(from the online version – Windows XP Professional Resource Kit)
Remote Desktop provides access from a remote location to a computer running the Microsoft® Windows® XP Professional operating system, giving you the flexibility to work on your Windows XP Professional–based computer from anywhere, anytime. Remote Desktop in Windows XP Professional is an extension of the Microsoft® Windows® 2000 operating system Terminal Services functionality formerly available only in the Microsoft® Windows® 2000 Server family of operating systems.
Enable Remote Desktop on the host PC and add/enable Remote Desktop users
Install Remote Desktop client software
Enable Windows XP SP3 Network Level Authentication client support
Windows XP SP2 x86 Network Level Authentication client support
Test over the local LAN
Port forwarding through a firewall
Addressing/Calling from a remote location
Remote Desktop logging information
Disable the remote PC desktop wallpaper for faster response times
How-To Access Multiple Remote Desktop PCs behind a firewall or router
Enable Remote Desktop on the host PC and add/enable Remote Desktop users
See this article from Microsoft.
Install Remote Desktop Client software
Remote Desktop client software for PCs running Windows 2000, Windows NT, Windows Me, Windows 98 SE, Windows 98 or Windows 95 can be installed from either the Windows XP Professional or XP Home CDs or downloaded from Microsoft. Mac and UNIX clients are also available for download. Windows XP Professional and XP Home have the Remote Desktop client software built-in to the operating system.
Network Level Authentication on a Windows XP SP3 Remote Desktop Client computer
By default, Network Level Authentication is disabled in Windows XP Service Pack 3. To enable Network Level Authentication, you have to turn on the Credential Security Service Provider (CredSSP). For more information about how to turn on CredSSP, read this Microsoft Knowledge Base article. After rebooting the XP SP3 client computer, see the online Vista help pages for details on how to check whether a client computer supports Network Level Authentication.
Network Level Authentication for Windows XP SP2 x86 Remote Desktop Client computers
Microsoft has released a standalone Remote Desktop 6.1 client for Windows XP SP2 x86 computers. For more information read this Microsoft Knowledge Base article. After rebooting the XP SP3 client computer see the online Vista help pages for details on how to check if a client computer supports Network Level Authentication.
You can verify correct operation of Remote Desktop by connecting from another PC on the local LAN. Use the local private LAN IP address of the PC you want to connect to or the name of the PC. To find the local LAN IP of the PC you want to connect to, go to Start | Run and type cmd to open a command line window. Type ipconfig at the command line and note the reported IP address.
Note – The use of a static private LAN IP address is recommended for the desktop PC acting as the Remote Desktop host.
To access a Windows XP Professional PC using Remote Desktop see the Windows XP Professional Resource Kit Establishing a Remote Desktop Session section or the Windows XP Start a Remote Desktop Session How-To article.
Port forwarding for Remote Desktop
Access to a Windows XP Professional desktop PC running Remote Desktop that is behind a firewall, NAT or router is fairly easy to configure if the user can forward TCP ports to the target PC’s private LAN IP addresses. Port forwarding of TCP Port 3389 through any firewall/NAT/router is required if the user needs to access a Windows XP Professional Remote Desktop from a remote location. The Windows XP SP2 Windows Firewall can be configured to allow Remote Desktop by simply checking a checkbox in the Exceptions tab.
The following example is from a Buffalo WBR-G54 4-Port Broadband router. The screen shot is current with the Buffalo v2.20 firmware release.
Port forwarding instructions for other routers may be found on the router manufacturers support web pages, in the router Users Guides or on the PortForward.com web site.
Call Schemes from a remote location
Calling the Remote Desktop host PC from a remote location is accomplished using the public IP address, as assigned by the ISP, or fully qualified domain name of the PC or router/NAT/firewall.
To find the public IP open Internet Explorer on the PC at the remote location and go to sites like http://checkip.dyndns.org/ or http://www.whatismyip.com/ and note the reported IP address. If the firewall/NAT/router is configured correctly, the call will be successfully passed to the appropriate PC.
If the ISP assigns a dynamic IP, then another solution is to set up an account with one of the dynamic naming services that map a fully qualified domain name to the IP. In my case I use a FREE service from No-IP.com. The No-IP.com software runs on my XP Pro box and contacts the No-IP.com servers on a schedule. The No-IP.com servers then know what your IP is and map it to a fully qualified domain name. That information is then propagated over the public internet. You then call the Remote Desktop host PC using the fully qualified domain name.
Dynamic DNS Services (Some free, some not)
Logging Remote Desktop connection information
The following examples illustrate log file entries on an XP Pro desktop named Ashtabula for a Remote Desktop connection from another PC named Norman, local LAN IP address 192.168.11.12, on my local home LAN.
Windows XP Security Event Viewer Log
An Audit Policy may be configured using the Group Policy editor to track logon success and failures. From the Start | Run command window type gpedit.msc. Navigate to Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit logon events. Highlight and right-click and select properties. Configure as desired.
Note that logging in without a password is logged as a failure. If you log failures and have a user without a password, the security log fills up very fast, and the result is that you cannot log in normally. Also note that not having a password is a potential and probable security risk.
The event log can be viewed by going to Start | Control Panel | Performance and Maintenance | Administrative Tools and click on Event Viewer.
The Event Log (Security) noting a successful logon and logoff by a remote user. The user can highlight a log entry and right-click to view the event Properties for detailed information.
Windows XP Port Reporter Tool Log
The free Microsoft Port Reporter tool provides for additional logging…Specifically see the PR-PORTSLOG file…
Windows XP SP2 Windows Firewall Log
See the Troubleshooting the Windows Firewall Settings in Windows XP Service Pack 2 Knowledge Base article for help configuring and interpreting the firewall log file.
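As an added example (not part of the original article or of any Microsoft tool), the following Python sketch reads a firewall log in the pfirewall.log layout and summarizes which source addresses reached or were dropped at the Remote Desktop port. The sample log is constructed, the host address 192.168.11.10 is an assumption, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout. 192.168.11.10 is an assumed
# address for the host; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-01-10 09:14:02 OPEN-INBOUND TCP 192.168.11.12 192.168.11.10 1045 3389 - - - - - - - - -
2005-01-10 09:20:41 DROP TCP 203.0.113.7 192.168.11.10 4411 3389 48 S 1503219921 0 64240 - - - RECEIVE
2005-01-10 09:20:44 DROP TCP 203.0.113.7 192.168.11.10 4411 3389 48 S 1503219921 0 64240 - - - RECEIVE
2005-01-10 09:21:05 DROP UDP 192.168.11.12 192.168.11.255 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # ignore truncated or malformed lines
                yield dict(zip(fields, values))


def rdp_activity(text, port=3389):
    """Count (action, source IP) pairs for TCP traffic aimed at the RDP port."""
    hits = Counter()
    for entry in parse_firewall_log(text):
        if entry["protocol"] == "TCP" and entry["dst-port"] == str(port):
            hits[(entry["action"], entry["src-ip"])] += 1
    return hits


if __name__ == "__main__":
    for (action, src), count in sorted(rdp_activity(SAMPLE_LOG).items()):
        print(f"{action:13} {src:15} {count}")
```

Pass a different port value if the listening port has been changed from 3389.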
Troubleshooting Windows XP Professional Remote Desktop
Verify that Terminal Services is running on the XP Pro desktop
The user can verify whether Terminal Services is running on the desktop PC by executing the services.msc command from the Windows XP Start | Run command window. The service status should be Started.
Verify the PC is listening on TCP Port 3389
From the Windows XP desktop Start | Run command window execute the cmd command. At the command line prompt type the command netstat -a and verify the PC is listening on TCP Port 3389.
The Microsoft PortQry tool
PortQry is a command-line utility that you can also use to help troubleshoot Remote Desktop connectivity issues. This utility reports the port status of target TCP and User Datagram Protocol (UDP) ports on a local computer or on a remote computer. See Knowledge Base Article 832919 or the January 2005 Cable Guy article for details.
The following screen shots illustrate the use of the PortQryUI (User Interface) tool to help diagnose problems with Remote Desktop connectivity. The examples are from PortQry sessions on a local Remote Desktop host, Ashtabula, on my local LAN and a Remote Desktop client PC, Norman.
The following is an example of the host by name test results when Remote Desktop is NOT enabled on the Remote Desktop host PC or the query is blocked by a firewall. The command was executed on the Remote Desktop client PC, Norman.
The following is an example of the host by name test results when Remote Desktop is enabled on the Remote Desktop host PC or the query is not blocked by a firewall. The command was executed on the Remote Desktop client PC, Norman.
The Open Port Check tool
The CanYouSeeMe.org site Open Port Check tool can quickly tell you if port forwarding through local firewall/NAT/router devices is properly configured and working correctly. You can use this site to help troubleshoot Remote Desktop connectivity issues. Note that you should run this test from the Remote Desktop host PC.
The remote connectivity telnet test
The telnet test detailed in Microsoft Knowledge Base Article Q187628 can be used to troubleshoot problems connecting to a PC with Remote Desktop from a remote site.
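The connectivity checks in this section (netstat, PortQry, the open port check and the telnet test) can be combined into one script. The following Python sketch is an added example, not code from the article or from Microsoft: it connects to the port, separates a refused connection from an unanswered one, and sends a minimal X.224 connection request to confirm that the listener really is Remote Desktop. The function name and result labels are assumptions chosen for illustration.

```python
import socket

# Minimal X.224 Connection Request wrapped in a TPKT header (11 bytes).
X224_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")


def probe_rdp(host, port=3389, timeout=3.0):
    """Classify a TCP port on a Remote Desktop host (hypothetical helper).

    'RDP'           port open and the service answers with a connection confirm
    'LISTENING'     port open, but the reply is not a Remote Desktop reply
    'NOT LISTENING' connection refused (Remote Desktop not enabled)
    'FILTERED'      no answer (firewall or missing port forward)
    'UNRESOLVED'    the host name could not be resolved
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "UNRESOLVED"
    except ConnectionRefusedError:
        return "NOT LISTENING"
    except OSError:  # timeout, host or network unreachable
        return "FILTERED"
    with sock:
        try:
            sock.sendall(X224_CONNECTION_REQUEST)
            reply = sock.recv(64)
        except OSError:
            return "LISTENING"
    # TPKT version byte 0x03, then X.224 type 0xD0 (Connection Confirm).
    if len(reply) >= 6 and reply[0] == 0x03 and reply[5] & 0xF0 == 0xD0:
        return "RDP"
    return "LISTENING"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    print(target, port, probe_rdp(target, port))
```

Run it first from a PC on the local LAN and then from the remote location: a result that changes from RDP to FILTERED between the two points to the firewall or port forwarding configuration rather than to the host.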
Users can speed up the rendering of the remote PC desktop display, particularly over slow data links, by disabling the display of the remote PC desktop wallpaper on the client PCs. This can be configured on the Remote Desktop host PC using the Group Policy Editor. Also see the Using Group Policy with Remote Desktop section of the Resource Kit. Run gpedit.msc and navigate to the Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Terminal Services policies. Double-click on the Enforce Removal of Remote Desktop Wallpaper policy and select Enable. Click OK to save the new configuration. Click on File | Exit to exit the Group Policy Editor.
For various reasons users may want to change the Remote Desktop Listening Port from the default TCP Port 3389 to something else. The following describes how to change the port and how to address the Remote Desktop PC using the new listening port.
IMPORTANT: This procedure contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article numbers to view the Microsoft Knowledge Base articles:
256986 – Description of the Microsoft Windows Registry
322756 – HOW TO: Back Up, Edit, and Restore the Registry in Windows XP.
To change the Remote Desktop Listening Port, see Microsoft Knowledge Base Article Q306759. Note that the host XP Pro machine on which the listening port was changed MUST BE REBOOTED in order for the registry change to take effect. Read Microsoft Knowledge Base Article Q304304 for instructions on how to configure the Remote Desktop Client to call using an alternate port.