Configuring Remote Desktop
Written by: Peder Sverdrup June 2013. Updated September 2014.Contents
- 1. Introduction
- 2. A typical Remote Desktop situation
- 3. The remote machine (the server)
- 4. The remote router
- 5. The local machine (the client)
- 6. References
- Fig. 1 Remote Desktopping into a machine on a different network
- Fig. 2 RD Server with Network Level Authentication
- Fig. 3 Peter RD'ing into Paul RD'ing into Mary
Remote Desktop (RD) is a technology that allows a local workstation (the client) to log into and control a remote machine (the server). The user interface is graphical: the screen view of the remote machine is displayed, and continuously updated, on the local machine. One controls the remote machine with the local mouse and keyboard.
Remote Desktop is an alternative to Telnet, and a more recent technology. The main differences:
- Interface: Telnet is text-based, RD has a graphical interface
- Security: Telnet has no encryption, RD uses encryption (for password and also for content)
We will configure Remote Desktop on a client and a server, both running XP Pro.
Fig. 1 Remote Desktopping into a machine on a different network.
In Fig. 1, the employee working from home can use either his workstation (WorkstationL1) or laptop (LaptopL1) to remote into the office workstation (WorkstationR1), by entering the following string into the Remote Desktop client:
If he wants to remote into the ServerR1 he should enter:
- Decide on which port the server should listen
By default, the server listens on TCP port 3389 for incoming requests. Reasons to change the port:
- If two or more machines on the same LAN (behind the same router) should be available, each server needs to listen to its own unique portnumber. If this is not satisfied, port forwarding through the router will not work for all servers.
To change the port number, change the value of the registry key
- If you change the port number, you need to restart the machine
- The service TermService (Terminal Services) needs to run.
- The service TermService (Terminal Services) should have Startup type Automatic.
If not, one will not be able to reconnect on a server restart. "Automatic" makes the service start before Windows log-in, which is neccessary, because this service allows Remote Desktop users to log in.
- Set up Windows to accept remote desktop requests
This is configured under the Systems Properties control panel applet, the Remote tab: "Allow users to connect remotely to this computer" should be selected.
Fig. 2 Remote desktop server in Windows 10. In Windows XP there was originally no Network Level Authentication option. This is a security feature that protects against denial-of-service attacks (too many fake connection attempts make the server unavailable to legitimate clients).
- Open up Windows firewall on the appropriate TCP port
Now the firewall will not block incoming Remote Desktop requests
- Open up other firewalls on the appropriate port
Maybe the antivirus program has a firewall. There may also be other firewalls.
- The Windows account must have a password
A Windows account with no password is not allowed to log in over RD. An exception is for the Guest accont, which does not support password.
- Configure the Windows account: Security Policies and password
In order to log into the server, one authenticates with username/password of a local Windows account.
To give an account permission to log in remotely, the account must have the Local Security Setting "Allow logon through Terminal Services". To check this setting, open the Local Security Settings window (secpol.msc), and navigate to Security Settings - Local Policies - User Rights Assignment - Allow logon through Terminal Services. By default, the groups Administrators and Remote Desktop Users are allowed.
- Administrator accounts: by default, an administrator account is member of Administrators.
- Limited account: the user should be added to the group Remote Desktop Users.
- Guest account: the user should be added to the group Remote Desktop Users.
- The server machine should have a static IP on the LAN
We prefer to set this up in the router. One may instead do it at the server (TCP-IP settings). Without a static IP, portforwarding through the router may fail.
The client connects to the server with a string on the following format:
or, often one can instead use
It is clear that:
- We need to know the WAN IP of the remote router, or have a domain name for this address.
- We do know the port where the remote desktop server listens for connections. We need to set up a mechanism in the remote router so that requests to this port is forwarded to the correct machine on the LAN.
- Keep track of remote router WAN IP, configure dyndns
The procedure to keep track of the remote router WAN IP varies according to our ISP subscription.
- Dynamic router IP
If the router receives dynamic IP from the ISP, we at the very least need to remember this address. However, there is a good chance that the router at some point will receive a new IP, and then we will not be able to connect. Dyndns is a solution to this problem. Most routers today support dyndns. If, in a particular case, this is not the case, one can instead run dyndns software on a machine on the LAN. This machine must always be running. So the Remote Desktop server would be a good candidate. We need to create a dyndns account at their website in either case. There is even a free version available - the drawback is that one needs to confirm activity every month, or else the account will be deleted. dyndns gives you a subdomain (for instance: psdigital.dyndns.com) that points to the IP address of your router in a DNS database. When the router IP address changes, the dyndns software will detect and update the DNS database so that psdigital.dyndns.com still points to the correct IP.
In this example, (B) becomes:
Or one can easily determine IP from domainname
ping -a psdigital.dyndns.com
In any case, one should also remember the remote router WAN IP. If dyndns for some reason fails, there is still a chance that one may be able to connect.
dyndns has recently (early 2014) discontinued their free account. A good alternative is to instead use no-ip (www.noip.com). The service is the same and most routers also support no-ip.
- Static router IP
If the router receives a static WAN IP, one only needs to remember this address.
- Dynamic router IP
- Configure portforward
On the router one needs to configure a portforward such that requests to external port remote-desktop-server-port is forwarded to the correct machine (IP) on the LAN. The remote-desktop-server-port is TCP 3389 by default. It may be changed, as described above.
- Configure firewall
Usually the router has its own firewall. This needs to be opened up on the correct port. In some routers, a firewall rule is automatically created once a portforward is configured.
- Configure remote router access
Often there is a configuration error, making Remote Desktop not work. It may be a good idea to configure the router for remote management. Then there is a chance one may troubleshoot the configuration, and maybe correct a wrong setting from remote. Remember to not use http port 80 (because of security), and to also configure the router firewall for remote access.
Usually, no configuration is neccessary. Open the Remote Desktop client by typing
mstsc (MicroSoft Terminal ServiCes) into the Run window. (The client can also be started from the GUI). The Remote Desktop Connection window opens. Type the IP address of the remote router, and the the portnumber of the Remote Desktop server, into the "Computer" field, on the following format:
Press the Connect button. A Windows login window from the remote machine should appear. Enter a valid username/password. One should now see the desktop of the remote machine.
Fig. 3 Peter RD'ing into Paul RD'ing into Mary
- Share harddisks
If you would like to copy and paste files between the server and the client machine, you need to enable harddisk sharing. This is done at the client. Harddisk sharing may create security issues.
- Also other connection parameters can be configured at the client
- How Terminal Services Works
- Remote Desktop - Allow access to you PC. Network Level Authentication.