Changing Terminal Services Port

From Lockergnome Randy Nieland:

Change Terminal Services Port

I''ve been helping a friend out with a nasty Windows 2000 Active Directory flame out, and it has become a bit of a pain to have to restrict when we can be in the office. There are four servers involved, all Windows 2000. As you may know, the default TCP port that Microsoft''s Terminal Services functionality listens on is 3389. So how does one gain access to multiple servers through a firewall using Terminal Services? Actually, there are two equally good solutions for this situation, but I''ll get to that in just a bit. We''ll deal with the actual configuration of the server first.

One server can remain on port 3389, of course, but if you desire, you can change them all to something that will not make an easy probe point for hackers. That''s up to you. In the registry editor, navigate to the following location:

HKEY_LOCAL_MACHINE System CurrentControlSet Control Terminal Server WinStations RDP-Tcp

In the right hand pane, scroll down to the PortNumber REG_DWORD value, which should show 3389 in parentheses if it is still configured to default settings. The number in parentheses is the decimal equivalent of the hexadecimal value that is stored in the registry; in this case 0x00000d3d. Double-click the PortNumber entry, then enter the hexadecimal representation of the port you wish to use for incoming connections. A restart of the "Terminal Services" service (or reboot the server) is required in order to effect the change.

The RDP-Tcp key holds the default parameters used for new connections, and is always used for administrative remote control sessions. If you are using licensed Terminal Services sessions, and have created additional connections, you will see their respective keys listed under WinStations. These also default to port 3389 unless you change them.

The other half of this equation is the client. By default, the Terminal Services clients, including the Remote Desktop Connection application in Windows XP, connect to servers using port 3389. These are two distinct applications, and are handled differently when it comes to specifying a custom TCP port for connecting to a server.

After installing the Terminal Services client software on a workstation, open the Client Connection Manager, which should be located in the Terminal Services Client program group. Create a new connection as you normally would, then click File - Export to save the connection settings to a .cns file. Open this .cns file in a text editor (e.g. Notepad), change the "Server Port=3389" line to match the customized port on the target server and save the file. Now import it back into the Client Connection Manager and give it a whirl.

As for the Remote Desktop Connection software provided with Windows XP, all you need do is type the target server''s name or IP address followed by the port number, separated by a colon. For instance: or If all goes well, you should see the familar logon box. By saving the connection settings to a .RDP file, you can easily distribute this customized set of configuration options to other machines. These are also plain text files, meaning they can be directly modified using a simple text editor, though the format does differ greatly from the .cns file format of the older Terminal Services client.

Naturally, if you''re connecting through a firewall of some sort, you''ll have to configure it to pass these connections to the appropriate servers in order to connect. If you''re using Network Address Translation (NAT), then you can make life easier on yourself by configuring NAT to accept incoming connections on alternate ports, then map them to the IP address of the target server, but set the destination port on the inside of the NAT firewall to the default port of 3389. That way, you don''t have to change the server configuration at all, but you can still uniquely identify to the firewall which server you''re looking for.

However, not all firewalls will allow you to configure both the incoming and outgoing ports to your liking. In those cases, you''ll have to change the listening port on the server after all. You''ll have to consult the documentation for your firewall to figure that one out.


Popular posts from this blog

Using Windows 2012 NFS with VMware ESX