
Remote Desktop Access behind DSL Router and Hub

Discussion in 'Networking (Hardware & Software)' started by ridgeone, 2003/06/18.

Thread Status:
Not open for further replies.
  1. 2003/06/18
    ridgeone

    OK, here goes.
    I am a little bit confused on how this is accomplished. I have Remote Desktop running on XP Pro machine "A" and have accessed it from my local network using a 2000 Pro machine with the RD client installed. No problem. Now I want to access the XP Pro machine "A" with XP Pro machine "B" from home. Machine "A" is at work connected to a hub connected to a DSL router using IP address 192.168.1.100. I read in an earlier thread that I need a public IP address assigned to "A" to access from the web with "B". "B" is connected at home behind a Cable router also, does this matter? How should I configure "A" to be accessed by "B"? EG: What should the IP address of "A" be? Can anyone help or is this impossible? Thanks to all ahead of time who post any suggestions.
     
  2. 2003/06/18
    Bitbyter

    I don't know. I don't do this.

    Both machines behind a router using NAT?

    Access to the PC behind a firewall, NAT or router requires that you forward calls to a specific port on to a specific internal IP address. If you can't do this, you are finished.

    Obviously, the IP address of the target PC must be the currently assigned IP address so you can't use DHCP to deliver an IP address for the target PC (albeit if you can reserve an address for a specific machine, then you probably can) and must assign a fixed IP address to the target PC.

    You should change the listening port for RD from the default. This is a registry hack. See Q306759.

    Your firewall on the target should be configured to allow only the expected system to have access. This typically requires a fixed IP address for the initiator. Ergo one-to-one mapping on the router for IP-address to IP-address in an IP address NAT pool.

    If you don't have a fixed IP address for your router, you will need to employ a Dynamic DNS service and you will be using an alias in place of an IP address. Again, if your router gets its IP address from DHCP, then configuring filters could be difficult to impossible.

    Microsoft's Generic Site
     

  4. 2003/06/18
    Newt

    To add on a little to what Bitbyter said - you can never get directly to a 192.168.x.x address from anywhere other than the network it is on. Those are "private" addresses and will not work over the internet or over most wide area networks (routers won't pass stuff to and from them).

    If you can figure out a way to find out and use the IP address of your work router and can set that router to always forward packets for the IP port that remote desktop uses to your PC, then you can do it. Otherwise, you can't.

    And you absolutely must do what he suggested about limiting the PCs that will have the remote desktop packets forwarded by your work router else anyone on the internet who tries to remote something at your work router's IP address will be directed to your PC. Not good.
     
  5. 2003/06/20
    Scott Smith

    The port is 3389. Most routers have a port forwarding feature.

    The Linksys looks like this:

    [​IMG]
     
    Last edited: 2003/06/20
  6. 2003/06/20
    Scott Smith

    Newt, what's up with the IMG tags not working?
    I put a link (above) in surrounded by "[​IMG]" and it converted it to a link.
     
  7. 2003/06/20
    Scott Smith

    Never mind. I see you guys have the IMG turned off :mad:

    It's a lot easier to see than read examples.
     
  8. 2003/06/22
    Bitbyter

    It would be nice to hear from somebody that has done what you are trying to do. I have not.

    I've connected to another machine using remote desktop, but only across a LAN and not across the Internet. The LAN is a W2K domain using a non-public FQDN and private IP address. The W2K domain has a DNS server that legitimizes the non-public FQDN for the LAN (i.e., the TLD isn't one that's recognized by the rest of the world.) DHCP is used for the host IP address, but the address is reserved. The client is a member of the W2K domain.

    If I had to guess, to accomplish this across the Internet, you first have to create a VPN tunnel to the LAN across the Internet, and then use the Remote Desktop Client to log the host. In other words, the client would appear to be on the same LAN as the host before the connection could be made.

    Ergo, the mapping set up on the Linksys won't accomplish anything.

    Maybe.
     
  9. 2003/06/23
    mflynn

    I do this all the time at work.

    Where I am now. Very busy.

    Will post tonight from home.

    Mike
     
  10. 2003/06/24
    mflynn

    Last edited: 2003/06/24
  11. 2003/06/24
    Scott Smith

    I have done it hundreds of times. What do you want to know specifically?




    No VPN tunnel needed. All handled in Remote Desktop.
     
  12. 2003/06/25
    Bitbyter

    I would like to know how this is accomplished. I would like to do this where there is no VPN capability.

    Thanks.
     
  13. 2003/06/25
    mflynn

    Hi BitByter and all

    Geeze some people drop in and make comments but sure failed to tell you how to do it!

    Sorry guys but my assistant at the office is on vacation so I am holding down the fort single-handed. Just came in and crashed the last 2 nights.

    BitByter I was not sure if you were interested in just XP remote desktop or TS (Terminal services) in general for use on a 2K server on a LAN.

    Ok! Clarification on the VPN. Remote Desktop as included in XP is a version of Terminal services that is available with 2K Server. VPN is not necessary for a broadband connection unless you want to do one very important thing. That 1 thing is connecting to the computer you are calling as a network client. (browse across the WAN link as if you were on the LAN)

    TS has no way of transferring files. There is an update (RDCLIP) that requires installing and manual registry edits that have to be done on both server and client. It allows copy and paste of files. I tried it and it works OK but a VPN connection is easier to setup and works as normal network browse/drive mapping.

    Why do you need this VPN? YOU DON'T IF YOU ARE NOT GOING TO TRANSFER FILES FROM AND TO! In this case it (VPN) is a totally separate connection, TS not even needed, and will connect the client to the called computer and allow normal network browsing and therefore mapping of network shares.

    Now if you were calling direct from modem to modem (not through broadband or even a dialup internet account) then the VPN is necessary as in that case it actually provides the path for TS to connect to the host.

    If you have never used remote desktop or terminal services there are a couple of things you need to understand.

    First you must understand that the calling computer (client) is doing nothing but executing the Client software of Terminal services. While connected no matter how much intensive processing is going on in the TS session, this is executing on the computer you called (Host).

    This is the reason a terminal server actually needs more processing horsepower than a normal file server. And also why it is a bad idea to have many terminal services on a busy file server. So while the file server is not idling but cruising (busy but not overloaded) with a File server load, adding just a few busy TS clients can drag it to its knees.

    With this in mind, in comparison to say PcAnywhere you can only connect once to the same computer simultaneously as you then only take over the host screen. In terminal services you do not have this limitation (taking over the host console screen) as you connect in the background and if someone is working on the host computer they can be unaware that you are even connected.

    EXCEPTION: M$ did not allow this to go into the background for XP. It actually runs on the main console in the foreground. So remember that the difference is that true Terminal services executes in the background and on the server console screen you would need to view connections to even know they were connected.

    Additionally on server, you can have many connected at the same time, and all are invisible in the background.

    Hence if you have many connected at the same time doing heavy processing it can drag a Terminal server to its knees.

    In other words on a network all a server does basically is share files, the network client does all the processing. And even on a server (host) typically someone may start a couple of heavy processing jobs in the background (minimized) while working in the foreground.

    But contrast this to 25 or more terminal services clients connecting in the background that are not only using the HD but the file server is now actually doing the processing.

    This would be the same as starting 25 tasks and minimizing them to all busily processing at the same time. Except in this case the server is also doing processing to maintain the 25 TS sessions in addition to the actual processing the user is doing. Making it even heavier than someone just directly running and minimizing 25 busy processes.
    =============================================
    That said, let's move on to how to do it. Specifically through a router.

    This assumes you have terminal services installed and activated and have added the users and permissions to connect list. Or for XP that Remote Desktop is enabled and correctly configured.

    First it must be port mapped (forwarded) on the router. So port 3389 (the std MS TS port) must be pointed to a specific local IP. So if the computer you wish to connect to locally is, say 192.168.1.101 then the router should forward connects to port 3389 to that IP.

    After this is done then you must know the WAN IP of this HOST network. There are many ways to get this. From the router or ipconfig. But I use the following program on the host being called. This program is very handy if the WAN IP is dynamic. So on a site that has a dynamic IP and I need to connect to do support then when they call me I have them run this program and give me the current IP.

    Get IP2 from: http://keir.net/software.html. The advantage of this program is I can tell the secretary to execute it and tell me the IP. If it is static then the client config will remember it.

    So then on the calling computer (client) just set it to connect to the WAN IP of the computer being called (host)! Wah La!

    If you are calling from anything less than XP you will need to install TS Client software on the remote client.

    I will help with the steps as you go through this.

    If questions just ask!

    This got too long but I got on a roll after I did get started.

    Mike
     
  14. 2003/06/25
    Scott Smith

    Mike I guess you were busting my ba11s on that comment. I guess I deserved that ;)

    I was waiting for bitbyter to reply before I typed a book for no one to ever come back to this post as happens very often.

    Sorry I didn't get back sooner.

    I would like to add that if you go to the "Local Resources" tab on the configuration screen of Remote Desktop there is a check box to map drives at connection and also one to map printers.
     
    Last edited: 2003/06/25
  15. 2003/06/25
    Bitbyter

    I'm around.

    Thanks for the info, guys.

    I've used the client software to connect to both TS on a W2k server and RDt on WXP, but over a LAN not the Internet.

    Any Microsoft lit I've read seemed to indicate that you should use VPN over the Internet.

    I guess with some creative firewall configuration, it might work ok without VPN from what you say.

    Maybe I'll try this, but it would have to be at odd hours.

    Unfortunately, my remote pipeline bandwidth probably won't tolerate much of this.

    Over the LAN, I seem to be able to pull a consistent 1.4 Mbits when connecting to the host. This would flood the Internet connection/pipeline (which is quite anemic) at the other end and I can imagine that somebody might have something to say about that. :D

    So if I was to try it over the Internet, it would probably be experimental only. At present, I have lots of experiments lined up. ;)

    If it's as simple as the port mapping (to internal private IP address) shown in the Linksys screen shot in ridgeone's link above, then there should be enough information here to get it all done.

    Hope ridgeone lets us know how it went.
    :)
     
    Last edited: 2003/06/25
  16. 2003/06/26
    mflynn

    BitByter

    They will not notice any impact from the connection. I have seen 3 simultaneous connections thru a shared dialup connection.

    TS/Remote Desktop's load is on the computer that is running as Host. Remember that TS is only sending screens and keystrokes.

    It is amazingly efficient on bandwidth. Works very well even with a modem. I have a few installations where they have to use TS with a modem and TS is very quick. And speedwise blows PCAnywhere away.

    Steve yes I guess I was coming down on you. But I have been stressed out the last few days. Couldn't seem to get back here to answer. So sorry. Especially in light of the new info about Remote desktop drive linking, thanks.

    Since I use the Full TS and its client software I had only looked at Remote desktop once to see what it looked like. This is a plus for Remote desktop.

    BitByter this recommendation of VPN with TS may have come from the fact that it is the only way to print to a remote printer from most DOS programs where you have to capture a printer port. It is the only way unless you buy Citrix MetaFrame.

    Additionally it is necessary for a modem to modem (no broadband or internet to ride in).

    Do you need to know how to port map VPN thru a router?

    Mike
     
  17. 2003/06/26
    Scott Smith

    There is also an experience tab where you can select the appropriate bandwidth you are using. As you cut back on bandwidth it will eliminate things such as desktop background, Bitmap Caching, etc.

    After you get the settings you desire select the "Save As" button and name the file. It will save it as an .rdp file so you can save multiple connections.

    This is a little more technical but if your router has UPnP forwarding you can do multiple machines on the inside.

    For example: you can tell the router to listen for port 3380 on the WAN side and forward that request to 3380 @ 192.168.1.5 on the LAN side. When you set up the remote desktop connection you would enter your WAN IP, for example: 16.127.216.65:3380

    Tell the router to listen for 3381 and forward to 3380 @ 192.168.1.6 and your remote desktop connection would be 16.127.216.65:3381



    To enable an XP machine to listen for remote desktop connections you must go to the "Remote" tab of system properties and check off "Allow Remote Desktop Connections" and select users. The user accounts must have a password and not blank.

    Hint;
    Remote desktop will not work if the XP firewall is enabled.


    Want more?

    You can also edit the registry to modify the port RD listens for HERE
     
    Last edited: 2003/06/26
  18. 2003/06/27
    Bitbyter

    Thank you for helping me. On the other hand, I only got interested because ridgeone asked the question. Nobody was answering, so I took a stab at it.

    And while, just for argument's sake and a wup, I might actually configure all that is necessary and try it out so that we could say "success", it ain't going to happen.

    The remote site that would be my target site has a Linksys router, somewhat similar (but not exactly) to the one that ridgeone has. There is some difference in the network behind the router, however. The target host node, while behind the router is not on the subnet local to the router. There is yet another intervening router (two subnets on separated media behind the router with the WAN link.)

    The problem here is that the Linksys will only forward mapped inbound port traffic to the subnet immediately attached. The Linksys does allow routing table entries that accommodate the second subnet for most client node stuff -- this does not require static mapping of a port to an IP address. Without the flexibility of specifying the second subnet in the forwarding table, however, the remote desktop session isn't going to happen.

    OK, I could put a node on the first subnet, but now we're talking actual work and a need to scrounge up some resources. :rolleyes:

    I think we're waiting for ridgeone to show up on the scope.
    :D
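
Added example (not part of the original thread): a small Python model of the router forwarding table from Scott Smith's post, with the source restriction Bitbyter and Newt ask for and the attached-subnet limit Bitbyter describes above. The `Forward` class, the 192.168.1.0/24 LAN subnet, the 192.168.2.20 host and the 203.0.113.10 / 198.51.100.7 addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed subnet directly attached to the router's LAN side.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

@dataclass
class Forward:
    wan_port: int                 # port the router listens on (WAN side)
    lan_ip: str                   # internal host that receives the traffic
    lan_port: int                 # port on the internal host
    allowed_sources: list = field(default_factory=list)  # empty = any Internet host

def resolve(rules, src_ip, wan_port):
    """Return (lan_ip, lan_port) for an inbound connection, or None if dropped."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.wan_port != wan_port:
            continue
        if r.allowed_sources and not any(
            src in ipaddress.ip_network(net) for net in r.allowed_sources
        ):
            return None           # source filter rejects this caller
        return (r.lan_ip, r.lan_port)
    return None                   # no mapping for this port

def audit(rules):
    """Flag mappings that are exposed to everyone or cannot work on this router."""
    findings, seen = [], set()
    for r in rules:
        if r.wan_port in seen:
            findings.append((r.wan_port, "duplicate WAN port"))
        seen.add(r.wan_port)
        if ipaddress.ip_address(r.lan_ip) not in LAN_SUBNET:
            findings.append((r.wan_port, "target not on attached subnet"))
        if not r.allowed_sources:
            findings.append((r.wan_port, "open to any source"))
    return findings

# Constructed table: the first two mappings follow the ports and hosts in the
# post above; the source filter and the third rule are illustrative.
RULES = [
    Forward(3380, "192.168.1.5", 3380, ["203.0.113.10/32"]),
    Forward(3381, "192.168.1.6", 3380),
    Forward(3389, "192.168.2.20", 3389, ["203.0.113.10/32"]),
]

if __name__ == "__main__":
    print(resolve(RULES, "203.0.113.10", 3380))  # expected caller
    print(resolve(RULES, "198.51.100.7", 3380))  # unknown caller, filtered
    print(resolve(RULES, "198.51.100.7", 3381))  # unknown caller, unfiltered rule
    for port, problem in audit(RULES):
        print(port, problem)
```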
     
  19. 2003/06/27
    mflynn

    BitByter

    I have never done this, but I think all you would have to do is route 3389 on the first router that is connected to the WAN, to the second router and route again from there to your LAN IP!

    Mike
     
  20. 2003/06/28
    Bitbyter

    It's a pretty dumb router. No NAT and no proxy on second router and no way of mapping a port call to an IP address. Except for the fact that there are different Windows domains on both sides of this internal router, the router acts as a bridge (albeit based on IP address) between subnets.
     
  21. 2003/06/28
    mflynn

    Hmmm

    I reread his original message and I don't see any reference to exactly what brand of router he has. Is this in another thread or private message?

    It seems I usually miss something and did miss the fact that he has 2 routers or is referring to the cable modem as a router by mistake.

    If in fact he does have 2 routers then the routing/port forwarding steps would not work here as they need to extend thru the 2nd router.

    Unless he or you have a very old Linksys or some base model I have never used, then it has all the important features needed to do this. They have forwarding, static routing, dmz, filtering etc.

    mike
     