Windows XP remote desktop thru' a proxy + firewall etc...

First off, let me say that I am not a networking professional; I am an IT generalist with a leaning towards databases/development - it just happens that I find myself supporting a great deal more, including a network that I don’t totally understand.

Right, so the situation is this:
An XP workstation
Another (Win98) machine on the same network, with broadband connection, shared across the network by means of a proxy server program called Jana server 2. A software firewall (Sygate) is also installed. - so this machine has two NICs - one facing the LAN (which has a local IP address to which the workstations point for internet access etc.), the other is connected to the broadband router and is assigned the static IP supplied by our ISP.

I have been asked to set up Remote Desktop on the XP (Pro) workstation, so that it can be accessed from a remote machine (which we’ll assume will also be running XP Pro).

What is the best way to go about doing this, bearing in mind that:
I only vaguely understand the concept of VPN.
I’m cagey about making major changes to the general setup (such as ditching the whole lot and setting up a Linux server), in case the whole thing comes crashing down.
Cost is an issue; there isn’t much of a budget here, so if we can work with what we have, that would be preferable.

You need to forward TCP port 3389 from the 98 machine’s external IP address to the XP machine’s internal IP address. I’m not familiar with the Jana software, but look for a Port Forwarding section in its setup. You’ll also need to find a way to permit this service in the Sygate firewall.

The firewall seems fairly easy to configure - I can set up advanced allow/block rules (that override the general ones) for specific ports.

Am I rendering my network vulnerable by opening this port?

Well, by design you’re making the XP machine vulnerable to being taken over remotely. Anyone with an RDP client will be able to connect to it and try to log in. You can minimize this vulnerability in a number of ways.

You can map a different, obscure outside port on the 98 machine. Any unused port will work as long as it forwards to 3389 on the XP machine. The person connecting will have to type in the IP:port (e.g. in their Remote Desktop Connection window instead of just the IP. This will prevent unsophisticated intrusions, but a port scan will still find it.

If the firewall software allows, you can filter IPs so that only computers in desired ranges can connect to that port. This is probably the best option.

In any event you should set really difficult passwords on any administrator accounts on the XP machine.
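As an added illustration of the layered mitigations this answer describes (an obscure outside port mapped to 3389, source-address filtering, default deny), here is a small Python model of such a forwarding rule together with an audit check; this is example code, not anything from the thread or from the Jana or Sygate products, and the addresses, port number and rule format are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set for the proxy/firewall machine (hypothetical format,
# not Sygate's own): one rule maps an obscure external port to RDP (TCP 3389)
# on the XP workstation and restricts it to a trusted source range.
RULES = [
    {
        "name": "rdp-to-xp",
        "external_port": 50389,                 # obscure outside port
        "forward_to": ("192.168.0.10", 3389),   # XP workstation (assumed)
        "allowed_sources": ["203.0.113.0/24"],  # remote office range (assumed)
    },
]

def evaluate(rules, src_ip, dst_port):
    """Decide what the firewall does with an inbound TCP connection.

    Returns ("forward", (host, port)) when a rule matches the destination
    port and the source lies in one of its allowed ranges (or the rule has
    no restriction at all); otherwise ("block", None). Unknown ports and
    sources outside every range fall through to the default deny.
    """
    src = ip_address(src_ip)
    for rule in rules:
        if rule["external_port"] != dst_port:
            continue
        allowed = [ip_network(n) for n in rule["allowed_sources"]]
        if not allowed or any(src in net for net in allowed):
            return ("forward", rule["forward_to"])
        return ("block", None)
    return ("block", None)

def audit(rules):
    """Flag rules that expose RDP (3389) without any source-address filter,
    i.e. the 'anyone with an RDP client can try to log in' situation."""
    findings = []
    for rule in rules:
        if rule["forward_to"][1] == 3389 and not rule["allowed_sources"]:
            findings.append(f"{rule['name']}: RDP forwarded from any source")
    return findings
```

Changing the outside port alone still leaves `audit()` silent only when an allowed range is set, which is the point of the answer: obscurity is not a substitute for the IP filter.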

My proxy utility doesn’t support port forwarding, so it looks like I have a couple of options (check me on this, please):

Install a port forwarding utility on the proxy server machine.

Install a second NIC in the WinXP machine and patch this directly through to one of the three remaining spare ports on the broadband router and accept the incoming RDP connection here - I’ll have to install a separate firewall just for the XP machine though.

Looks about right to me.

The downside to connecting to the router would be that the XP machine would be outside the office(?) network, so you couldn’t share files and printers and such.

If this is for a small office network, and unless the Win98 machine is doing something special wrt. filtering or access restrictions or whatever, think about shoving the whole lot onto the router. The router already undoubtedly provides DHCP and firewalling in a far more reliable manner than that 98 machine is.

But that might be complicating things beyond your desire to muck with them. My routing and port forwarding needs are met by my Linux box (though not my printing for some obtuse reason :mad: Grr. Um. Ahem…) so all I can say is you’ll likely find something useful with Google.

If it was using a second NIC to connect to the router, it could still be part of the office network on the original NIC, couldn’t it?

AFAIK, the router doesn’t incorporate any kind of worthwhile firewalling (it was provided as part of the broadband package from BT) - the Win98 machine is something of a legacy from when the only available internet connection was via an ISDN dialup, so this machine acts as a proxy for the whole office, as well as a mail server (it actually works quite well).