A Windows XP help forum. PCbanter


More on Remote Desktop



 
 
  #1  
Old October 17th 04, 01:55 AM
mchjr01
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

Sorry on bugging you on this remote desktop issue but I really need to
remotely access my desktop where I store my huge files and use it as a fax
server.

This is what I have done so far:

On the desktop that I would like to access remotely, I changed the IP to
static. On the router I enabled the virtual server and added the desktop
static IP to forward through TCP3389.

When I initiated remote access from my laptop I type: desktop ip:3389. I
tried it while I am connected on the same LAN network where the desktop - I
got through. When I tried to connect via dial up outside of my LAN I am
getting an error message of either the remote PC is busy or do not have
permissions to connect.

My suspicion is I am being blocked by the router's firewall. Is there a way
I can make my laptop's IP static and add the same IP on my router as trusted?
Do I assign the static IP just like the way I did it on the desktop.

I have SP2 update installed on my XP-Pro.

Please advise and again many thanks to you.


Mike
  #2  
Old October 17th 04, 12:42 PM
Dana Brash
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

Hi Mike,

A bit more information about your environment would be helpful. Are you in
a domain or workgroup? What are you using for a firewall (brand/model)?
How are you connected to the internet? Do you have a static public IP?
etc...

It does sound like you're getting blocked at the firewall, except for one
thing. You said:

When I tried to connect via dial up outside of my LAN I am
getting an error message(...)


What are you dialing in to? Do you mean that your laptop is making a Dialup
connection to the internet, are you dialing in to your firewall/router, do
you have RRAS configured internally to accept dial-in connections?

If you are simply trying to get to the server via the public IP of the
firewall, then you could open up port 3389 and have it point to your
internal server, but this would open it up for everyone. Not a great idea.
Depending on your firewall, you may be able to create a policy that would
allow only your laptop through, particularly if you have a static IP to use.
However, since you're a laptop, I assume you move around and stay in hotels
and get on wireless at the airport and Starbucks and what not, and that
you're pretty much not going to have a static IP for your laptop.

If you are trying to dial in to an RRAS server, you need to make sure that
your user account has dial-in permission enabled. Are you in a Domain? Do
this in Active Directory Users and Computers on your user properties. It
doesn't sound like you're actually dialing in to an RRAS server, so I won't
pursue this idea at this point....

So, I would suggest creating a VPN tunnel into your LAN from outside. Then
your laptop will make a connection to the internet, and once connected to
the internet can open a tunnel through your firewall. Your firewall can
then authenticate you, encrypt your packets and let you in to the LAN 'just
like' you're sitting on the LAN itself (albeit much, much slower). Many
home products these days offer VPN capabilities, as do RRAS, and ISA server
as well.

HTH
=d=


--
Dana Brash
MCSE, MCDBA, MCSA






  #3  
Old October 17th 04, 12:48 PM
Sooner Al
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

Are you calling the correct public IP of the router when you use the laptop to test this from a
remote site or via a dialout connection? You can find the current ISP assigned IP by going to the...

http://www.whatismyip.com

....site from your desktop. One way to test if your router port forwarding is working correctly is to
use this telnet test from a remote site...

http://support.microsoft.com/default...;en-us;Q187628

Additionally, if your ISP assigns a dynamic IP to your router, then another solution is to set up an
account with one of the dynamic naming services that map a fully qualified domain name to the IP.
In my case I use a FREE service from No-IP.com. The No-IP.com software runs on my XP Pro box and on
a time schedule basis contacts the No-IP.com servers. The No-IP.com servers then know what your IP
is and maps that to a fully qualified domain name. That information is then propagated over the
public internet. You could then call the client PC using the fully qualified domain name. It works
very well for me when I call my home network using Remote Desktop.

http://www.no-ip.com

Others...

http://www.remotenetworktechnology.c....aspx?tabid=56

Please post additional questions concerning Remote Desktop to the
microsoft.public.windowsxp.work_remotely news group.

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...



  #4  
Old October 17th 04, 05:47 PM
mchjr01
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

Dana,

Thanks for your prompt reply.

I have a home network with two laptops, a desktop and two printers. The
laptops are wireless and the desktop is wired to a router - sharing the DSL
connection as stand alone workstation to access the internet. The desktop is
being used as storage of huge files and as a fax server. So far, I configured
the ip forwarding (desktop ip) on my router through TCP3389 and made the
desktop ip static. On the laptops I made the IPs static as well.

Our needs are to be able to remotely access the desktop to retrieve files
and faxes through the internet. From my laptop, I configured remote desktop
to connect to as: ipdesktop:3389. When I am connected to my LAN I can connect
with no problem, but when I try to connect via regular dial-up through my
ISP (earthlink.net), I am getting the error messages that either the desktop
is busy or I do not have the permissions to connect. Tell me, to connect - do
I use the routersip:3389 or the desktopip:3389?

Again thanks for your time and you are a valuable resource of information -
keep up the good work.

Mike





  #5  
Old October 17th 04, 07:20 PM
Dana Brash
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

Basic lowdown: You would use the Router's_public_IP :3389. On the router
you would create a 'service' (or however your particular piece of hardware
refers to port mapping) for port 3389 and point it to the Static IP of the
internal server. But again, I would strongly recommend that you use VPN
instead as opening this up is a huge security hole. If you open port 3389
on your firewall to the world, you will almost certainly get hacked.
Please, please, please don't do it. Secure your communications through a
VPN Connection. You shouldn't need any rules on your firewall to get
between your clients and server on your own LAN. You will need something in
place to get into your LAN from external.

How it works:
Your DSL or Cable Modem or whatever you're using gets a public IP address,
probably (99.9%) dynamically assigned. On the other side, when you dial up to
earthlink, your laptop also gets a public IP. So the first step in getting
your laptop into that LAN server has got to be making these two public IP's
talk to each other. But as you're using a home network, chances that your
public IP is static are very, very slim: so you don't know where to point
your laptop to connect. You will want to follow Al Jarvi's suggestion and
go with something like http://www.no-ip.com or I use
http://www.changeip.com. These services will let you map a DNS name to your
dynamically assigned Public (Cable or DSL) IP address. When you use these
services, you no longer have to know the IP because they keep a record and
you just have to refer to the URL. Mine is dana.blahblah.com (not really,
but for example's sake...) Even if you do decide to open 3389, you'll still
want the Dynamic IP DNS service so that you can find your network in the
first place.

Your network must run a client-side service to update the Dynamic IP DNS
servers directly when your public IP address changes. There are several
ways to do it. The modem sometimes does it, the router/firewall sometimes
does it, or you can install a small client on the OS that will do it. The
key is, whichever machine holds the public IP needs to be making the update
(updating the public IP address information with an internal IP address
isn't going to help you). I have mine set up so that my firewall makes the
PPPoE connection to my ADSL ISP. My firewall can be configured to update
ChangeIP.com. So when the PPPoE connection on the firewall gets a new
public IP, ChangeIP knows about it. If I was using ICS or RRAS on my
server, I would download and run the ChangeIP client on that server.

So, when I want to connect to my internal server, here is how I do it. I
set up a VPN connection on my firewall, using L2TP and IPSec with a
pre-shared key. I configure my user there. I then create a VPN connection
on my laptop. My VPN connection is configured to first open my dialup
connection. It is then configured to connect to dana.blahblah.com AS A URL,
and pass it the right username, password, and pre-shared key. It is also
configured to use my LAN DNS servers for DNS resolution (so I can reference
my internal servers by name). The firewall then authenticates and connects
me, and gives me A LOCAL IP ADDRESS ON MY LAN.

Once I've created the VPN 'tunnel' to my LAN, and gotten my LAN IP address,
I can connect to resources just as if I'm sitting in my home office. Once
you have an internal IP, you don't have to worry about ports anymore.
Everything is dial-up slow now, but I can get there. I think this solution
will better meet your needs for getting to files and faxes and what not
anyway. Remote Desktop is not really going to be your best option for
transferring files (as in it won't do it).

This is not simple stuff. It would be impossible for me to give you all the
information you need to get this up and running properly without you doing
other reading. A Google search for "VPN overview" returns a bunch of great
articles on the general nature of VPN. I would suggest looking up the VPN
configuration information from your router/firewall vendor. If it doesn't
perform this service, get a Linksys or a Vigor or a Netgear or a DLink or a
Cisco or a Netscreen or a ...??? that does. Alternately, you can build up
an RRAS box on Win2k/2003 that can allow VPN, or ISA server will also
perform this function. Don't be tempted to use your server as the router,
get a machine (an older one should do) and dedicate it to the task.

HTH,
=d=

--
Dana Brash
MCSE, MCDBA, MCSA



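Added example (not written by any poster in this thread): a Python version of the connection test Sooner Al points to, extended to flag the two address mistakes discussed above, namely targeting the desktop's LAN address from outside and a dynamic DNS name that was updated with an internal address. The function names and the sample addresses are assumptions made for illustration.

```python
"""Reachability check for a forwarded Remote Desktop port (added example)."""
import ipaddress
import socket
import sys

RDP_PORT = 3389  # default Remote Desktop listening port named in the thread

# Address blocks that only mean something inside a LAN (RFC 1918 + link-local).
LAN_ONLY = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

ADVICE = {
    "open": "A listener answered: the forward works. Any remaining failure "
            "is on the Remote Desktop host, not the router.",
    "refused": "The connection was actively reset: the router has no forward "
               "for this port, or nothing is listening on the internal host.",
    "filtered": "No answer before the timeout: packets are being dropped by a "
                "firewall on the path, or this is not the router's address.",
    "unreachable": "The network stack could not route to this address.",
}


def address_scope(host):
    """Resolve host (IPv4) and return (ip, scope).

    scope is 'loopback', 'private' or 'public'; 'public' here only means
    "not in one of the LAN-only blocks above".
    """
    ip = ipaddress.ip_address(socket.gethostbyname(host))
    if ip.is_loopback:
        return str(ip), "loopback"
    if any(ip in net for net in LAN_ONLY):
        return str(ip), "private"
    return str(ip), "public"


def probe_tcp(ip, port=RDP_PORT, timeout=5.0):
    """Attempt one TCP connect, the same thing 'telnet <ip> <port>' does."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def check_target(host, port=RDP_PORT, on_lan=False, probe=probe_tcp):
    """Classify the target address, then probe it if probing makes sense.

    on_lan=False models the dial-up case in the thread: the test runs from
    outside, so a LAN-only address cannot be the right target.
    """
    ip, scope = address_scope(host)
    if scope == "private" and not on_lan:
        return {"ip": ip, "scope": scope, "state": "not-probed",
                "advice": "This is a LAN-only address. From outside, use the "
                          "router's public IP or its dynamic DNS name; if "
                          "this came from a dynamic DNS name, the updater is "
                          "publishing an internal address."}
    state = probe(ip, port)
    return {"ip": ip, "scope": scope, "state": state, "advice": ADVICE[state]}


if __name__ == "__main__":
    # Usage: python rdp_check.py <router-public-ip-or-ddns-name> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"  # constructed
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else RDP_PORT
    result = check_target(target, target_port)
    print("%(ip)s (%(scope)s): %(state)s\n%(advice)s" % result)
```

Run it from the remote side of the connection, the way the telnet test is run, and point it at the router's public address or dynamic DNS name.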






  #6  
Old October 17th 04, 09:37 PM
Sooner Al
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

You realize the Remote Desktop data stream is encrypted the same as a PPTP VPN link...

http://msdn.microsoft.com/library/de...p_protocol.asp

....so opening one port for Remote Desktop, ie. TCP Port 3389, is not a big deal...IMHO...

Unless of course the original poster wants to implement an L2TP/IPSec VPN server at home...or
purchase additional/new hardware...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...







  #7  
Old October 17th 04, 10:40 PM
Sooner Al
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

Also note that if you use the default listening port for Remote Desktop there is no need to append
the port number to the address of the RD host PC you're trying to connect to... That, ie. appending
the port number, is only required if you use a non-default listening port...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...








  #8  
Old October 18th 04, 05:04 AM
Dana Brash
Default More on Remote Desktop

Hi Al,

I did not know that. That makes it a very different security story.
However, a port scan would reveal 3389 open and could invite a brute force
attack. Encryption is not authentication, and (particularly if he doesn't
use adequately complex passwords) there is still a chance that someone could
hack his system.

Security aside, he's got the other requirement that he be able "to
retrieve files and faxes". Perhaps I'm taking this too literally to mean
"download" and all he really wants to do is be able to "view" them. If he
doesn't want to download, then Remote Desktop should be fine. If he does
want to download, or otherwise run locally on his laptop, then I don't
believe there is actually a way to do this using Remote Desktop, though I'd
love to know otherwise.

Chances are good, though, that he's already got VPN capabilities on his
current hardware, so I'm not sure he'd have to get anything new. It just
seems like it's pretty commonly included these days. If not, he can get a
firewall to do it for $100. Pretty small investment...

I believe this one would meet his needs:
http://www.linksys.com/products/prod...id=35&prid=537

Available at Amazon for $99.99
http://www.amazon.com/exec/obidos/tg...onics&n=507846


Thanks for the info.

--
Dana Brash
MCSE, MCDBA, MCSA











  #9  
Old October 18th 04, 12:48 PM
Sooner Al
Default More on Remote Desktop

I believe his requirement, at least as I read it is to...

Our needs are to be able to remotely access the desktop to retrieve files
and faxes through the internet.


You can access both remote and local drives/print locally and remotely/etc, while in a Remote
Desktop session, and subsequently cut-n-paste files between the local and remote PCs. The Remote
Desktop connection simply needs to be configured for that in the Options - Local Resources - Local
Devices configuration window when you open the connectoid...

http://support.microsoft.com/default.aspx?scid=kb;[LN];313292

Yes a VPN will work just fine. I was simply trying to help the original poster save a few $$$$ by
using the existing functionality of the OS...and to keep it as simple as possible...:-)

If you need to feel a bit safer you can always change the listening port on the XP Pro box to
something other than the default TCP Port 3389. If you do change the listening port then make sure
you...

a) reboot the PC after making the registry change and
b) make the change to the router port forwarding also.

READ THESE TWO KB ARTICLES FIRST...

http://support.microsoft.com/default...b;EN-US;256986
http://support.microsoft.com/default...b;EN-US;322756

Change the Remote Desktop listening port and calling procedure...

http://support.microsoft.com/default...;en-us;Q306759
http://support.microsoft.com/default...;en-us;Q304304

I always recommend that a "strong password" be used...AFAIK, the password exchange is encrypted
also...You might reference Bill Sanderson's (MS-MVP) reply to a similar question...

http://groups.google.com/groups?hl=e...%3D10%26sa%3DN

You also might consider changing the default client connection encryption level to "High" versus the
default "Client compatible" and *ALWAYS* prompt for a password.... Note this is done on the XP Pro
Remote Desktop host machine...

http://www.microsoft.com/resources/d...e_rem_uvnl.asp

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
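
The host-side settings listed in the post above (listening port, "High" encryption level, always prompt for a password), checked by a read-only audit script. This is an added example, not part of the original posts; the registry paths and value names are the standard Windows ones and are not given in the thread, so treat them as assumptions to confirm on your own system.

```powershell
# Added example: read-only audit of the Remote Desktop host settings named in the post.
# Registry locations are the standard Windows ones (assumption; the thread does not list them).
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermSv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$EncryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EffectiveValue {
    param([string]$LocalPath, [string]$Name)
    # A Group Policy value, when present, overrides the locally configured one.
    $fromPolicy = Get-RegValue -Path $Policy -Name $Name
    if ($null -ne $fromPolicy) { return $fromPolicy }
    return Get-RegValue -Path $LocalPath -Name $Name
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Status, [string]$Note)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Status = $Status; Note = $Note }
}

function Test-RdpHostSettings {
    $deny   = Get-EffectiveValue -LocalPath $TermSv -Name 'fDenyTSConnections'
    $port   = Get-RegValue       -Path $RdpTcp      -Name 'PortNumber'
    $enc    = Get-EffectiveValue -LocalPath $RdpTcp -Name 'MinEncryptionLevel'
    $prompt = Get-EffectiveValue -LocalPath $RdpTcp -Name 'fPromptForPassword'

    if ($deny -eq 1) {
        New-Finding 'Remote Desktop' 'disabled' 'INFO' 'Host is not accepting connections; nothing else to check.'
        return
    }

    # Listening port: a non-default port only works if the router forward matches it.
    if ($null -eq $port) {
        New-Finding 'Listening port' 'unknown' 'WARN' 'PortNumber value not found.'
    } elseif ($port -eq 3389) {
        New-Finding 'Listening port' $port 'INFO' 'Default port; clients need no :port suffix.'
    } else {
        New-Finding 'Listening port' $port 'INFO' 'Non-default; router forward and client address must use this port (reboot after changing).'
    }

    # Encryption level: the post recommends "High" instead of "Client compatible".
    $encName = if ($null -ne $enc) { $EncryptionNames[[int]$enc] } else { $null }
    if ($null -eq $encName) { $encName = 'unknown' }
    if ($null -ne $enc -and [int]$enc -ge 3) {
        New-Finding 'Encryption level' $encName 'OK' 'High or stronger.'
    } else {
        New-Finding 'Encryption level' $encName 'WARN' 'Set the host to High.'
    }

    # Password prompt: reject credentials saved in the client connection file.
    if ($prompt -eq 1) {
        New-Finding 'Always prompt for password' 'enabled' 'OK' 'Saved client passwords are not accepted.'
    } else {
        New-Finding 'Always prompt for password' 'not enabled' 'WARN' 'Enable it on the host.'
    }
}

Test-RdpHostSettings | Format-Table -AutoSize -Wrap
```

The script only reads the registry; none of these settings limit password guessing against an exposed port, so the strong-password advice in the thread still applies.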









  #10  
Old October 18th 04, 02:00 PM
Dana Brash
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

learning learning learning....

cool stuff, that RDP, and a nice improvement over TS in Win2k

I still won't be opening up a port on my firewall for it, but I've already
got VPN. ;-)

Thanks for the good info!

--
Dana Brash
MCSE, MCDBA, MCSA



"Sooner Al" wrote in message
...
I believe his requirement, at least as I read it is to...

Our needs are to be able to remotely access the desktop to retrieve files
and faxes through the internet.


You can access both remote and local drives/print locally and
remotely/etc, while in a Remote Desktop session, and subsequently
cut-n-paste files between the local and remote PCs. The Remote Desktop
connection simply needs to be configured for that in the Options - Local
Resources - Local Devices configuration window when you open the
connectoid...

http://support.microsoft.com/default.aspx?scid=kb;[LN];313292

Yes a VPN will work just fine. I was simply trying to help the original
poster save a few $$$$ by using the existing functionality of the OS...and
to keep it as simple as possible...:-)

If you need to feel a bit safer you can always change the listening port
on the XP Pro box to something other than the default TCP Port 3389. If
you do change the listening port then make sure you...

a) reboot the PC after making the registry change and
b) make the change to the router port forwarding also.

READ THESE TWO KB ARTICLES FIRST...

http://support.microsoft.com/default...b;EN-US;256986
http://support.microsoft.com/default...b;EN-US;322756

Change the Remote Desktop listening port and calling procedure...

http://support.microsoft.com/default...;en-us;Q306759
http://support.microsoft.com/default...;en-us;Q304304

I always recommend that a "strong password" be used...AFAIK, the password
exchange is encrypted also...You might reference Bill Sanderson's (MS-MVP)
reply to a similar question...

http://groups.google.com/groups?hl=e...%3D10%26sa%3DN

You also might consider changing the default client connection encryption
level to "High" versus the default "Client compatible" and *ALWAYS* prompt
for a password.... Note this is done on the XP Pro Remote Desktop host
machine...

http://www.microsoft.com/resources/d...e_rem_uvnl.asp

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual
benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

"Dana Brash" wrote in message
...
Hi Al,

I did not know that. That makes it a very different security story.
However, a port scan would reveal 3389 open and could invite a brute
force attack. Encryption is not authentication, and (particularly if he
doesn't use adequately complex passwords) there is still a chance that
someone could hack his system.

Security aside, he's got the other requirement that he be able to "to
retrieve files and faxes". Perhaps I'm taking this too literally to mean
"download" and all he really wants to do is be able to "view" them. If he
doesn't want to download, then Remote Desktop should be fine. If he does
want to download, or otherwise run locally on his laptop, then I don't
believe there is actually a way to do this using Remote Desktop, though
I'd love to know otherwise.

Chances are good, though, that he's already got VPN capabilities on his
current hardware, so I'm not sure he'd have to get anything new. It just
seems like it's pretty commonly included these days. If not, he can get
a firewall to do it for $100. Pretty small investment...

I believe this one would meet his needs:
http://www.linksys.com/products/prod...id=35&prid=537

Available at Amazon for $99.99
http://www.amazon.com/exec/obidos/tg...onics&n=507846


Thanks for the info.

--
Dana Brash
MCSE, MCDBA, MCSA



"Sooner Al" wrote in message
...
You realize the Remote Desktop data stream is encrypted the same as a
PPTP VPN link...

http://msdn.microsoft.com/library/de...p_protocol.asp

...so opening one port for Remote Desktop, ie. TCP Port 3389, is not a
big deal...IMHO...

Unless of course the original poster wants to implement an L2TP/IPSec
VPN server at home...or purchase additional/new hardware...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual
benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

"Dana Brash" wrote in message
...
Basic lowdown: You would use the Router's_public_IP :3389. On the
router you would create a 'service' (or however your particular piece
of hardware refers to port mapping) for port 3389 and point it to the
Static IP of the internal server. But again, I would strongly
recommend that you use VPN instead as opening this up is a huge
security hole. If you open port 3389 on your firewall to the world,
you will almost certainly get hacked. Please, please, please don't do
it. Secure your communications through a VPN Connection. You shouldn't
need any rules on your firewall to get between your clients and server
on your own LAN. You will need something in place to get into your LAN
from external.

How it works:
Your DSL or Cable Modem or whatever you're using gets a public IP
address, probably (99.9%) dynamically assigned. On the other side, when
you dial up to earthlink, your laptop also gets a public IP. So the
first step in getting your laptop into that LAN server has got to be
making these two public IP's talk to each other. But as you're using a
home network, chances that your public IP is static are very, very
slim: so you don't know where to point your laptop to connect. You will
want to follow Al Jarvi's suggestion and go with something like
http://www.no-ip.com or I use http://www.changeip.com. These services
will let you map a DNS name to your dynamically assigned Public (Cable
or DSL) IP address. When you use these services, you no longer have to
know the IP because they keep a record and you just have to refer to
the URL. Mine is dana.blahblah.com (not really, but for example's
sake...) Even if you do decide to open 3389, you'll still want the
Dynamic IP DNS service so that you can find your network in the first
place.

Your network must run a client-side service to update the Dynamic IP
DNS servers directly when your public IP address changes. There are
several ways to do it. The modem sometimes does it, the
router/firewall sometimes does it, or you can install a small client on
the OS that will do it. The key is, whichever machine holds the public
IP needs to be making the update (updating the public IP address
information with an internal IP address isn't going to help you). I
have mine setup so that my firewall makes the PPPoE connection to my
ADSL ISP. My firewall can be configured to update ChangeIP.com. So
when the PPPoE connection on the firewall gets a new public IP,
ChangeIP knows about it. If I was using ICS or RRAS on my server, I
would download and run the ChangeIP client on that server.

So, when I want to connect to my internal server, here is how I do it.
I set up a VPN connection on my firewall, using L2TP and IPSec with a
pre-shared key. I configure my user there. I then create a VPN
connection on my laptop. My VPN connection is configured to first open
my dialup connection. It is then configured to connect to
dana.blahblah.com AS A URL, and pass it the right username, password,
and pre-shared key. It is also configured to use my LAN DNS servers for
DNS resolution (so I can reference my internal servers by name). The
firewall then authenticates and connects me, and gives me A LOCAL IP
ADDRESS ON MY LAN.

Once I've created the VPN 'tunnel' to my LAN, and gotten my LAN IP
address, I can connect to resources just as if I'm sitting in my home
office. Once you have an internal IP, you don't have to worry about
ports anymore. Everything is dial-up slow now, but I can get there. I
think this solution will better meet your needs for getting to files
and faxes and what not anyway. Remote Desktop is not really going to be
your best option for transferring files (as in it won't do it).

This is not simple stuff. It would be impossible for me to give you
all the information you need to get this up and running properly
without you doing other reading. A Google search for "VPN overview"
returns a bunch of great articles on the general nature of VPN. I
would suggest looking up the VPN configuration information from your
router/firewall vendor. If it doesn't perform this service, get a
Linksys or a Vigor or a Netgear or a DLink or a Cisco or a Netscreen or
a ...??? that does. Alternately, you can build up an RRAS box on
Win2k/2003 that can allow VPN, or ISA server will also perform this
function. Don't be tempted to use your server as the router, get a
machine (an older one should do) and dedicate it to the task.

HTH,
=d=

--
Dana Brash
MCSE, MCDBA, MCSA



"mchjr01" wrote in message
news Dana,

Thanks for your prompt reply.

I have a home network with two laptops, a desktop and two printers. The
laptops are wireless and the desktop is wired to a router - sharing the DSL
connection as stand alone workstation to access the internet. The desktop is
being used as storage of huge files and as a fax server. So far, I configured
the ip forwarding (desktop ip) on my router through TCP3389 and made the
desktop ip static. On the laptops I made the IPs static as well.

Our needs are to be able to remotely access the desktop to retrieve files
and faxes through the internet. From my laptop, I configured remote desktop
to connect to as: ipdesktop:3389. When I am connected to my LAN I can connect
with no problem, but when I try to connect via regular dial-up through my
ISP (earthlink.net), I am getting the error messages that either the desktop
is busy or I do not have the permissions to connect. Tell me, to connect - do
I use the routersip:3389 or the desktopip:3389?

Again thanks for your time and you are a valuable resource of information -
keep up the good work.

Mike

"Dana Brash" wrote:

Hi Mike,

A bit more information about your environment would be helpful. Are you in
a domain or workgroup? What are you using for a firewall (brand/model)?
How are you connected to the internet? Do you have a static public IP?
etc...

It does sound like you're getting blocked at the firewall, except for one
thing. You said:

When I tried to connect via dial up outside of my LAN I am
getting an error message(...)

What are you dialing in to? Do you mean that your laptop is making a Dialup
connection to the internet, are you dialing in to your firewall/router, do
you have RRAS configured internally to accept dial-in connections?

If you are simply trying to get to the server via the public IP of the
firewall, then you could open up port 3389 and have it point to your
internal server, but this would open it up for everyone. Not a great idea.
Depending on your firewall, you may be able to create a policy that would
allow only your laptop through, particularly if you have a static IP to use.
However, since you're a laptop, I assume you move around and stay in hotels
and get on wireless at the airport and Starbucks and what not, and that
you're pretty much not going to have a static IP for your laptop.

If you are trying to dial in to an RRAS server, you need to make sure that
your user account has dial-in permission enabled. Are you in a Domain? Do
this in Active Directory Users and Computers on your user properties. It
doesn't sound like you're actually dialing in to an RRAS server, so I won't
pursue this idea at this point....

So, I would suggest creating a VPN tunnel into your LAN from outside. Then
your laptop will make a connection to the internet, and once connected to
the internet can open a tunnel through your firewall. Your firewall can
then authenticate you, encrypt your packets and let you in to the LAN 'just
like' you're sitting on the LAN itself (albeit much, much slower). Many
home products these days offer VPN capabilities, as do RRAS, and ISA server
as well.

HTH
=d=


--
Dana Brash
MCSE, MCDBA, MCSA



"mchjr01" wrote in message
...
Sorry on bugging you on this remote desktop issue but I really need to
remotely access my desktop where I store my huge files and use it as a fax
server.

This is what I have done so far:

On the desktop that I would like to access remotely, I changed the IP to
static. On the router I enabled the virtual server and added the desktop
static IP to forward through TCP3389.

When I initiated remote access from my laptop I type: desktop ip:3389. I
tried it while I am connected on the same LAN network where the desktop - I
got through. When I tried to connect via dial up outside of my LAN I am
getting an error message of either the remote PC is busy or do not have
permissions to connect.

My suspicion is I am being blocked by the router's firewall. Is there a way
I can make my laptop's IP static and add the same IP on my router as trusted?
Do I assign the static IP just like the way I did it on the desktop.

I have SP2 update installed on my XP-Pro.

Please advise and again many thanks to you.


Mike











  #11  
Old October 18th 04, 02:27 PM
Sooner Al
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

You can still use Remote Desktop through the VPN tunnel. In fact that is one of the strategies if
you want to access more than one TS or Remote Desktop session, all of which are listening on the
default port, *AND* not open multiple holes in the firewall (for different listening ports)... You
can also "daisy chain" Remote Desktop sessions so you only open one hole. Meaning you establish the
first RD session, then while on the remote desktop start another RD session to the second remote PC,
etc, etc...etc... That, however, can get quite messy very fast trying to keep which desktop is which
straight...:-)

As you noted, there are lots of good reasons to use VPN for some users. For other users Remote
Desktop is equally as good... It simply depends on your needs, etc...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

  #12  
Old October 18th 04, 07:07 PM
Jason
external usenet poster
 
Posts: n/a
Default More on Remote Desktop

Another option is to use WebEx access anywhere (
http://www.webex.com/go?accessone ) to install a small agent on your
file server and then your laptop can access your desktop as long as it
has an access to a browser and internet. You don't need to open any
other ports, mess around with IP address. And it is secure with 128
bit encryption. It is having free trial until 2005. You can give it a
try and see if this solves your problems.

Jason
"Sooner Al" wrote in message ...
Are you calling the correct public IP of the router when you use the laptop to test this from a
remote site or via a dialout connection? You can find the current ISP assigned IP by going to the...

http://www.whatismyip.com

...site from your desktop. One way to test if your router port forwarding is working correctly is to
use this telnet test from a remote site...

http://support.microsoft.com/default...;en-us;Q187628

Additionally if your ISP assigns a dynamic IP to your router, then another solution is to setup an
account with one of the dynamic naming services that map a fully qualified domain name to the IP.
In my case I use a FREE service from No-IP.com. The No-IP.com software runs on my XP Pro box and on
a time schedule basis contacts the No-IP.com servers. The No-IP.com servers then know what your IP
is and maps that to a fully qualified domain name. That information is then propagated over the
public internet. You could then call the client PC using the fully qualified domain name. It works
very well for me when I call my home network using Remote Desktop.

http://www.no-ip.com

Others...

http://www.remotenetworktechnology.c....aspx?tabid=56

Please post additional questions concerning Remote Desktop to the
microsoft.public.windowsxp.work_remotely news group.

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

"mchjr01" wrote in message
...
Sorry on bugging you on this remote desktop issue but I really need to
remotely access my desktop where I store my huge files and use it as a fax
server.

This is what I have done so far:

On the desktop that I would like to access remotely, I changed the IP to
static. On the router I enabled the virtual server and added the desktop
static IP to forward through TCP3389.

When I initiated remote access from my laptop I type: desktop ip:3389. I
tried it while I am connected on the same LAN network where the desktop - I
got through. When I tried to connect via dial up outside of my LAN I am
getting an error message of either the remote PC is busy or do not have
permissions to connect.

My suspicion is I am being blocked by the router's firewall. Is there a way
I can make my laptop's IP static and add the same IP on my router as trusted?
Do I assign the static IP just like the way I did it on the desktop.

I have SP2 update installed on my XP-Pro.

Please advise and again many thanks to you.


Mike
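
The telnet test mentioned above for checking the router's port forward can be taken one step further. The following is an added example, not code from any poster in this thread: a Python check, run from outside the LAN against your own router address, that separates a filtered port from a closed one and confirms that whatever answers on the forwarded port is really Remote Desktop. The function names, status labels, hint texts and sample bytes are constructed for illustration.

```python
import socket
import struct

# First packet of any RDP session: an X.224 Connection Request (type 0xE0)
# inside a TPKT header (version 3, total length 11). No cookie, no negotiation.
X224_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")

# What each outcome usually means for a home port-forward setup (constructed labels).
HINTS = {
    "rdp": "forward works and the host answers as Remote Desktop",
    "open-not-rdp": "port is open but something other than RDP answered; "
                    "check which internal IP and port the forward points to",
    "open-no-answer": "TCP connects but nothing replies; host service may be hung",
    "closed": "connection refused; no forward rule for this port, or the "
              "host is not listening on it (listening port changed?)",
    "filtered": "no reply at all; a firewall or ISP is dropping the traffic, "
                "or this is not the router's current public IP",
    "unreachable": "name did not resolve or there is no route to the address",
}


def is_connection_confirm(data: bytes) -> bool:
    """True if data is a TPKT-framed X.224 Connection Confirm (type 0xD0)."""
    if len(data) < 7:
        return False
    version, _reserved, length = struct.unpack(">BBH", data[:4])
    if version != 3 or length < 7:
        return False
    # data[4] is the X.224 length indicator, data[5] the PDU type code.
    return data[5] & 0xF0 == 0xD0


def check_rdp_forward(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Probe host:port once and return one of the keys of HINTS."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(X224_CONNECTION_REQUEST)
            reply = sock.recv(64)
        except OSError:  # includes timeouts and resets after the connect
            return "open-no-answer"
    if not reply:
        return "open-no-answer"
    return "rdp" if is_connection_confirm(reply) else "open-not-rdp"


if __name__ == "__main__":
    # Constructed replies, so the parser can be exercised without a network.
    samples = {
        "confirm from an RDP host": bytes.fromhex("0300000b06d00000123400"),
        "banner from another service": b"220 mail ready\r\n",
    }
    for label, raw in samples.items():
        print(label, "->", is_connection_confirm(raw))
    # To test your own forward from outside the LAN (hostname is a placeholder):
    # status = check_rdp_forward("home.example.net", 3389)
    # print(status, "-", HINTS[status])
```

If the listening port on the XP Pro box has been changed, pass the new port number; a "closed" result on the new port with "rdp" on 3389 means the router rule or the reboot step was missed.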

 



