Windows 7 firewall - allow alternate ports for RDP

[scottfreeze]

Hi all,

I'm looking for help configuring Windows 7 (RTM) firewall to allow traffic for an alternate Remote Desktop listening port in the most secure way possible. I know how to just open up the port completely, which works, but I'd rather not do that if I can just open it up for the Remote Desktop program.

I don't seem to be able to just "copy" the built-in Remote Desktop rule and change the port because the port number cannot be edited in some of the built in rules (or copies thereof, I guess). If it matters, I need to be able to access this port with both "old" and "new" versions of Remote Desktop (from an XP machine, as well as another windows 7 machine, for example).

Can anyone offer any assistance or otherwise offer any advice for my situation?

Thanks,
Scott

 

[johngalt]

AFAIK, RDP has always used 3389 - why would you need separate posts? After all, you cannot have multiple RD sessions, anyway, coming into the machine, so I fail to see the need for alternate ports....

Have you tried editing the existing ED rule to just add another port?

 

[scottfreeze]

Thanks for the reply. The reason I'd like to open alternate ports is because I have two computers behind my router that I'd like to connect to with Remote Desktop. I have the router configured to forward requests on port 3389 to one computer, and another port for the other computer.

As for editing the existing rule, when I try to do that I get the following message:

"This is a predefined rule and some of its properties cannot be modified."

 

[johngalt]

Hmmm, doesn't your router allow port mapping? I mean that it takes incoming, say port 4455, and sends that to IP#1 @ port 3389, and takes incoming @ port 3389 and sends to IP #2 @ 3389?

As for editing the existing rule, yah, saw that myself when I started fooling with it.

However, I think using the path

%windir%\system32\mstsc.exe

I think you might be able to create a second rule if need be....and make it a separate port....

 

[scottfreeze]

I tried using:
%windir%\system32\mstsc.exe

as the program name, but this rule does not work. I'm trying to connect from an XP computer, so my guess is that the XP version and the windows 7 version of the mstsc.exe are different enough that the windows 7 firewall doesn't recognize them as the same for the purposes of the rule. That's the best I could come up with.

With respect to the port mapping, my router software (linksys wrt54g2) only allows me to forward incoming ports to IP addresses, not specific ports at that IP address. Maybe a third party firmware for the router would allow me to do this? That would be pretty slick, and would probably be a good solution to my problem... I'll look into it.

 

[rico83]

Hi,

You can change the listening port through regedit:

How to change the listening port for Remote Desktop

Then, on your RDP connection just append the port after the IP

192.168.0.1:4455


HTH,
Rico

 

[scottfreeze]

Hi all,

Thanks for the replies. In the end, I took JohnGalt's advice and set up port-to-port (single port) forwarding. Because the Linksys WRT54G2 default firmware doesn't allow this, I flashed my router with DD-WRT, which does allow port-to-port forwarding. This allowed me to keep the Remote Desktop listening at port 3389 (default) and also use the built-in Windows Firewall rules, while at the same time directing external Remote Desktop requests to two different computers on my home network by specifying the port from the RDP client.

 

[Kaosu]

scottfreeze,

I had this same problem and the solution is actually so rediculously simple that I wanted to slam my head against the wall after fighting with it for hours.

You create a custom rule with the program specifications set exactly like the preconfigured one. In other words, you assign the rule to a specific program and the path is "System". Set it to your custom TCP port and save it. Go back and edit it, go to the Advanced tab and make sure you allow Edge Traversal. As long as you port forward it in your router then you're golden.

I could do what you did, but I feel much more comfortable with it being on a completely different port.

 

[johngalt]

Hi all,

Thanks for the replies. In the end, I took JohnGalt's advice and set up port-to-port (single port) forwarding. Because the Linksys WRT54G2 default firmware doesn't allow this, I flashed my router with DD-WRT, which does allow port-to-port forwarding. This allowed me to keep the Remote Desktop listening at port 3389 (default) and also use the built-in Windows Firewall rules, while at the same time directing external Remote Desktop requests to two different computers on my home network by specifying the port from the RDP client.

I am highly surprised that the native Router did not allow port forwarding in the settings. however, you're still better off with DD-WRT - it rocks.

****

Good answer, Kaosu - I didn't think about the Edge traversal part of the FW settings. makes sense, in retrospect.

Stickified and Rep added.