Terminal Server Licensing is probably among the easiest for us to troubleshoot, however, there are so many different scenarios it gets confusing FAST! The story on Terminal Server Licensing changes dramatically from Windows 2000 to Windows Server 2003. Here I’d like to see if I can explain the Server 2003 scenarios.
What port(s) should I open/NAT to allow me to use Remote Desktop?
7 Answers
Remote Desktop requires TCP port 3389 to be open.
It is possible to change the port used by the terminal server (or PC which is accessed), see this Microsoft support article: 'How to change the listening port for Remote Desktop'
In addition to opening port 3389 for UDP and TCP, I had to go edit the Windows firewall rule and set Edge traversal to allow. Like this:
The only exception to the previous answer (3389) is when using Small Business Server through Remote Web Workplace.
In this case the server NAT's the connection between you and server port 80 (HTTP) or 443 (HTTPS), and then to the internal computer; so only 80/443 is required.
If you don't want to use 3389 externally, open a different port externally, but point it to 3389 on the IP address of the machine you want RDC on. This is helpful for routing many systems with RDC. It's also nice because it won't require any registry edits.
What ports should I open for remote desktop - Answer: None.
Opening RDC to the Internet is a BAD IDEA. Port scanners will pick up an open 3389 pretty quickly and try to break your logon. https://www.grc.com/port_3389.htm
If security is a concern and you happen to have a Linux-based router (e.g. OpenWrt), then don't add any NAT entry for 3389 in this case.
Use your router as a jump server and create an SSH port forward.
- Your router's sshd listens on port 22 for the LAN network.
- It also listens on port A for the WAN network (the only one exposed), with only public-key authentication, so no brute-force password attempts.
- Create a public/private key pair, put the private one on your client devices, and copy the public one onto your router (into the authorized_keys file).
- Establish the tunnel from your client devices: ssh -p [port A] -L [port B]:RDP-box:3389 root@router (you can save this in your SSH config or Terminal profiles for easy use in the future).
- Connect RDP to localhost:[port B].
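A defender-side check for the router setup in this answer, added here as an example and not code from the original post: it parses a constructed sshd_config (port 2222 stands in for "port A", and "router" and "RDP-box" are placeholder hostnames) and verifies that the WAN-facing listener refuses password authentication while the LAN listener keeps its own settings.

```shell
#!/bin/sh
# Constructed sample sshd_config modelling the answer's router: port 22 serves
# the LAN, port 2222 (our stand-in for "port A") is the only one forwarded from
# the WAN and must be key-only. Global lines are defaults; the Match block
# overrides them for connections arriving on 2222.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
Match LocalPort 2222
    PasswordAuthentication no
    PermitRootLogin prohibit-password
EOF

# Effective value of one sshd option for connections on a given local port.
# Simplified parser: first value wins in the global section, a single-criterion
# "Match LocalPort N" block overrides it, other Match blocks are ignored.
# Prints the value, or "default" when the file does not set it.
effective_opt() { # file port option
    awk -v port="$2" -v opt="$3" '
        BEGIN { opt = tolower(opt) }
        tolower($1) == "match" {
            inblock = 1; active = (tolower($2) == "localport" && $3 == port); next
        }
        !inblock && tolower($1) == opt && val == ""          { val = $2 }
        inblock && active && tolower($1) == opt && mval == "" { mval = $2 }
        END { print (mval != "" ? mval : (val != "" ? val : "default")) }
    ' "$1"
}

# Returns 0 when the given port refuses passwords and still accepts keys
# (PubkeyAuthentication defaults to yes in OpenSSH, so "default" passes).
wan_port_is_key_only() { # file port
    [ "$(effective_opt "$1" "$2" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_opt "$1" "$2" PubkeyAuthentication)" != "no" ]
}

# The client-side tunnel from the answer with the example ports filled in;
# printed, not executed, because "router" and "RDP-box" are placeholders.
tunnel_cmd() { # wan_port local_port rdp_host
    printf 'ssh -p %s -N -L %s:%s:3389 root@router\n' "$1" "$2" "$3"
}

if wan_port_is_key_only "$SAMPLE_CFG" 2222; then
    echo "WAN listener 2222 is key-only; tunnel with:"; tunnel_cmd 2222 13389 RDP-box
else
    echo "WAN listener 2222 still accepts passwords: fix sshd_config first" >&2
fi
```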
We can set a custom RDP port number using the following registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp