Setting Up RDP (Remote Desktop Connection) Through Verizon Fios
Posted by Russell Wright on January 15, 2012
I see lots of discussion about getting RDP (Remote Desktop Protocol) to work on a Verizon network. Much of this discussion is pretty harebrained and doesn’t speak logically about the issues. Here’s my process and discussion on the subject.
Why do you want to do this? Because there are not many reasons to pay GoToPC or other companies for the privilege of accessing your computer remotely. Most Windows computers have RDP built in, unless you get one of the “Home” versions of Windows 7, in which case you’ll have to work around that.
The main idea is you want to take RDP traffic coming from the internet (TCP default port 3389) and route it to a machine in your house on your local network. This will be TCP traffic on port 3389 if you use the defaults. It’s not much more complicated than that.
I have the Actiontec mi424wr router and my brother-in-law has the Westell 9100em. I’ve got it working on the Actiontec and next up is the Westell.
This is what you need to do:
- Enable RDP on the machine for remote access
- Ensure you have an account with a password that is an administrator or a member of the Remote Desktop Users group
- Add a port forwarding rule on the router (the hard part) to forward the RDP traffic to a specific machine
- Provide rules for any firewall(s) you have running to allow the RDP traffic to your computer
- Make sure your ISP or the router is not blocking the RDP port (TCP 3389) universally
- Change the RDP listening port to another port if 3389 is being blocked and adjust your port forwarding rule
Enable RDP on the machine for remote access
Type sysdm.cpl in the Start prompt to start the System control panel applet. Select the Remote tab and allow connections using whichever method you want to allow. The less secure method refers to the original RDP client on Windows XP and other prior operating systems (might also be the Mac RDP client). The more secure client can be updated on XP and is part of Windows 7. Don’t ask me about Vista…just like Windows ME it never existed in my book.
You can add users for remote desktop action if they are not already in the administrators group.
Ensure you have an account with a password that is an administrator or a member of the Remote Desktop Users group
To enable remote desktop, you must have an account that has a password, otherwise you’ll never connect. Unless, of course, you start the Group Policy Editor (gpedit.msc) and make some adjustments to the Security Options (Accounts: Limit local account use of blank passwords to console logon only). You can also adjust the User Rights Assignment and Allow log on through Remote Desktop Services to other security groups. But I digress…
Add a port forwarding rule on the router (the hard part) to forward the RDP traffic to a specific machine
On the Actiontec MI424WR router, log in as admin and click on the Firewall Settings icon along the top. Select Port Forwarding and select the machine to which you want to forward the RDP traffic.
Next, select custom ports, as there is not a rule for RDP traffic.
Here’s how you have to define your port. Protocol is TCP, Source Ports is Any and Destination Ports is 3389 (or whatever custom port you want to use). I have performed some tests to change the source port from Any to 3389 (which would seem to make sense for me) and it no longer works.
If you use a custom port the only difference is what you enter in the Destination Ports field. There are some limits of allowable port numbers, so be aware and don’t enter something like 99999!
Provide rules for any firewall(s) you have running to allow the RDP traffic to your computer
You need to make sure the Windows firewall (or whatever extra firewall crap you have running) does not block the RDP traffic on your port to your computer. Here’s the Windows Firewall version.
Start Windows Firewall (firewall.cpl). You can simply start typing “Firewall” in the Start box and it will be displayed. Or you can get at it through control panel. Whatever…
After some testing (turning each profile on/off), I found that the Private Profile on the firewall is what does the blocking. It makes sense, because the traffic coming from the internet is actually forwarded to the local network, hence it is traffic on the private network. You can open the Properties dialog in Windows Firewall with Advanced Security to easily turn the firewall profiles on and off to check them out. You might want to turn them off until you get it working.
If you need to create a custom rule for a custom port (in other words, you don’t want to use 3389 or it is blocked) you must create a new inbound rule. To create a new inbound rule, select Inbound Rules and then right-click to start the Rule Wizard.
Select Port rule.
Select TCP for the protocol.
Select Allow the connection.
Give it a name. This is for a custom rule I was using on port 5207.
Your finished rule should look something like this.
Make sure your ISP or the router is not blocking the RDP port (TCP 3389) universally
Now you need to make sure the port makes it through your router. To do this, use the CanYouSeeMe.org web tool. If you have set up your port forwarding rule and your firewall rule, the traffic should reach the port (3389 if the default port is used) you’ve set up.
Before I created and enabled the port forwarding rule.
Here you can see I’ve created the port forwarding rule.
Specifying the source port in the port forwarding rule as 3389 instead of Any (which, I think, should work, but doesn’t):
Response from Canyouseeme.org:
Specifying the source port as Any:
Response from Canyouseeme.org:
Change the RDP listening port to another port if 3389 is being blocked and adjust your port forwarding rule
If you want to change the listening port from the default of 3389, you can do this in the registry. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber is the key name. Change it to the Decimal value of your choice (within limits, of course).
No need to reboot. Simply start the services.msc applet and restart Remote Desktop Services so it picks up the new port.
It will also restart the Remote Desktop Service UserMode Port Redirector (which really makes sense).
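The custom-port steps above (inbound firewall rule, registry PortNumber change, service restart, then a check that something is listening) collected into one script. This is an added example, not code from the original post; the $Port parameter, the rule name and the listener check are my assumptions, with 5207 reused from the post’s own custom-port example. Run it from an elevated PowerShell prompt on the machine that will accept the forwarded traffic.

```powershell
# Added example (not from the original post): the custom-port steps as one script.
# $Port is an assumed parameter; 5207 is the custom port the post used.
param([int]$Port = 5207)

# The post warns about allowable port numbers: reject anything outside the TCP
# range, and the well-known 0-1023 range that an RDP listener has no business in.
if ($Port -lt 1024 -or $Port -gt 65535) {
    throw "Port $Port is outside the usable range 1024-65535"
}

# 1. Inbound firewall rule for the custom port (the wizard steps: Port, TCP, Allow, name).
#    The post found the Private profile is what blocks the forwarded traffic, so the
#    rule is scoped to it; use profile=any if the NIC sits on another profile.
netsh advfirewall firewall add rule "name=RDP custom port $Port" dir=in action=allow `
    protocol=TCP "localport=$Port" profile=private | Out-Null

# 2. Change the RDP listening port in the registry key named in the post.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord

# 3. No reboot needed: restart Remote Desktop Services (TermService) so it picks up
#    the new port. -Force also restarts the dependent UserMode Port Redirector
#    service (UmRdpService), which is what the post observed happening.
Restart-Service -Name TermService -Force

# 4. Confirm the registry value and that a TCP listener is actually on the new port.
#    Remember the router's port forwarding rule must use the same Destination Port.
$active = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
$listening = netstat -ano -p tcp | Select-String ":$Port\s+.*LISTENING"
"RDP-Tcp PortNumber is now $active; listener present: $([bool]$listening)"
```

After the script reports a listener on the new port, repeat the CanYouSeeMe.org check from the post against that port to confirm the router rule and ISP are not blocking it.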