I am able to remote to my server from within the LAN and I already have a physically installed firewall that is working. My question:
How do I remote/connect to my Windows Server 2012 R2 Standard from outside my local area network, and what are the best practices?
41 Replies
Best practice is to ALWAYS VPN in to your network and then RDP to server just like you are on the LAN.
A direct VPN to this network is going to be your best option; while others exist, they are not secure.
To emphasize all the above :) VPN is the way to go!
Depends on what you need access to. For Remote Desktop, a VPN connection would be best; then you can log on to Remote Desktop. Or use VNC Connect...
- Gary D Williams
Most routers (Cisco, Ubiquiti, SonicWall, Zyxel) have this built into them. Windows Server also has this built in if you want to forward the ports required.
Yes, you need a static IP, or you can use DynDNS to make your dynamic IP static.
Ideally yes, but if you don't have a static IP you can use dynamic DNS. You could set up something like SoftEther or OpenVPN, or see what VPN services your router offers.
Finally, have you considered hosting the server in the cloud? Azure and AWS will host a Windows 2012 R2 server quite happily.
The cloud option looks interesting, I didn't know about it, to be honest, thanks.
Have a look at this: //azure.microsoft.com/en-gb/
I'll also tag Brittany, who should be able to provide some more information.
- Brittany for Microsoft
Going back to the original question:
Enable Remote Access on the PC you want to access with Remote Desktop.
Enable Remote Desktop in your firewall and open the port that you want to use.
Set a fixed IP address on the computer you want to connect to, or use DynDNS for a fixed link.
Configure your router to forward TCP port 3389 to the destination computer's IP address (the computer you want to connect to).
Test it using Remote Desktop with the IP:3389 or dyndnslink:3389.
One last suggestion: opening that port in your firewall is a security threat; change the default port to a different one.
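The steps above end with TCP 3389 forwarded from the internet, which the rest of the thread advises against. As an added example that is not from the thread or from any poster, here is the same enablement done in PowerShell on the Server 2012 R2 host, but with the host firewall's Remote Desktop rules scoped to the office LAN and to the VPN client subnet, so the server is reached the way the earlier replies recommend (VPN first, then RDP) and nothing needs to be forwarded on the router. The two subnet values are assumptions; Network Level Authentication is switched on as well.

```powershell
# Added example (not from the thread): enable Remote Desktop on Server 2012 R2 so that it is
# reachable only from the LAN and from VPN clients, never directly from the internet.
# Run in an elevated PowerShell session on the server. Both subnets are assumed values; adjust them.
$LanSubnet = '192.168.10.0/24'   # assumed office LAN
$VpnSubnet = '10.8.0.0/24'       # assumed address pool handed to VPN clients by the firewall/router

# 1. Enable Remote Desktop (same effect as the System Properties checkbox).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0

# 2. Require Network Level Authentication: credentials are verified before a session is created,
#    so an unauthenticated client never reaches the logon screen.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 3. Enable the built-in "Remote Desktop" firewall group, then narrow its remote-address scope.
#    The default scope is "Any"; combined with a router port forward, that is the exposure the
#    thread warns about. Scoping to LAN + VPN pool keeps 3389 unreachable from outside.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress @($LanSubnet, $VpnSubnet)

# 4. Verify: the listener is up, NLA is on, and the inbound rules no longer say "Any".
Get-NetTCPConnection -LocalPort 3389 -State Listen | Select-Object LocalAddress, LocalPort
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The last three lines are the check worth keeping: if `RemoteAddress` still prints `Any`, the scoping did not apply and the host is relying entirely on the perimeter device. With this in place the router keeps no forward for 3389 at all; the VPN endpoint on the firewall is the only thing listening on the outside.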
Ricardo272 wrote:
One last suggestion: opening that port in your firewall is a security threat; change the default port to a different one.
Security by obscurity is still a threat.
RDP isn't secure, I avoided suggesting this for obvious reasons.
Ricardo272 wrote:
Configure your router to forward TCP port 3389 to the destination computer's IP address (the computer you want to connect to).
As others have said, use a VPN... Don't forward the RDP port through your router/firewall, even using a random external port.
What type of firewall do you have? Most of them come with VPN options built in and can take very little work to setup.
Depends on the number of RDP connections; why not an RD Gateway?
It needs port 443 forwarded on the firewall, as it uses an SSL tunnel, and it can be installed on a 2012 R2 server (it has existed at least since 2008 R2).
It might be easier to deploy, less expensive, and security is supposed to be as good as a VPN.
I had to disconnect my physical firewall from the network in order to set up the VPN connection, then I did a port forward on my router firewall of 1723;
now that the VPN is working I will try to add the T30 WatchGuard firewall to my network. I had to do this just to reduce my error margin since it's the first time I am setting up something of this nature;
so far it's working, but I don't have access to shared drives and printers when I connect to the VPN.
- DaveA-DoIT
- thomasperrin
There is absolutely no need to port forward RDP when you have something like DirectAccess at your disposal. It is pretty slick on Server 2012 R2. Normally an enterprise goes the VPN route, but depending on your company and equipment maybe your situation is different. I'd just like to mention this other option.
DirectAccess vs VPN comparison:
//directaccess.richardhicks.com/2016/02/08/directaccess-vs-vpn/
Another: //channel9.msdn.com/Shows/OEMTV/OEM1715
Requirements:
//technet.microsoft.com/en-us/library/dn464273(v=ws.11).aspx
Lab it up and try it out. This is how we connect to our lab domain on a different ISP.
Be careful with the VPN... If you connect to SSL VPN from a home PC on Windows, you have effectively introduced that PC into your corporate network. That can have a lot of unintended consequences. Maybe not today, but someday. Especially if you start handing out VPN access to others...
So if this is a production, working, business network, please be extremely thorough and careful...
Why on earth don't you just use the built-in VPN capabilities of the WatchGuard for VPN (SSL or IPsec)?!
nevillet wrote:
I had to disconnect my physical firewall from the network in order to set up the VPN connection, then I did a port forward on my router firewall of 1723;
now that the VPN is working I will try to add the T30 WatchGuard firewall to my network. I had to do this just to reduce my error margin since it's the first time I am setting up something of this nature;
so far it's working, but I don't have access to shared drives and printers when I connect to the VPN.
For clarity's sake, what exactly is the WatchGuard's role on your network? Is it your primary router and firewall, or is there another device in the mix?
Reggie has a great point here.
Reggie Hux wrote:
Be careful with the VPN... If you connect to SSL VPN from a home PC on Windows, you have effectively introduced that PC into your corporate network. That can have a lot of unintended consequences. Maybe not today, but someday. Especially if you start handing out VPN access to others...
So if this is a production, working, business network, please be extremely thorough and careful...
For the love, do NOT use your personal computers to manage your work systems. Keep work and personal devices completely separate.
Yes, lugging 2 or 3 (or 4) laptops around isn't ideal, but you don't want to be "THAT GUY" who brought down the company network/systems because your personal device allowed malware/etc. onto the company network.
My inner pedant had to fix that for you.
Security by obscurity is still a threat risk.
Edit: though apparently strike-through doesn't render properly? Anyway, just imagine the word threat struck through there.
Anytime you connect your network to an outside network you have a potential security problem. Adding layers to your connection protocol (such as initiating a VPN prior to establishing an RDP session) might be slightly more secure, but they introduce more variables into the equation, such as additional security problems, support issues and increased complexity.
Personally, I allow RDP on the default port from whitelisted addresses only and have never had a breach. It's not infallible, but it's no less secure than establishing a VPN from an unmanaged device.
Incidentally, I ran a trace against my firewall logs a few minutes ago and haven't had a hit against port 3389 in over 2 days. Yes, there are still bots running that check consecutive ports on consecutive IPs in blocks, but the numbers clearly drop once your /26 range drops off of the "hot lists" circulating on the dark web.
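The approach in this reply rests on two things: an allow list of source addresses and regularly checking the firewall log for hits on 3389. As an added example (not from the thread or from any poster), the PowerShell below does that log check against the W3C format that Windows Firewall itself writes to pfirewall.log: it counts connection attempts to TCP 3389 per source address, splits them into accepted and dropped, and flags any source that was accepted from outside the allow list. The log lines and the allowed address prefixes are constructed for the example.

```powershell
# Added example (not from the thread): audit a Windows Firewall log for RDP (TCP 3389) attempts.
# The log lines below are constructed for the example; on a real server read pfirewall.log instead.
$AllowList = @('192.168.10.', '10.8.0.')   # assumed LAN and VPN client prefixes

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-03-01 08:12:01 ALLOW TCP 192.168.10.25 192.168.10.5 51234 3389 0 - 0 0 0 - - - RECEIVE
2016-03-01 08:12:07 DROP TCP 203.0.113.45 192.168.10.5 40111 3389 52 S 3422119 0 8192 - - - RECEIVE
2016-03-01 08:12:08 DROP TCP 203.0.113.45 192.168.10.5 40112 3389 52 S 3422120 0 8192 - - - RECEIVE
2016-03-01 08:13:30 ALLOW TCP 10.8.0.14 192.168.10.5 61002 3389 0 - 0 0 0 - - - RECEIVE
2016-03-01 08:14:02 DROP TCP 198.51.100.9 192.168.10.5 55555 3389 52 S 1000001 0 8192 - - - RECEIVE
2016-03-01 08:14:40 ALLOW TCP 198.51.100.9 192.168.10.5 55556 3389 0 - 0 0 0 - - - RECEIVE
2016-03-01 08:15:00 ALLOW TCP 192.168.10.25 192.168.10.5 51235 445 0 - 0 0 0 - - - RECEIVE
'@

function Get-RdpAttempts {
    param([string[]]$Lines, [string[]]$AllowedPrefixes)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |      # skip blank and header lines
        ForEach-Object {
            $f = $_ -split '\s+'
            # Indexes follow the #Fields header: 2=action 3=protocol 4=src-ip 7=dst-port 16=path
            [pscustomobject]@{
                Time    = "$($f[0]) $($f[1])"
                Action  = $f[2]
                Proto   = $f[3]
                SrcIp   = $f[4]
                DstPort = [int]$f[7]
                Path    = $f[16]
            }
        } |
        Where-Object { $_.Proto -eq 'TCP' -and $_.DstPort -eq 3389 -and $_.Path -eq 'RECEIVE' } |
        Group-Object SrcIp |
        ForEach-Object {
            $ip = $_.Name
            [pscustomobject]@{
                SrcIp       = $ip
                Attempts    = $_.Count
                Allowed     = @($_.Group | Where-Object Action -eq 'ALLOW').Count
                Dropped     = @($_.Group | Where-Object Action -eq 'DROP').Count
                OnAllowList = [bool]@($AllowedPrefixes | Where-Object { $ip.StartsWith($_) }).Count
            }
        } |
        Sort-Object Attempts -Descending
}

$report = Get-RdpAttempts -Lines ($SampleLog -split "`r?`n") -AllowedPrefixes $AllowList
$report | Format-Table -AutoSize

# A session accepted from a source that is not on the allow list means the whitelist rule is not
# doing its job (or the list is stale); that is the line to act on first.
$report | Where-Object { -not $_.OnAllowList -and $_.Allowed -gt 0 } |
    ForEach-Object { Write-Warning "RDP session accepted from unexpected source $($_.SrcIp)" }
```

Windows Firewall does not log by default; `Set-NetFirewallProfile -All -LogBlocked True -LogAllowed True` turns it on, and the file lands in `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` unless `-LogFileName` says otherwise. Replace the constructed `$SampleLog` with `Get-Content` on that file and the same function gives the per-source picture this reply describes, with the dropped counts showing the scanner traffic and the allowed counts showing who actually got in.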
This only works with Enterprise or greater OS versions.
TAHIN wrote:
There is absolutely no need to port forward RDP when you have something like DirectAccess at your disposal. It is pretty slick on Server 2012 R2. Normally an enterprise goes the VPN route, but depending on your company and equipment maybe your situation is different. I'd just like to mention this other option.
DirectAccess vs VPN comparison:
//directaccess.richardhicks.com/2016/02/08/directaccess-vs-vpn/
Another: //channel9.msdn.com/Shows/OEMTV/OEM1715
Requirements: //technet.microsoft.com/en-us/library/dn464273(v=ws.11).aspx
Lab it up and try it out. This is how we connect to our lab domain on a different ISP.
A few different ways to do this:
1) Open up RDP on your firewall via port forwarding. I would not recommend this as it is a security risk.
2) RD Gateway server. Requires setup and SSL certs; you still need to port forward port 443.
3) VPN connection. Could be via your firewall provider or a 3rd party tool like LogMeIn Hamachi (I have used this before, but it has been a long time; I think it is free for up to 5 computers).
4) 3rd party tools, something like TeamViewer.
5) Microsoft DirectAccess. This is basically an SSL VPN; I think you need the Enterprise version of the Windows client to use this.
This topic has been locked by an administrator and is no longer open for commenting.