are managed IPSec/L2TP VPNs that
they are a security risk as you're allowing any garbage or services on the
remote computer to directly interact with a corporate network. PPTP VPNs add
zero extra security to an RDP Session, as the tunnel is setup with the
credentials provided by the end-user, not by PKI based certificates.

Secondary authentication (i.e. Safeword or SecureID) is a better way to
increase the already solid security of Windows Terminal Server, whether using
RDP or ICA protocol.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
 
First I want to thank everyone for their replies. I've learned a lot.
Second, here is my understanding (Please correct any errors). The client has
been able to control 2 other computers using Timbuktu Pro. These 2 computers
didn't have WinXP Pro so I couldn't try RD. The key seems to be whether the
IP address is public or private. I check this by comparing the IP address
returned in ipconfig with the IP address returned by www.whatismyip.com . If
the IPs are the same then the address is public. If the IP addresses are
different, then the address if private. If the IP address is public then
there is no problem connecting remotely. If the IP address is private then
connecting remotely won't work unless port 3389 is forwarded. In order to
forward port 3389, I'll have to contact the ISP and see if 1) they are
willing to forward port 3389 and 2) will they actually forward port 3389. If
I make any progress forwarding the port, I'll post my experience to the
newsgroup.

The connection in Rio de Janeiro is highly variable. Usually early in the
morning, 7:30 am, the connection is at it's best (102 kbps d/l, 326 kbps
u/l, average ping time 200 ms). Throughout the day, the connection gradually
slows down so that the d/l speed slows to 20kbps. This remote connection is
not a connection that would be used often, only for troubleshooting,
security updates, etc. So I just want to get it working first and worry
about the speed later.

Once again, thanks to all responders.

Daniel
 
1. Port forwarding is done by you, not your ISP, although I have seen ISPs
that block TCP Port 3389 on their routers, in which case you'd have to
configure Terminal Server to listen on a different port. If the remote
computer can not telnet to port 3389 of the destination computer then Remote
Desktop will not work with the default configuration.

Screenshot of port forwarding with a Linksys router:
http://workthin.com/images/LinksysPortForwarding.JPG

2. The only time you can directly address a Private IP Address is if it's
on your network, i.e. not separated by the Public Internet. For a person to
allow traffic to their computer from the public internet (when they're behind
a NAT firewall) they forward trafic addressed to the firewall's WAN port to
their specific private IP Address for the type of traffic they desire, i.e.
TPC/UDP Port number. The remote user addresses the Firewall's WAN IP
Address, NOT the private IP Address of the destination computer.

3. A class or book on Cisco Routing Fundamentals or Networking Fundamentals
would make the IP Addressing a lot clearer.

Free online tutorial:
http://www.ind.alcatel.com/fundamentals/index2.html?pass=true

Book:
http://www.ciscopress.com/title/1587050676


Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
 
Patrick,

If you read back in the thread the gentleman seems to being trying to reach a PC (in Brazil) that is
connected to a wireless ISP of some sort. The PC is getting an address in the private range. They
claim there is no firewall/NAT/router involved at the host site... That is why I suggested, in one
of my replies, that the folks in Brazil get hold of the ISP to sort this out as far as opening TCP
Port 3389...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
If this is true then the remote desktop client will need to know the correct
router address to connect-to with mstsc, which would be available via
traceroute from the wireless client to any internet host on the second hop,
i.e. Localhost-> Default Gateway -> ISP Router WAN Port.

This is probably not going to happen, as I doubt the ISP will do a one to
one NAT for them so they can forward 3389 to a specific private address.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
 
You must log in or register to reply here.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

After RD connection, there are no icons 2
RD over VPN 4
Set up Remote Desktop, not working 5
Combining the best of RA and RD 3
VPN Endpoint tunnel connected but can't connect to RD 3
Remote Desktop Set up: Problems? 1
RDC and VPN 7
Can't Mak RD connection from ONE computer 1

Back
Top