Publishing Windows 2000 Terminal Services to a Non-Standard Port

Publishing Windows 2000 Terminal Servers To a Non-Standard Port

By Steve Moffat

Edited by Thomas W Shinder

Check out MSTerminalServices.org, a new resource for Windows Terminal Services and Citrix focusing on all aspects of server based computing and thin client computing.

Going by the number of posts in the ISAServer.org discussion list there are still a lot of Terminal Servers being published on the standard port of TCP 3389. This can have severe security implications as well as restricting the number of published terminal Servers to one.

Client Address Sets should be created and used to establish inbound access control to the Terminal Servers.

This tutorial will show you how to securely publish Terminal Server to ports other than 3389.

Step 1:

1. On the Terminal Server you want to publish.
   
2. Open regedit and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

3. Right click on PortNumber in the right hand pane and change it to an unused port of your choice. Restart your Server

Step 2:

1. If publishing Terminal Services on the ISA Server computer, then you should also restrict the listening port to the internal network interface. This prevents connections to the Terminal Server on the machine’s external interface.
   
2. Start the Terminal Services Configuration Console, right click on RDP-Tcp connections

3. Select Properties, and then click on the Network Adapter tab. Select your internal interface via the drop down box.

4. Restart your Server

Step 3:

1. Open the ISA Management Console.
   
2. Create a new Protocol Definition for each Server and port to be published.
   
3. Right Click on on the Protocol Definitions node, point to New and then click Definition.

4. Click Next.

5. Enter the port number you have chosen to use, make sure it’s TCP and Inbound.
   
6. Click Next.
   
7. Do not use any Secondary Connections.

8. Click Next.

9. Click Finish.

Step 4:

1. Create your Publishing Rule.
   
2. In the ISA Management Console, Right click on Server Publishing Rules.
   
3. Point to New and then click Rule.

4. Click Next.
   
5. Enter your Terminal Server’s address on the internal network and the IP address address on the external interface of the ISA Server that you want to publish the Terminal Server on.

6. Click Next.
   
7. Choose the Protocol definition previously created

8. Click Next.
   
9. At this point I cannot stress how important security is therefore I recommend that you use Client Address Sets to allow or deny access.

10. Click Next.
    
11. Add your Client Address Set(s)

12. Click OK then click Next. (Just for a change)
    
13. Click Finish.

Step 5:

On the client PC you have to change the port within the RDP client to the Terminal Server port you wish to connect to.

I recommend downloading the RDP 5 Client from Microsoft as it is a lot easier to configure. It also have more features and works much better. Don’t worry about compatibility, it works on all Windows platforms, from Windows 95 and up.

You can get it from here

http://download.microsoft.com/download/whistler/tools/1.0/wxp/en-us/msrdpcli.exe

With the RDP 5 client just append the port no. to your server address xxx.xxx.xxx.xxx:12345

And that’s all there is to it. Test from outside of your firewall and every thing should work perfectly.

You can also use the FQDN to reach your server as long as the port no. is reflected in this also.

Check out MSTerminalServices.org, a new resource for Windows Terminal Services and Citrix focusing on all aspects of server based computing and thin client computing.

Steve Moffat

6/13/2002