Port forwarding terminal services (RDP) over SSH.

From: Jacob Lane, MCP (jacoblanemcp_at_yahoo.com)
Date: 10/19/04

  • Next message: Darren Tucker: "Re: Port forwarding terminal services (RDP) over SSH."
    Date: Mon, 18 Oct 2004 21:58:40 -0700
    
    

    All.

    After some intense research trying to figure out how to do this, I figured I
    would post the results of my efforts for the benefit of all. Comments
    welcome!

    :: PROBLEM ::
    Get Microsoft terminal services to port forward over an SSH session from a
    Windows XP client machine.

    :: SOLUTION ::
    The terminal services client included in WinXP is programmed *not* to allow
    connections to 127.0.0.1, the assumed IP address you are sending your
    packets to when you are port forwarding. However, you can configure custom
    host and lmhost files in %systemroot%\Windows\system32\drivers\etc to
    specify another IP such as 127.0.0.2 which is still considered a loopback
    interface according to RFC 3330 found at
    http://www.faqs.org/rfcs/rfc3330.html.

    Your entries in the hosts file might be:

    127.0.0.2 rdp.someserver.com
    127.0.0.3 rdp2.someserver.com

    This worked fine for me, however, until I upgraded to XP Service Pack 2. I
    discovered that Microsoft took the liberty of only defining 127.0.0.1 as the
    loopback address rather than the entire 127.0.0.0/8 subnet per the RFC spec.
    :-/ Fortunately, they also released a post-SP2 patch that converts your IP
    stack to once again recognize the whole 127.0.0.0/8 subnet as loopback
    addresses again.

    http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;884020

    Once the patch was applied, I could once again connect to my .2 and .3
    addresses.

    Hope this helps.

    Jacob Lane, MCP
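
The setup described in the message above, as an added example that is not part of the original post: it reads hosts-file entries, keeps the 127.0.0.0/8 aliases other than 127.0.0.1, checks that the local IP stack will bind to each one, and builds the matching port-forward options. Assumptions: OpenSSH-style `-L bind_address:port:host:hostport` syntax, the default RDP port 3389, a placeholder gateway `ssh-gateway.example`, and that the server names resolve to the real terminal servers on the SSH server side.

```python
import ipaddress
import socket

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample hosts file: the post's two entries plus lines to be skipped.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.2 rdp.someserver.com
127.0.0.3 rdp2.someserver.com   # second terminal server
192.0.2.10 files.example        # not loopback, ignored
"""

def loopback_aliases(hosts_text):
    """Map name -> IP for hosts entries in 127.0.0.0/8 other than 127.0.0.1."""
    aliases = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if ip in LOOPBACK_NET and str(ip) != "127.0.0.1":
            for name in fields[1:]:
                aliases[name] = str(ip)
    return aliases

def can_bind(ip):
    """True if the local IP stack accepts a listener on ip (port 0 = any free port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError:
            return False

def forward_args(aliases, rdp_port=3389):
    """OpenSSH -L options; naming the bind address keeps the listener on loopback only."""
    return [f"-L {ip}:{rdp_port}:{name}:{rdp_port}"
            for name, ip in sorted(aliases.items())]

if __name__ == "__main__":
    aliases = loopback_aliases(SAMPLE_HOSTS)
    for name, ip in sorted(aliases.items()):
        print(f"{ip:<10} {name:<22} bindable={can_bind(ip)}")
    # ssh-gateway.example is a hypothetical SSH server that can reach the RDP hosts.
    print("ssh", " ".join(forward_args(aliases)), "user@ssh-gateway.example")
```

A `bindable=False` result for an alias points to the local stack not treating that address as loopback, which is the condition the message describes after the SP2 upgrade.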

