Russ' Do It Yourself Home Workshop

Finding Fixes to Just About Anything and Everything

Setting Up RDP (Remote Desktop Connection) Through Verizon Fios

Posted by Russell Wright on January 15, 2012

I see lots of discussion about getting RDP (Remote Desktop Protocol) to work on a Verizon network.  Much of this discussion is pretty harebrained and doesn’t speak logically about the issues.  Here’s my process and discussion on the subject.

Why do you want to do this?  Because there are not many reasons to pay GoToPC or other companies for the privilege of accessing your computer remotely.  Most Windows computers have RDP built in, unless you get one of the “Home” versions of Windows 7, in which case you’ll have to work around that.

The main idea is you want to take RDP traffic coming from the internet (TCP default port 3389) and route it to a machine in your house on your local network.  This will be TCP traffic on port 3389 if you use the defaults.  It’s not much more complicated than that.

I have the Actiontec mi424wr router and my brother-in-law has the Westell 9100em.  I’ve got it working on the Actiontec and next up is the Westell.

This is what you need to do:

  1. Enable RDP on the machine for remote access
  2. Ensure you have an account with a password that is an administrator or in the Remote Desktop Users group
  3. Add a port forwarding rule on the router (the hard part) to forward the RDP traffic to a specific machine
  4. Provide rules for any firewall(s) you have running to allow the RDP traffic to your computer
  5. Make sure your ISP or the router is not blocking the RDP port (TCP 3389) universally
  6. Change the RDP listening port to another port if 3389 is being blocked and adjust your port forwarding rule

Enable RDP on the machine for remote access

Type sysdm.cpl in the Start prompt to start the System control panel applet.  Select the Remote tab and allow connections using whichever method you want to allow.  The less secure option accepts any version of the RDP client, including the original client on Windows XP and prior operating systems (and possibly the Mac RDP client); the more secure option requires Network Level Authentication (NLA), which the updated XP client supports and which is built into the Windows 7 client.  Don’t ask me about Vista… just like Windows ME it never existed in my book.

You can add users for remote desktop action if they are not already in the administrators group.


Ensure you have an account with a password that is an administrator or in the Remote Desktop Users group

To enable remote desktop, you must have an account that has a password, otherwise you’ll never connect.  Unless, of course, you start the Group Policy Editor (gpedit.msc) and make some adjustments to the Security Options (Accounts: Limit local account use of blank passwords to console logon only), though that policy is exactly what stops a password-less account from being used over the network, so it is better left alone.  You can also adjust the User Rights Assignment and Allow log on through Remote Desktop Services to other security groups.  But I digress…
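Steps 1 and 2 above can be done from an elevated PowerShell prompt instead of the dialogs. This is an added example, not code from the original post: it flips the same registry values that the Remote tab of sysdm.cpl writes, requires NLA (the “more secure” option), adds a user to Remote Desktop Users, and reads back the blank-password policy mentioned above. The account name `alice` is a placeholder.

```powershell
# Added example (not from the original post). Run as Administrator.
# Enables Remote Desktop, requires Network Level Authentication, and adds a
# standard user to the Remote Desktop Users group. $RdpUser is a placeholder.

$RdpUser = 'alice'   # placeholder: the account that will log on remotely
$TsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp  = "$TsKey\WinStations\RDP-Tcp"

# 1. Allow connections (fDenyTSConnections = 0 is the "Allow" radio button).
Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Require NLA so the client must authenticate before a session is created
#    (the "more secure" option on the Remote tab).
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 3. Non-administrators must be in Remote Desktop Users to log on over RDP.
#    net localgroup works on every Windows version; Add-LocalGroupMember only
#    exists on Windows 10 / Server 2016 and later.
net localgroup "Remote Desktop Users" $RdpUser /add

# 4. Read back the "Limit local account use of blank passwords to console logon
#    only" policy (1 = enforced). Leaving it at 1 keeps password-less accounts
#    from being usable over the network.
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Limit = (Get-ItemProperty -Path $Lsa -Name LimitBlankPasswordUse).LimitBlankPasswordUse

"fDenyTSConnections    = $((Get-ItemProperty -Path $TsKey).fDenyTSConnections)   (0 = RDP allowed)"
"UserAuthentication    = $((Get-ItemProperty -Path $RdpTcp).UserAuthentication)  (1 = NLA required)"
"LimitBlankPasswordUse = $Limit  (1 = blank passwords limited to console logon)"
```

The three read-backs at the end are the quickest way to confirm the dialog settings on a machine you cannot see, for example over an existing session before you reboot.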


Add a port forwarding rule on the router (the hard part) to forward the RDP traffic to a specific machine

On the Actiontec MI424WR router, log in as admin and click on the Firewall Settings icon along the top.  Select Port Forwarding and select the machine to which you want to forward the RDP traffic.


Next, select custom ports, as there is not a rule for RDP traffic.


Here’s how you have to define your port.  Protocol is TCP, Source Ports is Any and Destination Ports is 3389 (or whatever custom port you want to use).  I tested changing the source port from Any to 3389 (which seemed to make sense to me) and the rule no longer works: the connecting client picks a random source port for each connection, so only the destination port is predictable.


If you use a custom port the only difference is what you enter in the Destination Ports field.  TCP port numbers only go up to 65535, so be aware and don’t enter something like 99999!


Provide rules for any firewall(s) you have running to allow the RDP traffic to your computer

You need to make sure the Windows firewall (or whatever extra firewall crap you have running) does not block the RDP traffic on your port to your computer.  Here’s the Windows Firewall version.

Start Windows Firewall (firewall.cpl).  You can simply start typing “Firewall” in the Start box and it will be displayed.  Or you can get at it through control panel.  Whatever…


After some testing (turning each profile on/off), I found that the Private Profile on the firewall is what does the blocking.  It makes sense: the firewall applies the profile of the network adapter the traffic arrives on, and the packets forwarded from the internet arrive on the LAN adapter, which is classified as a private network.  You can open the Properties dialog on Windows Firewall with Advanced Security to easily turn the firewall profiles on and off to check them out.  You might want to turn them off until you get it working, then turn them back on.


To allow the RDP inbound traffic on the standard port of 3389, you can enable the Inbound Rule called “Remote Desktop (TCP-In)” in the inbound rule set.  Simply right-click and enable it.

If you need to create a custom rule for a custom port (in other words, you don’t want to use 3389 or it is blocked) you must create a new inbound rule.  To create a new inbound rule, select Inbound Rules and then right-click to start the Rule Wizard.


The wizard pages, in order:

  1. Select Port as the rule type.
  2. Select TCP for the protocol (this is also the page where the custom port number goes).
  3. Select Allow the connection.
  4. Select Private for the profile.
  5. Give it a name.  Mine was for a custom rule I was using on port 5207.

Your finished rule should then show up in the Inbound Rules list as an enabled TCP rule for the Private profile on your port.
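The same firewall work from PowerShell, as an added example rather than code from the original post. It assumes Windows 8.1/10/11, where the *-NetFirewallRule cmdlets exist (on Windows 7 the equivalent is the netsh line in the comment); port 5207 is the custom port the post uses and the rule name is a placeholder.

```powershell
# Added example (not from the original post). Run as Administrator.
# Enables the built-in RDP rule for the default port, or creates a custom
# inbound TCP rule for another port scoped to the Private profile only.

$CustomPort = 5207                         # the post's example custom port
$RuleName   = "RDP custom $CustomPort"     # placeholder display name

# Which profile is each adapter on? Forwarded traffic arrives on the LAN
# adapter, so that adapter's profile (normally Private) is the one that counts.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Default port 3389: just enable the built-in "Remote Desktop" rule group.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Custom port: one inbound allow rule, TCP only, Private profile only.
# Windows 7 / netsh equivalent:
#   netsh advfirewall firewall add rule name="RDP custom 5207" dir=in action=allow protocol=TCP localport=5207 profile=private
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $CustomPort `
        -Action Allow -Profile Private -Enabled True
}

# Review the result: the rule itself and its port filter, which is what the
# wizard's "finished rule" screenshot would show.
Get-NetFirewallRule -DisplayName $RuleName |
    Format-Table DisplayName, Enabled, Profile, Direction, Action -AutoSize
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, LocalPort, RemotePort -AutoSize
```

Keeping the rule on the Private profile only (rather than Any) means a laptop that later joins a Public network does not expose the listener there; that is the same choice the wizard step “Select Private” makes.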

Make sure your ISP or the router is not blocking the RDP port (TCP 3389) universally

Now you need to make sure the port makes it through your router.  To do this, use the CanYouSeeMe.org web tool.  If you have set up your port forwarding rule and your firewall rule, the traffic should go to the port (3389 if the default port is used) you’ve set up.

(Screenshots: the CanYouSeeMe.org result before I created and enabled the port forwarding rule, and again after the rule was created.)

Specifying the source port in the port forwarding rule as 3389 instead of Any (which, I think, should work, but doesn’t) gets a failure response from CanYouSeeMe.org; specifying the source port as Any gets a success response.

Change the RDP listening port to another port if 3389 is being blocked and adjust your port forwarding rule

If you want to change the listening port from the default of 3389, you can do this in the registry.  The PortNumber value under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp holds the port.  Change it to the decimal value of your choice (1 through 65535, and preferably one nothing else on the machine is already listening on).


No need to reboot.  Simply start the services.msc applet and restart Remote Desktop Services so it picks up the new port.  Remember that the router’s port forwarding rule and the firewall rule must be changed to match the new port.


It will also restart the Remote Desktop Services UserMode Port Redirector, which depends on it (which really makes sense).
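The port change, service restart and a check that the new port is really listening, done from PowerShell. This is an added example and not code from the original post; it assumes Windows 8.1 or later for Get-NetTCPConnection (the netstat line in the comment works on Windows 7), uses the post’s custom port 5207, and the remote hostname in the commented-out check is a placeholder.

```powershell
# Added example (not from the original post). Run as Administrator.
# Changes the RDP listening port, restarts the service, and verifies the
# listener moved. $NewPort is the post's example custom port.

$NewPort = 5207
$RdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Valid TCP ports are 1-65535; the post's "99999" example can never work.
if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range 1-65535" }

# Refuse to pick a port something else already owns on this machine.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use by another listener"
}

# Keep the old value so it can be restored, then write the new one (decimal DWORD).
$OldPort = (Get-ItemProperty -Path $RdpTcp -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $NewPort -Type DWord

# Restart Remote Desktop Services (TermService). -Force is needed because the
# Remote Desktop Services UserMode Port Redirector (UmRdpService) depends on it;
# that dependency is why services.msc restarts both, as the post notes.
Restart-Service -Name TermService -Force

# Verify: the listener should now be on $NewPort and no longer on $OldPort.
# Windows 7 equivalent:  netstat -ano | findstr ":5207"
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -eq $OldPort -or $_.LocalPort -eq $NewPort } |
    Select-Object LocalAddress, LocalPort, State, OwningProcess

# From another machine on the LAN (placeholder hostname), a local reachability
# check before testing from the internet through the router:
#   Test-NetConnection -ComputerName 'rdp-host' -Port $NewPort

"PortNumber changed from $OldPort to $NewPort. Update the router forwarding rule and the firewall rule to match."
```

Doing the local listen check first separates the two failure modes the post discusses: if the port does not show as listening here, the router and ISP are not the problem; if it does listen but CanYouSeeMe.org still fails, the forwarding rule or upstream blocking is.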


Related links:

http://windows.microsoft.com/en-US/windows7/Connect-to-another-computer-using-Remote-Desktop-Connection

14 Responses to “Setting Up RDP (Remote Desktop Connection) Through Verizon Fios”

  1. ss said

    It doesn’t work for me. The only difference I see in the rule is that when I create a custom rule to allow 3389 my rule shows Destination Ports 3389 / TCP Any -> 3389. However, the service shows listening but I am unable to connect from outside using mstsc. Windows firewall is not blocking RDP. Don’t know where the issue is.

  2. John said

    Same as Ss,

    DestPC
    192.168.1.9
    Destination Ports 3391
    TCP Any -> 3391 All Broadband Devices Active

    And it doesn’t work on a custom port. If I use 3389, it works great. But I want to be able to remote to multiple computers inside my Fios network.

    HELP!

  3. Michael said

    Works perfectly for me. I’m able to access multiple computers remotely using the default and custom ports. Thanks a lot for posting this!!!

  4. Dewayne said

    There is a reason why the source port must be set to “any.” That is because each TCP connection has two ports – the outgoing (source) port on the client computer and the incoming (destination) port on the server computer. When a client computer creates a request for a new TCP connection on a server, the destination port is the port of the service on the server, but the source port is some random port that happens to be free at the time on the client — it couldn’t be the same as the port of the service, or else the client could not run that service.

    So the first IP packages, which set up the connection, look like this:

    [client IP][random source port]:[server IP][service destination port]

    Once the connection is established, the destination port changes to some random port that is free on the server. If this didn’t happen, then the server could only ever have one connection to that service. So the server picks a new destination port, and communicates that back to the client, so that the new IP packages (from the client) look like this:

    [client IP][random source port]:[server IP][random destination port]

    The router reads these IP packets, and keeps track of connections based on the these two IP:Port pairs. That’s how a server can handle thousands of simultaneous clients on the same service.

  5. Dave Carden said

    Working through your fix – I finally discovered that the machine that I could not get to connect somehow had the RDP-Tcp port number set to 3390. Once I changed it to 3389 it connected. Thank you very much for your help.

  6. kveerabathran said

    This demo helped.
    Thank you

  7. I’m with Ss and John. I haven’t had much luck with RDP either. I’ve been using RHUB’s appliance. I can access multiple PCs — as well as grant multi-party access.

  8. Khawar said

    My router doesn’t have an ANY option under source port; I have to give some number in order to save the configuration on the router. Can you please assist?

  9. Henu said

    Thanks for the info. It helped.

  10. John Anderson said

    Thank you so much! This ended days of uselessly fooling around and getting nowhere.

  11. Frank Bell said

    To RDP to multiple computers specify source ports as “any”, destination ports as the client side port (for example 3390), and “forward to port” as 3389. Then when you RDP, add the client side port (“:3390” in this example) to the IP address. This works for me.

    Also it appears like a forwarding rule is required for each server mac address that is used. My servers can vary between wireless or wired, so a rule is required for each. This is required because the router assigns static ip addresses by mac address, not computer name. The Netgear dual wan router I was using was able to assign static address by computer name.

  12. Imran Ghumara said

    Thanks…for the post…Nice Information…

  13. Nate said

    Great posting, helped me a lot. I was getting confused on the source port, which I now realize should be Any. Thanks for taking the time and including screenshots.

  14. Brett Spector said

    Awesome documentation. Microsoft could take a point or two from this: concrete examples with screenshots and specific information. We need more stuff like this.
