RDP over VPN between two XP Pro machines

Archived from groups: microsoft.public.windowsxp.work_remotely

Hi,
Like many others I'm trying to set up a WinXP machine to be a VPN server and
an RDP server, so at work I can connect to my home PC, open a VPN tunnel and
then open an RDP session.


I have a few questions about this. Hopefully someone can help me out.

Both at work and at home I have a WinXP Pro machine. At work all ports are
open and at home, I'm behind a router on which I can do port forwarding. I'd
like to use my home pc when I'm at work.

The VPN server (the home pc) is behind a router so Port Mapping will need to
be done on the router I guess. Standard port usage is 1723 for PPTP and
IPSec is 500 I think. I also heard something about PPTP passthrough but I
don't know whether this is relevant?

The things I don't fully understand:

- how/where can I determine whether my VPN server should use PPTP
or Ipsec ?

- if I would use PPTP, why might I need to configure "PPTP
passthrough" ? And how?

- Currently the RDP service on my home pc is accepting RDP requests from
remote clients. But because this would be more secure over VPN I've added
the XP VPN service ("incoming connections"). My question : how can I make
sure that RDP will only work AFTER the tunnel has been created?

- Any other (security) issues I need to consider?


Thanks!

Rgds,
Kris
  1. Archived from groups: microsoft.public.windowsxp.work_remotely

    I'll go at these in somewhat of reverse order.

    If you open only the VPN port(s) in the router, you can be sure that RDP
    isn't accessible to the outside world except through the VPN.

    If you are going to use a PPTP VPN, you must open GRE protocol 47 (labelled
    as PPTP passthrough on some routers)--or it won't work!

    If you can't find such a setting, it may well be that the equivalent is
    automatic on your router. Open port 1723, TCP, forwarded to the machine
    hosting the inbound VPN connection, and test it out. If you have problems,
    check the web tech support resources at your router vendor--most vendors
    have some information about how to open incoming VPN connectivity.

    I think I'm going to leave IPSEC versus PPTP to someone else--I believe that
    you need fixed IP addresses at both ends to make effective use of IPSEC, and
    I've never had that luxury. IPSEC also has an equivalent of PPTP
    passthrough, I believe, and I'm not certain how it is specified.
  2. Archived from groups: microsoft.public.windowsxp.work_remotely

    L2TP/IPSEC VPN tunnels definitely won't work over the NAT connection
    without one end running Windows 2003 Server or a UNIX variant that
    supports NAT-T (NAT Traversal)... Unfortunately, this technology is
    not available in the VPN server on Windows XP...

    IPSEC/L2TP Requirements:
    IP Protocol 50 (ESP)
    UDP Port 1701
    UDP Port 500

    (and if you can get a NAT-T server) UDP Port 4500

    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Sat, 24 Apr 2004 11:15:33 -0400, "Bill Sanderson"
    <Bill_Sanderson@msn.com.plugh.org> wrote:

    >I'll go at these in somewhat of reverse order.
    >
    >If you open only the VPN port(s) in the router, you can be sure that RDP
    >isn't accessible to the outside world except through the VPN.
    >
    >If you are going to use a PPTP VPN, you must open GRE protocol 47 (labelled
    >as PPTP passthrough on some routers)--or it won't work!
    >
    >If you can't find such a setting, it may well be that the equivalent is
    >automatic on your router. Open port 1723, TCP, forwarded to the machine
    >hosting the inbound VPN connection, and test it out. If you have problems,
    >check the web tech support resources at your router vendor--most vendors
    >have some information about how to open incoming VPN connectivity.
    >
    >I think I'm going to leave IPSEC versus PPTP to someone else--I believe that
    >you need fixed IP addresses at both ends to make effective use of IPSEC, and
    >I've never had that luxury. IPSEC also has an equivalent of PPTP
    >passthrough, I believe, and I'm not certain how it is specified.
  3. Archived from groups: microsoft.public.windowsxp.work_remotely

    Guys,

    Thank you for all this great info.

    Meanwhile I've successfully set up the VPN service on my XP home machine and
    connected over the internet with the VPN client on a WinXP machine.
    Everything worked.

    Only one question remains.

    Before using VPN I just used RDP. I had configured my router to listen on an
    obscure port and then forward to my internal workstation on the standard RDP
    port.
    Now my router is listening on the standard VPN port and forwarding to my
    internal workstation also on the standard vpn port.

    => Isn't there a way to change the vpn port?
    => And if I wouldn't change the vpn port, would this VPN approach still be
    safer than the obscure rdp port approach I used before?

    Thanks!
    Kris
  4. Archived from groups: microsoft.public.windowsxp.work_remotely

    AFAIK, there is no way to change the PPTP VPN port (ie. TCP Port 1723 and GRE Protocol 47).
    Otherwise, see my answer to you in the network_web news group.

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...
  5. Archived from groups: microsoft.public.windowsxp.work_remotely

    There definitely is no way to do this without writing your own VPN
    client software... :(

    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Sun, 25 Apr 2004 06:16:19 -0500, "Sooner Al"
    <SoonerAl@somewhere.net.invalid> wrote:

    >AFAIK, there is no way to change the PPTP VPN port (ie. TCP Port 1723 and GRE Protocol 47).
    >Otherwise, see my answer to you in the network_web news group.
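
The forwarding requirements given in the replies above can be checked mechanically. This is an added example, not part of any poster's message: it audits a list of router port-forward rules against the PPTP and L2TP/IPsec requirements named in the thread and flags any rule that still reaches RDP. The rule format, the internal address, the external port 53389 and the sample rule sets are constructed for illustration; 3389 is the default RDP port.

```python
RDP_PORT = 3389  # default RDP listener on the internal machine

# (protocol, external port) pairs named in the replies above.
# A port of None means an IP protocol that has no port numbers (GRE, ESP).
VPN_NEEDS = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "l2tp-ipsec": {("esp", None), ("udp", 1701), ("udp", 500)},
}
VPN_OPTIONAL = {"pptp": set(), "l2tp-ipsec": {("udp", 4500)}}  # NAT-T


def label(proto, port):
    return proto if port is None else f"{proto}/{port}"


def audit(rules, vpn="pptp"):
    """Return a list of findings for a set of port-forward rules.

    Each rule is a dict with keys proto, ext_port, int_host, int_port.
    EXPOSED    = a forward that lands on the RDP listener, whatever the
                 external port number is (the "obscure port" setup).
    UNEXPECTED = a forward the chosen VPN type does not need.
    MISSING    = something the VPN type needs but no rule provides. For GRE
                 this can be a false alarm on routers that handle PPTP
                 passthrough automatically, as the first reply notes.
    """
    needed = VPN_NEEDS[vpn]
    allowed = needed | VPN_OPTIONAL[vpn]
    seen, findings = set(), []
    for r in rules:
        key = (r["proto"], r["ext_port"])
        if r["proto"] == "tcp" and r["int_port"] == RDP_PORT:
            findings.append(f"EXPOSED rdp via {label(*key)}")
        elif key in allowed:
            seen.add(key)
        else:
            findings.append(f"UNEXPECTED {label(*key)}")
    for key in sorted(needed - seen, key=lambda k: (k[0], k[1] or 0)):
        findings.append(f"MISSING {label(*key)}")
    return findings


# Constructed sample rule sets.
HOME_PC = "192.168.1.10"
OBSCURE_RDP = [  # the earlier setup: obscure external port forwarded to RDP
    {"proto": "tcp", "ext_port": 53389, "int_host": HOME_PC, "int_port": RDP_PORT},
]
PPTP_ONLY = [  # the setup the replies recommend: VPN forwards only
    {"proto": "tcp", "ext_port": 1723, "int_host": HOME_PC, "int_port": 1723},
    {"proto": "gre", "ext_port": None, "int_host": HOME_PC, "int_port": None},
]

if __name__ == "__main__":
    for name, rules in (("obscure RDP", OBSCURE_RDP), ("PPTP only", PPTP_ONLY)):
        print(name, "->", audit(rules) or "no findings")
```
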