LCTN0010 Remote Desktop Example
Technote LCTN0010
Proxicast, LLC
312 Sunnyfield Drive
Suite 200
Glenshaw, PA 15116
1-877-77PROXI
1-877-777-7694
1-412-213-2477
Fax: 1-412-492-9386
E-Mail: support@proxicast.com
© Copyright 2005-2008, Proxicast LLC. All rights reserved.
LAN-Cell 2: LC2-411
CDMA: 1xMG-401, 1xMG-401S
GSM: GPRS-401
LCTN0010: Using Remote Desktop Software with the LAN-Cell
Introduction
One common use for the LAN-Cell 2 3G Cellular Router is to provide access to a PC at a remote site. Users at a
headquarters location (or on the road) want to be able to take control of a remote PC’s screen and keyboard to
operate the PC as if they were physically in front of the remote PC.
There are numerous “remote desktop” software packages available. Each one has unique and specific
requirements for how it communicates between the Host (HQ) PC and the Remote (target) PC.
For other packages, please consult with the software manufacturer to determine the necessary ports.
Usage Notes
• When configuring and testing remote desktop connections for the first time, it is helpful to have the
LAN-Cell and the target PC physically near each other so that you can view the configuration and logs of
each device while testing.
• In this example, the remote office LAN-Cell has a static WAN IP address (166.139.37.167). Some remote
desktop software packages support fully qualified domain names (FQDN) in addition to IP addresses as
the name of the target PC. If your LAN-Cell has a dynamic WAN IP address, you may be able to use a
DNS name (e.g. remote-office.prxd.com) by setting up a DynDNS account, hostname, and configuring the
remote LAN-Cell to update DynDNS with its current WAN IP address. See the LAN-Cell User’s Guide for
additional information on DDNS.
• Some cellular network operators restrict “inbound” traffic from the Internet to remote devices based on IP
ports, addresses or your account. Please check with your cellular carrier to ensure that the ports
necessary for your remote desktop software are not being blocked by their network. If the carrier is
unwilling to open the necessary ports, you must implement a VPN solution to access your remote PC.
• If your HQ PC is behind a firewall, you must ensure that it is configured to pass the necessary IP traffic on
the remote desktop software ports in both directions.
Overview
All remote desktop software works by employing a piece of “terminal server” software on the remote target PC
and a “terminal emulator” piece of software on the initiating (HQ) PC. The terminal server software “listens” on a
specific IP port for commands sent from the terminal emulator and then translates those commands into the
equivalent keyboard and mouse inputs on the target PC. The terminal server software also captures the screen
(and sometimes audio) output of the target PC and sends that data back to the terminal emulator over an IP port
(sometimes the same port as the commands, sometimes using different ports). The terminal emulator then paints
the HQ PC’s screen with the updated image from the remote PC.
In order to configure the LAN-Cell 2 for remote desktop software, you will need the following information:
In the examples below, it is assumed that you have already installed and configured both the terminal server and
terminal emulator pieces of software on the respective PCs. Please consult your software application
documentation for further information. The examples also assume that the LAN-Cell configuration is at “factory
defaults” before starting the remote desktop configuration.
Configuring the LAN-Cell for remote desktop access is straightforward and involves 3 basic steps:
1. Static LAN IP
You must assign the target PC a fixed IP address so that the LAN-Cell will know where to send remote
desktop traffic on its private LAN subnet. You can either manually assign a static IP address to your PC
using its operating system tools, or let the LAN-Cell’s DHCP server assign the same address to the PC
every time (see Appendix A).
2. Firewall
To protect your remote LAN-attached devices, the LAN-Cell blocks all traffic from the Internet (WAN) to its
LAN and WLAN subnets. To enable your remote desktop software to pass through the firewall, you will
create a “rule” which defines the specific conditions under which the firewall should allow traffic to your
remote PC. If your remote PC is on a DMZ subnet, you can skip the firewall configuration step, as all
traffic is permitted to the DMZ.
Step 1:
Ensure that your remote PC has Remote Desktop Connections enabled (Figure 2). This is configured in Control
Panel->System->Remote
Step 2:
In the LAN-Cell, go to the Firewall Rules Summary screen (SECURITY->FIREWALL) and select the packet
direction: Cell-to-LAN (Figure 3).
As shown in Figure 4, there are already some example rules for this packet direction, but they are disabled. We
will insert a new rule for the RDP traffic. Click on the Insert button to display the Firewall Edit Rule screen.
As shown in Figure 5, you must give the Firewall Rule a descriptive Rule Name (up to 31 characters long).
The Edit Source Address section allows you to specify the source address of a specific device (or subnet) that is
permitted to send traffic through the firewall using this rule. This can be used to further secure your remote PC by
limiting access to only known IP addresses (such as the WAN IP address of your corporate Internet router). For
this example, we will permit any remote IP address to send traffic using this rule.
Similar to the Source Address option, the Edit Destination Address section permits you to restrict this Firewall
Rule to specific IP addresses on the LAN-Cell’s LAN subnet. This can protect your LAN devices from being
accessed remotely if another PC on the LAN inadvertently has remote desktop enabled. In our example, we have
only 1 PC connected, so we will leave the destination as “Any” to allow traffic to any LAN IP address.
The Selected Services section (Figures 6 & 7) is where we define which IP ports are to be “opened” through the
firewall by this rule. Microsoft RDP (TCP 3389) is a predefined service in the LAN-Cell 2, so scroll down to that
entry, highlight it and click the right arrow to move RDP into the list of selected services.
The remaining sections of the Firewall Edit Rule screen define when this rule should apply (default is always) and
what to do with an incoming packet that matches the rule (permit it to pass to the LAN). These settings are
appropriate for our application, so click the Apply button to define the new Firewall Rule.
Step 3:
Now go to the NAT Port Forwarding Rules screen (ADVANCED->NAT) as shown in Figure 8.
Ensure that the WAN Interface selected is “Cellular” (or “WAN” if your LAN-Cell has a wired WAN or serial
modem connection) and that the Default Server address is 0.0.0.0.
Create a new Port Forwarding Rule by marking the first line as Active and giving it a descriptive Name. For
Microsoft Remote Desktop, you need to forward Incoming Port 3389 to the remote PC (“server”) which has a
static LAN IP address of 192.168.1.2. You do not need to do Port-Translation in this example. Click Apply to
save this rule.
Configuration of the LAN-Cell is now complete. Use the Microsoft Remote Desktop software on your HQ PC to
initiate a connection to the remote PC using either its WAN IP address or FQDN (if defined). See Figure 9.
VNC Example
Configuring VNC / RealVNC is the same as configuring Microsoft Windows Remote Desktop, except that VNC
uses TCP port 5900 instead of 3389. Follow the Microsoft RDP example but substitute the VNC port number in
the Firewall Rule and NAT Port Forwarding Rule screens. See Figures 10 & 11.
pcAnywhere Example
pcAnywhere is similar to the other remote desktop applications, except that it uses 2 ports: a TCP port for data
and a UDP port for status messaging. Recent versions of pcAnywhere use TCP/5631 and UDP/5632. Older
versions use other ports (see Figure 16 below).
The pcAnywhere ports are not predefined services on the LAN-Cell, so you will have to define these ports before
creating the Firewall Rule.
Go to SECURITY->FIREWALL->SERVICE and add a new service for each pcAnywhere port (Figures 12-14).
When defining the Cell-to-LAN Firewall Rule, include both new pcAnywhere service ports in the Selected Services
list (Figure 14).
For the NAT Port Forwarding Rule, include both incoming ports 5631 and 5632 as shown in Figure 15 (both TCP
and UDP packets are forwarded).
pcAnywhere version    TCP (data) port number    UDP (status) port number
2.0                   65301                     22
7.0                   65301                     22
CE                    65301                     22
In Windows XP, you can assign a static IP address using Control Panel -> Network Connections -> Local Area
Connection and setting the properties of the TCP/IP protocol to be a fixed IP address. Do not select a static IP
address that falls within the LAN-Cell’s DHCP server range (.33 to .161 by default). Set the Default Gateway and
Primary DNS values to the LAN IP address of the LAN-Cell (Figure A-1).
Alternatively, you can use the “static DHCP” feature (also known as DHCP reservation) in the LAN-Cell’s DHCP
server to assign the same IP addressing parameters to a given MAC address every time that MAC address must
renew its DHCP lease. Go to NETWORK->LAN-STATIC_DHCP (Figure A-2).
Enter the remote PC’s Ethernet MAC address in the format 11:22:33:44:55:66. Enter the desired “static” IP
address for this PC. The selected IP address to be assigned must be within the defined DHCP pool range.
You can obtain the Ethernet card’s MAC address in Windows XP by examining the properties of your LAN
connection (Figure A-3). The MAC address is also called the Physical Address.
Now, every time the remote PC is assigned an IP address by the LAN-Cell’s DHCP server, it will receive the
address you defined. If you change the Ethernet card in your remote PC (or switch to a different PC) you must
update the Static DHCP table with the new MAC address.
Appendix B: Troubleshooting
The most common difficulties encountered when setting up remote desktop access via the LAN-Cell involve:
1. Not being aware of all of the ports used by your remote desktop application
Please consult your documentation or contact the software manufacturer.
If you are unable to have the necessary ports opened and cannot move your application ports or use Port
Translation, please refer to the Proxicast Support web site for more information on configuring the
LAN-Cell for VPN access.
The LAN-Cell has extensive error logging features that you can use to help troubleshoot connectivity issues. On
the remote desktop Firewall Rule, check the Log option (Figure B-1) to have all matched packets written to the
LAN-Cell’s log (dropped packets are already automatically logged). After attempting a connection, check the log
for a record of the attempt. If packets are reaching the LAN-Cell, they will be recorded (Figure B-2). If no log
entries are recorded, then packets are being blocked by the carrier, corporate firewall or your HQ PC’s firewall.
A: Yes. Configure the first PC as described in this TechNote. For other PCs, either change the port(s) used by the
remote desktop software or use Port Translation to map different “public” port(s) to the necessary private
port(s). You will also need to define a Firewall Rule for the new port(s). To access the secondary PC, you must
append a colon and the port number to your remote desktop connection request, e.g. 166.139.37.167:3390
Q: What are my options if the cellular carrier is blocking the ports I need?
A: Check to see if they allow inbound traffic on any port. If so, change the remote desktop software to use this
port, or use Port Translation to map the public port to the necessary private port. You will also need to define a
Firewall Rule for the new port(s). If no ports are available, then you must implement a VPN connection to the
LAN-Cell. See the Proxicast Support web site for examples of configuring site-to-site and client-to-site VPNs.
Q: How is the configuration different if I’m using both the wired WAN and 3G Cellular WAN interfaces (e.g.
fail-over/backup)?
A: Follow the examples in this TechNote for setting up access via the Cellular interface. Create the same
Firewall Rule(s) for the WAN-to-LAN packet direction. On the NAT Overview screen, use the Copy to WAN
button to copy the Port-Forwarding/Translation rules from the Cellular interface to the WAN interface.
A: No. A properly configured IPSec VPN tunnel will make the LAN-Cell’s LAN attached devices appear as if they
are part of the HQ network. You can access the remote desktop PC just as if it were on the same network.
A: The configuration is the same as shown in these examples if the WLAN (Wi-Fi) access point is bridged to the
LAN-Cell’s LAN subnet. If you’ve implemented a separate WLAN subnet, create the necessary Firewall Rules
in the Cell-to-WLAN direction.
A: The Firewall Rules are unnecessary in this case since the DMZ permits all inbound traffic by design. Set up
port-forwarding and use the remote PC’s DMZ IP address as the server for the necessary port(s).
Q: What if my remote desktop software uses ports TCP/20, TCP/21, TCP/22, TCP/23, UDP/53, TCP/80,
UDP/161, TCP/443, or UDP/500?
A: By default, these ports are used by the LAN-Cell’s management features. You can either change your remote
desktop software to use a different port, or change the LAN-Cell’s management utilities to use a different port.
See ADVANCED->REMOTE_MGMT to change or disable the ports that the LAN-Cell uses. Remember to
append the new port numbers to all future LAN-Cell device management requests.
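
A pre-deployment check of a planned configuration against the constraints stated in this TechNote (an added example, not Proxicast code): every forwarded port needs a Cell-to-LAN Firewall Rule, must not collide with a LAN-Cell management port, and the server address must sit on the correct side of the DHCP pool. The Forward model, the rule mapping, the /24 LAN prefix and the 203.0.113.10 HQ address are assumptions made for illustration; the LAN-Cell itself is configured through its web screens.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the TechNote lists as used by the LAN-Cell's management features.
MGMT_PORTS = {("tcp", 20), ("tcp", 21), ("tcp", 22), ("tcp", 23), ("udp", 53),
              ("tcp", 80), ("udp", 161), ("tcp", 443), ("udp", 500)}
LAN = ip_network("192.168.1.0/24")   # assumed from the example PC 192.168.1.2
POOL = (33, 161)                     # default DHCP range, .33 to .161

@dataclass(frozen=True)
class Forward:               # one NAT port-forwarding row (hypothetical model)
    name: str
    proto: str               # "tcp" or "udp"
    public_port: int         # Incoming Port on the Cellular interface
    server: str              # LAN IP of the target PC
    reserved: bool = False   # True when the address is a static DHCP entry

def audit(forwards, rules):
    """Return (severity, message) findings for a planned configuration."""
    findings = []
    for f in forwards:
        key, label = (f.proto, f.public_port), f"{f.proto.upper()}/{f.public_port}"
        if key in MGMT_PORTS:
            findings.append(("error", f"{f.name}: {label} is a management port"))
        addr = ip_address(f.server)
        in_pool = addr in LAN and POOL[0] <= int(addr) & 0xFF <= POOL[1]
        if f.reserved != in_pool:   # manual static: outside pool; reservation: inside
            where = "inside" if f.reserved else "outside"
            findings.append(("error", f"{f.name}: {f.server} must be {where} the DHCP pool"))
        source = rules.get(key)     # rule is defined for the public ("new") port
        if source is None:
            findings.append(("error", f"{f.name}: no Cell-to-LAN rule for {label}"))
        elif source == "any":
            findings.append(("warn", f"{f.name}: {label} accepts any source address"))
    return findings

# Constructed plan: RDP as in the TechNote, a second PC on 3390, pcAnywhere.
FORWARDS = [Forward("RDP", "tcp", 3389, "192.168.1.2"),
            Forward("RDP-PC2", "tcp", 3390, "192.168.1.40"),
            Forward("pcA-data", "tcp", 5631, "192.168.1.2"),
            Forward("pcA-status", "udp", 5632, "192.168.1.2")]
# Cell-to-LAN rules: (proto, port) -> permitted source ("any" or a known address)
RULES = {("tcp", 3389): "any", ("tcp", 3390): "203.0.113.10",
         ("tcp", 5631): "203.0.113.10"}

if __name__ == "__main__":
    for severity, message in audit(FORWARDS, RULES):
        print(f"{severity:5} {message}")
```

On the constructed plan this reports the RDP rule left open to any source, the second PC's manually assigned address falling inside the DHCP range, and the pcAnywhere UDP status port forwarded without a matching Firewall Rule.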