Tech Line

Remote Desktop Dilemma

Need to accept Remote Desktop connections under a different port? Here's how to do it.

Chris: I need to allow remote access to the front desk computer for our accountant. Right now he has to make a remote connection to our server, and from there he can remote into the front desk computer. I want to set it up so he doesn't have to remote to the server and can just go directly to the front desk.

We have 1 external IP address and DHCP running the internal addresses on a 192.168.1.0 scheme. Internally we are protected from the outside by one nasty little Cisco router. The problem is that the server answers on RDP, which I want. But, I'd also like to switch a port number around so that when that specific port number is sent to our external address, the router knows to pass it on to the front desk computer as a remote desktop connection. Can I have the front desk box respond to a different port number for RDP? If so, how do I specify it on the other side (the remote location, accountant's office)? I know how to let the port number by the router but don't know how to make the front desk respond to it.

Need help, brain overloading...
— Matt

Matt, nothing is worse than a brain overload. From my experience, this is often the first symptom of an administrator that's about to become a Solitaire zombie. Hopefully, my response hasn't come too late!

Since you've already stated that you have no problem setting up the port translation on your router, I'll focus on the Windows end. As you've already mentioned, the easiest way to map separate Remote Desktop connections to different systems on your internal LAN is to have Remote Desktop listen on a different port number on one of the internal systems. By default, port 3389 is used.

To change the Remote Desktop or Terminal Services listening port, you'll need to edit the following Registry value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

This registry value is the same for Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003 (see Microsoft Knowledge Base articles 187623 or 306759 for more information).

To access the value, run regedit and navigate to the PortNumber REG_DWORD value. Double-click on the value to change it. For hexadecimal fans out there, you'll probably appreciate that by default the value is displayed in hex. For the rest of us, just click the Decimal radio button and you'll see the value displayed in decimal. Note that the default port 3389 is listed. This can be changed to any available port. To steer clear of port conflicts, use a value between 49152 and 65535. These are the dynamic or private ports defined by IANA. In my testing, I changed the value to 49555.

Once you have changed the value, it is safest to reboot the system so that it will listen on the new port once Terminal Services restarts on the reboot. On my test system, Terminal Services was giving me the finger when I tried to restart the service, so I decided that a reboot would work just fine.

With the new port configured, you can test it by opening a Remote Desktop connection from another system on the LAN. In the Computer field of the Remote Desktop Connection window, type the name or IP address of the computer to connect to, followed by a colon and the new port number. For example, my test server's IP address is 192.168.0.10. To connect to it on port 49555, I entered 192.168.1.10:49555 in the Computer field.

The external accountant would need to specify the external IP address of your company, followed by the port (for example: 64.239.183.76:49555). Once you set this up in his Remote Desktop Connection window, have him click the Save As button and just save the connection settings to his desktop. This will give him a shortcut to click any time he needs to access the front desk computer.

On your firewall, you'll need to set up a one-to-one mapping that redirects connections on port 49555 to your internal front desk computer. At this point, your firewall would map port 3389 to one host and port 49555 to another host. This should give you the flexibility you need. Also, by just giving the accountant a desktop shortcut, you won't have to watch his eyes glass over as you try and explain TCP ports to him.
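The registry change described above, scripted in PowerShell as an added example (not part of the original column). It assumes an elevated session on Windows 8 / Server 2012 or later, where the `Get-NetTCPConnection` and `New-NetFirewallRule` cmdlets exist, and uses a constructed placeholder address (203.0.113.10) for the accountant's office.

```powershell
# Added example: move the RDP listener to a new port and open the host firewall for it.
# Assumptions: elevated PowerShell, Windows 8 / Server 2012 or later.
param(
    [int]$NewPort = 49555,                           # port used in the column's test
    [string]$AllowedRemoteAddress = '203.0.113.10'   # constructed placeholder for the remote office
)

$key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Stay inside the IANA dynamic/private range recommended in the column.
if ($NewPort -lt 49152 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside 49152-65535."
}

# Refuse a port that already has a listener on this machine.
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) {
    throw "Port $NewPort is already in use by PID $(@($inUse)[0].OwningProcess)."
}

# Record the current value so the change can be reverted.
$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort"

# PortNumber is a REG_DWORD; write it as one explicitly.
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# The built-in Remote Desktop firewall rules only cover 3389, so add a rule
# for the new port, limited to the local subnet and the one known remote source.
New-NetFirewallRule -DisplayName "RDP on TCP $NewPort" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress @('LocalSubnet', $AllowedRemoteAddress) `
    -Action Allow | Out-Null

Write-Host "PortNumber changed from $oldPort to $NewPort. Reboot for the listener to move."
```

After the reboot, running `Test-NetConnection <host> -Port 49555` from another LAN machine confirms the listener moved before you touch the router mapping.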

[Chris Wolf has just released Virtualization: From the Desktop to the Enterprise (Apress) and also welcomes your virtualization questions for this column. —Editors]

About the Author

Chris Wolf is a Microsoft MVP for Windows - Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).
