If I open up a router (port 3389) for Remote Assistance and point that traffic to one of the IP addresses on my LAN, how is it possible that I am able to use Remote Assistance over the internet successfully from one of the other machines on the LAN?
Is my router playing up? Or does Remote Assistance try going through other ports if 3389 is not open?
OK, let me see if I have this straight.
You have a machine on your LAN. You have port-forwarded 3389 from the firewall to this machine on your LAN. This permits systems on the internet to remote-desktop to that machine. Now, from a second machine on your LAN, you are trying to remote-desktop through that firewall, across the internet to a third machine (i.e., one not on your LAN). You want to know why this works.
(Note for nitpickers: this is a simplification.)
Connections between machines have four parts:
So a conversation between systems looks like this:
(This, incidentally, is how the remote servers keep track of multiple concurrent clients. Each connection has a unique expression like this.)
When you connect to a remote service, the port is (usually) pre-selected for you. In the case of the remote desktop session, the remote component will be:
Your local IP is the IP of your machine. But what isn't obvious is that the localPort (usually) does not have to be a specific port. So the local component of the conversation looks like:
...where "randomPort" is a port number that's not otherwise used (and subject to some other rules which are not important right now). There are some services where the local port matters, but the application which is initiating that conversation will take care of getting that local port, and will complain to you if it can't.
So in summary, your remote desktop client does not use port 3389 for its side of the conversation because it isn't necessary to do so.
Now you are probably aware of Network Address Translation (NAT) that is usually used to translate local LAN IPs into (usually) a common single Internet-reachable IP address. What you may not be aware of is that NAT also works for port numbers for outgoing conversations. This is so that the NATing device (usually a firewall) can deal with situations where two separate clients are using the same randomPort for their outgoing connections.
So if you were to use Wireshark to watch the traffic between you and the remote server, you'd see connections like
...if you were to run Wireshark on the remote side, you'd probably see
...instead, and it works because your firewall takes care of translating
myIP:randomPort
to myFirewallIP:randomPortThatIsProbablyDifferent
and back again as necessary.
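
Added example (not part of the original answer): a toy Python model of the translation described above, showing that outgoing Remote Desktop connections get their own mapped ports while the 3389 forward only governs unsolicited incoming traffic. The Nat class, all addresses and all port numbers are constructed for illustration; it assumes the firewall always allocates a fresh external port and accepts replies only from the exact remote endpoint, which real devices may do differently.

```python
# Added example: toy model of a NAT firewall with one port-forward rule.
# All addresses and port numbers below are constructed for illustration.
from itertools import count


class Nat:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.forwards = {}   # public port -> (lan_ip, lan_port): static rules
        self.out = {}        # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.back = {}       # (public port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._ports = count(first_port)

    def forward(self, public_port, lan_ip, lan_port):
        """Static rule: unsolicited traffic to public_port goes to a LAN host."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Rewrite the source of an outgoing connection; return what the remote sees."""
        key = (lan_ip, lan_port, remote_ip, remote_port)
        if key not in self.out:
            public_port = next(self._ports)
            self.out[key] = public_port
            self.back[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.public_ip, self.out[key], remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) a packet is delivered to, or None if dropped."""
        reply = self.back.get((public_port, remote_ip, remote_port))
        return reply or self.forwards.get(public_port)


def demo():
    nat = Nat("203.0.113.10")
    nat.forward(3389, "192.168.1.20", 3389)   # the forward from the question
    server = ("198.51.100.7", 3389)            # third machine, out on the internet
    # Two LAN clients that happened to pick the same local "randomPort".
    a = nat.outbound("192.168.1.21", 49152, *server)
    b = nat.outbound("192.168.1.22", 49152, *server)
    return {
        "a_seen_by_server": a,
        "b_seen_by_server": b,
        "reply_to_a": nat.inbound(*server, a[1]),
        "stranger_to_3389": nat.inbound("192.0.2.99", 40000, 3389),
        "stranger_to_mapped_port": nat.inbound("192.0.2.99", 40000, a[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this model the only unsolicited traffic that reaches the LAN is what arrives on the forwarded port 3389; the mapped ports exist only for replies to connections that a LAN machine started.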