HOWTO Tunnel Remote Desktop through SSH

**** UPDATE (12/30/07) ****

While my batch file still works, I’ve found a program (for free) that will now do the same thing. I’ve been using Bitvise Tunnelier for the past year to basically do exactly what I am doing below. It is all easily used and administered through a simple interface. 

***********************

I created this HOWTO out of the need to have an alternative method of connecting into a Corporate network. Mostly in case the VPN devices where down or if I was at somebody else's house and did not want to install VPN software on their PC. This could be used for a variety of applications, but only tunnelling Remote Desktop is discussed here. This document could be expanded in the future. If you have any questions, comments, or would like to change or add anything to this document, you can email me at {sawall -[at]- gmail -[dot]- com}.

Set up Remote Desktop

The first thing that needs to be done is to set up Remote Desktop on PC where the connection will be terminated. For this example, the SSH server will only allowed outbound terminal server connections on TCP port 7724. This is different than the default terminal server, TCP port 3389. In order to do this, the registry must be modified with the following setting and then rebooted.
  • Start Registry Editor (Regedt32.exe)
  • Locate the following key in the registry:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ TerminalServer\WinStations\RDP-Tcp\PortNumber
  • On the Edit menu, click Modify, click Decimal, type the new port number, and then click OK.
  • Quit the Registry Editor.
After rebooting the PC, in order to connect to Remote Desktop, the computer name must be entered in the following format:computername:portnumber or ipaddress:portnumber.

Set up the Remote Desktop Client

There are a few nuances with getting the Remote Desktop Client to work through an SSH tunnel. The key diffence is that because the SSH client will be configured to listen for terminal server connections to tunnel, you must set up the Remote Desktop Client to connect to the localhost. In order to do this, follow the steps below:
  • Create a new folder on the root partition (c:\) and name it something like RDP or Remote Desktop.
  • Search your computer for the following two files:
    • mstsc.exe (Remote Desktop Client)
    • mstscax.dll (Remote Desktop Library file)
  • Copy these two files to the newly created folder
  • Highlight the newly copied file, mstsc.exe and click Properties
  • Click the Compatibility tab
  • Once on the Compatiblity tab, check the Run this program in compatibility mode for: box and select Windows 98 / Windows ME.
  • Click OK.

Getting Ready to Connect

In order to connect to the SSH server, an SSH client is needed.PuTTY is recommended as a very reliable client. Information about PuTTY can be found at Simon Tatham's website. PuTTY is a self contained executable. There is no setup or otehr files necessary. The only modification it will make on your computer is adding a KEY to the registry. To make it easier, I've created a batch file so that you will not need to configure PuTTY. It can be downloaded here. The batch file should not be modified, except for the following variables:
  • TIME - Enter the number of seconds the batch file should wait between connecting to the SSH server and then starting up the Remote Desktop Client. Be sure to leave enough time for you to enter your entire PASSCODE. The default is 15 seconds.
  • PUTTY - Enter the name of the PuTTY executable. The default is putty.exe.
  • PUTTYDIR - Enter the name of the directory where the PuTTY executable resides. The default is c:\.
  • RDP - Enter the name of the Remote Desktop Client executable. The default is mstsc.exe.
  • RDPDIR - Enter the name of the directory where the Remote Desktop Client executable resides. The default is c:\rdp\.
  • USERNAME - Enter your employee username associated with your RSA SecurID Token. The default is JoeUser, this needs to be changed.
  • SSHLPORT - Enter a port number that the SSH Client should listen on for Remote Desktop requests. The default is 3390.
  • DESTINATIONPC - Enter the ip address of the PC where the Remote Desktop Client will terminate its connection. The default is 10.x.x.x. This needs to be changed.
  • DESTINATIONPORT - Enter the port number that the remote PC is listening for Remote Desktop connections. The default is 7724. This is the only port allowed through the firewall. Be sure that your Remote Desktop terminal service is set up to listen on this port as described above.
  • SSHSERVER - The IP address of the terminating end of the SSH Tunnel. The default is SSHSERVER.IP.ADDRESS.HERE. This needs to be changed.
  • SSHPORT - The Port you have set up your SSH server to listen on. The default is 5525.
  • WAIT - The variable to determine if the PC already has wait.exe installed from a resource kit or is instead using wait.exe from the Simteldownload site. Only options are LOCAL and SIMTEL. The default is SIMTEL.
  • WAITDIR - Enter the name of the directory where wait.exe resides. Only used if SIMTEL is chosen for the WAIT variable. The default is c:\rdp\wait\.
  • WAITEXE - Enter the name of the wait.exe executable. The default is wait.exe.
NOTE: Do not enclose any of the variables in quote marks, this will break the batch file. Also, the directory paths must end with a trailing backslash (\).

Connecting

After changing the configuration parameters in the SSHRD.bat, run the batch file by double-clicking it. The batch file will open a command prompt and immediately open a connection to the SSH server. The command promt will show a count-down showing how many seconds you have left to log into the SSH server before the Remote Desktop client will be started. If you do not connect to the SSH server in time, the Remote Desktop Client connection will fail. Note: This batch file may fail on some systems if the wait.exe command is not present. On Windows NT, you can simply install it form the Resource Kit. I have this working on Windows XP Pro machine and I am having problems on another. For the device having problems, I have chosen to download wait.exe from Simtel. I have modified the batch file accordingly to allow for this.

Firewall Settings

The ideal placement of the SSH server is on a secured DMZ. This will allow for total control over what access allowed both to and from the SSH server. 

  1. User initiates connections to SSH server over TCP port 5525.
  2. SSH server requests username and PASSCODE.
  3. User enters username and PASSCODE.
  4. SSH server sends username and PASSCODE to ACE/Server over default ports.
  5. ACE/Server allows or denies connection based on appropriate authentication.
  6. If autheticated, user starts remote desktop and connects to localhost:3390. The listening SSH client accepts the connection and tunnels the request through the SSH tunnel.
  7. The SSH server forwards the request out to the destination PC over TCP port 7724.
  8. The destination PC accepts the connection and Remote Desktop starts, the return connection goes back to the SSH server.
  9. The SSH server forwards the terminal session back through the SSH tunnel to the originating client.

Misc.

Download the Remote Desktop Client for non-Windows XP workstations. Information pertaining to setting up Remote Desktop was gathered from the following Microsoft Knowledge Base Articles:
  • 304304 - Configuring the Remote Desktop Client to Connect to a Specific Port
  • 306759 - How to Change the Listening Port for Remote Desktop
Infomation on how to get Remote Desktop to connect to localhost was gathered from this Bitvise articleLast updated 8/23/03.