Changing the RDP Port on Windows 10

April 05, 2016

By default, Remote Desktop connections on Windows use port 3389. If you find the need to change this port, the following should help. Make sure you have "Allow remote connections to this computer" checked under System Properties > Remote before you begin.

In my experience, you should avoid changing the mapped port for core Windows services if possible, as this can cause numerous configuration and management issues.

Other options include:

  • Using port mapping (forwarding) on your router (e.g. externalip:10000 -> serverip:3389). Not all routers offer this functionality.
  • Installing a third-party remote desktop app, like Chrome Remote Desktop or LogMeIn. These require specific software and/or subscriptions.
  • Deploying a server/PC as an RDP "gateway". You then access all further RDP hosts from this first point of contact.
  • Using an RD Gateway/RD Web Access. This requires a server with the appropriate role installed, but can optionally be configured with two-factor authentication like Duo.

To check what port your RDP is currently listening on, use the netstat command in an elevated command prompt.

netstat -abo

This will show information about current network connections and listening ports, as well as associated executables and processes. You'll see port 3389 bound to svchost.exe on TermService.


RDP running on port 3389 (default), as reported by netstat -abo.

To change the bound port you'll need to open an elevated command prompt and run regedit.

regedit

Navigate to the PortNumber setting at HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp.

Right click on the REG_DWORD named PortNumber and hit Modify. Change the base to Decimal and enter the new port (between 1025 and 65535). You can use netstat to check if a particular port is already bound to a process.

Once you've changed the value, exit RegEdit and either reboot the computer, or simply restart the Remote Desktop Services service using the Services snap-in in Computer Management. You can confirm the port has been changed by running netstat again (in my case, to 10000).


RDP bound to port 10001 (but can be almost any port), reported via netstat -abo.

Finally, open up Windows Firewall and add a new inbound rule for the new port. You won't be able to change the existing rule as that's a core system rule, but copy across the values into a new rule and you'll be good to go.
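
The same steps as a script, for an elevated PowerShell prompt. This is an added example, not part of the original post; the port 10001 is a sample value and the firewall rule name is made up for illustration. It adds the firewall rule before restarting the service, so that a remote session is not cut off from a port that is still blocked.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the manual steps described in this post.
$NewPort  = 10001                            # sample value; pick any free port from 1025 to 65535
$RuleName = 'Remote Desktop (custom port)'   # hypothetical rule name, choose your own
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Show the port RDP is currently configured to use (3389 by default).
$current = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Write-Host "Current RDP port: $current"

# 2. Validate the range, then refuse to continue if something already listens there.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the range 1025-65535."
}
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($inUse) {
    $owner = (Get-Process -Id $inUse.OwningProcess).ProcessName
    throw "Port $NewPort is already bound by process '$owner'."
}

# 3. Write the new port as a REG_DWORD (the value is decimal here, as in regedit's Decimal base).
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord

# 4. Add a new inbound rule; the built-in Remote Desktop rule is left untouched.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow | Out-Null
}

# 5. Restart Remote Desktop Services. This drops any active RDP session.
Restart-Service -Name TermService -Force

# 6. Confirm the listener moved (the equivalent of re-running netstat -abo).
Start-Sleep -Seconds 3
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "RDP is now listening on port $NewPort."
} else {
    Write-Warning "Nothing is listening on port $NewPort yet; check the service or reboot."
}
```

To revert, set $NewPort back to 3389 in the registry step (skipping the range check) and remove the added firewall rule with Remove-NetFirewallRule -DisplayName $RuleName.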



From Dave, who writes to learn things. Thoughts and views are his own.

© 2024, withdave.