Configuring Remote Desktop
Written by: Peder Sverdrup June 2013. Updated September 2014.
Contents
- 1. Introduction
- 2. A typical Remote Desktop situation
- 3. The remote machine (the server)
- 4. The remote router
- 5. The local machine (the client)
- 6. References
- Fig. 1 Remote Desktopping into a machine on a different network
- Fig. 2 RD Server with Network Level Authentication
- Fig. 3 Peter RD'ing into Paul RD'ing into Mary
1. Introduction
Remote Desktop (RD) is a technology that allows a local workstation (the client) to log into and control a remote machine (the server). The user interface is graphical: the screen view of the remote machine is displayed, and continuously updated, on the local machine. One controls the remote machine with the local mouse and keyboard.
Remote Desktop is an alternative to Telnet, and a more recent technology. The main differences:
- Interface: Telnet is text-based, RD has a graphical interface
- Security: Telnet has no encryption, RD uses encryption (for password and also for content)
We will configure Remote Desktop on a client and a server, both running XP Pro.
2. A typical Remote Desktop situation
Fig. 1 Remote Desktopping into a machine on a different network.
In Fig. 1, the employee working from home can use either his workstation (WorkstationL1) or laptop (LaptopL1) to remote into the office workstation (WorkstationR1), by entering the following string into the Remote Desktop client:
128.49.50.51:3389
If he wants to remote into the ServerR1 he should enter:
128.49.50.51:3390
3. The remote machine (the server)
- Decide on which port the server should listen
By default, the server listens on TCP port 3389 for incoming requests. Reasons to change the port:
- Security
- If two or more machines on the same LAN (behind the same router) should be available, each server needs to listen on its own unique port number. Otherwise, port forwarding through the router will not work for all servers.
To change the port number, change the value of the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber.
- If you change the port number, you need to restart the machine
- The service TermService (Terminal Services) needs to run.
- The service TermService (Terminal Services) should have Startup type Automatic.
If not, one will not be able to reconnect after a server restart. "Automatic" makes the service start before Windows log-in, which is necessary, because this service allows Remote Desktop users to log in.
- Set up Windows to accept remote desktop requests
This is configured under the System Properties control panel applet, on the Remote tab: "Allow users to connect remotely to this computer" should be selected.
Fig. 2 Remote desktop server in Windows 10. In Windows XP there was originally no Network Level Authentication option. This is a security feature that protects against denial-of-service attacks (too many fake connection attempts make the server unavailable to legitimate clients).
- Open up Windows firewall on the appropriate TCP port
Now the firewall will not block incoming Remote Desktop requests.
- Open up other firewalls on the appropriate port
Maybe the antivirus program has a firewall. There may also be other firewalls.
- The Windows account must have a password
A Windows account with no password is not allowed to log in over RD. An exception is the Guest account, which does not support a password.
- Configure the Windows account: Security Policies and password
In order to log into the server, one authenticates with username/password of a local Windows account.
To give an account permission to log in remotely, the account must have the Local Security Setting "Allow logon through Terminal Services". To check this setting, open the Local Security Settings window (secpol.msc), and navigate to Security Settings - Local Policies - User Rights Assignment - Allow logon through Terminal Services. By default, the groups Administrators and Remote Desktop Users are allowed.
- Administrator accounts: by default, an administrator account is member of Administrators.
- Limited account: the user should be added to the group Remote Desktop Users.
- Guest account: the user should be added to the group Remote Desktop Users.
- The server machine should have a static IP on the LAN
We prefer to set this up in the router. One may instead do it at the server (TCP/IP settings). Without a static IP, port forwarding through the router may fail.
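The server-side checklist above can be verified in one pass. The following read-only audit is an added example, not part of the original article; it assumes a Windows 8/10-era machine with PowerShell 5.1 run as administrator (not XP), English group names, and the hypothetical function name Get-RdServerAudit.

```powershell
# Added example: read-only audit of the server-side settings from section 3.
# Assumes PowerShell 5.1 on Windows 8/10 or later, elevated, English group names.
function Get-RdServerAudit {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'

    # Listener port, "allow remote connections" switch, and NLA requirement.
    $port = (Get-ItemProperty -Path $rdp -Name PortNumber).PortNumber
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdp -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication

    # TermService must be running and start automatically.
    $svc = Get-Service -Name TermService

    # Enabled inbound allow rules that name the listener port explicitly.
    # Rules whose local port is "Any" are not counted here.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' }

    # Who may log on through RD by default, and which enabled local accounts
    # are not required to have a password.
    $rdUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $noPwd   = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }

    [pscustomobject]@{
        ListenerPort          = $port
        NonDefaultPort        = ($port -ne 3389)
        RemoteConnectionsOn   = ($deny -eq 0)
        NlaRequired           = ($nla -eq 1)
        ServiceRunning        = ($svc.Status -eq 'Running')
        ServiceAutomatic      = ($svc.StartType -eq 'Automatic')
        FirewallRulesForPort  = @($rules | ForEach-Object DisplayName)
        RemoteDesktopUsers    = @($rdUsers | ForEach-Object Name)
        Administrators        = @($admins | ForEach-Object Name)
        NoPasswordRequired    = @($noPwd | ForEach-Object Name)
    }
}

Get-RdServerAudit | Format-List
```

An empty FirewallRulesForPort after a port change means the built-in Remote Desktop rule still points at 3389 and a rule for the new port is missing.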
4. The remote router
The client connects to the server with a string in the following format:
(A) remote-router-wan-ip:remote-desktop-server-port
or, often one can instead use
(B) remote-router-wan-domainname:remote-desktop-server-port
It is clear that:
- We need to know the WAN IP of the remote router, or have a domain name for this address.
- We do know the port where the remote desktop server listens for connections. We need to set up a mechanism in the remote router so that requests to this port are forwarded to the correct machine on the LAN.
- Keep track of remote router WAN IP, configure dyndns
The procedure to keep track of the remote router WAN IP varies according to our ISP subscription.
- Dynamic router IP
If the router receives a dynamic IP from the ISP, we at the very least need to remember this address. However, there is a good chance that the router at some point will receive a new IP, and then we will not be able to connect. Dyndns is a solution to this problem. Most routers today support dyndns. If a particular router does not, one can instead run dyndns software on a machine on the LAN. This machine must always be running, so the Remote Desktop server would be a good candidate. In either case, we need to create a dyndns account at their website. There is even a free version available; the drawback is that one needs to confirm activity every month, or else the account will be deleted. dyndns gives you a subdomain (for instance: psdigital.dyndns.com) that points to the IP address of your router in a DNS database. When the router IP address changes, the dyndns software will detect this and update the DNS database so that psdigital.dyndns.com still points to the correct IP.
In this example, (B) becomes:
psdigital.dyndns.com:remote-desktop-server-port
Or one can easily determine the IP from the domain name:
ping -a psdigital.dyndns.com
nslookup psdigital.dyndns.com
In any case, one should also remember the remote router WAN IP. If dyndns for some reason fails, there is still a chance that one may be able to connect.
dyndns has recently (early 2014) discontinued their free account. A good alternative is to instead use no-ip (www.noip.com). The service is the same and most routers also support no-ip.
- Static router IP
If the router receives a static WAN IP, one only needs to remember this address.
- Configure portforward
On the router one needs to configure a port forward such that requests to the external port remote-desktop-server-port are forwarded to the correct machine (IP) on the LAN. The remote-desktop-server-port is TCP 3389 by default. It may be changed, as described above.
- Configure firewall
Usually the router has its own firewall. This needs to be opened up on the correct port. In some routers, a firewall rule is automatically created once a portforward is configured.
- Configure remote router access
Often a configuration error keeps Remote Desktop from working. It may be a good idea to configure the router for remote management. Then there is a chance one may troubleshoot the configuration, and maybe correct a wrong setting remotely. Remember to not use http port 80 (because of security), and to also configure the router firewall for remote access.
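When a connection fails, it helps to test the chain described in this section (dyndns name, remembered WAN IP, port forward) from a machine outside the remote LAN. The function below is an added example, not part of the original article; the name Test-RdTarget is hypothetical, and pairing the page's sample name with the sample IP from Fig. 1 is an assumption made for illustration.

```powershell
# Added example: client-side check of the dyndns -> router -> port-forward chain.
# Requires Windows 8/10 or later (Resolve-DnsName, Test-NetConnection).
function Test-RdTarget {
    param(
        [Parameter(Mandatory)][string]$Target,   # "host:port" as typed into mstsc
        [string]$RememberedWanIp                 # last known router WAN IP, if any
    )
    $hostName, $portText = $Target -split ':', 2
    $port = if ($portText) { [int]$portText } else { 3389 }   # default RD port

    # Format (A) is already an IP address; format (B) needs a DNS lookup.
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($hostName, [ref]$parsed)) {
        $resolved = @($hostName)
    } else {
        $resolved = @(Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue |
            Where-Object IPAddress | Select-Object -ExpandProperty IPAddress)
    }

    # A mismatch means the WAN IP has changed since it was written down,
    # or the dyndns record is stale; try both addresses in that case.
    $ipAgrees = if ($RememberedWanIp) { $resolved -contains $RememberedWanIp } else { $null }

    # TCP connect only; a failure points at the port forward, the router
    # firewall, or the server's own firewall.
    $open = $false
    if ($resolved.Count -gt 0) {
        $open = (Test-NetConnection -ComputerName $resolved[0] -Port $port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Host              = $hostName
        Port              = $port
        ResolvedIPs       = $resolved
        MatchesRemembered = $ipAgrees
        TcpPortOpen       = $open
    }
}

# Sample values taken from the article's examples.
Test-RdTarget -Target 'psdigital.dyndns.com:3389' -RememberedWanIp '128.49.50.51'
```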
5. The local machine (the client)
Usually, no configuration is necessary. Open the Remote Desktop client by typing mstsc (MicroSoft Terminal ServiCes) into the Run window. (The client can also be started from the GUI.) The Remote Desktop Connection window opens. Type the IP address of the remote router, and the port number of the Remote Desktop server, into the "Computer" field, in the following format:
remote-router-wan-ip:remote-desktop-server-port
Press the Connect button. A Windows login window from the remote machine should appear. Enter a valid username/password. One should now see the desktop of the remote machine.
Fig. 3 Peter RD'ing into Paul RD'ing into Mary
- Share harddisks
If you would like to copy and paste files between the server and the client machine, you need to enable harddisk sharing. This is done at the client. Harddisk sharing may create security issues.
- Also other connection parameters can be configured at the client
6. References
- How Terminal Services Works
http://technet.microsoft.com/en-us/library/cc755399(v=ws.10).aspx
- Remote Desktop - Allow access to your PC. Network Level Authentication.
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access
