How to Configure a Port Proxy for RDP Connections

Friday, January 27, 2017
I'm working with a small business customer who uses my Hyper-V home lab server to run their lab. They have a Domain Controller and several application servers running behind an AT&T DSL consumer-grade wireless router and they want to be able to RDP directly to each VM. If you run your own home lab, you might want to do the same.

The trouble is, most consumer routers don't allow you to forward the same port to more than one IP address. You can create a port forwarding rule for TCP 3389 (RDP) to TCP 3389 on one, and only one, IP address. On a "real" router you could forward the external TCP ports 33891-33895 to the internal 3389 port on each of the five internal server IPs, but that's not an option here.

Traditionally, there are several ways of handling this problem, each with it's own limitations:

  • RDP to the one main server and then "leapfrog" to the other computers using RDP from the main server. This can cause confusion about which desktop you're working on, and provides a less than stellar experience.
  • Change the RDP listening port on all the other computers to use another port (for example, TCP 33891-33895). See How to change the listening port for Remote Desktop. The downside to this is that you will always need to specify the custom listening port when connecting both internally (on the LAN) and externally (from the Internet). This can be troublesome, especially in a larger environment where several admins need to use RDP. "What RDP port do I need to use for SERVER1 again?"
  • Install and configure Remote Desktop Gateway services on the server hosting HTTPS services. This has a fair amount of overhead and configuration, requires a valid SSL certificate, and RDP clients need to be manually configured to use the RDG for these connections.

A much more elegant solution is to use the netsh utility to configure a port proxy entry in the TCP stack for each server. With this configuration, each server will continue to listen on TCP port 3389 for normal internal RDP connections. External RDP connections to the proxy port, say TCP 33891, will be forwarded to TCP 3389. Brilliant! Here's how to configure it:

  • Run the following netsh command from an elevated CMD prompt on each server:
netsh interface portproxy add v4tov4 listenport=[ListeningPort] listenaddress=[ServerIP] connectport=3389 connectaddress=[ServerIP]

For example, the following netsh command configures TCP port 33891 to forward to TCP port 3389 for IP address 10.0.0.101:
netsh interface portproxy add v4tov4 listenport=33891 listenaddress=10.0.0.101 connectport=3389 connectaddress=10.0.0.101

  • Now configure port forwarding for each internal server on the DSL/cable router. Create a custom service for each new port - The external (base) port and internal (host) port both use the new custom port (i.e., 33891, 33892, etc.):

  • Then configure port forwarding for each of the new custom services to the IP addresses of the servers:


With this configuration, you can still make internal RDP connections to the each server using the traditional RDP port 3389 (no special configuration of the RDP client is needed). All external RDP connections are made to the same public IP address using one of the new custom ports (i.e., 33891):




No comments:

Post a Comment

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.