jordan.terrell
Just trying to make sense of things...

Getting Remote Desktop to work thru most firewalls

Thursday, 4 October 2007 10:09 by jordan.terrell

If you are a software consultant like me, you often find yourself at the mercy of client firewalls.  There are times when I need to access a remote PC, but outgoing TCP connections on port 3389 (the default Remote Desktop port) are not allowed.

However, most firewalls DO allow outgoing connections on port 443 (HTTPS; HTTP over SSL) to access secured web sites.  Because the data in a standard SSL connection is encrypted, filtering/inspection options are very limited (possibly blocked IP addresses), so really almost any protocol can flow over that port (even though it is typically reserved for secure web site access), because the firewall does not expect to be able to inspect the traffic.

In order to have Remote Desktop exposed over port 443, you have two options that I can think of:

  1. Use a firewall or NAT to expose port 3389 on your target PC as port 443 to external (Internet) clients - most relatively modern cable/DSL routers have this capability
  2. Change the port Remote Desktop listens on to port 443 - requires a change in the Registry

 

After you've done this, you can access your remote PC using the standard Remote Desktop client by entering the IP address or DNS name followed by a colon (":") and the number 443 (MS KB Article 304304).  For example, if my IP address was 127.0.0.1, I would type in "127.0.0.1:443" (without the quotes).  This tells the Remote Desktop client to connect on the non-standard port.

SSL VPN

A more powerful approach that allows you to use more than just Remote Desktop is to use OpenVPN.  I'm not going to go into detail on how to set this up - there is a good bit of documentation available, not to mention a book written on the software package.  The great thing again is that you can expose OpenVPN on any port (including port 443) and it surfaces as an Ethernet card on both the client and server PCs.  This enables some pretty cool routing possibilities (e.g. routing only specific traffic through the VPN connection).
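Seen from the network monitoring side, a protocol moved to port 443 still opens with its own handshake bytes, so it can be told apart from HTTPS without decrypting anything. The following is an added example, not code from the original post: it classifies the first client bytes of a TCP stream as TLS, RDP or OpenVPN. The function names and sample byte strings are constructed for illustration, and the OpenVPN check is a heuristic that assumes plain OpenVPN over TCP with no obfuscation layer.

```python
import struct

def classify_first_bytes(data: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream on port 443."""
    if len(data) < 6:
        return "unknown"
    # TLS record: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls"
    # RDP: TPKT header (version 3, reserved 0, big-endian length), then an
    # X.224 Connection Request (length indicator byte, then code 0xE0).
    if data[0] == 0x03 and data[1] == 0x00:
        (tpkt_len,) = struct.unpack(">H", data[2:4])
        if tpkt_len >= 11 and data[5] == 0xE0:
            return "rdp"
    # OpenVPN over TCP: 2-byte length prefix, then one byte holding the opcode
    # (top 5 bits) and key id (low 3 bits). A client's first packet is
    # P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7) with key id 0, i.e. 0x38.
    (pkt_len,) = struct.unpack(">H", data[0:2])
    if 14 <= pkt_len <= 256 and data[2] == 0x38:
        return "openvpn"
    return "unknown"

def flag_non_tls(flows):
    """Return (flow_id, label) for port-443 flows whose first bytes are not TLS."""
    flagged = []
    for flow_id, dst_port, first_bytes in flows:
        label = classify_first_bytes(first_bytes)
        if dst_port == 443 and label != "tls":
            flagged.append((flow_id, label))
    return flagged

# Constructed sample data: the opening bytes of each protocol's first packet.
TLS_HELLO = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03")
RDP_CR = bytes.fromhex("03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 03 00 00 00")
OVPN_RESET = bytes.fromhex("00 0e 38 11 22 33 44 55 66 77 88 00 00 00 00 00")

# (flow id, destination port, first client bytes)
SAMPLE_FLOWS = [
    ("flow-1", 443, TLS_HELLO),
    ("flow-2", 443, RDP_CR),
    ("flow-3", 443, OVPN_RESET),
    ("flow-4", 3389, RDP_CR),   # RDP on its default port: not flagged
]

if __name__ == "__main__":
    for flow_id, label in flag_non_tls(SAMPLE_FLOWS):
        print(flow_id, label)
```

A firewall or IDS that applies this kind of first-packet check to port 443 will see both approaches described in this post as non-HTTPS traffic.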

Enjoy!