Can only connect via Remote Desktop when on local network?

cgott42 (Member, joined Jan 6, 2002):
I have a server PC at home running Win 7 Pro and connect to it from my laptop via Windows Remote Desktop. I have no problem logging in while I am home on the same network as the server, logging in with the local IP (192.168...). However, when I'm away from home and try to connect via the server's public IP (obtained from whatsmyip.org), it gives me an error message stating that the server is not there.
Any idea?
Thanks

John Connor (Lifer, joined Nov 30, 2012):
Did you bother to port forward the RDP port to that server's IP address? Use this to verify: http://www.networkappers.com/tools/open-port-checker

You would be better off using Team Viewer, though. Having that RDP port open just begs for a hacker to come on in. With TV you can two-factor the account, and it will punch through a firewall. Plus TV is available on many platforms, even Android, Apple and BlackBerry. Throw a good firewall on there and PeerBlock, at least using blacklists from China, Russia, the Ukraine, Romania, Amazon, Azure and CloudFlare. I have these lists at my website.

I have my own little server in a netbook. It hosts Teamspeak and FTP. Great for transferring files between my smartphone and Comps.

If I was running Windows on a decent server I'd use VMware with CentOS.
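An open-port checker only tells you that TCP 3389 answers. The following is an added example written for this page, not code from any poster: it sends the real first message of an RDP connection (the X.224 Connection Request carrying an RDP_NEG_REQ, as defined in MS-RDPBCGR) while offering only legacy Standard RDP Security, then decodes the server's Connection Confirm to see whether the server settles for that or insists on TLS or Network Level Authentication (NLA). Whether TLS or NLA is used is negotiated per connection, not guaranteed by "RDP", so it is worth checking rather than assuming. The host in the `__main__` block is a placeholder; run it only against machines you own.

```python
import socket
import struct

# Security protocol flags from MS-RDPBCGR 2.2.1.1.1 (RDP_NEG_REQ.requestedProtocols /
# RDP_NEG_RSP.selectedProtocol).
PROTOCOL_RDP = 0x00000000        # Standard RDP Security: no TLS, no NLA, logon screen after connect
PROTOCOL_SSL = 0x00000001        # TLS, but credentials are still typed into the logon screen
PROTOCOL_HYBRID = 0x00000002     # CredSSP / Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR fields after the length indicator: CR|CDT, DST-REF, SRC-REF, class option
    x224 = struct.pack("!BHHB", 0xE0, 0, 0, 0) + neg_req
    body = bytes([len(x224)]) + x224
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and its optional rdpNegData."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed response")
    if struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the bytes received")
    li = data[4]
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]            # whatever follows the 6 fixed X.224 CC bytes
    if not neg:
        # Servers that predate negotiation answer with a bare CC: Standard RDP Security only
        return {"result": "accepted", "protocol": PROTOCOL_RDP, "negotiated": False}
    typ, _flags, length, value = struct.unpack("<BBHI", neg[:8])
    if length != 8:
        raise ValueError("malformed rdpNegData length %d" % length)
    if typ == TYPE_RDP_NEG_RSP:
        return {"result": "accepted", "protocol": value, "negotiated": True}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"result": "refused", "failure": FAILURE_CODES.get(value, "0x%08x" % value)}
    raise ValueError("unexpected rdpNegData type 0x%02x" % typ)


def verdict(parsed):
    """Classify what a request that offered only PROTOCOL_RDP got back."""
    if parsed["result"] == "accepted":
        proto = parsed["protocol"]
        if proto & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
            return "NLA"
        if proto & PROTOCOL_SSL:
            return "TLS_NO_NLA"
        return "LEGACY_RDP"          # no TLS, no NLA: anyone who can connect reaches the logon screen
    code = parsed["failure"]
    if code in ("HYBRID_REQUIRED_BY_SERVER", "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"):
        return "NLA_REQUIRED"        # credentials are checked before any session is created
    if code == "SSL_REQUIRED_BY_SERVER":
        return "TLS_REQUIRED"        # encrypted, but the logon screen is still exposed
    return "REFUSED_" + code


def probe(host, port=3389, timeout=5.0):
    """Live check: offer only Standard RDP Security and see whether the server accepts it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return verdict(parse_connection_confirm(s.recv(1024)))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address, use your own host
    print(target, "->", probe(target))
```

A result of `LEGACY_RDP` or `TLS_REQUIRED` means the Windows logon screen is handed to anyone who can reach the port; `NLA_REQUIRED` means the server rejects the session before it exists unless valid credentials are supplied through CredSSP, which is the setting ("Allow connections only from computers running Remote Desktop with Network Level Authentication" in the Remote settings dialog) worth turning on before forwarding the port. The single `recv` is enough for the short Connection Confirm in practice; a production scanner would read until the TPKT length is satisfied.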

cgott42 (Member, joined Jan 6, 2002):
Thanks, I opened the port and it worked perfectly. However, you have me nervous about hackers. Although I can (and do) access the server via Team Viewer, I can't use Team Viewer from my laptop (employer-issued, and they don't allow TV or any other software). Any suggestion on how to keep the open port secure, or another option?
Also, is this concern true of any port opened on my PC, or just for Remote Desktop?
Thanks!

PliotronX (Diamond Member, joined Oct 17, 1999):
The thing is that at the very least you should translate a port to 3389, because it's a commonly scanned port. With it wide open, script kiddies can attack it and try to gain access, so you need to have strong passwords on all accounts etc. The RD protocol uses TLS handshakes for authentication, so your password is not transmitted in plain text. I prefer to RDP over a VPN, but I have not seen any successful unauthorized access in places where it's exposed to the internet.
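Whether script kiddies are actually hammering an exposed 3389 is something the server's own Security log will show. The following is an added example written for this page, not code from any poster: a small detector over constructed event 4625 records ("An account failed to log on") that flags a source address with many failures in a short window, or one that cycles through many different account names (password spraying, which a per-account lockout threshold does not catch). The field names follow event 4625; the sample records, the day they are dated, and the thresholds are made up for the example. On the Win 7 box the real records would come out of Event Viewer or `wevtutil`; converting them to the tuples used here is assumed, not shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hms):
    """Timestamp helper for the constructed sample (one arbitrary day)."""
    return datetime.strptime("2014-03-01 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample of Security-log event 4625 records, reduced to
# (TimeCreated, TargetUserName, IpAddress, LogonType). Not real log data.
# Logon type 10 = RemoteInteractive (the RDP logon screen); with NLA in use, failed
# CredSSP logons are generally recorded as type 3 (Network), so both count as RDP here.
SAMPLE_EVENTS = [
    (_t("02:10:05"), "administrator", "203.0.113.7", 10),
    (_t("02:10:09"), "administrator", "203.0.113.7", 10),
    (_t("02:10:14"), "administrator", "203.0.113.7", 10),
    (_t("02:10:20"), "administrator", "203.0.113.7", 10),
    (_t("02:10:27"), "administrator", "203.0.113.7", 10),
    (_t("02:10:33"), "administrator", "203.0.113.7", 10),
    (_t("02:10:41"), "administrator", "203.0.113.7", 10),
    (_t("02:10:50"), "administrator", "203.0.113.7", 10),
    (_t("03:00:12"), "admin", "198.51.100.23", 3),
    (_t("03:01:40"), "guest", "198.51.100.23", 3),
    (_t("03:03:05"), "user", "198.51.100.23", 3),
    (_t("03:04:31"), "backup", "198.51.100.23", 3),
    (_t("07:45:00"), "homeuser", "192.168.1.20", 10),   # one mistyped password from the LAN
    (_t("09:12:00"), "svc", "192.168.1.50", 2),         # interactive (console) logon, not RDP: ignored
]

RDP_LOGON_TYPES = (3, 10)


def detect(events, threshold=5, window=timedelta(minutes=5), spray_users=4):
    """Flag source addresses that brute-force one account or spray many accounts."""
    by_ip = defaultdict(list)
    for ts, user, ip, logon_type in events:
        if logon_type in RDP_LOGON_TYPES:
            by_ip[ip].append((ts, user))

    alerts = []
    for ip, items in by_ip.items():
        items.sort()
        # Sliding window: the largest number of failures whose timestamps fit inside `window`
        start, peak = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"type": "brute_force", "ip": ip, "failures_in_window": peak})
        # Spraying: few attempts per account, many accounts, from one address
        users = {user for _, user in items}
        if len(users) >= spray_users:
            alerts.append({"type": "password_spray", "ip": ip, "distinct_users": len(users)})
    return sorted(alerts, key=lambda a: (a["ip"], a["type"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two checks are deliberately separate: `203.0.113.7` trips the burst threshold on a single account, while `198.51.100.23` stays under it and is only caught by the distinct-user count. The single failure from `192.168.1.20` produces nothing, which is the point of thresholds rather than alerting on every 4625.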

Ichinisan (Lifer, joined Oct 9, 2002):
This is why an incoming connection to your public IP would not work without port forwarding configuration in the router:

The router has the public IP address assigned. It creates a private/local network where all the devices behind your router get private/internal IP addresses from the router and they can all talk to each other freely and share things without exposing them to the entire Internet. Since the router does NAT, all the clients on the local/private network basically share one Internet IP address (assigned to the router). When an incoming connection to that IP address reaches the router, the router doesn't know which local device to send it to. Most protocols (including Remote Desktop) are associated with a default port number. If you configure the router to forward that specific port or protocol to the listening server on the local network, the incoming connection can finally get past your router and reach the correct computer/device.

One thing: You'll want to make sure the router has a DHCP reservation so it recognizes the unique MAC ID of your computer and always gives your computer the same IP address. Otherwise, the computer's assigned IP can change when the router reboots and all your devices get re-numbered. Then your rule doesn't work anymore because it's forwarding to some other computer/device that isn't even listening on port 3389.

As an alternative to DHCP reservation, you can enter a manual IP address on your computer. You'd still want to configure the router's DHCP range to avoid assigning that IP to anything else, which can cause a conflict. If the first automatic IP address your router gives is 192.168.1.100, then 192.168.1.99 would be a safe one to use manually on your computer. I configure DHCP to start with .10 and end with .200 -- plenty of automatic IPs and I can still assign some manually to network printers and other things where it can be a hassle for them to change the address.

John Connor (Lifer, joined Nov 30, 2012):
Quote:
With PeerBlock can I block all IPs except the one from my laptop, so that my laptop is the only one able to access my server?

You can't block all IPs. The lists would be massive. I would look into that pfSense device I linked to.