RDP Port access

  • Thread starter Thread starter Rowland Costin
  • Start date Start date
R

Rowland Costin

Hi

I have a remote network to my offices, Its an active directory, using a PDC
server and a Terminal server and some smaller database servers. This network
is only ever accessed by remote clients, no local LAN clients. It has a
Cisco Pix 506 firewall.

So far I have had no problems. The remote users at my office can access
through our firewall (Firefox) and in through the Cisco without problem
using RDP.

I have a remote client elsewhere in the UK. They need to log onto this
network. I have sent them an RDP file already set up, (Tested at this end
ok). However, they cannot access my remote server using RDP through their
firewall. (Not sure yet what it is)

The Terminal server is accessing as standard using port 3389. I ran a TCP
port scan program on my PC while connecting to this remote server and this
confirms the server is listening on 3389. I have multiple other servers
here at my local LAN and connected to them as well. The scanner showed that
the RDP on my machine seems to vary the local port connection from my PC,
from about port 1646 to 1760.

Questions:

1) Is there a specific port range for the local port that RDP uses to go out
from the client PC? eg 1650 - 1800 maybe?

2) I know the clients firewall is extremely locked down, but they say they
have opened TCP port 3389 on the firewall, does RDP need anything else, UDP
etc?

3) They claim to have connected to my remote server ok with RDP when
bypassing the firewall. But I don't know if it is the same PC as they are on
other side of the country to us, so I haven't visited them yet. Can any
settings on the Desktop PC they are using have been closed down to prevent
getting from the PC to their firewall in the first place? eg would Windows
XP firewall shut these ports?

Their support people are based in their head office in Norway, so its
proving a bit difficult to organise information and things to try.

Anything else you can think of would be greatly appreciated.

Regards
Rowland Costin
 
Opening port 3389 on the firewall allows *incoming* traffic on port
3389. That is not what you want.

The RDP client uses local TCP port X (random port number between 1024
- 65534) to open a connection to RDP Server port 3389. The RDP
client also opens local UDP port X+1 for listening. You can easily
verify this by running the command "netstat -an" on the client.

When you establish a connection from inside a firewall to a Terminal
server, the firewall must allow *outbound* connections to the RDP
port (3389) coming from a dynamic port on the client. The firewall
should be smart enough to know that once the dynamic port is open
data should be able to flow both ways.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
SQL troubleshooting: http://sql.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Back
Top