
The context is a company network needing to connect to virtual machines in the cloud via RDP but never receiving any RDP connections itself. So the company network only has RDP clients but no RDP servers, and the VMs on the cloud are the opposite: they only have RDP servers running on port 3389.

In this case, should the company firewall allow only outbound / outgoing RDP connections to port 3389 of external IPs and block all inbound / incoming connections to port 3389 of local network IPs? Or (contrary to my understanding) should the firewall also allow incoming connections on port 3389 of local network IPs for the RDP client to work?

It would be great to have an explanation justifying the answer. I believe this is basic networking related to ephemeral ports, but clarity on that would be quite useful.


2 Answers

After a few comment exchanges, your question basically boils down to this:

Do I need to open my RDP port 3389 on the client side for RDP to a cloud server to work, or is that a security risk?

No, you never need to open a client side port at all.

By "open a port", I mean creating a port mapping on the router and specifically allowing the port in the firewall to accept incoming requests.

By default in Windows, when a client connects to another machine using the RDP protocol, it will connect TO the other machine through TCP/IP, then switch to a different UDP port for the actual connection. Because of this mechanism, only on the server side do you need to open ports. Only if a client has very strict and overdone firewall settings may it be that something needs to be allowed for the outgoing connection to work, but never does a client need to alter router settings to allow incoming traffic over TCP port 3389.
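To make the ephemeral-port reasoning concrete, here is an added example (not part of the answer above) that models the company's stateful egress firewall: new outbound TCP to 3389 is permitted, replies belonging to a tracked connection are permitted, and everything else inbound is dropped. The IPs, the client's source port and the LAN prefix are constructed sample values; the model covers the initial TCP leg only.

```python
from dataclasses import dataclass

RDP_PORT = 3389
EPHEMERAL = range(49152, 65536)  # dynamic port range a client stack draws its source port from


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool
    ack: bool


class StatefulFirewall:
    """Minimal model of the company edge firewall with connection tracking."""

    def __init__(self, lan_prefix: str):
        self.lan_prefix = lan_prefix
        # tracked flows keyed by (client_ip, client_port, server_ip, server_port)
        self.conntrack: set[tuple[str, int, str, int]] = set()

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def filter(self, pkt: Packet) -> str:
        outbound = self.is_lan(pkt.src_ip) and not self.is_lan(pkt.dst_ip)
        if outbound:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.conntrack:
                return "ACCEPT"  # later segments of a tracked outbound flow
            if pkt.syn and not pkt.ack and pkt.dst_port == RDP_PORT:
                self.conntrack.add(key)  # new outbound RDP connection: track it
                return "ACCEPT"
            return "DROP"
        # Inbound: accept only if it is the reverse direction of a tracked flow.
        # No rule ever allows inbound traffic *to* port 3389 on a LAN client.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ACCEPT" if reverse in self.conntrack else "DROP"


def demo() -> dict[str, str]:
    fw = StatefulFirewall("10.0.")  # constructed LAN prefix
    client, vm, stranger = "10.0.1.25", "203.0.113.10", "198.51.100.7"
    cport = 51234  # constructed ephemeral source port chosen by the client
    assert cport in EPHEMERAL
    return {
        "syn_out": fw.filter(Packet(client, cport, vm, RDP_PORT, syn=True, ack=False)),
        "synack_back": fw.filter(Packet(vm, RDP_PORT, client, cport, syn=True, ack=True)),
        "unsolicited_in": fw.filter(Packet(stranger, 40000, client, RDP_PORT, syn=True, ack=False)),
        "forged_reply": fw.filter(Packet(vm, RDP_PORT, client, RDP_PORT, syn=True, ack=True)),
    }
```

The reply from the VM is accepted because it targets the client's ephemeral port and matches tracked state, while a fresh inbound connection to 3389 on the client, or a reply that does not match a tracked flow, is dropped.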


How many roles have been installed in your RDS deployment or is it simply used to remote from A to B?

For the latter one, per the article "Change the listening port for Remote Desktop on your computer", it confirmed that the port (3389 by default) is changed on the computer that you remote to, which could be considered the server side.

For the former one, here is a blog that mentions the port requirements of all the RDS roles for a remote connection:

RDS 2012: Which ports are used during deployment?

