Alexander’s Blog

Windows Server 2008 (WS08) Server Core can be used in lots of useful scenarios. However, because WS08 does not have a GUI, you need to use the command prompt to accomplish the administrative tasks. You may find it convenient to manage the Server Core from another computer.

By default Remote Desktop is not enabled on the Server Core. There are two steps you need to take to get Remote Desktop working: Enable Remote Desktop & open default RDP port, which is TCP port 3889.

STEP 1 - Enable Remote Desktop

You can look at your settings by using the following command:

cscript c:\windows\system32\scregedit.wsf /AR /v

The scregedit.wsf script will either return a 1 or a 0. If you see a 1 then the Terminal Services (i.e. Remote Desktop) is disabled, a 0 means it is enabled.

To enable Terminal Services use the following command:

c:\windows\system32\scregedit.wsf /AR 0

To disable Terminal Services use the following command:

c:\windows\system32\scregedit.wsf /AR 1

NOTE: The /AR switch is used for Vista and WS08 computers. For Windows XP computers replace /AR with /CS.

STEP 2 - Open RDP Port

To open Remote Desktop, you need to make sure that your firewall is not blocking the default Terminal Services/RDP port 3389. On a WS08 Server Core, run the following command to open TCP port 3389.

netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes

You should expect the following response when you execute the above command.

C:\Windows\system32>netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes

Updated 2 rule(s).
Ok.

You might want to check out Microsoft KB article 947709 for additional information on opening ports at the firewall or how to enable ICMP requests.

---

Copyright ©2009 Zubair Alexander. All rights reserved.

Windows Server 2008 offers both Terminal Services Gateway (TS Gateway) and Terminal Services RemoteApp (TS RemoteApp) features. Although they both offer Remote Desktop Protocol (RDP) over HTTPS, the main difference between them is that TS Gateway allows you to publish the entire desktop while TS RemoteApp publishes only the application.

For example, if you have a need to allow one of the vendors access to an application on your network so the vendor can support it you might want to consider TS RemoteApp in Windows Server 2008 as a solution. You can simply publish the application on a Windows Server 2008 in the DMZ, or behind an ISA firewall, without having to worry about setting up Virtual Private Networks (VPNs) for the vendor. As an administrator, you can use the TS Gateway to have full, secure access to the entire desktop.

I recently ran into this situation where I had to configure a Windows XP computer located on an internal network behind a Windows Server 2003 running Routing & Remote Access service to connect to a Cisco VPN. After installing the Cisco VPN on the client the computer was not able to establish a VPN connection from the internal network. However, outside the internal network the connection worked fine. The Windows Server 2003 was configured as a router and the Windows firewall was enabled. I noticed that the firewall was not configured to forward the port required to establish a Cisco VPN connection. I configured the proper port (TCP port 10,000) and the client was able to connect successfully.

I should point out that this scenario doesn’t apply to only the situation I just described, it also applies to situations where computers are located behind a DSL or cable modem and are trying to use Cisco VPN client for VPN connectivity. The following procedure describes configuration of Routing and Remote Access on Windows Server 2003 to add a custom port for Cisco VPN. You should check your router documentation for specific instructions on how to configure ports on the router.

1. Start Routing and Remote Access management console on your Windows Server 2003.
2. Select “NAT/Basic Firewall” under IP Routing.
3. In the details pane on the right-hand side, right-click the network interface that is connected to the Internet and select Properties.
4. Click on Services and Ports tab.
5. Click the Add button and type a description of service, such as Cisco VPN.
6. Make sure that TCP is the selected protocol and then type “10000″ without the quotes in the Incoming port and Outgoing port boxes.
7. In the “Private address” box type the IP address of your external interface that is used to connect to the Internet. Do not use the IP address shown in the sample graphic because it is used only for demonstration purposes.
8. Click OK twice to close all boxes and exit the management console.

Your users should be able to connect to the Cisco VPN now. There is no need to reboot the Windows Server 2003.

By default, Terminal Services (and Remote Desktop) uses TCP port 3389. If you use Remote Desktop or Terminal Services to connect to your Windows computer, you might want to consider modifying the default port for security reasons. The default port can be changed by hacking the registry. Here’s the procedure.

- Open the registry editor (regedit.exe) and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.

- Double-click PortNumber in the right-hand pane.

- Click on Decimal and change the Value data to a different port number that is not in use.

- Close the registry editor and reboot your computer.

This technique applies to Win2000/2003/XP. To connect to the remote computer enter the port number at the end of the domain name or IP address. For example, to connect to a domain called MSN.COM that has an IP address of 207.68.172.246 and is configured to use port number 5678, you can use either of the following in the Remote Desktop Connection:
MSN.COM:5678
207.68.172.246:5678

To determine which port number to use, click here for a list of TCP/IP port numbers. Port numbers 0 through 1023 are called well-known ports, while port numbers 1024 through 49151 are registered ports. You should pick one of the port numbers between 49152 and 65535 because these are dynamic or private ports, such as port 54321.