
Teacher

 • 

16 Messages

Sunday, October 12th, 2008 3:36 PM

Closed

Host a VPN on Home Computer

Hello.  I have AT&T U-verse at home and would like to be able to access my home computer while I'm at work, preferably using RDC. I know that I need to have Windows XP Professional on my home computer (which I don't have yet). I assume that rather than just opening up the RDC port to the world, it's better to set up a VPN and then RDC over the VPN. I would like to set up and connect to the VPN just as a test with my current XP Home operating system. I set up an Incoming connection that enables VPN. But I'm not sure how to configure the firewall on the RG. Should I select PPTP server as the application whose ports to open up? Where would I configure the pre-shared key? Also, once the VPN is running, how would I open up the RDC port? So far I have figured out that I can't test this with another computer connected to the local network since the RG doesn't forward internal packets. Therefore, I would like to have the exact setup steps so I can then leave the house and test it from outside (as opposed to just experimenting and modifying things to get it to work).

 

The home computer is connected using Wi-Fi, if that changes anything.

 

Thanks 

Accepted Solution

Official Solution

Expert

 • 

9.4K Messages

13 years ago

VPN doesn't have anything to do with this.  You don't need any kind of VPN to map a network drive from the home computer onto the office computer.

 

You need to:

 

  • Turn on file sharing on the home computer
  • Share a directory on the home computer, give it proper access permissions to a particular username/password
  • Map the drive on the office computer.  Because of the different domain on the office computer, you won't be able to see the home computer in the network listing, but you can still map the drive if you map it by IP address.  (e.g. map \\192.168.1.67\SharedFolder)
  • You'll have to provide a username/password during the mapping operation that exists on the home computer, and will need to include the home computer's name in place of the domain.  (e.g. username: HOMECOMPUTERNAME\Username)

Once the drive is mapped, have at it.
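The four steps above, worked through as an added PowerShell example (this is editor-supplied code, not the reply's own). The share name SharedFolder and the address 192.168.1.67 come from the reply; the folder path C:\Shared, the account name officeuser and the name HOMECOMPUTERNAME are assumptions. It also assumes a Windows version with the SmbShare and LocalAccounts modules (Windows 8 / Server 2012 or later, not XP), and that the office PC can reach the home PC's private address, which across the Internet means through the VPN discussed later in the thread, since SMB (TCP 445) should not be forwarded from the public side of the RG.

```powershell
# Added example (not from the original post): share a folder on the home PC for one
# dedicated local account, then map it from the office PC by IP with that account.
# Assumed names: C:\Shared, officeuser, HOMECOMPUTERNAME. 192.168.1.67 and SharedFolder
# are the values used in the reply above.

# ---- On the home computer (run as administrator) ----
$shareUser = 'officeuser'
$sharePath = 'C:\Shared'
$shareName = 'SharedFolder'

# 1. A dedicated local account. The office PC will present HOMECOMPUTERNAME\officeuser,
#    so this credential exists only on the home machine and is used for nothing else.
$pw = Read-Host -AsSecureString "Password for $shareUser"
New-LocalUser -Name $shareUser -Password $pw -Description 'Remote share access only'
# Members of Users hold the "Access this computer from the network" right by default.
Add-LocalGroupMember -Group 'Users' -Member $shareUser

# 2. Share the directory, granting access to that one account rather than Everyone.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
New-SmbShare -Name $shareName -Path $sharePath -ChangeAccess "$env:COMPUTERNAME\$shareUser"

# 3. Share permissions and NTFS permissions are evaluated separately; restrict both.
#    Inheritance is removed so nothing broader leaks in from the parent folder.
icacls $sharePath /inheritance:r `
    /grant:r "${env:COMPUTERNAME}\${shareUser}:(OI)(CI)M" `
    'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# ---- On the office computer ----
# Map by IP address (NetBIOS browsing will not find the home machine across the
# domain/workgroup boundary) and pass the home machine's local account, not the
# office domain account.
$homeIp   = '192.168.1.67'
$homeName = 'HOMECOMPUTERNAME'
$cred = Get-Credential -UserName "$homeName\$shareUser" -Message 'Home computer account'
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$homeIp\$shareName" -Credential $cred -Persist
Get-PSDrive -Name Z
```

The `-Persist` switch makes the mapping a real drive letter visible in Explorer; drop it for a session-only mapping. If the mapping fails with an access-denied error, check the NTFS ACL and the share ACL separately, since the effective permission is the more restrictive of the two.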

 

Accepted Solution

Official Solution

Expert

 • 

9.4K Messages

13 years ago

The underlying protocol used by Windows networking is TCP/IP, and has been ever since Windows 98.  NetBEUI isn't used anymore.  But there's some remaining NetBIOS protocols that run on top of TCP/IP.  One of these is NetBIOS name resolution.

 

NetBIOS name resolution is the translation of Windows computer names into IP addresses.  This is essentially an equivalent service to DNS, but doesn't usually operate with a central server except in older corporate environments (the NetBIOS name server/service used there is called WINS.  WINS has been replaced in Windows Server 2003 and later by Active Directory-integrated DNS).

 

On Windows networks without a WINS or DNS server, NetBIOS name resolution is accomplished by broadcasts to a machine on the network that has been elected as the "master browser".  The master browser is supposed to keep a list of every Windows machine in the workgroup and provide that to other machines on demand.

 

However, your office machine and home machine are in different workgroups (the office machine's workgroup is a centrally-managed workgroup, known as a domain).  Because they're on different workgroups, they don't pay attention to each other's master browser.  What this results in is a situation where your office machine will not be able to find the home machine on the network by name.  There will be no NetBIOS name resolution for the home machine because whatever machine has been elected as the office workgroup's master browser (which will probably be your office machine since it's the only office domain machine on the network) will not keep track of machines in other workgroups.

 

So, to bypass this NetBIOS name resolution problem entirely, we simply map the home machine by IP address instead.  That solves the first problem.

 

A second problem appears again because the two machines are on different workgroups.  If you were mapping a drive from another machine joined to the office domain, your username and password that you used to log on to the office machine would be used for authentication and authorization on the machine serving the shared folder, and that machine would validate your username and password through the domain controller.  But the home machine isn't a member of the domain and knows nothing about a domain controller, so its only choice is to validate your username and password against its local users table.  This is why you have to supply a different username and password to map the drive, because it has to be a username and password that the home machine knows about.

 

Master

 • 

7.1K Messages

15 years ago

http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html

 

Port forwarding of TCP Port 3389 through any firewall/NAT/router is required if the user needs to access a Windows XP Professional Remote Desktop from a remote location. The Windows XP SP2 Windows Firewall can be configured to allow Remote Desktop by simply checking a checkbox in the

Message Edited by randyl on 10-12-2008 11:08 AM

Teacher

 • 

16 Messages

15 years ago

Thanks, Randyl. Actually, I don't use the Windows Firewall at all; I only use the firewall that is on the U-verse modem/router/access point (3800-HGV-B; sorry, I was mistakenly referring to it as the RG in my previous post). So, extrapolating from what you said, I would set up the port forwarding for RDC on my modem/router.

 

I guess my question is really whether setting up port forwarding will be secure enough, or whether I should establish a VPN first. 

 

Often we have to log into individual servers on a statewide government network at my job. First, we VPN into the state network and then we use RDC to access a specific server. I guess I was just assuming that this is the most secure method of accessing a PC over the Internet. Is this overkill just to access my home PC? If I'm going to leave my home computer turned on and connected to the Internet all day in order for me to access it, I want to be sure that it is secure. Also, when I am sending information using RDC I want it to be secure.

 

I hope this clarifies my question.

 

Thanks again,

hb

Expert

 • 

9.4K Messages

15 years ago

You can set up a PPTP (VPN) server on a computer if you want to.  I have my servers at work set up this way.

 

You just need to configure the RG firewall to assign the "PPTP Server" application to the computer that is running the VPN server.  You'll then be able to connect to it using PPTP VPN from a remote location, and can then start an RDP session.

 

RDP by itself is encrypted and fairly secure, but I prefer to wrap the session in VPN anyway.  This way, you can not only use RDP, but can do other things that may not be encrypted on their own, like mapping drive shares and mapping printers.

 

Teacher

 • 

16 Messages

15 years ago

Hey SomeJoe7777. So, I don't need to set up a pre-shared key anywhere for the VPN?

 

Thx

Expert

 • 

9.4K Messages

15 years ago


@hbourne wrote:

Hey SomeJoe7777. So, I don't need to set up a pre-shared key anywhere for the VPN?

 

Thx


 

Well, that's dependent on whatever VPN server software and client software you're going to use.  The RG doesn't know or care about that ... it just passes the protocol between the client & server.

 

Teacher

 • 

16 Messages

15 years ago

OK. Humor me with the answer to one more question: once the PPTP connection is established, the RDP protocol must take place at a higher network level, on top of the PPTP, right? So, I would theoretically open up the RDP port within the VPN software?

Expert

 • 

9.4K Messages

15 years ago

A PPTP connection establishes a route between networks where the traffic is secured by some mechanism (usually IPSec) and then tunneled inside a carrier protocol (usually GRE).  The VPN "software" is not an application that you see a window with -- it's just a connection between the client and server.

 

Once the PPTP connection is established, when you open the RDP software (usually Windows Remote Connection), it asks the name of the server you want to connect to.  That name will be resolved via DNS into an IP address.  The local routing table on the client will determine that the destination IP address for this remote connection is on the other side of the PPTP tunnel, and will send the traffic through the tunnel to establish the connection.

 

The RDP protocol does not take place at a higher network level than it normally would.  RDP is layer 5 (session), this is encapsulated in TCP (layer 4), this is encapsulated in IP (layer 3).  Point-To-Point Tunneling Protocol (PPTP) is a layer 3 protocol that can tunnel other layer 3 protocols inside as payload.  The IP packet for the RDP session (which would normally traverse over the public internet), is now encrypted and signed by IPSec (this makes another IP packet - type ESP - Encapsulated Security Payload), this packet is now encapsulated inside a GRE (Generic Routing Encapsulation) packet, which is also IP at layer 3.  This GRE packet now traverses over the public internet.

 

The RG, when you've configured its firewall to open PPTP, will let the GRE packet through to the PPTP server.  The PPTP server reverses all the encapsulation and encryption, and ends up with an IP packet (layer 3) that is now the part of the RDP session.  If the RDP session is on the same server as the PPTP server, this now gets processed up the network stack to be sent to the RDP server.  If the RDP session is on a different computer, then the PPTP server will send the IP packet to the RDP server.

 

I realize this may be a little more detail than you may have been looking for to answer your question, but I believe in being thorough.  It's a character flaw of mine. :)

 

As an example, the PPTP client and server software that I use at work is Microsoft Windows Server 2003 Routing and Remote Access Service (this is the server).  The client is built into all versions of Windows, you can set it up through the network setup wizard.  I do not have this set up at home.  At home I use LogMeIn for remote access.

 

Message Edited by SomeJoe7777 on 10-14-2008 06:52 PM
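The PPTP setup that the "PPTP Server" advice (earlier reply) and the encapsulation walkthrough (reply above) describe, as an added PowerShell example. This is editor-supplied code, not anything from the replies or from RRAS. It assumes Windows 8 / Server 2012 or later on both ends; home.example.net stands for the RG's public address, 192.168.1.0/24 for the home LAN, and officeuser for the VPN account; all three are assumptions. 192.168.1.67 is the RDP target from the thread. The one fact to carry away is in the comments: PPTP (RFC 2637) is a TCP 1723 control channel plus GRE, IP protocol 47, and GRE has no port number, so the RG profile and any host firewall must pass protocol 47 explicitly rather than "a port".

```powershell
# Added example (not from the original post): firewall rules on the Windows host that runs
# the PPTP (RRAS) server, and the client-side connection from the office.
# Assumed: home.example.net (RG public address), 192.168.1.0/24 (home LAN), officeuser.

# ---- On the PPTP/RRAS server host (home side), run as administrator ----
# PPTP is two flows: TCP 1723 (control) and GRE, IP protocol 47 (the tunnelled PPP frames).
# The RG's "PPTP Server" application profile forwards both to this host.
New-NetFirewallRule -DisplayName 'PPTP control (TCP 1723)' -Direction Inbound `
    -Protocol TCP -LocalPort 1723 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'PPTP tunnel (GRE, IP protocol 47)' -Direction Inbound `
    -Protocol 47 -Action Allow -Profile Any

# RDP is reachable only from the home LAN (which VPN clients join once connected).
# TCP 3389 is never forwarded on the RG, so it is never exposed to the Internet.
New-NetFirewallRule -DisplayName 'RDP from home LAN/VPN only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress '192.168.1.0/24' -Action Allow

# ---- On the office client ----
# MS-CHAPv2 with encryption required is the strongest combination PPTP offers.
Add-VpnConnection -Name 'Home' -ServerAddress 'home.example.net' -TunnelType Pptp `
    -EncryptionLevel Required -AuthenticationMethod MSChapv2 `
    -RememberCredential:$false -Force

# Bring the tunnel up; '*' makes rasdial prompt for the password instead of storing it.
rasdial Home officeuser *
Get-VpnConnection -Name Home | Select-Object Name, ConnectionStatus

# With the tunnel up, routes through the VPN adapter (alias = connection name) decide that
# 192.168.1.67 is on the far side, so the RDP packets go into the tunnel, not to the RG's
# public side. Nothing is "opened" inside the VPN; the client just targets the private IP.
Get-NetRoute -InterfaceAlias 'Home' -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, RouteMetric
mstsc /v:192.168.1.67
```

Two practitioner notes. First, test the GRE rule from outside the house, as the original poster planned: the symptom of a missing GRE rule is a PPTP connection that authenticates and then fails with error 619 or hangs at "Verifying username and password", because the TCP 1723 side works and the GRE side does not. Second, PPTP's MS-CHAPv2 authentication and MPPE encryption have well-known weaknesses; the layering described in the reply is accurate as a model of how the tunnel carries RDP, but a current deployment would use the same pattern with L2TP/IPsec, SSTP or IKEv2, which Add-VpnConnection also supports via -TunnelType.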

Guru

 • 

422 Messages

15 years ago

VPN is obviously the most secure approach.

 

That said, I've been using terminal services/remote desktop "in the clear", on the default port since it first became available with Windows 2000 server. I've worked with several offices that have had similar setups going for years. I've never had an instance of being hacked through Remote Desktop.

 

To decrease hack likelihood, you can disable or rename the Administrator account (now they must guess a username AND password), use strong passwords, and use an alternative port to avoid scans.

 

Now, VNC is a different story.  Machines with RealVNC on their default port seem to get cracked within days.  Seen it numerous times.  Not really sure why.

 

-- Rob
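Rob's three hardening steps (rename Administrator, strong passwords, non-default port), as an added PowerShell example that is not part of his post. It goes slightly beyond the post by also requiring Network Level Authentication and setting a lockout policy, both of which target the same password-guessing threat he describes. Assumed: Windows 8 / Server 2012 or later, run as administrator; the new account name hb-admin, port 33890 and the policy numbers are made up.

```powershell
# Added example (not from the original post): RDP exposure hardening on the home PC.
# Assumed values: hb-admin, port 33890, 14-char minimum, 5-attempt lockout.

# 1. Rename the built-in Administrator so a guesser needs the username as well as the
#    password. (Its RID stays 500, so this raises the cost of guessing, not of enumeration.)
Rename-LocalUser -Name 'Administrator' -NewName 'hb-admin'

# 2. Strong-password and lockout policy for local accounts. net accounts applies to a
#    non-domain machine such as a home PC.
net accounts /minpwlen:14 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Move the RDP listener off 3389 and require Network Level Authentication, so the
#    credential is checked before a full session (and its attack surface) is built.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$newPort = 33890
Set-ItemProperty -Path $rdpKey -Name 'PortNumber'         -Value $newPort -Type DWord
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1        -Type DWord

# 4. The built-in "Remote Desktop" firewall rules are bound to 3389; add one for the new port.
New-NetFirewallRule -DisplayName "RDP on $newPort" -Direction Inbound -Protocol TCP `
    -LocalPort $newPort -Action Allow
Restart-Service -Name TermService -Force

# 5. Verify: the listener is on the new port and NLA is enabled.
Get-NetTCPConnection -State Listen -LocalPort $newPort | Select-Object LocalAddress, LocalPort
(Get-ItemProperty -Path $rdpKey).UserAuthentication   # 1 = NLA required
```

A non-default port only reduces noise from scanners that probe 3389 alone; a full port scan still finds the listener, which is why the VPN-first approach the thread settles on remains the better control. After the rename, connect with `mstsc /v:host:33890` and the new account name; the old "Administrator" name will simply fail to authenticate.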

 
