Windows 7 Remote Desktop Firewall settings

In Part 1 of this tutorial series, we configured Windows to accept remote desktop connections, so we can log into and use a PC from anywhere in the world with Microsoft’s Remote Desktop Connection client application. In Part 2, we configured Windows to accept remote connections via a Web browser, so the client application doesn’t have to be installed on the computer from which you are connecting.

However, neither of these methods will work until your firewall is configured to allow remote connections. This tutorial addresses that. Plus, to connect to your PC via the Internet, your router must be properly configured.

In this tutorial, we’ll tell the firewall on the PC that’s hosting the remote connection that it is okay to allow incoming connections on the appropriate port. We’ll also tell your router where to forward remote desktop connections. Let’s get started.

Letting the Traffic Past Your Firewall

Since you will be trying to connect to your PC from the local network or Internet, your firewall software must be configured to let the traffic through. Enabling the Remote Desktop feature on Windows automatically configures Windows Firewall with the appropriate settings; however, you must manually configure any other third-party firewall software you have installed on your computer. To do this, add UDP port 3389 (which Remote Desktop uses) to your firewall’s authorized list. If needed, refer to the help and documentation of the firewall program for assistance.

It’s possible to change your Windows Firewall settings and accidentally mess up the setting automatically made when you enabled Remote Desktop. Therefore, to be on the safe side we’ll verify Remote Desktop connections can pass through.

If you are also setting up Web access to the Remote Desktop Connection, you must add TCP port 80 (or the port you choose for IIS if you changed from the default) to your Windows Firewall and any other third-party firewall. Windows doesn’t automatically add this port to the authorized list, so you will have to do it yourself.

Follow these steps in Windows Vista to verify the Windows Firewall settings or add the Web access port:

  1. Click the Start button and choose Control Panel.
  2. On the Control Panel window, under the Security category, click the Allow a program through Windows Firewall link. If User Account Control is enabled, select an account and enter a password, if required, and click Continue on the prompt.
  3. On the Windows Firewall Settings window that opened, click the General tab.
  4. Make sure the Block all incoming connections check box is NOT checked, as Figure 1 shows.
  5. Click the Exceptions tab and scroll down to make sure the Remote Desktop item is checked, as Figure 2 shows. This verifies Windows Firewall is set to allow the traditional Remote Desktop Connections.
  6. If you are setting up Web access with IIS, as well, click the Add Port button. Then, on the Add a Port dialog box, type in a Name (such as Remote Desktop Web Connection) and enter the default port 80 or the port you manually changed IIS to into the Port Number field, select TCP for the Protocol, and click OK.
  7. When you’re done, click OK.

If you’re using Windows XP, here’s how to verify the Windows Firewall settings and/or add the Web access port:

  1. Click the Start button and choose Control Panel.
  2. On the Control Panel window, click the Security Center category.
  3. On the Windows Security Center window that opened, near the bottom of the window, click the Windows Firewall icon.
  4. Make sure the Don’t allow exceptions check box is NOT checked.
  5. Click the Exceptions tab and scroll down to make sure the Remote Desktop item is checked.
  6. If you are setting up Web access with IIS, as well, click the Add Port button. Then on the Add a Port dialog box, type in a Name (such as Remote Desktop Web Connection) and enter the default port 80 or the port you manually changed IIS to into the Port Number field, select TCP for the Protocol, and click OK.
  7. When you’re done, click OK.

If you are using other third-party firewall utilities, make sure you add these ports to them as well. If you find you’re having problems later when connecting, consider disabling all firewall software except Windows Firewall.

Configuring Your Router

If your PC isn’t directly connected to your Internet modem, and is instead running through a wired or wireless router, you must configure the router so that you can reach the Remote Desktop connection via the Internet. This configuration lets your router know where to direct Remote Desktop connections that originate from the Internet.

Configuring your router consists of setting it to forward data, which comes in to certain ports, to the computer you have set up with the Remote Desktop Connection. For either Windows XP or Vista, TCP port 3389 (which Remote Desktop uses) must be forwarded to the Remote Desktop PC. If you are setting up Web access, you also must forward TCP port 80 (or the non-default port you set) to the host computer.

If you aren’t sure exactly how to set up these port forwards, these steps should help:

  1. Access your router’s Web-based configuration utility by bringing up your Web browser, typing in the IP address of your router, and pressing Enter. If you don’t know the IP address, see your router’s documentation or reference the Default Gateway value that’s given in the connection status details of Windows.
  2. When prompted, enter the username and password of your router. You should have set these login credentials when you set up your router; if not, you can reference the default values in the router’s documentation.
  3. Find the Virtual Server or Port Forwarding tab of the router’s administration screens.
  4. Enter the port details for each port you need to forward (discussed in the previous paragraphs) by entering information into the appropriate text boxes or selecting options from list boxes. (Figure 3 offers an example.)
    You may have to enter a name, which would be for your reference, like remote desktop or remote desktop Web access. Sometimes you can pick the computer (identified by the Computer Name) you want to forward to from a drop-down menu list, or you may have to enter the IP address of the computer. You can find your computer’s IP address by referencing the connection status details of Windows. Lastly, you’ll probably have to enter the port(s) you want to forward, which were given earlier for both Remote Desktop and Web access.
  5. Click a Save or Apply button.

Now you must make sure the port(s) are always forwarded to the correct computer. If you are using dynamic IP addresses on your local network (which is the default method), meaning they’re automatically assigned to your computers using the router’s DHCP server, you’ll need to do some additional configuration. You must assign a static IP address to at least the computer that’s going to be hosting the Remote Desktop Connection. This is because the IP address you just set up to forward the ports to will sometime be given to another computer or become unused if it’s being automatically assigned.

There are two ways to give your computer a permanent IP address. You can reserve an IP address for the computer in the router’s configuration utility, if your router supports it. This is preferred because you don’t have to change your computer’s actual settings, and connecting to other networks will be much easier. However, if the feature isn’t available, you can always manually assign your computer (network adapter) a static IP address in Windows, as Figure 4 shows.

These instructions are for Windows XP users who want to remote into a Windows 7 computer.

Setting up your office computer for a Remote Desktop session

  1. Click on Start, select Control Panel and then double-click on System.
  2. Select Remote settings on the left.
  3. When the window opens up, select Allow connections from computers running any version of Remote Desktop (less secure), as shown below.

  1. Verify that you have the proper permission to connect to your computer by clicking Select Users…

  1. Your domain and username should be listed as already having access (as shown below).

NOTE: If you do not already have access, click on the Add… button as shown above and a window similar to the one below will appear. In the space below Enter the object names to select (examples):, type your domain (the domain for employees is Hamilton-d) and user ID, for example Hamilton-d\dhubbard. Click Check Names and, if it is a valid username, the domain name will disappear and your username will become underlined. For example, in the illustration below, hamilton-d\dhubbard will change to dhubbard. Click OK to close the Select Users window.

  1. Click OK to close the Remote Desktop Users window and click OK again to close the System Properties window.
  2. Next confirm your firewall is on and that it is set to allow Remote Desktop through. Click on Start, select Control Panel and then double-click on Windows Firewall.
  3. Click on Allow a program or feature through Windows Firewall.
  4. Click on Change settings. Scroll through the list to Remote Desktop and select boxes under Domain and Home/Work (Private), as shown on the next page.
  5. Click OK.

  1. Click on Start and then click on Run…
  2. In the Open: field, type cmd and click OK.

  1. A box with a black background and white text will appear.
  2. Type ipconfig at the blinking cursor and press the Enter key on your keyboard.

  1. Make note of the IP Address (as shown above); you will need this number when you access your computer from home. (NOTE: You should do this each time you plan to use Remote Desktop Access as IP addresses change periodically.) Close the window.
  2. To access your computer using Remote Desktop, your office computer must be on and logged into the Hamilton Network. To prevent someone from using your computer while you are away, we recommend that you lock your desktop. To do so, press the <Ctrl>, <Alt>, and <Delete> keys simultaneously and then click on Lock Computer.
  3. This completes setting up your computer.  These settings will remain in effect and do not need to be repeated.
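
To check the result of the firewall steps above from PowerShell rather than the Control Panel, the following added example (not part of the original tutorial) lists every enabled inbound allow rule that covers TCP 3389 or TCP 80 and warns when one is active on the Public profile. It assumes Windows Vista or Windows 7 with the built-in HNetCfg.FwPolicy2 COM interface; the variable names are illustrative.

```powershell
# Added example: list inbound allow rules that open the ports this tutorial uses.
# HNetCfg.FwPolicy2 is the Windows Firewall COM API (Windows Vista / 7 and later).
$portsOfInterest = '3389', '80'   # Remote Desktop, and the default IIS Web access port
$profileNames    = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }   # profile bit flags

$policy = New-Object -ComObject HNetCfg.FwPolicy2

$findings = foreach ($rule in $policy.Rules) {
    # Keep only enabled, inbound (Direction 1), allow (Action 1), TCP (Protocol 6) rules.
    # Rules defined for "any protocol" are not covered by this check.
    if (-not $rule.Enabled -or $rule.Direction -ne 1 -or
        $rule.Action -ne 1 -or $rule.Protocol -ne 6) { continue }

    # LocalPorts is a comma-separated string such as "3389" or "80,443"; "*" means any port.
    # Port ranges (for example "5000-5010") are not expanded here.
    $ports = @("$($rule.LocalPorts)" -split ',' | ForEach-Object { $_.Trim() })
    $hits  = @($portsOfInterest | Where-Object { $ports -contains $_ -or $ports -contains '*' })
    if ($hits.Count -eq 0) { continue }

    $profiles = @($profileNames.Keys | Sort-Object |
        Where-Object { $rule.Profiles -band $_ } |
        ForEach-Object { $profileNames[$_] })

    New-Object PSObject -Property @{
        Rule     = $rule.Name
        Ports    = $hits -join ','
        Profiles = $profiles -join ','
        Remote   = $rule.RemoteAddresses
        Public   = [bool]($rule.Profiles -band 4)
    }
}

$findings | Sort-Object Rule | Format-Table Rule, Ports, Profiles, Remote -AutoSize

# The tutorial enables Remote Desktop for Domain and Home/Work (Private) only,
# so any matching rule that is also active on the Public profile deserves a look.
foreach ($f in @($findings | Where-Object { $_.Public })) {
    Write-Warning "'$($f.Rule)' allows TCP $($f.Ports) on the Public profile (remote scope: $($f.Remote))"
}
```

A Remote value of `*` means the rule accepts connections from any address; narrowing that scope to the networks you actually connect from reduces exposure.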

Connecting to a Remote Computer

  1. Click on Start, select All Programs, select Accessories, select Communications and double-click on Remote Desktop Connection.
  2. In the Computer: field, type the IP address (from step 10 above) for your office computer.

NOTE:  If you need to transfer files back and forth between the remote computer and your computer you can click on Options.  In the expanded window, click on the tab called Local Resources, and at the bottom put a checkmark in the box next to Disk Drives.  When moving files from one computer to the next you will use Copy and Paste.  “Save as” and other familiar techniques will not work.

  1. Click Connect.  If you made your disk drives available (see note above) you will see a security warning about sharing disk drives.  Click on OK.
  2. In the Log On to Windows dialog box, type your username, password, and domain just as you would if you were in your office and then click OK.  For employees, the domain is Hamilton-d.

  • The Remote Desktop window will open and you will see the desktop settings, files, and programs that are on your office computer. Your office computer will remain locked and no one will be able to work at your office computer without a password, nor will anyone see the work you are doing on your office computer.  To improve performance, you will not see your usual desktop picture if one is in use.  Instead it may be a solid color, usually black.

Printing using Remote Desktop

  • At home your printer is the default printer.  To select your office printer, click on the drop-down menu where your printer is listed and select your office printer from the list. 

  • Click OK to print as you normally would.

To log off and end a session

  • In the Remote Desktop Session, click Start and select Disconnect.

  • You will be asked if you are sure you want to disconnect. Click on Disconnect.