IP Addresses and Sub-net masksAn IP address and/or a sub-net mask looks like 4 numbers (0-255) separated by dots - eg 22.214.171.124 and each number is stored in a single 8-bit byte and so an IP address is really just 4 characters of information. A subnet mask of 255.255.255.0 can also be written as /24 and so 192.168.1.6/255.255.255.0 can also be written as 192.168.1.6/24 as the 24 means 24 1's in a row followed by 8 zeros. The number 255 is equivalent to 8 1's in a row. For small networks a sub-net mask of 255.255.255.0 is most appropriate with this allowing up to 254 separate IP addresses on that network (eg 192.168.1.1 through to 192.168.1.254) as .0 and .255 have special purposes. An IP address is like a phone number for a computer so every computer on a network must have a unique IP address. A computer connected to the internet may have two IP addresses one for the local network and a different IP address when seen from the internet. The IP addresses used on local networks (if correctly allocated) cannot be used on the internet.
Remote access using VPN and/or RDP
When setting up Remote Desktop access to remote sites there are several ways to do it.
When using the remote desktop program on a local network only you can ask to connect to the machine either by it's machine name via it's IP address However, when accessing a computer at a different location you often can't connect via a machine name - you must usually connect via an IP address.
To be able to connect a computer to a remote computer using Windows Remote Desktop only then you have to connect through to the remote server's Internet IP (WAN) address.
If it is going to create access between two branch offices then the best way to do it is to set up a hardware VPN between the routers at each office (assuming that the routers support this function and that they are the same brand of router or at least compatible with each other).
If it is going to be access from a notebook computer which may be plugged into various different networks or if the notebook connects via a dial-up internet account then a router-to-router VPN is not possible and so you have to resort to Windows software VPN.
Windows XP and Windows servers can both be VPN servers and clients so you can set up a VPN between two XP computers, two Windows 2003 servers or between an XP computer and a server.
The IP address subnets must be different in each office. The subnet is defined as the first three numbers of an IP address and all computers on a local network need to be on the same subnet and have the same first three numbers but a different last number.
When you have a hardware VPN connected between two sites then you can access ANY computer on the remote network without having to change anything in the router in the same way that you can access any computer on a local network. In addition the VPN is bi-directional and so you can access computers at both ends of the VPN FROM both ends of the VPN.
Examples of the IP addresses at three different offices with VPN requirement.
- ADSL-ROUTER1 with LAN-IP of (192.168.3.1) and WAN-IP of (126.96.36.199)
- DATA-SERVER (192.168.3.5)
- TERMINAL-SERVER (192.168.3.7)
- XP-COMPUTER4 (192.168.3.27)
- ADSL-ROUTER2 with LAN-IP of (192.168.8.10) and WAN-IP of (188.8.131.52)
- XP-COMPUTER1 (192.168.8.4)
- XP-COMPUTER2 (192.168.8.15)
- ADSL-ROUTER3 with LAN-IP of (192.168.200.1) and WAN-IP of (184.108.40.206)
- XP-COMPUTER3 (192.168.200.41)
Connecting if you have a hardware (router-to-router) VPN in place
To connect to the terminal server in office#1 from XP-Computer4 you can ask to connect to either TERMINAL-SERVER or (192.168.3.7)
Let's assume that there are hardware VPNs functioning between the office#2 and Office#1 and between office#3 and office#1
To connect to the terminal server from any computer in any of the offices you can ask to connect to (192.168.3.7) and it should work.
The windows HOSTS file is a simple text file that you can edit using the normal Windows NOTEPAD program. It can contain lists of machine names and their IP addresses. So if you have entries in the C:\Windows\System32\Drivers\Etc\HOSTS file on all of the remote computers (in office#2 and office#3) for the terminal server (ie 192.168.3.7 TERMINAL-SERVER) then you can also connect by asking to connect to TERMINAL-SERVER. If you don't have the entries in the HOSTS file then asking by name is not possible as the NETBIOS name broadcasts are blocked by the routers.
You don't need to have any ports open on the routers in order to do this type of connection as effectively all of the computers are on the same LAN even though they are on different sub-nets and the routers will route ALL relevant traffic across the internet.
Connecting if you use a Software (ClientComputer-to-Server) VPN
If you don't have router-router hardware VPNs set up then you can run remote desktop via a software VPN. To do this you need to allow VPN traffic through the router. Windows PPTP VPNs use TCP/IP Port 1723 to communicate and so to allow a remote user to connect to the DATA-SERVER in office#1 you would have to open port 1723 in the router and direct the TCP/IP traffic for this port to (192.168.3.5)
You also need to have the VPN server facility turned ON in the server for it to accept the incoming VPN requests. Now if you set up a VPN client on say XP-Computer1 then you point the VPN to the WAN address of the router in office#1 (220.127.116.11) then the router will forward the VPN traffic (addressed to port 1723) through to the server and if you have the correct username and password for a user account that has been allowed access on the server then you can establish a VPN.
Once you have a VPN to the office#1 network then you can use terminal services to the terminal server by accessing address (192.168.3.7) from the remote offices.
Connecting without ANY VPN
You can also run remote desktop directly without a VPN. This is less secure but can be done. To do this you need to open port 3389 on the router for office#1 and direct the TCP/IP traffic for this port to (192.168.3.7) (the terminal server). Note that the usernames and passwords used to log on will be sent across the internet in clear text (not encrypted) and so hackers could intercept these and gain access to your network. Once the session is established then all further traffic IS encrypted - the security problem only occurs when logging on initially.
You can then use terminal services to the terminal server by accessing address 18.104.22.168 from the remote offices.
Notes re opening ports in your router's Firewall
When you open ports 1723 or 3389 you can point them to any PC in the local network - not just a server as even windows-xp can act as a VPN server to receive VPN requests from other computers and XP-PRO computers can accept a terminal services remote desktop session as well. You can only forward a port to ONE computer on the network though, so to connect to a different computer you have to reconfigure the router.
If you use terminal services RDP to connect to a Windows-XP-PRO computer then the user sitting at that computer will be logged off and they will just see the logon screen while you are using terminal services. If they attempt to log back in again then they will log you off terminal services as only one user can access a Windows-XP computer at a time - the local user or the remote user but not both.
Windows servers can accept up to two terminal services sessions (administrative sessions) at a time as well as one local user sitting in front of the computer and so you have, in effect, a 3 user computer system. Once you put a windows server into terminal server mode then you can have as many remote terminal services sessions connected as you have terminal services client access licenses
Remote WAN IP address OR use DNS lookup and variable IP addresses
Normally when you want to access a remote network you use the WAN IP address of the remote router (22.214.171.124) but if you had Microsoft Exchange running on a server on that network in order to locally handle your internet email then you will have a DNS pointer to your server. That DNS pointer will normally be mail.yourcompanyname.com.au or possibly mx.yourcompanyname.com.au or even smtp.yourcompanyname.com.au or maybe even pop3.yourcompanyname.com.au while your web site address would be www.yourcompanyname.com.au and your email address might be firstname.lastname@example.org. Instead of asking to connect to your WAN IP address (126.96.36.199) you could ask to connect to mail.yourcompanyname.com.au instead.
If you don't have a fixed IP WAN address for your network (eg dial-up accounts and the cheaper ADSL accounts normally don't have a permanent fixed IP address and so the IP address of your network will change every time you reconnect to the internet (after a power failure or other failure or after you hang-up on a dial-up account). This makes creating a VPN or using remote desktop a problem because you MUST be able to determine the WAN IP address of the remote network. To do this you can ask someone at the remote end to go to the web site www.whatismyip.com in internet explorer and the IP address will be displayed but what if there is no one there? You can use a dynamic DNS service such as offered by www.no-ip.com or www.dyndns.com. You must create a free account with them and install their IP address updating client onto one of the computers on the network that you wish to access. it doesn't have to be on the server but the computer must be turned on for the client to do it's work. At dyndns you can setup an account name for yourcompanyname and use the address yourcompanyname.dyndns.biz to point to your network. Each time your WAN IP address changes the dyndns client software will send a message to dyndns.com to tell them the new IP address. If you then try to connect to yourcompanyname.dyndns.biz then the dyndns service will return your current WAN IP address to the VPN or RDP client software and you can then connect without having to know the correct IP address.
To test the DNS entries try...
- Click on START
- Click on RUN
- enter the word
CMDand click on the OK button
- In the black DOS screen type in
If the DNS service is running you should see a message saying Pinging mail.yourcompanyname.com.au (188.8.131.52) and you should see four responses back from your server. A ping is just a short message to another computer asking if it is listening.
If it says that it can't find host mail.yourcompanyname.com.au then either the DNS service is not working or you've made a spelling error.
It may also tell you what the IP address is but say that it got no replies in which case the remote computer may be turned off or disconnected.
Create a Software VPN
To create a software VPN from on Windows-XP-PRO computer to another (let's ignore servers for the time being) then on the machine that you want to be the VPN server
- Right click on MY COMPUTER
- click on the REMOTE tab
- tick the ALLOW USERS TO CONNECT REMOTELY TO THIS COMPUTER in the section under REMOTE DESKTOP.
- Click on OK
On the VPN client computer
- right click on MY NETWORK PLACES and choose PROPERTIES
- Then click on NEW CONNECTION WIZARD
- then the CONNECT TO THE NETWORK AT MY WORKPLACE
- then VIRTUAL PRIVATE NETWORK CONNECTION
- then enter your COMPANY NAME
- then if you use dial-up internet you need to choose to automatically dial your ISP otherwise if you have ADSL (or another form of broadband internet access) then choose DO NOT DIAL THE INITIAL CONNECTION
- Then enter the IP address of the remote network (ie the WAN address 184.108.40.206) Sometimes, instead of entering an IP address, you can also enter the address of the computer using a mail server address such as mail.mycompany.com.au or mx.mycompany.com.au or via a dynamic or static DNS entry such as mycompany.dyndns.biz. These are just aliases for the REAL IP address and if you want to know what IP address these names refer to then just go to the COMMAND PROMPT and type in PING mycompany.dyndns.biz and if this is a valid address it will tell you the current IP address.
- select ANYONE'S USE
- choose to ADD A SHORTCUT TO MY DESKTOP.
- Then close the network settings window and double click on the new icon on your desktop to open the connection screen
- Click on PROPERTIES
- Then click on OPTIONS
- Then make sure that INCLUDE WINDWOS LOGON DOMAIN is ticked
- Click on the OK button
- Enter the User Name, Password and Domain Name (sometimes you can leave the Domain Name blank) and click on CONNECT
Using the Remote Desktop Client
On the computer that you want to use to connect to the remote server
- Click on START
- Then PROGRAMS or ALL PROGRAMS
- Then ACCESSORIES
- Then COMMUNICATIONS
- Then REMOTE DESKTOP CONNECTION
- Enter the IP address of the computer to connect to (If you have a VPN or it's on the same network as your computer then you enter it's local IP address (eg 192.168.3.7) while if you don't have a VPN then enter the WAN IP address (eg 220.127.116.11) of the router which has it's 3389 port forwarded to the local IP address of the server computer (eg 192.168.3.7).
- Click on OPTIONS
- Enter the COMPUTERNAME, USERNAME, PASSWORD and DOMAINNAME
- If you want to save the password so that you don't have to type it every time you connect the tick the box SAVE MY PASSWORD
- Click on the LOCAL RESOURCES tab and tick the DISK DRIVES box (this enables you to access your local hard disk from the remote computer terminal services session in order to copy files if you need to)
- Click back on the GENERAL tab
- If you want to save these options you can click on SAVE AS and save the information in FILENAME.RDP file You can then double click on this file in future and it will connect automatically for you.
- Click on the CONNECT button to connect to the remote computer. You may have to re-enter the password again to log on if you see the logon screen on the remote computer.
Once you've connected you will see the remote computer's screen as if you were sitting in front of it. If you point your mouse to the middle of the top of your screen you should see a title bar pop up with the normal minimise, restore and close buttons. If you click on the CLOSE button (the cross) then you will be disconnected from your terminal services session but it will continue to run as if you WERE connected. if you then connect back again later on you will see the screen as if you had never disconnected.
When you have finished with a terminal services session click on the START button and then LOG OFF. Do NOT click on the SHUTDOWN button as this will shut the WHOLE terminal server itself down.
Preventing the SHUTDOWN option from showing on the Terminal Server
To stop users from accidentally shutting the terminal server down...
- Click on START and then RUN
- Enter the program name REGEDIT
- click on the OK button
- In the left hand pane of REGEDIT double click on HKEY_LOCAL_MACHINE
- Double click on SOFTWARE
- Double click on MICROSOFT
- Double click on WINDOWS
- Double click on CURRENTVERSION
- Double click on POLICIES
- Double click on EXPLORER
- In the right hand pane right click
- then choose NEW and then DWORD VALUE
- Enter the name NOCLOSE (one word) and click on OK
- Double click on the new NOCLOSE entry
- Enter the value of 1 and click on OK
- Close REGEDIT
Once you reboot the computer there will no longer be a SHUTDOWN option on the START menu.
To shut it down if you are sitting at the computer just hold down the CTRL and the ALT keys and press the DELETE key. Then click on the SHUTDOWN option.
To shut it down if you are NOT sitting at the computer click START then RUN and then enter
TSSHUTDN /REBOOT> or