How to configure firewall to allow Windows Remote Assistance through?

David Partridge

I'm clearly being stupid, but I don't get the "Black List/White List" thing in the Firewall configuration screen.

What I want to do is to allow Windows Remote Assistance connections through the firewall which I think involves allowing port 3389 through.

How should I configure this please?

Thanks
David
 
I think you're looking at the wrong thing. If you're looking at the Network Services Filter that is for blocking outgoing connections.

You need to configure WAN > Virtual Server / Port Forwarding
 
I think you're looking at the wrong thing. If you're looking at the Network Services Filter that is for blocking outgoing connections.

You need to configure WAN > Virtual Server / Port Forwarding
I don't think so as that one seems to apply to allowing traffic to a single computer on the local LAN.

Here it's a computer on the LAN that has started Windows Remote Assistance and is listening for the reply that isn't getting through.

Dave
 
I have no problem using a computer in my local network to start a RDP session (port 3389) with a computer on another network, so it must be something simple. I don't have any network services filter on.
 
I don't think so as that one seems to apply to allowing traffic to a single computer on the local LAN.
Yes, that's what it does. Unless we're talking at crossed purposes that's what you're asking for. A PC on your LAN is listening on port 3389. For somebody on the internet to be able to connect to that PC you would have to set up a port forwarding rule.

Here's a more specific (but manual) way of doing the same thing but restricting the source IP address: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips
 
Yes, that's what it does. Unless we're talking at crossed purposes that's what you're asking for. A PC on your LAN is listening on port 3389. For somebody on the internet to be able to connect to that PC you would have to set up a port forwarding rule.

Here's a more specific (but manual) way of doing the same thing but restricting the source IP address: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips
Yes, but that's for a single specific PC - I want any of the PCs on the local LAN to be able to use MSRA. I think this just involves letting port 3389 through the wall for *all* local IPs

David
 
I have no problem using a computer in my local network to start a RDP session (port 3389) with a computer on another network, so it must be something simple. I don't have any network services filter on.
Other way round I think. As far as I understand it, MSRA opens a listening port on 3389 to allow the remote assistant (expert) to connect to his/her PC.
 
The next time I get a phone call from someone claiming to be Microsoft Tech support...saying that my computer has a virus and they need to access it remotely...I'll ask them. :D
 
Yes, but that's for a single specific PC - I want any of the PCs on the local LAN to be able to use MSRA. I think this just involves letting port 3389 through the wall for *all* local IPs
No, that's not possible (*). Think about it. Someone on the internet tries to connect to your router on port 3389. Without a port forwarding rule the router has no way of knowing where to forward that connection. So you need to create a port forwarding rule. But you can only forward one port to one internal IP address; forwarding a single connection to multiple LAN devices is impossible.

(*) To solve this problem there are two common approaches. The first is for the application on the client PC to use UPnP to create a temporary port forwarding rule. The application will remove this rule once it's finished using it. The second approach is to use port triggering. With this the router waits until it sees outgoing traffic on a certain port; when it does, it creates a forwarding rule to the device that sent it.
 
No, that's not possible (*). Think about it. Someone on the internet tries to connect to your router on port 3389. Without a port forwarding rule the router has no way of knowing where to forward that connection. So you need to create a port forwarding rule. But you can only forward one port to one internal IP address; forwarding a single connection to multiple LAN devices is impossible.

(*) To solve this problem there are two common approaches. The first is for the application on the client PC to use UPnP to create a temporary port forwarding rule. The application will remove this rule once it's finished using it. The second approach is to use port triggering. With this the router waits until it sees outgoing traffic on a certain port; when it does, it creates a forwarding rule to the device that sent it.
OK so who knows how MSRA works in enough detail to let this happen? I surely don't

Dave
 
OK so who knows how MSRA works in enough detail to let this happen? I surely don't
I've just had a look at this and Good News! For once Microsoft appear to have done something right.

When you set up the remote assistance request it sets up a port forwarding rule (using a random port number) automatically using UPnP. Port 3389 isn't used. The internal and external IP addresses and port numbers are put in the Invitation.msrcincident file. When you terminate the remote assistance session the port forwarding rule is removed automatically.

So in theory, assuming you have UPnP enabled on your router, you don't need to do anything else.

(I haven't been able to test this)

EDIT: Despite what it says here (typos notwithstanding :rolleyes:) on my Windows 7 Pro machine port 3389 is never used. Although it is used for RDP if that is enabled.
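
An added example, not part of the original thread: a PowerShell check that lists the port mappings the router currently holds via UPnP, so the behaviour described above (a temporary rule on a random port, removed when the session ends) can be confirmed from a PC on the LAN. It uses the Windows `HNetCfg.NATUPnP` COM object and assumes UPnP is enabled on the router; the notes it attaches to each mapping are this example's own heuristics.

```powershell
# Added example: audit the UPnP port mappings held by the router.
# Run on a Windows PC on the LAN. Assumes the router has UPnP enabled.

# HNetCfg.NATUPnP is the Windows COM wrapper around the UPnP NAT traversal API.
$nat      = New-Object -ComObject HNetCfg.NATUPnP
$mappings = $nat.StaticPortMappingCollection

if ($null -eq $mappings) {
    # The collection is null when no UPnP-capable gateway answered discovery.
    Write-Warning 'No UPnP NAT device found (UPnP disabled on the router, or discovery blocked).'
}
else {
    # IPv4 addresses of this PC, to tell its own mappings from other LAN hosts'.
    $localAddrs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }

    $report = foreach ($m in $mappings) {
        $notes = @()
        # A mapping to 3389 exposes RDP itself, which is not what MSRA needs.
        if ($m.InternalPort -eq 3389)                   { $notes += 'forwards to RDP port 3389' }
        if ($localAddrs -notcontains $m.InternalClient) { $notes += 'belongs to another LAN host' }
        if (-not $m.Enabled)                            { $notes += 'disabled' }

        New-Object PSObject -Property @{
            Protocol       = $m.Protocol
            ExternalPort   = $m.ExternalPort
            InternalClient = $m.InternalClient
            InternalPort   = $m.InternalPort
            Description    = $m.Description
            Notes          = ($notes -join '; ')
        }
    }

    if (-not $report) {
        Write-Output 'The router reports no UPnP port mappings.'
    }
    else {
        $report |
            Sort-Object InternalClient, ExternalPort |
            Select-Object Protocol, ExternalPort, InternalClient, InternalPort, Description, Notes |
            Format-Table -AutoSize
    }
}
```

Running it before creating an invitation, while the invitation is open, and again after the session is closed shows whether the temporary mapping appears and is then removed; a mapping that is still listed after the session has ended can be deleted from the router's UPnP or port forwarding page.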
 