
Set up RDP in firewall



Hi, 

I am trying to make an exception so I can access my laptop remotely. I believe I have to enter something in the Firewall, but I cannot figure it out, can you help?

 

Many thanks in advance


  • Administrators

By default, RDP is allowed within the trusted zone.

If you connect to the machine from a trusted device, you can add its IP address to the trusted zone and RDP should work.

Or create a permissive rule for inbound communication on the local port 3389 with the remote IP address specified.


For a home user I would suggest you avoid RDP and just use RemotePC.  For one system it is ideal and, if you install the client end instead of using the web console, you can also do file transfer.   It is free for personal use but you can only have control over 1 system. So to remote to another you would have to halt the services on one, de-list it from RemotePC and start services on another and then list that one.

I would have suggested TeamViewer but they have clamped down on that product if you are remoting to a personal system from within a corporate environment... although some users are also complaining that they are nowhere near a corporate network but are being penalised. Currently, it is borked to an unusable time limit of 60 seconds, although they claim that the time limit is 5 minutes.

Edited by Hpoonis

4 hours ago, wood1e2 said:

I am trying to make an exception so I can access my laptop remotely. I believe I have to enter something in the Firewall, but I cannot figure it out, can you help?

If this is Win 10 Home version, remote RDP is not supported. You need to purchase a Pro+ version of Windows.


@itman I have WIN10 pro

@Hpoonis I am fed up of Remote PC just freezing on top of disconnecting every 30 minutes.

TeamViewer was good but as you say they only want high spending big business!! Such a shame!

So for me RDP seems the better solution although there are some hiccups.

A) can't get firewall to accept me :)

B) I have to use a new different account on WIN machine. I don't know why it won't accept my standard user when I try to connect. So I am going to have to back up and install all software on this new win user!

C) I have to click on WIN machine to accept my remote access

 

I work from home and find it really handy to be able to remote into the WIN machine to run software whilst working on my Mac.

 

@Marcos the only way I have been able to get the system to connect is to turn off ESET firewall. If I don't the remote connection just doesn't happen.


You need to first establish what the IPv4 address of the remote device you are trying to connect to via RDP is.

Then add that IP address to Eset's Firewall -> Advanced -> Zones - edit. Then select Trusted Zone, then the Edit tab. Add the IPv4 IP address there. Click on the OK tab and any other OK tab shown to save your settings.

Edited by itman

  • Most Valued Members
2 hours ago, wood1e2 said:

@itman I have WIN10 pro

@Hpoonis I am fed up of Remote PC just freezing on top of disconnecting every 30 minutes.

TeamViewer was good but as you say they only want high spending big business!! Such a shame!

So for me RDP seems the better solution although there are some hiccups.

A) can't get firewall to accept me :)

B) I have to use a new different account on WIN machine. I don't know why it won't accept my standard user when I try to connect. So I am going to have to back up and install all software on this new win user!

C) I have to click on WIN machine to accept my remote access

 

I work from home and find it really handy to be able to remote into the WIN machine to run software whilst working on my Mac.

 

@Marcos the only way I have been able to get the system to connect is to turn off ESET firewall. If I don't the remote connection just doesn't happen.

I do use TeamViewer myself but for personal use - my dad is useless with computers so I often use it to fix stuff


3 hours ago, wood1e2 said:

I have to use a new different account on WIN machine. I don't know why it won't accept my standard user when I try to connect. So I am going to have to back up and install all software on this new win user!

By standard user account, I assume you literally mean just that and not the default local admin account. This is done obviously for security reasons. You can alter standard user account privileges using Group Policy. See this article for reference: https://community.spiceworks.com/topic/333331-how-do-i-enable-remote-desktop-for-local-standard-user


@itman I have added the IP address, but it doesn't seem to work. See here:

2019-08-17_08-27-41.png

As soon as I remove the firewall, bingo I am in. 

Thanks for the article, I don't understand the scripts, and the 'Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups' doesn't exist on my WIN10 machine.

 

So I think I will just migrate over the backups to the new user...  But if I could solve the 'Zones' issue that would be great :)

@peteyt that's great I can't get it to work for me. 

 


15 hours ago, wood1e2 said:

So I think I will just migrate over the backups to the new user...  But if I could solve the 'Zones' issue that would be great :)

To begin with, @Marcos instructed you to add the IP address to the existing Trusted Zone category, not create a new zone category. Delete that remote access zone you created. The existing Eset firewall rules refer specifically to the predefined Zones.

Next, it appears you added the IPv4 address for your laptop? What you need to add to the Trusted Zone is the IPv4 address for each remote device you are using to remotely access the laptop. Note that any IPv4 address in the 192.168.xxx.xxx range is a dynamically assigned local network address. If you are trying to connect to another device on your local network via RDP, simply add its router DHCP assigned 192.168.xxx.xxx address to the Trusted zone and you're done with any further modifications. One problem that can arise is that certain routers do not always assign the same local network IP address to a device. If this is your situation, the only secure solution is to ask your ISP for static fixed IP addresses for devices you wish to use for remote connection to the laptop. Many ISPs charge extra for static IP addresses. You then assign the static IP address to each remote network device and also add those IP addresses to Eset's Trusted Zone.

If you're trying to connect to the laptop from a device external to your local network, proceed as follows.

To determine the external IPv4  address of the remote device, you will have to be logged on to it. Then in a browser use this URL, https://whatismyipaddress.com/ , to determine the device's external IPv4 addresses. Enter this IP address into Eset's Trusted Zone on the laptop. Important: Never ever enter an external IP address into Eset's Trusted zone unless the remote device is fully trusted such as your work computer's external IP address. Do not under any circumstances enter an IP address for any device that is publicly accessible such as a public library or hotel computer.

Note that the above only works in the situation where you always connect remotely to the laptop from the same remote devices and the external network those devices use never changes.

If you wish to do so from any remote device anywhere, obviously the above will not work. Since you are using the Win Pro version, verify if the Win firewall already has existing rules in place to allow inbound RDP traffic. If not, you will have to create these rules. Here's an article on how to do so: https://itstillworks.com/allow-tcp-port-3389-windows-firewall-22570.html . Note the reference at the end of the article about UDP rule activation. Since you can connect remotely to the laptop with the Eset firewall disabled, it appears the above Win firewall rules are already in place.

Next deactivate the existing Eset RDP rules by performing the following. Under Eset GUI Firewall, click on Advanced -> Services. Remove the check mark for Allow remote desktop in the Trusted zone . Click on OK tab to save your changes. This will in turn deactivate corresponding Eset firewall RDP rules.

By default and unless manually disabled, the Eset firewall will additionally use the Win firewall inbound rules. Note that I am not sure however this applies to inbound RDP traffic.

Note that by using the Win firewall RDP protection, your laptop will be vulnerable to RDP password brute force and like attacks. It is therefore strongly advised you use Group Policy and establish a 3 password attempts with lockout thereafter policy setting on the laptop.

Edited by itman
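For the Windows firewall and lockout steps described in the post above, an added PowerShell example (not part of the thread, and not ESET or Microsoft sample code). It lists the inbound rules that allow TCP 3389, restricts any that accept connections from every address to a fixed list, and sets a local 3-attempt lockout. The addresses in `$AllowedRemote` and the 30-minute lockout values are constructed assumptions; the thread only specifies the 3-attempt threshold.

```powershell
# Added example: run in an elevated PowerShell session on the Windows 10 Pro laptop.
# Constructed placeholder addresses (private range / RFC 5737 documentation range).
$AllowedRemote = @('192.168.1.50', '203.0.113.10')

# 1. Find enabled inbound allow rules that cover TCP 3389.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '3389'
    }

# 2. Report each rule's remote scope so an "Any" scope is visible before changing it.
foreach ($rule in $rdpRules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $scope -join ','
        OpenToAny     = ($scope -contains 'Any')
    }
}

# 3. Narrow every rule that accepts RDP from any address to the allowed list.
$rdpRules |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Set-NetFirewallRule -RemoteAddress $AllowedRemote

# 4. Local account lockout: 3 failed attempts (from the thread);
#    the 30-minute duration and reset window are assumed values.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

# 5. Print the resulting account policy to confirm the threshold took effect.
net accounts
```

Step 3 changes the built-in rules in place, so review the report from step 2 first if other software depends on the same port.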

Hi 

thanks for the wonderful explanation. 

I found my external device DHCP IP and placed that into ESET existing 'trusted Zone' and logged in no worries :)

I only need access within the office, so this is perfect, I can now get rid of all remote software I have :)

Many thanks for that. It is like a breath of fresh air


5 hours ago, wood1e2 said:

I only need access within the office, so this is perfect,

Hopefully the laptop you are referring to is a work issued and supported device. The quickest way to infect a corp. network is to allow employee personal devices to connect to it.

Also make sure that what you are doing is allowed under your employer's IT policies.

Edited by itman

This topic is now closed to further replies.