Remote desktop connection through firewall

Published Thu, Oct 7 2004 7:34 AM

It's possible to connect to your home PC with Remote Desktop, even through your company's firewall.
Because Remote Desktop listens on port 3389 by default, and that port is blocked by most company firewalls, you have to move it to a port the firewall lets through.

For example you can use port 443, because this port is always open on your company's firewall to allow HTTPS.

For your pc at home:

  1. Configure your PC to allow remote connections: in System Properties (Windows key + Break), tab Remote, check 'Allow users to connect remotely to this computer' (add users if needed).
  2. According to http://support.microsoft.com/default.aspx?scid=kb;en-us;306759
    change the registry value

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

    to 443 (click the Decimal radio button first).

  3. Configure your firewall to allow traffic through port 443.

  4. When you have IIS running, you have to change the port number of HTTPS, because IIS is already listening on port 443:
    C:\WINDOWS\system32\cscript.exe c:\inetpub\adminscripts\adsutil.vbs SET w3svc/1/SecureBindings ":444:"

For your PC at work:

According to http://support.microsoft.com/default.aspx?scid=kb;en-us;304304
you can just type the port after the IP address of your home PC, separated by a colon (address:443).

Alternatively, you can add the following line to the .rdp file (which you get by clicking Save As on the General tab of Remote Desktop Connection):
    server port:i:443

Extra tip: to have access to your client's hard disk from your remote desktop, check Disk Drives on the Local Resources tab of Remote Desktop Connection.

(The security risks are your own.)
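The reason port 443 is open is HTTPS, but what travels over it is a different question. HTTPS begins with a TLS ClientHello, whereas a Remote Desktop connection begins with a plaintext X.224 Connection Request inside a TPKT header (this first packet stays in clear even when RDP later switches to TLS), so a firewall or IDS that looks at the first bytes a client sends can tell the two apart. The script below is an added example for this page and not code from the original post; the packet bytes, the login name in the cookie and the 203.0.113.x addresses are constructed by hand, and the TPKT/X.224 layout and the "Cookie: mstshash=" field follow the published RDP connection sequence.

```python
"""Tell real HTTPS from Remote Desktop moved to TCP/443 by the first client bytes.

Added example for this page; all sample traffic below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPKT_VERSION = 0x03              # RFC 1006 TPKT header, version is always 3
X224_CONNECTION_REQUEST = 0xE0   # X.224 CR TPDU code
TLS_HANDSHAKE = 0x16             # TLS record type: Handshake
TLS_CLIENT_HELLO = 0x01          # Handshake message type: ClientHello


@dataclass
class Verdict:
    protocol: str   # "tls", "rdp" or "other"
    detail: str


def rdp_cookie_user(payload: bytes) -> Optional[str]:
    """Return the mstshash cookie (normally the login name) if the X.224 CR carries one."""
    marker = b"Cookie: mstshash="
    start = payload.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = payload.find(b"\r\n", start)
    return payload[start:end if end >= 0 else len(payload)].decode("ascii", "replace")


def classify_first_bytes(payload: bytes) -> Verdict:
    """Classify the first TCP segment a client sends after the handshake."""
    # TLS: record type 0x16, version 0x03 0x00..0x04, 2-byte record length,
    # then the handshake header whose first byte is the ClientHello type.
    if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == TLS_CLIENT_HELLO):
        record_len = int.from_bytes(payload[3:5], "big")
        return Verdict("tls", f"TLS ClientHello, record length {record_len}")
    # RDP: TPKT header (03 00 LL LL) wrapping an X.224 Connection Request.
    # Byte 4 is the X.224 length indicator (LI); byte 5 is the TPDU code.
    if (len(payload) >= 7 and payload[0] == TPKT_VERSION and payload[1] == 0x00
            and payload[5] == X224_CONNECTION_REQUEST):
        tpkt_len = int.from_bytes(payload[2:4], "big")
        # LI covers everything after itself, so it equals total - 4 (TPKT) - 1 (LI).
        if tpkt_len == len(payload) and payload[4] == tpkt_len - 5:
            user = rdp_cookie_user(payload)
            who = f", cookie user {user!r}" if user else ""
            return Verdict("rdp", f"X.224 Connection Request, {tpkt_len} bytes{who}")
    return Verdict("other", f"unrecognised first bytes {payload[:4].hex()}")


def rdp_on_https_port(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Flag flows to port 443 whose first client bytes are not a TLS ClientHello.

    Each flow is (destination address, destination port, first client payload).
    """
    alerts = []
    for dst, port, first in flows:
        if port != 443:
            continue
        verdict = classify_first_bytes(first)
        if verdict.protocol != "tls":
            alerts.append(f"{dst}:{port} {verdict.protocol}: {verdict.detail}")
    return alerts


def build_x224_cr(user: str) -> bytes:
    """Construct a minimal RDP connection request of the shape mstsc sends (constructed sample)."""
    cookie = f"Cookie: mstshash={user}\r\n".encode("ascii")
    neg_req = bytes([0x01, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00])  # rdpNegReq asking for TLS
    x224 = bytes([X224_CONNECTION_REQUEST, 0, 0, 0, 0, 0]) + cookie + neg_req
    li = len(x224)
    tpkt_len = 4 + 1 + li
    return bytes([TPKT_VERSION, 0x00]) + tpkt_len.to_bytes(2, "big") + bytes([li]) + x224


# Constructed samples: a stub TLS ClientHello record and a plaintext HTTP request.
SAMPLE_TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

SAMPLE_FLOWS = [
    ("203.0.113.10", 443, SAMPLE_TLS_HELLO),          # genuine HTTPS
    ("203.0.113.20", 443, build_x224_cr("home")),     # RDP moved to 443
    ("203.0.113.30", 443, SAMPLE_HTTP),               # plaintext HTTP on 443
    ("203.0.113.40", 3389, build_x224_cr("admin")),   # RDP on its normal port, outside this check
]

if __name__ == "__main__":
    for line in rdp_on_https_port(SAMPLE_FLOWS):
        print(line)
```

The check looks only at the first client segment, which is enough to separate the three cases here; a production rule would additionally require that the peer answers with a TLS ServerHello, since a client that speaks valid TLS to an RDP listener wrapped in stunnel or a similar tunnel would pass this first-byte test.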

Comments

# Pascal Naber said on Thursday, October 07, 2004 12:18 PM

Well.... what about VPN over 443.. Then when you are connected with the VPN server you can just access your LAN computers just like you normally would and no weird port changes for applications are necessary. You can even access your documents with a normal UNC path..

By the way.. I have seen LOTS of companies that won't allow 443 access. Most of them use a whitelist with endpoints that are marked as safe like banks. Most websites that use SSL for authentication won't work :(. Because this kind of traffic cannot be monitored/filtered, it is not allowed.

If the company's policy won't allow this then just accept it, be a professional. Then just use the company's phone line to dial in to your server :-)

A much better option would be to not alter any ports at all. Just get along with your firewall admin and convince him/them that you just want to access your server and are responsible enough not to do any weird things, that your virus scanners are up-to-date and your home security is above the company's level ;) and let them make a hole so you can only access YOUR server on its VPN port.

# Pascal Naber said on Thursday, October 07, 2004 12:26 PM

> what about VPN over 443
I didn't know this was possible. And now I know, I should not know how.
Please tell me in detail how to make this work.

> Then just use the companies phoneline to dail-in to your server
Eh, the customer where I'm located right now uses IP telephony? Won't work...

> Just get along with your firewall admin and convince him/them that you just want
> to access your server
whahahahahaha, please wait with the next joke. I'm falling off my chair.

# Pascal Naber said on Friday, October 08, 2004 11:54 AM

@Pascal: To be honest I did not test this. But I do not see any reason why it should not work.
First of all you must have a NAT client (private IP) or a direct internet connection (public IP). I assume the following:
a. The client is XP
b. The VPN server is Windows 200x with Routing and Remote Access enabled.

1. Use the built-in portproxy in XP to map a local port to the port listening for PPTP on the server. For example map localhost:1723 to your.server.com:443 . Start cmd and run netsh portproxy for help.

2. Configure the basic firewall within Routing and Remote Access. Open a port and direct traffic that comes in at your public server IP on port 443 to your private server IP on port 1723.

This way the client VPN application does not need any weird reconfiguration and virtually connects locally and the same for the server.

VoIP is shit if you want to dial out :).. if I really need to check mail I connect to my ISP through GPRS with a Bluetooth sync between my notebook and my mobile.


I was not joking :) of course there are assholes. But once in a while there are cool admins. As I said.. they will not (I hope!) allow access to the whole internet. Just your server on one port. Not a big deal. You're both adults and both professionals.


What of course would be the most *coolest* thing the admin could do is to allow protocol (I think) 14 traffic which is IPv6.. Not a single system I know of in a business LAN (where I have ever been) is configured for IPv6. So enabling this is not a security risk at all for computers in the network. And you can do almost anything you want if your server is also on the 6bone. So you could do an IPv6 tunnel over IPv4. Set up a VPN tunnel over your IPv6 tunnel. Do IPv4 over the VPN tunnel to access the whole internet behind your home NAT. But.. not at work times of course, you're a pro.... hahahaha


If I ever start my company I will create a white and a black network. The black network will contain some WiFi APs with a direct ADSL NAT internet connection without any restrictions. If the 8 Mbps is too low for A LOT of people that only require personal email checking and monitoring some apps at home, then the solution is probably abused for leeching.. and I won't give a shit :)

# Pascal Naber said on Tuesday, November 30, 2004 3:40 PM

Because no trackbacks are possible
http://blog.viergang.net/index.php?blog=10&title=access_through_port_443&more=1&c=1&tb=1&pb=1
