Windows Change the RDP (Remote Desktop) Listening Port

KB ID 0000166

Problem

If you didn’t already know, the Remote Desktop Protocol listens on TCP port 3389. That’s fine, but what if you want to change it to something else? That begs another question: why?

Well, some people change the port so that a different port shows up if a nasty type runs a port scan against your machine/firewall: even the most clueless script kiddie knows that if TCP 3389 is open, RDP is probably on the other end of it. Bear in mind this is nuisance value only; a full port scan with service detection will still identify RDP on whatever port you pick, so the real controls are restricting which source addresses can reach it and putting it behind a VPN. The other reason is that you might want all your servers available over RDP from the internet (people do), but you can only port forward TCP 3389 from one public IP to one internal address. If each server listens on a different port, you can forward each port to its own server from the same public IP.

Solution

Note: This works on Windows 2000/2003/2008/XP/Vista/Windows 7

1. On the machine in question Click Start > Run (or type in the Start Search) > Regedit {enter}.

2. The Registry Editor will open.

3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

4. In the right hand window locate PortNumber.

5. Double-click it and select Decimal; you will see it is 3389 by default. Change it to something else (I suggest a number above 1024 that nothing else on the machine is already listening on). In this case I’ll use 3390.

6. Make sure that RDP is actually enabled on the machine in question, then restart the Remote Desktop Services (TermService) service, or reboot, so it starts listening on the new port. (Note: if this machine has a firewall enabled, the built-in Remote Desktop rule only covers TCP 3389, so it will block the new port. Add a rule for the new port rather than disabling the local firewall.)

7. To connect to this machine from another one, use the normal Remote Desktop client: Click Start > Run > MSTSC {enter}, then enter the target computer’s name or IP address, a colon, and the new port number (e.g. server1:3390).
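The same procedure scripted in PowerShell, as an added example (this is not from the original article). It assumes Windows 8 / Server 2012 or later for the NetSecurity and NetTCPIP cmdlets; on the older systems listed in the note above, use netsh advfirewall and netstat instead. The new port (3390) and the LocalSubnet firewall scope are choices for this example, not requirements.

```powershell
# Added example: change the RDP listening port, open it on the Windows Firewall and
# confirm the listener actually moved. Run from an elevated PowerShell prompt.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection, New-NetFirewallRule).

$NewPort = 3390   # anything above 1024 that nothing else on the box is listening on
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Refuse to move onto a port something else already owns.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort already has a listener; choose another port."
}

# 2. Change PortNumber (a DWORD; regedit shows it in decimal).
$OldPort = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord
Write-Host "RDP PortNumber changed from $OldPort to $NewPort"

# 3. Make sure RDP is enabled at all (fDenyTSConnections = 1 means disabled).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0 -Type DWord

# 4. The built-in "Remote Desktop" rules are hard-wired to 3389, so add a rule for the
#    new port instead of turning the firewall off. -RemoteAddress LocalSubnet is this
#    example's choice; widen it to your VPN range or trusted hosts, not to "Any".
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain,Private `
    -RemoteAddress LocalSubnet | Out-Null

# 5. TermService has to restart before it listens on the new port. This drops any
#    live RDP sessions, so run it from the console or expect to be disconnected.
Restart-Service -Name TermService -Force

# 6. Verify the listener moved before you walk away from the console.
Start-Sleep -Seconds 3
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    Write-Host "RDP is now listening on TCP $NewPort. Connect with: mstsc /v:<name-or-IP>:$NewPort"
} else {
    Write-Warning "Nothing is listening on TCP $NewPort yet; check the TermService service."
}
```

Step 6 is the check worth keeping: if the service restart failed or the value landed in the wrong key, you find out while you still have a session, rather than after you have locked yourself out.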

Related Articles, References, Credits, or External Links

NA

Cannot Remote Desktop over VPN connection

KB ID 0000845 

Problem

This one had me well and truly stumped! The client has two sites and from their remote site they could not open a remote Desktop connection to a server at the main site.

RDP stuck at ‘Securing remote connection’.

At first, because the client had SBS at their main site, I assumed this was the problem, but sadly it was not.

Solution

The following process goes through the steps taken to identify and rectify the problem.

1. Firstly, I’m assuming you can ‘ping’ the target server both by name and by IP address. If you can’t do this, then read no further: you have a communication problem, fix that first!

2. Check that RDP (TCP port 3389) is open by attempting to Telnet to that port on the destination server, e.g. telnet {server-name} 3389.

You may receive the following error;

Windows – ‘Telnet’ is not recognized as an internal or external command (the Telnet client is not installed by default on Vista/2008 and later; add it from Windows Features, or use Test-NetConnection {server-name} -Port 3389 in PowerShell instead).

If you simply see a blank screen with a ‘cursor’ then the port is open; if not, you will get a connection error. (If that is the case then you need to look at comms to make sure TCP port 3389 is not being blocked, either by a hardware firewall/router or by a software firewall on either of the machines.)

3. Check that no third-party security software is hooking the machine, by listing the loaded file system filter drivers (which is where most anti-virus/endpoint products live) with the following command;

[box]
fltmc
[/box]

The output indicates the machine I’m on is running ‘Trend Micro’.

4. Try disabling the security software to see if that rectifies the problem.

After much hand wringing, and a few days of rebuilding firewall VPNs, patching servers, and installing hot-fixes, I admitted defeat and got Microsoft on the phone.

5. The first thing they found was that if they opened a UNC path to the destination server’s IP address, it worked.

6. BUT if they did the same to the server’s name, it failed.

Error: The specified network name is no longer valid

7. Normally this is an indication that the secure channel between this machine and the target machine is broken. Normally this can be fixed by resetting the machine account password with the following commands;

[box]

net stop KDC

klist purge

netdom resetpwd /server:{IP address of domain controller} /userd:{your-domain-name}\administrator /passwordd:*

Then supply the domain administrator’s password

net start KDC

[/box]

However this did not fix our problem, but it did indicate that it was not just RDP that was failing. Both the machine we were using and the destination machine were domain controllers, so domain replication was checked and the following was found;

Event ID 1311

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1311
Task Category: Knowledge Consistency Checker
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: your-server-your-domain.com
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following 
directory partition. 

Directory partition: CN=Configuration,DC=your-domain,DC=com
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
– Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
– Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.

Event ID 1566

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1566
Task Category: Knowledge Consistency Checker
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: your-server-your-domain.com
Description:
All directory servers in the following site that can replicate the directory partition 
over this transport are currently unavailable. 

Event ID 1865

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1865
Task Category: Knowledge Consistency Checker
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: your-server-your-domain.com
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 
Sites:
CN=Your-OU,CN=Sites,CN=Configuration,DC=your-domain,DC=com 

8. So we DO have a communications problem: some things work, others do not! Let’s make sure our traffic is not getting fragmented. On a normal 1500-byte MTU link you would expect a 1472-byte ping payload (1500 minus the 20-byte IP header and 8-byte ICMP header) to get through with the don’t-fragment flag set; ours did not. Using trial and error Microsoft ascertained that 1320 was the largest payload we could get through without error.

[box]

ping -f -l {payload size} {target server}

[/box]

Note: To get the figure exactly right, keep decreasing the payload size (by 1 once you are close) until you find the largest size that gets through, then add 28 to it (20 bytes for the IP header plus 8 for the ICMP header) to get the MTU. In our case that was 1320 + 28 = 1348.

9. So the MTU was ‘locked’ at BOTH ENDS (source machine and destination server). To do so, Windows Key+R > regedit > Navigate to;

[box]

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Tcpip > Parameters > Interfaces

[/box]

Note: There may be many ‘keys’ (one GUID per adapter) here. Check each one in turn to find the one whose IPAddress or DhcpIPAddress value matches the IP address on the machine you are working on.

When you have located the correct key, create a new DWORD (32-bit) value named MTU (or edit it if it already exists) and set its DECIMAL value to the figure you worked out in step 8 (largest payload plus 28).

10. Reboot the machines and try again.
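Steps 2, 8 and 9 above as one PowerShell script, added here as an example (it is not from the original article or from Microsoft). It assumes Windows 8 / Server 2012 or later for Test-NetConnection, an English-language ping.exe (the success test looks for “TTL=” in the output), and that you run it elevated on each end in turn; the reboot in step 10 is still needed.

```powershell
# Added example: check TCP 3389 reaches the target (step 2), binary-search the largest
# unfragmented ping payload (step 8), and write the resulting MTU to the Tcpip interface
# key for the adapter that owns the local IP (step 9). Run elevated; reboot afterwards.
param(
    [Parameter(Mandatory)][string]$Target,   # name or IP of the server you cannot RDP to
    [int]$RdpPort = 3389
)

# Step 2: the PowerShell equivalent of "telnet <server> 3389".
$Tcp = Test-NetConnection -ComputerName $Target -Port $RdpPort -WarningAction SilentlyContinue
if (-not $Tcp.TcpTestSucceeded) {
    Write-Warning "TCP $RdpPort to $Target is blocked somewhere on the path; fix that first."
}

# Step 8: "ping -f" sets don't-fragment, "-l" sets the payload. A 1500-byte MTU link
# carries at most a 1472-byte payload (1500 - 20 IP - 8 ICMP), so start the search there.
# Assumes English ping output: a reply contains "TTL="; "Packet needs to be fragmented
# but DF set." or "Request timed out." do not.
function Find-MaxPayload([string]$Computer, [int]$Low = 500, [int]$High = 1472) {
    $best = 0
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        $out = ping -f -l $mid -n 1 -w 1000 $Computer 2>&1 | Out-String
        if ($out -match 'TTL=') { $best = $mid; $Low = $mid + 1 }  # got through: try bigger
        else                    { $High = $mid - 1 }               # dropped: try smaller
    }
    return $best
}

$Payload = Find-MaxPayload -Computer $Target
if ($Payload -eq 0) { throw "No unfragmented ping of any size reached $Target (ICMP blocked?)." }
$Mtu = $Payload + 28      # put the 20-byte IP and 8-byte ICMP headers back on
Write-Host "Largest clean payload $Payload bytes -> path MTU $Mtu"

# Step 9: find the interface key whose IPAddress (static) or DhcpIPAddress matches the
# address we sourced the test from, and set MTU there. Repeat on the other end.
$LocalIp = $Tcp.SourceAddress.IPAddress
$IfRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$IfKey   = Get-ChildItem $IfRoot | Where-Object {
    $p = Get-ItemProperty $_.PSPath
    ($p.IPAddress -contains $LocalIp) -or ($p.DhcpIPAddress -eq $LocalIp)
} | Select-Object -First 1

if (-not $IfKey) { throw "No Tcpip interface key carries $LocalIp; set MTU by hand in regedit." }
Set-ItemProperty -Path $IfKey.PSPath -Name MTU -Value $Mtu -Type DWord
Write-Host "MTU=$Mtu written to $($IfKey.PSChildName); reboot to apply (step 10)."
```

Usage: save as Set-PathMtu.ps1 and run .\Set-PathMtu.ps1 -Target server1.your-domain.com on the source machine, then again on the destination server pointing back at the source. The binary search gets you to the exact figure in about ten pings instead of stepping down one byte at a time.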

Related Articles, References, Credits, or External Links

Special thanks and credit to Harprit Singh at Microsoft, for his hard work and outstanding support.

Install and Configure Remote Desktop Services (Web Access)

KB ID 0000104

Problem

Originally we had TS Web in 2003, and while I had a little play with it, it basically just gave you RDP over the web, which would have been good if it ran over HTTP or HTTPS, but it didn’t. Also, as anyone who has ever done a complex Google search for “/tsweb” will testify, it left a nice big security hole into your servers.

With the release of Server 2008 we got TSWeb 2008, this was a whole different beast, and the web portal was very similar in operation to Citrix Web Presentation Server.

With Server 2008 R2, Terminal Services became Remote Desktop Services, so if you only have a couple of clients (i.e. you don’t need an application farm etc.) then this might be just what you need, and buying licences for Remote Desktop Services is a LOT cheaper than buying the same licences plus Citrix licences that are about three times the price per seat.

I originally wrote this for TSWeb 2008, and updated it for Remote Desktop Services 2008 R2, I’ll leave the older information at the bottom for anyone who is still running 2008 R1.

Solution

Setup Remote Desktop Services Web Access on Server 2008 R2

1. In this example I’ve got a fresh server which is a domain member, and I’m going to put the Licensing server on the same box. From Server Manager (ServerManager.msc) > Roles > Add Roles > Next > Remote Desktop Services > Next > Next.

2. Everything is going on one server, you may want to split roles up in a larger production environment, but here we are adding Remote Desktop Session Host, Remote Desktop Licensing, Remote Desktop Gateway > Remote Desktop Web Access > Next > Next.

Note: When selecting role services, you will be prompted to “add required role services”, please do so.

3. I’m choosing the least secure method, i.e. not requiring Network Level Authentication (choose this only if you have older clients running older versions of the RDP client; if all your clients support NLA, require it) > Next > Either select a licensing model (per user or per device, or select configure later) > Next.

Note: The licensing model chosen MUST match the CALs that will be in the licensing server. (If you are unsure, configure it later; you will have a 120-day grace period to sort it out.)

4. Add in which user groups to want to allow access to the host server > Next.

5. Decide which options you want to allow to enrich your end user experience > Next > I don’t need a discovery scope as all my RD servers will be 2008 R2; if you have older TS servers as well you will need to configure a scope > Next.

6. If you already have a certificate you can select it here, I’m going to manually import the certificate into IIS at the end of the procedure > Select “Now” to configure the access policies > Next.

7. Add in which user groups you want to allow through the Remote Desktop Gateway > Next.

8. At the RD CAP screen, I’m just going to use passwords > Next > Then at the RD RAP screen, I’m going to allow connections TO ANY computer > Next > Next > let it install the Network Policy Server component > Next. (Note: “any computer” means anyone who passes the CAP can RDP through the gateway to anything on your internal network; in production, point the RAP at a security group containing only the hosts you intend to publish.)

9. Install > Then go and have a coffee.

10. When completed, select yes to reboot which it will do (twice).

11. After you log back into Windows the installation will complete > Close.

Import and Enable a Digital Certificate in IIS7

12. Start > Administrative tools > Internet Information Services Manager > Select the {server-name} > Server certificates > From here you can either create a certificate request, or complete a request, and import a certificate.

13. Here is my certificate with the “friendly name” WebServer.

14. To enable my certificate right click the “Default Web Site” (Assuming that’s where you have RDWeb installed) > Edit Bindings.

15. Select HTTPS > Edit > And select your SSL certificate > OK.

16. Restart the website (or run “iisreset /noforce” from command line).

17. Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager.

18. Anything that needs configuring will have a yellow warning triangle, or a red cross over it. First you will see it’s complaining that there are no computers in the “TS Web Access Computers” group.

19. That’s just a LOCAL group on the server itself, launch ServerManager >Configuration > Local Users and Groups > Groups > Locate the group.

20. Add in your groups as required > Apply >OK.

21. Back in the RemoteApp Manager > Check the RD Session Host Server > Settings (on the menu on the right) > Make sure the PUBLIC name (which will be the CN on your digital certificate) is displayed, NOT the LOCAL FQDN of the server; otherwise users get certificate name-mismatch warnings on every launch. You can also tick the option (shown with the arrow) to display the RDP shortcut to your users on the web portal. > Apply > OK.

22. To do the next step, you need to have the applications you want to give to your users, actually installed on the server. > Either right click at the bottom, or select “Add RemoteApp Programs”.

23. Follow the wizard, and select the programs as required.

24. Click refresh > Make sure there’s no more red/yellow warnings > Close RemoteApp Manager.

25. To test it, connect to your server on https://{servername}/RDWeb and log in.

26. Your applications should be shown; give them a test. Here I’ll launch Outlook.

27. I already have Outlook configured on the Remote Desktop Server so mine just opens (your users will need to setup Outlook, if they don’t have a profile on the RD server already).
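Steps 12 to 16, plus the name check behind step 21, in PowerShell. This is an added example, not part of the original article: it assumes Server 2012 R2 or later (the WebAdministration and PKI modules; on 2008 R2 import the PFX with certutil and bind it in IIS Manager as described above), that RDWeb lives on the Default Web Site as in the text, and that the PFX path and public name shown are placeholders for your own.

```powershell
# Added example: import the RD Web Access certificate, refuse it if it does not cover
# the public name users will type, bind it to the site hosting /RDWeb, then confirm
# the portal is serving that certificate. Run elevated on the RD Web Access server.
Import-Module WebAdministration

$PfxPath    = 'C:\certs\rdweb.pfx'     # placeholder
$PublicName = 'remote.example.com'     # placeholder: the name in your .rdp files / portal URL
$SiteName   = 'Default Web Site'
$PfxPass    = Read-Host -AsSecureString 'PFX password'

# Import into LocalMachine\My; IIS and RD Gateway both read certificates from there.
$Cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass

# Step 21's point, enforced: the CN or a SAN must equal the public name, or every
# RemoteApp launch will throw a name-mismatch warning at the user.
$Names = @($Cert.DnsNameList.Unicode) + ($Cert.Subject -replace '^CN=([^,]+).*$', '$1')
if ($Names -notcontains $PublicName) {
    throw "Certificate covers [$($Names -join ', ')], not $PublicName. Get the right certificate."
}

# Steps 14-15: make sure there is an HTTPS binding, then attach the certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
(Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($Cert.Thumbprint, 'my')

# Step 16: restart the site, then check what a client would actually be handed.
Restart-WebItem "IIS:\Sites\$SiteName"
$Req = [System.Net.HttpWebRequest]::Create("https://$PublicName/RDWeb")
$Req.Method = 'HEAD'
try { $Req.GetResponse().Close() } catch { Write-Warning $_.Exception.Message }   # 401/302 are fine here

$Served = $Req.ServicePoint.Certificate
if (-not $Served) {
    Write-Warning "No TLS handshake with $PublicName: check DNS resolves it to this server and the binding is up."
} elseif ($Served.GetCertHashString() -eq $Cert.Thumbprint) {
    Write-Host "RDWeb is serving $PublicName with the expected certificate ($($Cert.Thumbprint))"
} else {
    Write-Warning "RDWeb served a different certificate: $($Served.Subject)"
}
```

The final check matters more than it looks: if the server cannot resolve its own public name, or an old self-signed certificate is still bound on another IP, the portal will “work” in testing from the console and still fail for real users.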

Setup Terminal Services Web Access on Server 2008 R1

1. Start > Server Manager (or Start > Run > CompMgmtLauncher.exe {Enter}) > Add Roles.

2. Next.

3. Tick Terminal Services > Tick Web Server IIS.

4. As soon as you select IIS > In the Pop up Select “Add Required Features”.

5. Next.

6. Next.

7. Select Terminal Server > TS Licensing > TS Gateway > At The Popup Select “Add Required Roles Services”.

8. Select TS Web Access > At the Popup Select “Add Required Roles Services”.

9. Next.

10. Next.

11. I’m going to select “Do Not require Network Level Authentication” > Next.

12. Next.

13. Next.

14. I’m selecting “Configure Later” for the licensing (like previous versions you get 120 days grace to sort this out) > Next.

15. Allowing Access to TS > By default the “Remote Desktop Users” group on the TS server is allowed access you can add additional groups here > Next.

16. Connect externally to https://{public_IP} (Note: this has to be in the browser’s trusted sites list) > Enter a username and password > Login.

17. Select the scope you require for TS Licensing > Next.

18. Later > Next.

20. Next.

21. Next.

22. Next.

23. Next.

24. Install.

25. The Roles will install.

26. Close.

27. Click Yes to reboot.

28. After reboot installation will continue.

29. Close.

Deploying Applications

1. Start > Server Manager (or Start > Run > CompMgmtLauncher.exe {Enter}) > Expand Roles > Terminal Services > TS RemoteApp Manager > Select “Add RemoteApp Programs” (right hand window).

2. Next.

3. Select the application you require, or browse to its executable > Next.

4. Finish.

Connecting from a client

1. On a client PC open Internet Explorer > Navigate to http://{serverIP or name}/ts > Note: If you do not have the ActiveX control enabled and the latest RDP client, you may see an error at this point.

2. There’s your applications > simply select one.

3. Enter your login credentials.

4. Wait for the application to deploy.

5. And there you go 🙂

Related Articles, References, Credits, or External Links

Windows Server 2008 R2 Deploying Applications with RemoteApp

Original Article Written 02/11/11

Enable RDP via Group Policy

KB ID 0000043

Problem

Rather than enabling on an ad-hoc basis, you want to turn on RDP for multiple machines via Group Policy.

Solution

Group Policy Location

To simply enable RDP, change the following policy;

[box]

Computer Configuration > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections

[/box]

Locate the “Allow users to connect remotely by using Remote Desktop Services” policy and set it to Enabled.

Allow RDP on the Windows Firewall with Group Policy

Navigate to the following policy;

[box]

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules

[/box]

Right click > New Rule > Select Predefined and change it to “Remote Desktop” > Next > Next.

Allow the connection > Finish.

Allow users to connect via RDP though Group Policy

Any member of a machine’s local ‘Remote Desktop Users’ group can log on to it via RDP. If you have a lot of machines you can create a global security group in Active Directory (mine below is called SG-Remote-Desktop-Users) and add it to every computer’s local ‘Remote Desktop Users’ group centrally using ‘Restricted Groups’.

Navigate to the following policy;

[box]

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

[/box]

Right click > Add Group > Browse > Add your group > In the LOWER (“This group is a member of”) section click Add > Type in Remote Desktop Users > OK > OK.

Note: Use the lower section, not the upper “Members of this group” one. The upper section replaces the target group’s membership with exactly what you list, so pointing it at Remote Desktop Users would strip out any members that were added locally every time policy refreshes.
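A check script for the client side, added here as an example (not from the original article): after a gpupdate /force it reports whether each of the three policy pieces above actually landed. It assumes Windows 10 / Server 2016 or later for Get-LocalGroupMember (use net localgroup “Remote Desktop Users” on older hosts) and that the AD group is named SG-Remote-Desktop-Users as in the text.

```powershell
# Added example: verify on a domain member that the RDP policy, the firewall rule and
# the Restricted Groups membership from the GPO above have all applied.
function Test-RdpPolicy([string]$AdGroup = 'SG-Remote-Desktop-Users') {
    $result = [ordered]@{}

    # 1. "Allow users to connect remotely by using Remote Desktop Services" is stored as
    #    fDenyTSConnections=0 under the Policies hive, not the normal Terminal Server key.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $result.RdpEnabledByPolicy = ($null -ne $pol -and $pol.fDenyTSConnections -eq 0)

    # 2. The predefined "Remote Desktop" inbound rules should exist and be enabled; their
    #    PolicyStoreSource tells you whether they came from GPO or were set locally.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue)
    $result.FirewallRulesEnabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
    $result.FirewallRulesFromGpo = @($rules | Where-Object { $_.PolicyStoreSource -ne 'PersistentStore' }).Count -gt 0

    # 3. Restricted Groups should have added DOMAIN\SG-Remote-Desktop-Users to the local group.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
    $pattern = '\\' + [regex]::Escape($AdGroup) + '$'
    $result.AdGroupIsMember = @($members | Where-Object { $_.Name -match $pattern }).Count -gt 0

    # 4. And the service is actually listening, otherwise none of the above matters.
    $result.ListeningOn3389 = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

Test-RdpPolicy
```

If RdpEnabledByPolicy is False but the machine still accepts RDP, it was enabled locally rather than by the GPO, which is exactly the ad-hoc state this article is trying to get away from; check gpresult /r for the policy being filtered or the computer sitting in the wrong OU.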

2008 RDP Policy Location

Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections.

“Allow users to connect remotely using Terminal services”

To enable Remote Desktop, click Enabled.

To disable Remote Desktop, click Disabled.

2000/ 2003 RDP Policy Location

Computer Configuration > Administrative Templates > Windows Components > Terminal Services.

“Allows users to connect remotely using Terminal services”

To enable Remote Desktop, click Enabled.

To disable Remote Desktop, click Disabled.

 

Related Articles, References, Credits, or External Links

Original article written 17/07/09

SBS 2008 – Cannot RDP to machines via VPN or from other sites

KB ID 0000193

Problem

The firewall policy that SBS 2008 pushes to its clients out of the box only allows RDP connections from the local subnet. This is great in an office environment, but if you have remote VPN clients (on a different IP range) that can’t get access to your client PCs or member servers via RDP, not so good. If you have a member server running Terminal Services, for example, then having RDP blocked will stop it working.

You would think that, to fix the problem you would change the policies either at..

Windows Firewall: Allow inbound remote administration exception.
or
Windows Firewall: Allow inbound Remote Desktop exceptions.

But I did that and it still didn’t work!

Solution

1. Assuming the affected machines are in the My Business > Computers > SBSComputers OU in Active Directory. (If not either move them or change policies accordingly).

2. On the SBS Server, Click Start > Administrative Tools > Group Policy Management > Navigate to Computer Configuration > Policies > Administrative Templates >Network > Network Connections > Windows Firewall > Domain Profile > Locate “Windows Firewall: Define inbound Port Exceptions” > Double Click it > Click Enabled > Click Show

3. Click Add > In the “Enter the item to be added” box type the following,

3389:TCP:*:enabled:RDP

Note: the asterisk denotes accept traffic from any IP, which is wider than you probably want. You can instead enter a subnet, i.e. 192.168.1.0/24, a single IP address like 172.16.3.1, the word localsubnet, or a combination separated by commas, e.g.

3389:TCP:192.168.1.0/24,172.16.3.1,localsubnet:enabled:RDP

4. Click OK > Apply > OK.

5. On the machine you are trying to get to, click Start > in the Run/Search box type cmd {enter} > at the command line issue the gpupdate /force command.
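An added example (not part of the original article) that validates the port:transport:scope:status:name strings before you paste them into the policy, and reads back what a client actually received so you can see whether the RDP exception is still scoped to localsubnet, which is what keeps the VPN clients out. The two sample entries are constructed for the demo; the registry path is the one the “Define inbound port exceptions” setting populates for the domain profile.

```powershell
# Added example: parse/validate Windows Firewall port-exception strings and show which
# ones a client received via Group Policy for the domain profile.
function ConvertFrom-FirewallException([string]$Entry) {
    $parts = $Entry -split ':', 5
    if ($parts.Count -ne 5) { throw "Bad entry '$Entry': expected port:transport:scope:status:name" }
    $port, $transport, $scope, $status, $name = $parts

    if ($port -notmatch '^\d+$' -or [int]$port -gt 65535) { throw "Bad port in '$Entry'" }
    if ($transport -notin 'TCP', 'UDP')         { throw "Transport must be TCP or UDP in '$Entry'" }
    if ($status -notin 'enabled', 'disabled')   { throw "Status must be enabled or disabled in '$Entry'" }

    # Scope is '*' or a comma-separated list of IPs, subnets (CIDR or mask) and 'localsubnet'.
    $ipv4 = '\d{1,3}(\.\d{1,3}){3}'
    $tokens = $scope -split ','
    foreach ($token in $tokens) {
        if ($token -eq '*' -or $token -ieq 'localsubnet') { continue }
        if ($token -notmatch "^$ipv4(/(\d{1,2}|$ipv4))?$") { throw "Bad scope token '$token' in '$Entry'" }
    }

    [pscustomobject]@{
        Port      = [int]$port
        Transport = $transport
        Scope     = $scope
        Enabled   = ($status -ieq 'enabled')
        Name      = $name
        # True when anything other than the local subnet can reach the port (a VPN range,
        # a specific host, or '*'). False means remote sites and VPN clients are shut out.
        ScopedBeyondLocalSubnet = @($tokens | Where-Object { $_ -ine 'localsubnet' }).Count -gt 0
    }
}

# Constructed samples: a localsubnet-only entry beside the one from step 3.
'3389:TCP:localsubnet:enabled:RDP',
'3389:TCP:192.168.1.0/24,172.16.3.1,localsubnet:enabled:RDP' |
    ForEach-Object { ConvertFrom-FirewallException $_ } | Format-Table -AutoSize

# On a client after gpupdate: what did the domain-profile policy actually deliver for RDP?
$ListKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List'
if (Test-Path $ListKey) {
    (Get-ItemProperty $ListKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { ConvertFrom-FirewallException $_.Value } |
        Where-Object { $_.Port -eq 3389 } | Format-Table -AutoSize
} else {
    Write-Warning "No port exceptions delivered by policy for the domain profile on this machine."
}
```

The validator deliberately throws rather than warns: a malformed entry is silently ignored by the client side, so you would otherwise only find out when the VPN users ring up.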

 

Related Articles, References, Credits, or External Links

NA

RDP to Multiple Servers with a Cisco PIX/ASA Firewall

KB ID 0000167 

Problem

WARNING: Allowing RDP traffic from ‘any’ IP is a monumentally bad idea. ONLY allow RDP traffic from trusted hosts/networks, or better still, limit RDP to clients/locations that have their traffic protected by VPN.

You want to connect via “Remote Desktop” to multiple servers behind your firewall. To do this you have three options.

Note: This is an old article that refers to ‘pre 8.3’ code, for modern firewalls see this article.

Solution

Option 1 (Use if you have multiple free Public IP addresses)

Connect to the firewall, go to enable mode, then go to “configure terminal” mode, and create a name entry for each server’s public and private address.

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External

[/box]

Now create a static NAT for each server’s public address, then allow RDP to both of them with an access control list applied to the outside interface. Replace {trusted-client-IP} with the address you will be connecting from (see the warning above; do not use ‘any’). Note: if you already have an inbound ACL applied to the outside interface, substitute its name for “inbound”, because applying a new access-group replaces the existing one.

[box]

Petes-ASA(config)# static (inside,outside) Server1-External Server1-Internal netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) Server2-External Server2-Internal netmask 255.255.255.255
Petes-ASA(config)# access-list inbound extended permit tcp host {trusted-client-IP} host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host {trusted-client-IP} host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside

[/box]

 

Option 2 (Uses Port Forwarding and uses a different port for each server).

To deploy this option the ASA accepts the connection for each server on a different port on its outside interface and forwards it to the same port inside, so each server must be listening on its own port (see the first article above on changing the RDP listening port). In the commands below 123.123.123.123 is the trusted client you are connecting from.

Connect to the firewall, go to enable mode, then go to “configure terminal” mode, then allow each port you are going to use (in this case 3389 and 3390).

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3390

[/box]

Then Port Forward those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255

[/box]

 

Option 3 (Uses Port Forwarding with port translation, so every server keeps listening on 3389).

This differs from option 2 because the firewall translates each incoming port to RDP’s 3389 and sends it to the correct server, so nothing needs changing on the servers themselves.

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3390

[/box]

Then Port Forward AND TRANSLATE those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Port Forwarding To A Different Port

Port Translation

KB ID 0001087 

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

A very long time ago I wrote an article about how to port forward from a public IP address to multiple servers for RDP. Basically you would connect to the firewall using various different ports, and the firewall would change the port to the correct one for RDP (TCP port 3389, unless you changed it on the machine), then send it to the correct server, so you could manage multiple servers from the same public IP.

Now that was so long ago it was before the version 8.3 NAT changes. This week I was working on a problem where every change I made that had to be tested meant I had to swap VPNs, and reconnect to servers and test comms. This was getting a bit time consuming so I needed a public server to jump on for testing. I didn’t want to expose RDP to my server, so I planned to use a different port and translate that port on the firewall. But how to do that with modern ASA code?

Solution

1. Create the objects and NAT rules. With post-8.3 object NAT the service keywords are “real-port mapped-port”, so “tcp 3389 3390” means the server listens on 3389 and the outside world connects to 3390;

[box]

Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_RDP_Server-1
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp 3389 3390
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# object network Internal_RDP_Server-2
Petes-ASA(config-network-object)# host 192.168.1.2
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp 3389 3391
Petes-ASA(config-network-object)# exit

[/box]

2. Allow the traffic. Post-8.3 the ACL references the real (inside) address and real port, not the mapped ones. The source is ‘any’ here because this was a short-lived test box; for anything permanent restrict the source to trusted hosts, as per the warning in the previous article. (Read this article before executing the access-group command: an interface only takes one ACL per direction, so if “outside” already has an inbound ACL applied, add these lines to that ACL instead of applying a new one.)

[box]

Petes-ASA(config)# access-list inbound extended permit tcp any object Internal_RDP_Server-1 eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any object Internal_RDP_Server-2 eq 3389
Petes-ASA(config)# access-group inbound in interface outside

[/box]

Whole Code

[box]

object network Internal_RDP_Server-1
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 3389 3390
object network Internal_RDP_Server-2
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3389 3391
!
access-list inbound extended permit tcp any object Internal_RDP_Server-1 eq 3389
access-list inbound extended permit tcp any object Internal_RDP_Server-2 eq 3389
!
access-group inbound in interface outside

[/box]

OLD (Pre version 8.3) Port Forwarding to a Different port

So (as above), I’ll connect to the first server on port 3390, and the second on port 3391.

[box]

Petes-ASA> enable
Password: *********
Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3391

[/box]

Then Port Forward AND TRANSLATE those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3391 192.168.1.2 3389 netmask 255.255.255.255

[/box]

Related Articles, References, Credits, or External Links

NA