Terminal Services Remote Desktop thru 2000 server

I have an XP PC SP2 at work, and one at home.
I want to make a remote desktop connection between them using terminal services. The work PC is behind a server running windows 2000 server and Zone Alarm Pro. What do I need to do on the server to be able to connect to the work computer?

 

depending on the server settings. basically, you need to open certain port. quoted from http://www.chicagotech.net/

Which port does Terminal Server use for client connection

By default Terminal Server and Windows 2000 Terminal Services uses TCP port 3389 for client connections. Microsoft does not recommend that this value be changed. However, if it becomes necessary to change this port, follow these instructions (Note: additional ports used by win2000 services is 445).

 

I changed the port to 7000 and then pointed an RDP connection to the server IP address and port 7000, but that didnt work. I am wonderring if I am doing something wrong.

 

If you are trying to connect from home into your business network and if your business network is using private addresses, you may have only a couple of options.

- Initiate a request from the work PC so there will be a return path for the connection from your home machine.
- Set the router to port forward all traffic to port 7000 (or whatever port you use) to your work PC.

Same sorts of issues if you are trying to remote your home PC from work unless it has a static, public (real, ISP assigned) IP address.

Otherwise, a little more detail about how things are set up is probably needed.

 

Well, the server is the gateway, so it has 2 NICs and a public IP, but the clients are on a private network. There is no router, only RRAS running on Windows 2000 Server. I have no idea how to forward a port in that. There is Zone Alarm Pro running on the server (even though they dont "support" that) and I dont see a way to forward ports in that. I am thinking that if I put a router in the place of the server as the gateway, I could probably just use that as the firewall and skip the Zone Alarm Pro, and then I could also forward the ports. Does that sound like a better idea? And - do you have a recommendation for a router that is easy to configure but still somewhat powerful and provides stateful packet instection, etc to protect a small business network?

Thanks,
Johnny5

 

A router does sound like a much better idea for all sorts of reasons. Hardware firewall greatly outperforms any software one.

Sorry I can't suggest specific equipment. I know the low end (SOHO stuff) pretty well and the high end pretty well but haven't worked with medium size networks since the mid-90s so I'm worse than out of date.

We do have some folks who know that end of the networking stuff though so you should get suggestions pretty quickly.

 

Great. For the sake of knowledge, what are the best SOHO class routers, in your opinion?

 

This week, I think NetGear FR314 (or FR318 depending on how many ports you want) is about as good as it gets.

 

Do you want to access a PC BEHIND the Windows Server (on the Server's LAN) via Terminal Services?

Or do you mean actually control the XP Pro machine remotely using Remote Desktop?

Because I am not sure I will list some facts that may help about Terminal Server and remote access.

Terminal Server users use the Remote Desktop connection client to log into Terminal Server. You can also use the same Remote Desktop client program to control a Windows XP Pro machine remotely with no Terminal Server present..

You cannot access PCs on the Terminal Server's LAN from a remote computer by going through the Terminal Server. And of course only the Terminal Server itself can host terminal server sessions, and it cannot give you a session on your XP Pro machine.

In Windows Server 2000 or 2003 the LAN access for remote users is restricted to printers for security reasons. So you have to bypass the server to get to the XP Pro machine.

You cannot run Terminal Server AND a Remote Desktop session on the same network. They use the same port (TCP port 3389), because they use the same client program (Remote Desktop) to log in as I mentioned before.

Therefore if you are running Terminal Server on the network, you cannot forward any of the incoming Remote Desktop traffic (TCP port 3389) to the XP machine using a router or other means, as you would intercept all your Terminal Server users as well. They wouldn’t be able to log into the Terminal Server as you would be forwarding them onto the XP machine!

What you need is 2 things whatever your scenario is above.

1) A router that can forward incoming traffic on specific ports to a LAN IP (ie your XP Pro machine) and

2) A program to connect to the XP Pro machine remotely. If you have Terminal Server running on your office network, you will need a third party remote control program like PCAnywhere that doesn’t use the same TCP port as Remote Desktop. You will have to set the XP Pro machine up as host and have it waiting for calls, and you would set the remote PC up as a remote client.

If you have not activated the Terminal Server on your network, you can use the Remote Desktop program built into Windows XP, to connect to and remotely control the XP machine.

In both cases you need to forward the incoming (port) traffic to your XP Pro machine, so need 1) above is essential.

Finally bit of Terminal Server Trivia

Only XP Pro machines can host remote desktop sessions. XP Home can only be a client PC.

You can download the Remote Desktop client program free from Microsoft to connect either to a Terminal Server or remote Desktop host, using any other version of Windows , even Windows 95!

There is no remote Desktop Host program for download. As i said it only comes with XP Pro.

Yes you can change the port Remote Desktop uses to communicate with Terminal Server, but it is not recommended at all, it is a headache and if the program resets to default values at any time, which i have seen it do, you have big trouble, which i have seen it be.

Hope this got you thinking

 

Had a thought in another direction after i wrote my last post.

What could be an idea is this.

If you have a Terminal Server licence (CAL) spare do this:

Put all your data on the server if not already. Security can be set up so only you can access it if need be.

When at work create an account on the server. Give it whatever username or password you like. Make this user a member of the remote users group.

Write down this account login, as well as the static WAN IP at work assigned by your ISP. Take this home later.

Go to your XP Pro machine. Create links to your data on the Server as needed. Ask for help how to do this if needed.

When you go home you can connect to the Terminal Server, using the Remote Desktop program, using the details you wrote down before. The IP will be the office's WAN IP address, the username and password as the account you created and wrote down.

You can then access the same data on the server using Terminal Server that way. You can customise your desktop etc in your TS profile as each account user has thier own that is the same as they left it each time they log onto the TS.

Of course for Terminal Server to work at all you first need these things:

>Windows 2000 Server or 2003 Server
>1 Terminal server licence (CAL) for each simultaneously connected user
>A router that can forward all incoming traffic on TCP port 3389 to your server's IP address.
>Terminal Server activated in Windows and listening for calls.
>A account on the server, as a member of the remote users group to log in with.

For email you could set the same account up on the home PC email program. At work only download copies of your mail. Ask how to do this. At home download and clear the mails (default email program behaviour). The home PC then also gets all the mails downloaded that day at work. But the work PC does not get mails downloaded after work by the home PC that it hadnt downloaded before. You woudl have to FWD them back if that happened.

Saying the last paragraph i assume he isnt (or considering) using Exchange Server so i havent mentioned the obvious solutions there also.

I assume the main reason to connect to the work PC is data. If you have Terminal Server, why would you need to connect to any other computer at work? Data should always be on the Server anyway, for accessibility and backup reasons.

 

Thanks for the loads of info!
I administer a server, and I use RDP to do so. This server is the gateway to a small LAN, and the head of this company wants to be able to access his desktop from home. His PC is on the server's LAN. So from what I read above "You cannot access PCs on the Terminal Server's LAN from a remote computer by going through the Terminal Server." and "You cannot run Terminal Server AND a Remote Desktop session on the same network." What I want to be able to do is adjust the RDP port on his PC to another port and forward that port through to the WAN. However I dont currently have a router which can port forward. Thus hthese questions - wondering if Windows 2000 Server has a way to forward the port on his PC through to the internet. I am thinking that if I just get a router and forward his RDP port in the registry and then open/map that port on the router, it should work. I havent had any troubles with this before, changing ports for terminal services/rdp. I have one other computer which is behind a router that I connect to regularly on a non-standard terminal services port for remote desktop.
Mainly, I just wanted to see if I could do this within Windows 2000 Server, or if I needed a router to do it.
I am thinking now that I need a router.
Thanks again!

 

Yes you certainly need a router, specifically one that can forward ports, and i would seriously consider setting up the terminal server for remote users to access thier data.

In terminal server each user gets thier own desktop that they can customise, so if the data was on the server, and the user customised thier desktop to suit thier needs, there would be little difference in accessing the Terminal Server and connecting to his own PC. If the user wanted to use the exact same desktop, perhaps he can use the terminal Server on the LAN as well?

Anyway good luck!