10-12-2008 8:36 AM
Hello. I have ATT Uverse at home and would like to be able to access my home computer while I'm at work, preferably using RDC. I know that I need to have Windows XP Professional on my home computer (which I don't have yet). I assume that rather than just opening up the RDC port to the world, it's better to set up a VPN and then RDC over the VPN. I would like set up and connect to the VPN just as a test with my current XP Home operating system. I set up an Incoming connection that enables VPN. But I'm not sure how to configure the Firewall on the RG. Should I select PPTN server as the application whose ports to open up? Where would I configure the preshare key? Also, once the VPN is running, how would I open up the RDC port? So far I have figured out that I can't test this with another computer connected to the local network since RG doesn't forward internal packets. Therefore, I would like to have the exact setup steps so I can then leave the house and test it from outside (as opposed to just experimenting and modifying things to get it to work).
The home computer is connected using Wi Fi, if that changes anything.
Solved! Go to Solution.
10-12-2008 9:07 AM
Port forwarding of TCP Port 3389 through any firewall/NAT/router is required if the user needs to access a Windows XP Professional Remote Desktop from a remote location. The Windows XP SP2 Windows Firewall can be configured to allow Remote Desktop by simply checking a checkbox in the
10-12-2008 5:40 PM
Thanks, Randyl. Actually, I don't use the Windows Firewall at all; I only use the Firewall that is on the U-Verse modem/router/access point (3800-HGV-B--sorry, I was mistakenly referring to it as RG in my previous post). So, extrapolating from what you said, I would set up the port forwarding for RGB on my modem/router.
I guess my question is really whether setting up port forwarding will be secure enough, or whether I should establish a VPN first.
Often we have to log into individual servers on a statewide government network at my job. First, we VPN into the state network and then we use RDC to access a specific server. I guess I was just assuming that this is the most secure method of accessing a PC over the Internet. Is this overkill just to access my home PC? If I'm going to leave my home computer turned on and connected to the Internet all day in order for me to access it, I want to be sure that it is secure. Also, when I am sending information using RDC I want it to be secure.
I hope this clarifies my question.
10-12-2008 5:46 PM
You can set up a PPTP (VPN) server on a computer if you want to. I have my servers at work set up this way.
You just need to configure the RG firewall to assign the "PPTP Server" application to the computer that is running the VPN server. You'll then be able to connect to it using PPTP VPN from a remote location, and can then start an RDP session.
RDP by itself is encrypted and fairly secure, but I prefer to wrap the session in VPN anyway. This way, you can not only use RDP, but can do other things that may not be encrypted on their own, like mapping drive shares and mapping printers.
10-12-2008 7:12 PM
Hey SomeJoe7777. So, I don't need to set up a preshare key anywhere for the VPN?
Well, that's dependent on whatever VPN server software and client software you're going to use. The RG doesn't know or care about that ... it just passes the protocol between the client & server.
10-14-2008 7:43 AM
OK. Humor me with the answer to one more question: once the PPTN connection is established, the RDP protocol must take place at a higher network level, on top of the PPTN, right? So, I would theoretically open up the RDP port within the VPN software?
10-14-2008 4:50 PM
A PPTP connection establishes a route between networks where the traffic is secured by some mechanism (usually IPSec) and then tunneled inside a carrier protocol (usually GRE). The VPN "software" is not an application that you see a window with -- it's just a connection between the client and server.
Once the PPTP connection is established, when you open the RDP software (usually Windows Remote Connection), it asks the name of the server you want to connect to. That name will be resolved via DNS into an IP address. The local routing table on the client will determine that the destination IP address for this remote connection is on the other side of the PPTP tunnel, and will send the traffic through the tunnel to establish the connection.
The RDP protocol does not take place at a higher network level than it normally would. RDP is layer 5 (session), this is encapsulated in TCP (layer 4), this is encapsulated in IP (layer 3). Point-To-Point Tunneling Protocol (PPTP) is a layer 3 protocol that can tunnel other layer 3 protocols inside as payload. The IP packet for the RDP session (which would normally traverse over the public internet), is now encrypted and signed by IPSec (this makes another IP packet - type ESP - Encapsulated Security Payload), this packet is now encapsulated inside a GRE (Generic Routing Encapsulation) packet, which is also IP at layer 3. This GRE packet now traverses over the public internet.
The RG, when you've configured its firewall to open PPTP, will let the GRE packet through to the PPTP server. The PPTP server reverses all the encapsulation and encryption, and ends up with an IP packet (layer 3) that is now the part of the RDP session. If the RDP session is on the same server as the PPTP server, this now gets processed up the network stack to be sent to the RDP server. If the RDP session is on a different computer, then the PPTP server will send the IP packet to the RDP server.
I realize this may be a little more detail than you may have been looking for to answer your question, but I believe in being thorough. It's a character flaw of mine.
As an example, the PPTP client and server software that I use at work is Microsoft Windows Server 2003 Routing and Remote Access Service (this is the server). The client is built into all versions of Windows, you can set it up through the network setup wizard. I do not have this set up at home. At home I use LogMeIn for remote access.
10-16-2008 3:45 PM
VPN is obviously the most secure approach.
That said, I've been using terminal services/remote desktop "in the clear", on the default port since it first became available with Windows 2000 server. I've worked with several offices that have had similar setups going for years. I've never had an instance of being hacked through Remote Desktop.
To decrease hack likelyhood, you can disable or rename the Administrator account (now they must guess a username AND password), use strong passwords, and use an alternative port to avoid scans.
Now, VNC is a different story. Machines with RealVNC on their default port seem to get cracked within days. Seen it numerous times. Not really sure why.
12-21-2010 7:14 AM
Hello. I was googling for information on setting up a VPN behind an ATT Uverse router and found this discussion that I participated in two years ago! Funny.
So anyway, my situation is this: I work from home on my work laptop. When I log into the laptop I am joining the work domain somehow, but I am not actually connecting to the VPN until I double-click the Remote Access icon.
I also have a home laptop that has pictures on it. Both laptops connect to the Internet through the ATT uverse router/wireless access point.
My work laptop is connected to the printer, so I want to be able to access the files on my home laptop from my work laptop (the other way around is not necessary, and indeed I want to prevent any access happening to my work laptop from anywhere else just for security) so I can either copy or print them. I want to be able to do this while logged in to my work laptop as my regular work domain username (i.e. I don't want to create a separate login on this computer in order to join a workgroup or anything).
I access a lot of state networks through VPN, so I figure I can create a VPN and host it on my home laptop and access it from my worklaptop --it doesn't matter to me that the packets may go through China to get from one computer in the house to the other. My main concern is not to compromise or mess up my work computer in any way, since our IT support is "self-service" at our company (which is one of the largest tech companies in the world).
We use the Cisco VPN client to access the state networks, but I figure I would need to buy somethign to host a Cisco VPN on my home laptop.
12-21-2010 7:24 AM
I think a Cisco VPN is overkill for what you want to do. And, I don't think you can set up anything other than a Cisco Router to accept requests for and establish a VPN, i.e. I think you'd have to trick a client on your home laptop to initiate a VPN connection to your office VPN then use that connection to access your Home Laptop.
There are other solutions, but I'm not sure you'd find any of them secure enough. But, you can look at the product lines for "GoToMyPC" and "LogMeIn" and decide that for yourself.
12-21-2010 7:43 AM - edited 12-21-2010 7:51 AM
Hi. Thanks for the reply. Maybe I'm not being clear. I don't need the office VPN to be active during this connection to the home computer. For example, right at this moment I am connecting to the Internet from my work computer but I am not on the work VPN. (I am using the user profile/username that I do use to connect to the VPN, however.)
I'm probably making it sound more difficult than it needs to be. I think I just need to host a VPN on my home laptop, don't I? And then install the client for whatever software I choose on my work laptop.
I found this article which seems incorrect. IT says that you can host VPN through "windows" but Windows XP Home does not have a VPN server on it: http://www.wikihow.com/Set-Up-a-Virtual-Private-Ne
Someone recommended this freeware in reply to the above article. It is recommended by numerous sites including PC World: http://www.leafnetworks.net/index.jsp?pid=24
12-21-2010 7:53 AM
VPN doesn't have anything to do with this. You don't need any kind of VPN to map a network drive from the home computer onto the office computer.
You need to:
Once the drive is mapped, have at it.
12-21-2010 8:54 AM
Thanks, Joe (for reading through all of my unintentional obfuscations). And of course if my IP changes I have to remap it.
Can you describe the difference in what is going on with mapping a drive by IP vs. joining a workgroup? Is it that it's not using NETBIOS but only TCP/IP? And there is only a one-way relationship going on here, right? Mapping a drive on my work computer to access my home computer doesn't expose my work computer at all.
12-21-2010 9:29 AM
The underlying protocol used by Windows networking is TCP/IP, and has been ever since Windows 98. NetBEUI isn't used anymore. But there's some remaining NetBIOS protocols that run on top of TCP/IP. One of these is NetBIOS name resolution.
NetBIOS name resolution is the translation of Windows computer names into IP addresses. This is essentially an equivalent service to DNS, but doesn't usually operate with a central server except in older corporate environments (the NetBIOS name server/service used there is called WINS. WINS has been replaced in Windows Server 2003 and later by Active Directory-integrated DNS).
On Windows networks without a WINS or DNS server, NetBIOS name resolution is accomplished by broadcasts to a machine on the network that has been elected as the "master browser". The master browser is supposed to keep a list of every Windows machine in the workgroup and provide that to other machines on demand.
However, your office machine and home machine are in different workgroups (the office machine's workgroup is a centrally-managed workgroup, known as a domain). Because they're on different workgroups, they don't pay attention to each other's master browser. What this results in is a situation where your office machine will not be able to find the home machine on the network by name. There will be no NetBIOS name resolution for the home machine because whatever machine has been elected as the office workgroup's master browser (which will probably be your office machine since it's the only office domain machine on the network) will not keep track of machines in other workgroups.
So, to bypass this NetBIOS name resolution problem entirely, we simply map the home machine by IP address instead. That solves the first problem.
A second problem appears again because the two machines are on different workgroups. If you were mapping a drive from another machine joined to the office domain, your username and password that you used to log on to the office machine would be used for authentication and authorization on the machine serving the shared folder, and that machine would validate your username and password through the domain controller. But the home machine isn't a member of the domain and knows nothing about a domain controller, so it's only choice is to validate your username and password against it's local users table. This is why you have to supply a different username and password to map the drive, because it has to be a username and password that the home machine knows about.
Welcome to the internet boards! Check out our troubleshooting articles below and don’t forget to search the forums - your question may have been answered already!
Service acting up? Click here to troubleshoot now!
© 2017 AT&T Intellectual Property.This link will open a new window All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners.
Congratulations! You earned the Liz badge!