RDP user assigned ports     

 
Terminal Services WEB Access with Unique Port Numbers

SBCertified Remote Desktop Portal - using Custom Port Numbers with Microsoft Terminal Services

Configuring a Remote Desktop Connection to use a custom, high-numbered port reduces the probability of the port being discovered by common internet port scans.  It also provides the means to direct inbound Remote Desktop Connections to any number of internal computers by configuring port forwarding at the firewall.

Caution:  In addition to configuring the inbound connections for the computers you wish to connect to, make sure that you have outbound access on those ports from the network where you reside.

CONFIGURING CUSTOM PORTS ON THE TERMINAL SERVER

The Terminal Services port number for Microsoft Windows 2000 and 2003 servers or a Windows XP workstation is configured in the registry.  The default port is TCP 3389.  After changing the port number in the registry, you must restart the computer for the change to take effect.

The registry key is:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PORT.

We recommend that you use high port numbers, such as those above 30,000, to evade discovery by common port scans.  Note that a scan of the full port range will still find the listener, so the custom port reduces exposure to casual scanning but is not a substitute for firewall rules and strong credentials.

CONFIGURING CUSTOM PORTS ON THE CLIENT

There are four ways to use custom port numbers on the client side of the terminal service connection. If you have several connections that you wish to store, we recommend the Windows 2000 Client Connection Manager (Option 2 below).  It only supports 256 colors, but it is the most bandwidth-efficient choice for remote administration and provides the best method for maintaining configuration settings for several destinations with custom port numbers.  The one potential disadvantage of the Windows 2000 Client Connection Manager is that it is not compliant with Federal Information Processing Standard (FIPS) 140-1 encryption.  It does support the native 128-bit Terminal Services encryption used by most administrators.
 

The four client-side methods to connect to a Terminal Server using custom port numbers

1. Use this web page, OR
2. Install the Windows 2000 Client Connection Manager - available on the download menu above
   - Create a connection for each Server in the Client Connection Manager.
   - Export each connection as a .cnf file to your desktop.
   - Open each .cnf file with Notepad and change the port number to the same value you have set on the Server.
   - Import the modified .cnf files into the Client Connection Manager.
3. Use the command line to connect from a Windows XP workstation:
   MSTSC /v:server:port#

   Example - in Command Prompt on a Windows XP workstation:
   type:   MSTSC /v:web1:33033   <enter>

   The Server Name can be an IP address, a public DNS address or an internal computer name.
   type:   MSTSC /?   for other connection parameters, such as window size
4. Use "Remote Desktop Connection" from the Programs Menu.
   When you type the address of the Terminal Server, add the port number to the address. Example - in the address field type:    hq.domain.com:33721

The connection can be saved from the Options menu in this interface.  Several connections can be saved and used as shortcuts to terminal servers that you access regularly.
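The registry change described in the server section and the saved client connection from the options above, as an added example that is not from the original page: it moves the RDP listener to a custom high port on a modern Windows host, opens only that port in Windows Firewall, and writes a client .rdp shortcut. It assumes PowerShell 5.1 or later with the NetSecurity/NetTCPIP modules (Windows 8 / Server 2012 and later), an elevated prompt, and the constructed sample values `web1` and `33033`.

```powershell
# Added example, not from the original page: move the RDP listener to a custom
# high port on a modern Windows host, open it in Windows Firewall, and write a
# client .rdp shortcut for it. Run from an elevated PowerShell prompt.
# Assumptions: PowerShell 5.1+, the NetSecurity/NetTCPIP modules (Windows 8 /
# Server 2012 and later), and the constructed sample values below.
$NewPort = 33033                       # constructed sample port
$Server  = 'web1'                      # constructed sample host name
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse ports outside the usable range or already bound on this host.
if ($NewPort -lt 1024 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range" }
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort already has a listener on this host"
}

# Record the current value so the change can be reverted if needed.
$old = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP-Tcp PortNumber: $old"

# The listener port is the REG_DWORD value PortNumber; it takes effect after a restart.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
$check = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
if ($check -ne $NewPort) { throw "Registry write failed: PortNumber is $check" }

# Allow only the new port, and disable the built-in Remote Desktop rules so
# 3389 is not left reachable after the move.
New-NetFirewallRule -DisplayName "RDP custom port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Client side: a saved .rdp file carries the port in 'full address' and
# 'server port', the modern equivalent of editing the port in a .cnf file.
# 'prompt for credentials' keeps the password out of the saved connection.
@"
full address:s:${Server}:$NewPort
server port:i:$NewPort
prompt for credentials:i:1
"@ | Set-Content -Path "$env:USERPROFILE\Desktop\$Server-$NewPort.rdp" -Encoding ASCII

Write-Host "PortNumber set to $NewPort. Restart the host, then verify the listener with:"
Write-Host "  Get-NetTCPConnection -State Listen -LocalPort $NewPort"
```

After the restart, confirm from the client network that the old port no longer answers and the new one does, since the firewall change only helps if the port-forwarding rule at the perimeter is updated to match.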

High security strategy for Remote Administration using Terminal Services (see our security policy)
If you are an administrator who uses Terminal Services for remote administration of your network or your customers' networks, you should NEVER store the connection links on a portable computer or replicate them to other locations.  Some of the client connection methods include the ability to store the user names and passwords in a stored connection link to remote computers.  If your computer is lost or stolen, you have just given away full control of your customers' networks - a devastating prospect.

Recommended:
1.  Configure a well-secured computer at your site with the connection links to remote computers.  Do not include the passwords in the connections.
2.  Configure FIPS 140-1 encryption from this secured computer to the servers you wish to connect to.
3.  When you are off-site, away from the secure computer used to store connections, use your notebook or any other computer to access your site with a Terminal Services session, and then make a secondary Terminal Services connection to the site that you wish to administer.
