
remote desktop connection to localhost: a regression in Windows 7?

I maintain a Windows server. It is web-facing, and lives in a DMZ on the other side of the world from me. I have to install new programs every now and then. Windows being Windows, it’s easiest to do this with a desktop session, and Remote Desktop Connection (RDC) is the key tool for that. Since the version of Remote Desktop Protocol (RDP) I’m connecting to isn’t secure enough to expose to the public Internet, I use an ssh tunnel to connect. This is easy to set up in PuTTY.

01_initial_settings.png

An ssh tunnel works by accepting packets on one side of the ssh connection and putting them back into the TCP/IP stack on the other side of the tunnel, as if the packets had originated from the “far” computer. This can be done in either direction. In the screenshot above I’ve configured a tunnel accepting packets on port 3390 of my local machine. They will be re-injected on the remote machine’s stack addressed to “localhost:3389”. In other words, a program connecting to my computer’s port 3390 will actually connect to the remote computer’s port 3389. Port 3389 is Remote Desktop Protocol, so if I point RDC at localhost:3390, I’ll connect to the remote computer’s RDP server.

02_RDC_connection_localhost.png

I recently started using Windows 7 and this setup broke. It seems that in Windows 7, Remote Desktop Connection refuses connections to localhost. Trying to work around the limit using 127.0.0.1, your public IP address or your computer name does not work either: RDC still recognises that you are, apparently, connecting to the computer you are already sitting at. This is an awkward limitation when using an ssh tunnel or some other kind of connection forwarding.

Luckily there is a workaround.

Apparently Windows XP before Service Pack 2 had this same limitation, and people worked around it by pointing RDC at 127.0.0.2. It’s not used that often, but the whole range of addresses starting with 127 is routed back to the local machine; in other words you always have a /8 network running on your own machine. To make this work I had to check the “Local ports accept connections from other hosts” option in PuTTY. Without the option PuTTY only listens for connections to the address 127.0.0.1; with the option it accepts connections on any address, which also means that any other host able to reach my machine could use the tunnel. Now I can point RDC at 127.0.0.2:3390 and get connected to the remote desktop, securely.
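To make the two points above concrete (the tunnel re-injecting connections on the far side, and what “accept connections from other hosts” changes about the listener), here is an added example that is not part of the original post. It is a minimal Python TCP forwarder standing in for PuTTY’s local tunnel, with an echo service standing in for the remote machine’s RDP listener on localhost:3389; nothing in it speaks real SSH or RDP. It compares a forwarder bound only to 127.0.0.2 with one bound to 0.0.0.0, and assumes an OS that routes the whole 127.0.0.0/8 block to loopback (Linux and Windows do; macOS needs an alias on lo0 first). Ports are chosen by the OS so it runs without clashing with a real RDP service.

```python
import socket
import threading

# Constructed demo: a minimal TCP port forwarder in place of PuTTY's local
# tunnel, and an echo service in place of the remote host's RDP listener.
# Assumes 127.0.0.0/8 is routed to loopback (Linux/Windows; macOS needs an alias).


def serve_echo(bind_addr):
    """Start a one-shot echo service on bind_addr; returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind_addr)
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(data)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_addr, target_addr):
    """Accept on listen_addr and relay each connection to target_addr (a local tunnel, minus the SSH)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(listen_addr)
    lsock.listen(8)

    def loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection(target_addr)
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return lsock


def can_connect(addr, timeout=1.0):
    """True if a TCP handshake to addr completes, i.e. the listener is reachable at that address."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def round_trip(addr, payload, timeout=3.0):
    """Send payload through the forwarder and collect the echo that comes back."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(payload)
        received = b""
        while len(received) < len(payload):
            chunk = s.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


def demo():
    # Stand-in for the remote server's RDP service, bound to its own localhost.
    remote_rdp = serve_echo(("127.0.0.1", 0))
    target = remote_rdp.getsockname()
    # Tunnel A: listener bound only to 127.0.0.2 (source address 127.0.0.2).
    narrow = start_forwarder(("127.0.0.2", 0), target)
    nport = narrow.getsockname()[1]
    # Tunnel B: listener bound to every interface, the effect of
    # "Local ports accept connections from other hosts".
    wide = start_forwarder(("0.0.0.0", 0), target)
    wport = wide.getsockname()[1]
    results = {
        "narrow_via_127_0_0_2": can_connect(("127.0.0.2", nport)),
        "narrow_via_127_0_0_1": can_connect(("127.0.0.1", nport)),  # not bound there
        "wide_via_127_0_0_2": can_connect(("127.0.0.2", wport)),
        "wide_via_127_0_0_1": can_connect(("127.0.0.1", wport)),
        "echo_through_tunnel": round_trip(("127.0.0.2", nport), b"constructed RDP-like payload"),
    }
    for s in (narrow, wide, remote_rdp):
        s.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The narrow forwarder is reachable at 127.0.0.2 but refuses 127.0.0.1 on the same port, which is why binding the listener to 127.0.0.2 directly gives the workaround without widening exposure; the 0.0.0.0 listener answers on every local address, and on a real machine on every network interface too.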

03_revised_settings.png

It seems a strange limitation for RDC to refuse to connect to localhost. I can understand the initial idea; having this limit would prevent remoting to a computer you are already remoted to. That’s an easy enough mistake to make if you are managing several servers, and it’s a nice save. The strange bit is that someone repealed the limit in XP SP2, but now it is back again. How does that happen? Was SP2 on a branch, and they forgot to merge it back? Was the limit in the original spec, and the spec didn’t get updated when the limitation was removed? Did they just decide the limit feature was back in? As someone stung by the reintroduction of the feature, it feels like an accidental regression.

04_RDC_connection_127_0_0_2.png

Categories: putty, rdc, remote desktop connection, ssh, ssh tunnel, tcpip, win7, windows, winxp.


9 Responses

  1. Thank you so much.
    On Windows 7 Ultimate this is true, you must have these settings you’ve mentioned (that’s the OS on my desktop computer), but it actually works with localhost:3389 on my laptop (HP DV7) with Windows 7 Home Premium, both 64-bit. No idea why it is like that. But even so, you really helped me and I thank you very much.

  2. Thank you.
    Your post helped me to use RD with the mess of windows versions and behaviors (7 ultimate x64 in this case).

  3. It appears you can also do this in putty by making your *source* port be 127.0.0.2:3390, which will get putty to listen on the alternate port. That worked for me without requiring me to allow everyone on the local subnet to access my tunnel.

    Mitch N, July 9, 2010 @ 13:48
  4. I found out that if you use port 3391 instead of 3390… it will work without any changes in putty!

    just a port issue!

  5. Thanks for sharing! Nice to see I wasn’t the only one having this problem and happy you took the time to post the solution. Great job!

    John R, November 25, 2010 @ 13:25
  6. Thank you! Very helpful indeed.

    Fred, March 30, 2011 @ 05:13
  7. Confirming, you do not need to enable “Local ports accept connections from other hosts”. Just change the IP as above to 127.0.0.2 and continue to use as normal.

    Very happy, thanks for this!

    Eric, July 18, 2011 @ 23:25
  8. It is not a port issue and doesn’t have anything to do with how putty accepts the connections on your client machine. Quite simply, the server doesn’t like it if you connect on 127.0.0.1. The connection establishment succeeds, but the software refuses to communicate (without dropping the connection). (You can telnet to localhost 3389 on a Windows 7 machine and you get a connection.) If you use 127.0.0.2, the connection not only succeeds but the RDP session is established.

  9. @Dude: The server didn’t change at all when I upgraded from Windows XP to Windows 7. I took that to mean the problem was client side. I only had to use a different port because the RDC service was running locally, and so Putty couldn’t have bound to :3389.

    @Eric: Glad to hear that local ports do not need to accept from other hosts.

    Fortunately, I haven’t had to RDC for several years. :)
