All Products
Search
Document Center

Elastic Compute Service:How to configure a firewall for remote connection to a Windows instance

Last Updated:Dec 17, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

 

Overview

This article describes how to configure a remote connection firewall for a Windows instance.

 

Detail

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

To improve the security of the remote connection instance, we recommend that you enable and configure the firewall. We provide you with the following two ways to configure the remote connection firewall.

 

Add port rules

Allow remote connection by allowing the local remote desktop port. The default port of the remote server is port 3389 of TCP.

Tips : in the firewall inbound rules, if the port set is inconsistent with the Port set by the remote server, the remote access to the server fails. In this case, you can use this method to add the actual port of the remote service to the inbound rules of the firewall.

  1. Log on to a Windows instance. For more information, seeconnect to a Windows instance from a local client.
  2. In the menu bar, click start.> Run.
  3. In the run window, enter wf.msc. Click OK.
  4. In the Winodws firewall with advanced security window that appears, click inbound rules and then click create rule.
  5. In the new inbound rule wizard window, select Port click next.
  6. In the dialog box that appears, selecttcp and then add a specific local port. Click next.

    Tips: use the actual remote port as the standard Port. Generally, the default port is 3389.

  7. In the dialog box that appears, select allow connection. Click next.
  8. In the pop-up window, use the default configuration. Click next.
  9. In the displayed window, enter the rule name. Click finish.
  10. View Windows Firewall properties to check whether the firewall is enabled.
  11. If the firewall is not enabled, select enable (recommended).

    Tip: We recommend that you enable all the firewalls under the tab of domain configuration file, dedicated configuration file, and public configuration file.

  12. After completing the preceding steps, access the instance remotely and add a new remote port number to the end of the remote address to connect to the instance. For example, 192.168.1.2:3389.

 

Add a predefined rule

You can add a predefined remote desktop rule for the inbound rule to allow remote desktop access.

Tips: This method is suitable for situations where the remote desktop port has not been changed and the TCP port 3389 is used by default.

  1. Log on to a Windows instance. For more information, seeconnect to a Windows instance from a local client.
  2. In the menu bar, click start.> Run.
  3. In the run window, enter wf.msc. Click OK.
  4. In the Winodws firewall with advanced security window that appears, click inbound rules and then click create rule.
  5. In the new inbound rule wizard window that appears, select predefined remote, clicknext. Next.
  6. In the displayed window, select the Remote Desktop (TCP-In) click next.
  7. In the displayed window, selectallow connectionand click finish.
  8. View Windows Firewall properties to check whether the firewall is enabled.
  9. If the firewall is not enabled, select enable (recommended), and click apply.

    Tip: We recommend that you enable all the firewalls under the tab of domain configuration file, dedicated configuration file, and public configuration file.

  10. After completing the preceding steps, access the instance remotely and add a new remote port number to the end of the remote address to connect to the instance. For example, 192.168.1.2:3389.

 

Application scope

  • ECS