Windows 10 Remote Desktop Over Vpn



Getting access to your work computer remotely may be difficult unless you have set up Remote Desktop on a Windows 10 Pro or Windows 10 Enterprise PC. Remote Desktop lets you connect to a Windows 10 device from a Windows, Android, iOS or macOS client and gives you access to your apps, files and network resources. One of the simplest ways to reach Windows Remote Desktop over the internet is to set up a VPN connection. With a VPN, the Remote Desktop server is never exposed directly to the Internet: when you are away from home you connect to the VPN first, and your computer then behaves as if it were on the same local network as the PC running the Remote Desktop server.

  • Go to Remote Desktop on the lower left.

  • Click to enable Remote Desktop.

  • Confirm enabling Remote Desktop.

  • Once enabled, you will see a summary of settings. Note that the PC must remain on, awake, and online to be used.

Check to be sure that Remote Desktop is allowed through Windows Firewall: On the remote computer, click Start and select Windows.
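The same steps can be carried out from an elevated PowerShell prompt, which also makes it easy to confirm the firewall rule the text asks you to check. This is an added example, not part of the original page or of Microsoft's documentation; it assumes Windows 10 Pro or Enterprise with the standard Terminal Server registry keys, and it additionally turns on Network Level Authentication.

```powershell
# Run in an elevated PowerShell session on the PC that will act as the Remote Desktop host.
# Assumption (not from the original page): standard Windows 10 Terminal Server registry layout.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Enable Remote Desktop (fDenyTSConnections = 0 means "allow connections to this computer").
Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0 -Type DWord

# 2. Require Network Level Authentication, so a client must authenticate before a
#    session is created; the logon screen is not shown to unauthenticated clients.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Allow Remote Desktop through Windows Firewall using the built-in rule group.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Verify: the firewall rules are enabled for the expected profiles ...
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile, Direction

# ... and the RDP service is actually listening on its configured port (3389 by default).
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'PortNumber').PortNumber
"RDP listener port: $port"
Get-Service -Name TermService | Select-Object Name, Status
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the listener is missing after enabling, restart the TermService service or reboot; the registry change alone does not always start the listener immediately.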

With our increasing reliance on outsourcing, companies are having to invite more outsiders (vendors, suppliers, business partners) onto their networks and systems than ever before. And though there are many reasons a vendor might need remote access, mostly this is to provide technical support. Because of this growing requirement, there have been many tools developed to enable this activity. Some have evolved from existing tools, others have been built precisely to allow vendors onto networks.

VPNs and remote desktop sharing are two of the more popular and common applications used for remote support. However, they are quite different from each other and serve different use cases in both theory and practice. They each have limitations in their usefulness for certain scenarios and harbor different security issues both in design and when not implemented correctly.

Let’s look at these two classes of tools and the differences between them to understand where each might fit and where they don’t.

VPNs

Where and when should a VPN be used?

VPNs, or virtual private networks, were born out of a need to provide a connection to remote workers that behaved much like a local area connection. This “network extender” was intended to be used over a public network, such as the internet, and uses encryption to keep the session safe and secure. The technology operates at the network level and typically provides a user with access to servers and machines that are only accessible within the corporate firewall. For the average remote corporate user, this is all they need. Their connection replicates what they would have if they were sitting at their desk at work but provides no additional functionality beyond access.

For internal support staff who need to provide support for other employees, this type of connection works fine since all the resources they need access to would be provided as part of their employee onboarding (email, group membership, shared drives, etc.).

The downfalls

However, for a third party needing access to provide support, a VPN is merely the first step. Additional layers of access would need to be added in order for them to reach the servers or hosts to be supported. For instance, if you will be supporting a server, you need credentials on that server and the proper rights level to do the work. This is, at minimum, a two-step process (you might need credentials on multiple hosts), which leaves room for human error and deliberate misuse to cause problems. Conversely, they may be provided with too much access, and that access may not be tracked adequately. Once the job is done and the contract is terminated, credentials and VPN access must be removed in a timely manner. If not, this leaves a window of vulnerability into those services and devices. And if a user's credentials are stolen or co-opted, the amount of damage that can be caused is greatly increased by a VPN's broad network access.

VPNs also have very limited auditing and monitoring capabilities. Generally, the log files generated will show only minimal information such as connect time, IP address, and username. The actual activities done under that session are opaque, which can be a problem if a detailed audit is required for compliance or if forensic work is necessary after an incident.

Desktop sharing tools

When and where does it make sense to implement?

Desktop sharing evolved out of the shortcomings of VPNs for remote support. Additional capabilities were needed to be able to access any or all of an enterprise’s desktops without needing credentials on each machine. Most remote desktop sharing tools provide an encrypted tunnel much like VPNs, usually using SSL or similar methods, and then enable a “take-over” of an existing user’s role, which eliminates the need for separate credentials. This can be really handy if you need to use your local desktop with programs only resident there. Or if a support representative needs to show a user how to use an application or program on their machine. There are also often other features built into a desktop sharing platform for monitoring and recording a session, but this is usually optional.

The downfalls

However, while remote desktop sharing offers more functionality for the purpose of support than VPNs, it also has shortcomings of its own. It only provides access to the desktop and is not as useful for enterprise support, such as database or server support or those using a command line. While a VPN sometimes offers too much access, desktop sharing might not offer enough. Each session for each machine must generally be initiated, meaning providing 24/7 unattended support is difficult or impossible.

There are also security downsides to having full access to a machine on the network, including access to local files as well as network resources with the full permissions of that user. There may be sensitive files on the machine that could be viewed if the attendant isn’t watching closely. The host could also be used as a beachhead to do reconnaissance or even attack other computers on the network. This is a frequent tactic of hackers, where they get low-level access on a single network node, but expand out from there by finding other vulnerable machines or services visible on the network.

What tool is best for you?

So we have shown that VPNs and remote desktop sharing solutions offer different advantages and disadvantages for remote support and remote access functions. Depending on your applications and the type of support needed, you may want to use one or the other. If you need additional security or compliance features, you may want to augment or replace these technologies with even more purpose-built tools such as privileged access management (PAM) or vendor privileged access management (VPAM) to fully secure the remote support connection.

While VPN and remote desktop sharing tools work well for their intended purposes, they are not secure or efficient tools for third-party remote access. If third parties are accessing your network, whether you're using a VPN, a vendor-supplied support tool, or a Privileged Access Management (PAM) solution to manage network vendor access, the limitations of those tools leave you vulnerable to breaches. Download our brochure that highlights the importance of having a separate software platform specifically to manage vendors' privileged access to systems, networks, and applications.


Applies to: Windows 10, Windows Server 2016

When you connect to your PC by using a Remote Desktop client, you're creating a peer-to-peer connection. This means you need direct access to the PC (sometimes called 'the host'). If you need to connect to your PC from outside of the network your PC is running on, you need to enable that access. You have a couple of options: use port forwarding or set up a VPN.

Enable port forwarding on your router

Port forwarding simply maps the port on your router's IP address (your public IP) to the port and IP address of the PC you want to access.


Specific steps for enabling port forwarding depend on the router you're using, so you'll need to search online for your router's instructions. For a general discussion of the steps, check out wikiHow to Set Up Port Forwarding on a Router.

Before you map the port you'll need the following:

  • PC internal IP address: Look in Settings > Network & Internet > Status > View your network properties. Find the network configuration with an 'Operational' status and then get the IPv4 address.

  • Your public IP address (the router's IP). There are many ways to find this - you can search (in Bing or Google) for 'my IP' or view the Wi-Fi network properties (for Windows 10).

  • Port number being mapped. In most cases this is 3389 - that's the default port used by Remote Desktop connections.

  • Admin access to your router.

    Warning

    You're opening your PC up to the internet - make sure you have a strong password set for your PC.


After you map the port, you'll be able to connect to your host PC from outside the local network by connecting to the public IP address of your router (the second bullet above).

The router's IP address can change - your internet service provider (ISP) can assign you a new IP at any time. To avoid running into this issue, consider using Dynamic DNS - this lets you connect to the PC using an easy to remember domain name, instead of the IP address. Your router automatically updates the DDNS service with your new IP address, should it change.

With most routers you can define which source IP or source network can use the port mapping. So, if you know you're only going to connect from work, you can add the IP address of your work network; that lets you avoid opening the port to the entire public internet. If the host you're connecting from uses a dynamic IP address, set the source restriction to allow access from the whole address range of that particular ISP.
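As an added example (not from the original page or Microsoft's documentation), the following PowerShell collects the internal IPv4 address and RDP port that the port-forwarding rule above needs, and mirrors the router-side source restriction just described on the host's own Windows Firewall as a second layer. It assumes an elevated session on the Windows 10 host; 203.0.113.0/24 is a constructed placeholder for your work network.

```powershell
# Assumptions (not from the original page): run elevated on the Windows 10 host;
# 203.0.113.0/24 is a constructed placeholder for the network you will connect from.

# Internal IPv4 address to enter in the router's port-forwarding rule: the adapter
# that is Up and has a default gateway is the one the router can reach.
Get-NetIPConfiguration |
    Where-Object { $_.NetAdapter.Status -eq 'Up' -and $_.IPv4DefaultGateway } |
    Select-Object InterfaceAlias,
                  @{ n = 'IPv4';    e = { $_.IPv4Address.IPAddress } },
                  @{ n = 'Gateway'; e = { $_.IPv4DefaultGateway.NextHop } }

# Port the router must forward to (3389 unless it has been changed on this host).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port   = (Get-ItemProperty -Path $rdpKey -Name 'PortNumber').PortNumber
"Router rule: external TCP port -> this host, internal TCP port $port"

# Mirror the router's source restriction on the host firewall, so the inbound RDP
# rules only accept the networks you expect even if the router rule is mis-set.
# 'LocalSubnet' keeps Remote Desktop working from the home LAN.
$allowedSources = @('203.0.113.0/24', 'LocalSubnet')
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowedSources

# Confirm the address filter took effect on every inbound rule in the group.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If your work network's address changes, update both the router rule and `$allowedSources`; a stale host-side filter will silently block your own connections.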



You might also consider setting up a static IP address on your PC so the internal IP address doesn't change. If you do that, then the router's port forwarding will always point to the correct IP address.


Use a VPN


If you connect to your local area network by using a virtual private network (VPN), you don't have to open your PC to the public internet. Instead, when you connect to the VPN, your RD client acts as if it were part of the same network and can access your PC. There are a number of VPN services available; find and use whichever works best for you.