Setting up RDP for LAN computers in Win Server 2003

Booshanky

Member
Dec 17, 2001
Hi guys,

Never really played around with Windows RDP stuff but I have a client who likes it and I have no idea where to begin.

Any good article on how to set up RDP for client computers on a Windows Server 2003 domain? Right now when I open up mstsc and input the public IP at the office it just logs me into the domain controller, not to the client computer I'm expecting.

Thanks,
-Mark

RebateMonger

Elite Member
Dec 24, 2005
Before we get too far, is there an SBS 2003 server on site, or just Server 2003 Standard?

SBS 2003 and Windows Home Server have Remote Access management built in. Users log into the network and are presented with a remote access menu where they select the appropriate PC to access.

Otherwise you'll want to set up each PC's RDP service to work on a unique TCP/IP port, modify each one's inbound firewall appropriately, and modify the Internet router to port forward TCP requests on each port to the appropriate internal IP address of each PC.

If using different ports, then each user will need to be instructed how to do an RDP connection to his or her unique TCP port. If using SBS or WHS, then everybody uses the standard TCP Port 3389 or uses the built-in Remote Access web sites provided by SBS and WHS.

Booshanky

Member
Dec 17, 2001
"Microsoft Windows Server 2003 For Small Business Server" is what's listed in the properties of My Computer on the server. I'm guessing that's SBS.

Here's the thing though, I open up MSTSC on my computer at home, input the public IP at the office, and it only gives me the option to log into the servers, not any of the client computers on the network. Is this because I'm using the Administrator account? I don't know any of the passwords for the client computers on the network there.


This is a screenshot of what I see when I do this: [screenshot]

See, it only gives me the option to log into the "fileserver" or "FS" which is the domain controller.

Any idea what's up?

theevilsharpie

Platinum Member
Nov 2, 2009
> Hi guys,
>
> Never really played around with Windows RDP stuff but I have a client who likes it and I have no idea where to begin.
>
> Any good article on how to set up RDP for client computers on a Windows Server 2003 domain? Right now when I open up mstsc and input the public IP at the office it just logs me into the domain controller, not to the client computer I'm expecting.
>
> Thanks,
> -Mark

In order to connect to a client computer via RDP over the Internet, you'll need to choose from one of four options:
  1. A static public IP for each computer
  2. Different ports for RDP configured on each client (please don't actually do this)
  3. Some sort of VPN that gives Internet clients access to the local network
  4. Use Remote Web Workplace to proxy RDP connections (SBS only)

I suggest using RWW.

Booshanky

Member
Dec 17, 2001
I guess I should explain the current situation.

This is a friend's company and they just ditched their IT guy. I know quite a bit, but I'm not super familiar with Windows Server, and I know nothing about RDP.

The guy that was there has it set up so that it works for people, but it's just this one user that doesn't work.

I'm trying to figure out how it's currently set up, so that I can work from there, but I see nothing at all in the server about how to do it. I assumed that there was some setting that says "if client A logs in, they're directed to computer B", but there's nothing in there like that.

There are no static IPs in the office, just NAT on the 192.x.x.x range. The computers have statically assigned IPs on that network.

So where would I look to find out how RDP is currently configured for users?

Red Squirrel

No Lifer
May 24, 2003
What you'll want to do is set up an SSH server and open the SSH port to the outside (don't open RDP to the outside!) and then enable RDP on each computer that they want it enabled on (right-click My Computer, go to Properties, then Remote).

Users would have their own SSH account so they'd log in with that, then set up an SSH tunnel to the computer they want to RDP to. You could create preset PuTTY config files or something to make it easier. In fact, I'm sure there are ways you can set up a Linux box to authenticate with a DC, so they'd log in to SSH with their domain credentials. I'm not sure how to do this, though, but I'm sure it can be done.

For extra security the SSH box should be fairly locked down, where they can't really connect to any other ports but RDP through it. Disable outside internet access from that box so they can't wget files off the internet and execute them or what not.

theevilsharpie

Platinum Member
Nov 2, 2009
> What you'll want to do is set up an SSH server and open the SSH port to the outside (don't open RDP to the outside!) and then enable RDP on each computer that they want it enabled on (right-click My Computer, go to Properties, then Remote).
>
> Users would have their own SSH account so they'd log in with that, then set up an SSH tunnel to the computer they want to RDP to. You could create preset PuTTY config files or something to make it easier. In fact, I'm sure there are ways you can set up a Linux box to authenticate with a DC, so they'd log in to SSH with their domain credentials. I'm not sure how to do this, though, but I'm sure it can be done.
>
> For extra security the SSH box should be fairly locked down, where they can't really connect to any other ports but RDP through it. Disable outside internet access from that box so they can't wget files off the internet and execute them or what not.

Err, what?

The SBS server supports PPTP and L2TP/IPSec, which all modern versions of Windows natively support. There's absolutely no reason to complicate it by throwing SSH into the mix.

Red Squirrel

No Lifer
May 24, 2003
> Err, what?
>
> The SBS server supports PPTP and L2TP/IPSec, which all modern versions of Windows natively support. There's absolutely no reason to complicate it by throwing SSH into the mix.

Well I suppose a VPN is also a viable option. Just don't open RDP straight out to the internet. It provides no brute force protection, no logging, etc. Someone or a bot could sit there and brute force all day and eventually get in.

I also forgot to mention with the SSH route, an app like fail2ban is a must. 3 strikes yer out, is the policy I usually set. A non-standard port helps a lot too. Most of the bots out there only bother checking the standard ports.

theevilsharpie

Platinum Member
Nov 2, 2009
> Well I suppose a VPN is also a viable option. Just don't open RDP straight out to the internet. It provides no brute force protection, no logging, etc. Someone or a bot could sit there and brute force all day and eventually get in.

All modern versions of Windows support account lockout after a set number of failed login attempts, through RDP, Windows VPNs, or any other situation that requires authentication with an account managed by Windows.
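The two posts above argue about fail2ban-style "3 strikes" per source address versus Windows account lockout per account. As an added example that is not from the thread, the script below applies the same strikes-in-a-window rule both ways over a constructed, simplified export of Windows Server 2003 security events (529 = failed logon, 539 = account locked out); the CSV layout and all addresses and account names are constructed for the example.

```python
"""Windowed failed-logon detection over a constructed Windows Server 2003
security-log export (added example, not from the thread). Event 529 = logon
failure (bad user name/password), 539 = account locked out; the CSV layout
is a simplified stand-in for the real event format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time,event_id,account,source_ip
SAMPLE_LOG = """\
2010-02-01 08:00:01,529,jsmith,203.0.113.7
2010-02-01 08:00:03,529,jsmith,203.0.113.7
2010-02-01 08:00:05,529,jsmith,203.0.113.7
2010-02-01 08:00:07,539,jsmith,203.0.113.7
2010-02-01 08:10:00,529,alice,198.51.100.9
2010-02-01 08:10:01,529,bob,198.51.100.9
2010-02-01 08:10:02,529,carol,198.51.100.9
2010-02-01 08:10:03,529,dave,198.51.100.9
2010-02-01 09:30:00,529,alice,192.168.1.20
"""

def parse(text):
    """Yield (timestamp, event_id, account, source_ip) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, acct, ip = line.split(",")
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), acct, ip

def detect(text, threshold=3, window=timedelta(minutes=5)):
    """Apply one N-strikes-in-a-window rule two ways: per source IP (what
    fail2ban does) and per account (what Windows account lockout does).
    Returns (banned_ips, flagged_accounts, server_locked_accounts)."""
    by_ip, by_acct = defaultdict(deque), defaultdict(deque)
    banned_ips, flagged_accts, locked = set(), set(), set()
    for ts, eid, acct, ip in parse(text):
        if eid == 539:                # server already locked the account
            locked.add(acct)
            continue
        if eid != 529:                # only failed logons count as strikes
            continue
        for key, table, hits in ((ip, by_ip, banned_ips),
                                 (acct, by_acct, flagged_accts)):
            q = table[key]
            q.append(ts)
            while ts - q[0] > window: # expire strikes older than the window
                q.popleft()
            if len(q) >= threshold:
                hits.add(key)
    return banned_ips, flagged_accts, locked
```

On the sample, the per-IP view bans both 203.0.113.7 and the spraying 198.51.100.9, while the per-account view only ever flags jsmith: a spray that stays under the lockout threshold on every account is invisible to lockout alone.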

Booshanky

Member
Dec 17, 2001
I don't really like RDP because of how it always logs people off and all that stuff. Normally I just use Radmin on all the client computers as well as the server, but I only open the main port (4899) to the server, and then direct all the client computers through the server. So I'll double click on the icon for a specific computer (192.168.1.10 say) and it'll first ask me for the Radmin password for the server comp (on the public IP), then it prompts me for the Radmin password of the client and lets me in.

I assumed that RDP in server 03 did something similar, but I'm guessing now that's not the case. Normally I'd just log into the router and check the port forwarding to see what's up, but nobody knows the router password and I'm going to have to reset it. I would rather not do that as it's going to wipe out a bunch of relevant info, so that's why I'm trying to figure out how this is configured first.

dawks

Diamond Member
Oct 9, 1999
> Err, what?
>
> The SBS server supports PPTP and L2TP/IPSec, which all modern versions of Windows natively support. There's absolutely no reason to complicate it by throwing SSH into the mix.

Yes, you'll want to do a VPN, then a client can connect to the computer of their choice.

The only way to choose which computer to connect to is by specifying its IP. By giving a remote IP, the router is forwarding it to the server specified in the router.

sharpie's suggestions are good. Building on the SBS note, Server 2008 has a new Terminal Services Gateway, which may let you choose a computer to connect to after establishing a connection to the TSG. I don't know if this is the case for sure, since I've never used it, but I have a feeling it is. Perhaps it could even forward the RDP client to a pre-configured system based on the username.

RebateMonger

Elite Member
Dec 24, 2005
SBS has a unique Remote Access Management web site, Remote Web Workplace. You can view it internally by typing:

http://servername/Remote

Similarly, RWW is accessed from the internet by opening:

https://publicservername/Remote

It's VERY secure, and not susceptible to "man-in-the-middle" attacks like, theoretically, standard RDP. You don't use standard RDP at all. Only a secure (SSL) web site and automatically encrypted communications throughout.

It requires port forwarding of TCP port 443 and TCP port 4125 to your SBS Server. Port 3389 isn't used at all.

When the User logs in with his/her Domain account, one of the options is to log into the computers in the office with a pull-down selection menu. By default, SBS Users are members of the Remote Web Workplace Users security group, which allows access to the RWW web site.

It's all very simple to set up and use, doesn't require individual PC setup, and can handle multiple people accessing multiple computers simultaneously. Users never see the actual SBS server.

Microsoft has reference papers on how to use all of this. If you are managing an SBS 2003 server without doing any reading about it, you are likely missing MANY of its built-in features that don't come with a Standard Server 2003. There are several good books on the topic.

RebateMonger

Elite Member
Dec 24, 2005
YouTube video on how to use SBS 2003 Remote Web Workplace:

http://www.youtube.com/watch?v=aayUR43KzPI

When PCs are joined to the SBS Domain, the remote access is automatically configured.

If RWW isn't already being used for remote access by that office, then the original IT person likely didn't know what he/she was doing.

Nothinman

Elite Member
Sep 14, 2001
> What you'll want to do is set up an SSH server and open the SSH port to the outside (don't open RDP to the outside!) and then enable RDP on each computer that they want it enabled on (right-click My Computer, go to Properties, then Remote).
>
> Users would have their own SSH account so they'd log in with that, then set up an SSH tunnel to the computer they want to RDP to. You could create preset PuTTY config files or something to make it easier. In fact, I'm sure there are ways you can set up a Linux box to authenticate with a DC, so they'd log in to SSH with their domain credentials. I'm not sure how to do this, though, but I'm sure it can be done.
>
> For extra security the SSH box should be fairly locked down, where they can't really connect to any other ports but RDP through it. Disable outside internet access from that box so they can't wget files off the internet and execute them or what not.

All of that is pointless and just adds extra complexity for the users since RDP is already encrypted and is perfectly secure with a proper security policy.

Booshanky

Member
Dec 17, 2001
> SBS has a unique Remote Access Management web site, Remote Web Workplace. You can view it internally by typing:
>
> http://servername/Remote
>
> Similarly, RWW is accessed from the internet by opening:
>
> https://publicservername/Remote
>
> It's VERY secure, and not susceptible to "man-in-the-middle" attacks like, theoretically, standard RDP. You don't use standard RDP at all. Only a secure (SSL) web site and automatically encrypted communications throughout.
>
> It requires port forwarding of TCP port 443 and TCP port 4125 to your SBS Server. Port 3389 isn't used at all.
>
> When the User logs in with his/her Domain account, one of the options is to log into the computers in the office with a pull-down selection menu. By default, SBS Users are members of the Remote Web Workplace Users security group, which allows access to the RWW web site.
>
> It's all very simple to set up and use, doesn't require individual PC setup, and can handle multiple people accessing multiple computers simultaneously. Users never see the actual SBS server.
>
> Microsoft has reference papers on how to use all of this. If you are managing an SBS 2003 server without doing any reading about it, you are likely missing MANY of its built-in features that don't come with a Standard Server 2003. There are several good books on the topic.

I was looking around in the KB about RDP and all that stuff but I couldn't find anything relevant about how to set this up.

Additionally, when I do what you say on the local network there (server name is fsexchange so it'd be http://fsexchange/remote) I just get this stuff:

You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
--------------------------------------------------------------------------------

Please try the following:

Contact the Web site administrator if you believe you should be able to view this directory or page.
HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)

It really seems like RWW isn't even set up at all. So I doubt that's what they're using to log in remotely.

I think I'm just going to ask one of them to bring in their laptops that they work from home on so I can see exactly how the people who have RDP working for them actually log on. I've posted this stuff on multiple forums and I'm getting nowhere.