7

I have a Windows 2008 server. It works as a mail, FTP and web server. In my LAN there is another server, and I want to reach this server with RDC from outside my LAN (example: domail.com:5555 -> 192.168.0.2:3389). Is there any solution to forward this port using Windows Firewall?

10 Answers

5

Try the following:

netsh routing ip nat add portmapping external tcp 0.0.0.0 5555 192.168.0.2 3389

This rule shall forward any incoming connection to port 5555 from outside to your specific LAN IP/port. Here external is the name of the external network interface.

Don't forget to have proper firewall rules that will allow traffic related to port 5555 to pass in both directions on the external NIC. You need to allow incoming traffic to port 5555 and outgoing traffic related to these connections.

I've never used the built-in Windows firewall, but I strongly suggest you have a look at wipfw. It is smart enough to implement connection tracking.

2
  • 1
    +1 for the use of the word "shall"
    – Micah
    Commented Mar 30, 2011 at 13:15
  • 1
    The following command was not found: routing ip nat add portmapping external on Windows Server 2016
    Commented Mar 18, 2018 at 16:31
2

If you want to use port forwarding in your scenario, you should "add role: RRAS" and manage NAT rules under RRAS in Administrative Tools.

Actually, it's very simple in 2K3, but 2K8? I'm shocked and disappointed.

2

I believe this is the command you are looking for:

netsh interface portproxy add v4tov4 listenport=5555 listenaddress=192.168.0.1 connectport=3389 connectaddress=192.168.0.2

To view the result:

netsh interface portproxy show all
1
  • On a "Windows Server 2008 R2 Standard, SP1" the accepted answer does not work ("routing" command is unknown), but this one does.
    – monster
    Commented Oct 12, 2016 at 14:18
1

If your Windows server is behind a NAT device then I would recommend creating a port forwarding rule on your NAT that can accept an inbound connection on TCP/5555 and then forward to TCP/3389. This way you aren't modifying the server.

Also, if you have more than one server you would like to connect to via RDP, then I would recommend you check out Windows 2008 Terminal Services Gateway.

1

First of all,

W2K3's firewall can do that, but W2K8's firewall or advanced firewall cannot do this.

Additional info: the "netsh routing..." command doesn't work on W2K8 in any combination (advfirewall, firewall, etc.).

I'm sorry:(

0

Another bit of info ... the Windows firewall is not like the Linux one, where you can do fancy iptables stuff. The Windows one blocks/allows ports and programs and is stateful, but that is where it ends.

0

Just a suggestion, but why not add a Remote Desktop Gateway? It's a built-in role with W2K8+ that runs over SSL/443, which makes it pretty easy to route over any firewall. In addition, you can then set up rules and use a Network Policy Server and rules to really control at a granular level who can access your server. Since you are already running a web server, this may be the most secure solution. It will also allow you to RDP into any server behind the firewall without having to make any modifications to the firewall.

Works great at my multiple sites and it is VERY secure.

0

Is your Server 2008 R2 box acting as the 'head of your network', or simply put, your router?

If not, then you need to make these changes to your router/firewall at the front of your network. Set up the port forward exactly as you described above, forwarding the inbound port 5555 to (serverip):3389.

By default, if you do not set the destination port to 3389, it will not work without a registry change on the server you're connecting to.

0

You can use the netsh command (it does not require installing anything on your server):

netsh interface portproxy add v4tov4 listenport=5555 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.0.2

To remove forwarding:

netsh interface portproxy delete v4tov4 listenport=5555 listenaddress=0.0.0.0
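The two portproxy answers above give the bare add/delete commands. What follows is an added example, not code from either answer, that wraps the same forward in a PowerShell script for Windows Server 2008/2008 R2 (PowerShell 2.0 syntax) together with the pieces a practitioner needs around it: the IP Helper service that actually implements portproxy, a Windows Firewall rule that opens only the listener port and only to an assumed admin network, and a local connect test. The listener 0.0.0.0:5555, the target 192.168.0.2:3389 and the source range 203.0.113.0/24 (TEST-NET-3, a placeholder) are assumptions taken from the question; change them to fit.

```powershell
# Added example (not from the original answers): create a netsh portproxy
# forward, open the listener port in Windows Firewall, and verify it.
# Run in an elevated PowerShell on the server that owns the public interface.
$ListenPort    = 5555
$ListenAddress = '0.0.0.0'          # all local addresses; use the public IP to narrow it
$TargetAddress = '192.168.0.2'      # the internal RDP host from the question
$TargetPort    = 3389
$AllowedSource = '203.0.113.0/24'   # assumed admin network; 'any' would expose RDP to the whole internet

# portproxy is implemented by the IP Helper service (iphlpsvc). If it is stopped
# or disabled the rule is stored in the registry but nothing ever listens.
Set-Service -Name iphlpsvc -StartupType Automatic
if ((Get-Service -Name iphlpsvc).Status -ne 'Running') { Start-Service -Name iphlpsvc }

# The forward itself (same command as the answers above, parameterised).
& netsh interface portproxy add v4tov4 "listenport=$ListenPort" "listenaddress=$ListenAddress" `
    "connectport=$TargetPort" "connectaddress=$TargetAddress"

# Allow inbound TCP/5555 only from the admin network. The built-in
# "Remote Desktop (TCP-In)" rule covers 3389 only, so a dedicated rule is needed.
& netsh advfirewall firewall add rule "name=RDP-forward-$ListenPort" dir=in action=allow `
    protocol=TCP "localport=$ListenPort" "remoteip=$AllowedSource"

# Show the stored rules, then prove the listener is really accepting connections.
& netsh interface portproxy show v4tov4

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect('127.0.0.1', $ListenPort)
    Write-Host "Listener on port $ListenPort is up and proxied to ${TargetAddress}:$TargetPort"
} catch {
    Write-Warning "Connect to port $ListenPort failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# Cleanup when no longer needed (mirrors the delete command above):
#   netsh interface portproxy delete v4tov4 listenport=5555 listenaddress=0.0.0.0
#   netsh advfirewall firewall delete rule name=RDP-forward-5555
```

Two things to keep in mind with this approach. portproxy is a user-mode TCP proxy, not NAT: the server accepts the connection and opens a second one to 192.168.0.2, so the RDP host's security and Terminal Services logs record the proxying server's LAN address as the client, not the real remote IP; the only record of the true source is on the proxying server. And the remoteip restriction is what keeps this from being an internet-exposed RDP listener; if you cannot pin down the source addresses, the RD Gateway answers on this page are the better design.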
0

Reproduced from this article:

By default, a Terminal Server uses port 3389 for RDP traffic. By default, every single competent hacker in the world knows that a Terminal Server uses port 3389 for RDP traffic. That being the case, one of the quickest changes you can make to your terminal server environment to detour potential intruders is to change this default port assignment.

In order to change the default RDP port for a Terminal Server, open regedit and browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Locate the PortNumber key and replace the hex value 00000D3D (which is equivalent to 3389) with the appropriate hex value for the port you wish to use.

Alternatively, you can change the port number used by your Terminal Server on a per connection basis. While still using regedit, browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection name. Again, locate the PortNumber key and replace the hex value in place with the value you wish to use.

Keep in mind that when changing this setting on your server, all connecting clients will need to be sure they are connecting to the Terminal Server with the new port extension tagged on to the server's IP address. For example, connecting to a Terminal Server with an internal IP address of 192.168.0.1 which is now using the non-standard port 8888 would require a user to enter 192.168.0.1:8888 into the Remote Desktop Connection client.

(image omitted; source: windowsecurity.com)

Please note that you would need to open the firewall to allow incoming connection on the new port. Also, don't forget to take some precautions before editing the registry, such as creating a system restore point.
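The regedit steps above, as an added example that is not part of the quoted article, scripted in PowerShell so the order of operations is explicit: read the current value, write the new one, open the new port in Windows Firewall before restarting anything, then restart the Remote Desktop service and check the new listener. The new port 8888 is the article's own example; the service restart is an assumption that matches 2008 R2 and later, where the listener re-reads PortNumber on service start (a reboot is the safe fallback if the old port is still listening).

```powershell
# Added example (not from the quoted article): move the RDP listener off 3389.
# Run elevated, and keep a console or out-of-band session open while you do it,
# because a mistake here cuts off your own RDP access.
$NewPort = 8888   # the article's example value; any free port above 1024 works
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Read what is there now (the default is 0x00000D3D = 3389, as the article says).
$current = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Write-Host ("Current RDP port: {0} (0x{0:X8})" -f $current)

# PortNumber is a REG_DWORD; writing it as DWord keeps the type the listener expects.
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord

# Open the new port first. The built-in "Remote Desktop (TCP-In)" rule is tied
# to 3389 and will not cover the new port.
& netsh advfirewall firewall add rule "name=RDP-$NewPort" dir=in action=allow `
    protocol=TCP "localport=$NewPort"

# The listener only picks up the new port when the service starts. -Force also
# restarts dependent services (e.g. UmRdpService) that would otherwise block it.
Restart-Service -Name TermService -Force

# Verify: the new port should show as LISTENING and 3389 should be gone.
& netstat -ano | Select-String -Pattern ":$NewPort\s", ':3389\s'

# Once confirmed from a client (mstsc /v:server:8888), remove the old rule:
#   netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
```

Worth stating plainly: a non-default port slows down the mass scanners that try 3389 and nothing else, but a full port scan finds the listener in seconds, and the banner identifies it as RDP. Treat the port change as noise reduction, not as access control; the controls that actually matter are Network Level Authentication, restricting who may log on over RDP, and fronting it with the RD Gateway described in the other answers.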
