1

We have a Server 2008 R2 virtual machine that's acting as a public-facing RDP terminal (I know, I know, that's a whole different fight). I'm trying to set RDP to use any port but 3389, but I get the "this computer is unavailable" message whenever I change the port. What I'm doing is:

1) Changing the port used by RDP in the registry (HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp > PortNumber field)

2) Changing the Symantec firewall rule that allows traffic on port 3389 to port (for example) 4000. (Windows firewall is disabled, and I've made sure the service isn't running in services.msc)

3) Try to open an RDP session from another computer on the LAN to x.x.x.x:4000

When I use netstat -a it says TCP is listening on port 4000, but RDP connections fail with the "the computer is offline" error. When I do the exact steps as above with 3389 it works. Anyone know what's up?

4 Answers

0

First, ensure you have entered the value in Decimal format, NOT in hexadecimal format.

Second, you will have to restart the Remote Desktop Services service after changing the RDP port in the registry.

You can easily change the RDP port through PowerShell. Open PowerShell and run the following command.

$portvalue = 4000

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue

Stanley
  • 156
0

I would recommend trying to do this using PowerShell (you can change the 50102 to the desired port number)

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 50102

New-NetFirewallRule -DisplayName "Custom RDP Port (TCP-In)" -Direction Inbound -LocalPort 50102 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Custom RDP Port (UDP-In)" -Direction Inbound -LocalPort 50102 -Protocol UDP -Action Allow

The two commands adjust the Windows Defender firewall to allow your new custom RDP port (not sure if these work on w2k8)

Ace
  • 812
0

(Windows firewall is disabled, and I've made sure the service isn't running in services.msc)

No, no, NO, NO.

The proper way to disable Windows Firewall is to configure it to be "Off" on all network profiles, but you should never actually stop and disable the Windows Firewall service, which is an integral part of the Windows networking stack.

Stopping the actual service is not supported and can lead to any sort of networking issues, regardless of whatever traffic you wanted to allow or deny.

See also here: How can I back up my recommendation to NOT disable the Windows Firewall service?

Massimo
  • 72,827
0

Export the registry from the working one and import into the broken one

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Patrick Mevzek
  • 10,581
  • 7
  • 35
  • 45
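
Added example (not code from any of the answers above): a PowerShell 2.0-compatible sequence for Server 2008 R2 that combines the points raised in this thread, using `netsh` and `netstat` because the `New-NetFirewallRule` cmdlet is not available on that release. Port 4000 is the question's example, the rule name is made up for illustration, and the script assumes an elevated prompt on the RDP host.

```powershell
# Added example; run from an elevated PowerShell 2.0+ prompt on the RDP host.
$Port     = 4000                   # example port from the question
$RuleName = 'RDP-Custom-TCP-In'    # rule name made up for this example
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Store the port. PowerShell integer literals are decimal, so 4000 is written
#    as 0x0FA0; typing "4000" into regedit with Hexadecimal selected stores 16384.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port
$stored = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
'PortNumber = {0} decimal (0x{0:X4})' -f $stored
if ($stored -ne $Port) { throw "Registry holds $stored, expected $Port" }

# 2. The Windows Firewall service (MpsSvc) should stay running even when every
#    profile is set to Off. This step only reports; it changes nothing.
$fw = Get-Service -Name MpsSvc
if ($fw.Status -eq 'Running') {
    # 3. Inbound allow rule through netsh, which exists on 2008 R2.
    netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=$Port
} else {
    Write-Warning "MpsSvc is $($fw.Status); skipping the Windows Firewall rule."
}
# A third-party host firewall (Symantec in the question) needs its own rule.

# 4. Restart Remote Desktop Services so the listener rebinds to the new port.
#    -Force also restarts dependent services; active RDP sessions are dropped.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# 5. Confirm a TCP listener on the new port (same check as netstat -a).
$listening = netstat -ano | Select-String -Pattern ":$Port\s+\S+\s+LISTENING"
if ($listening) { $listening } else { Write-Warning "Nothing is listening on TCP $Port" }

# 6. Loopback connect: if this succeeds but LAN clients still fail, the block
#    is in the path (host firewall rule, network ACL), not in the RDP service.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect('127.0.0.1', $Port)
    "Loopback connect to port $Port succeeded"
} catch {
    Write-Warning "Loopback connect failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```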