PHP Server Monitor – Add Ping Functionality

Adding Ping (ICMP) to PHP Server Monitor

I love PHP Server Monitor, it is an amazing tool for my business to have a simple, reliable, practical way to ensure which services or devices are online. The only complaint I have with it is that it does not support ping monitors, only services (query Port 3389 for example).

Major thanks to Michele Mariotti and insuman on the PHP Server Monitor forums (Post Link) for writing up some code that allows ICMP functionality, as long as the service is Port 1.

Log in to your server via Putty, make a backup of the StatusUpdater function definitions, and replace the old code with the new code that will allow you to use ICMP.

 

# For me, PHP Server Monitor is installed under /var/www/html; your path may be different.
cd /var/www/html/src/psm/Util/Server/Updater

cp StatusUpdater.class.php StatusUpdater.class.php.bak

sudo nano StatusUpdater.class.php

 

#Find the function
Ctrl + W (search)

function updateService

<Enter>

 Old Code in StatusUpdater.class.php

protected function updateService($max_runs, $run = 1) {
    $errno = 0;
    // save response time
    $starttime = microtime(true);

    $fp = fsockopen ($this->server['ip'], $this->server['port'], $errno, $this->error, 10);

    $status = ($fp === false) ? false : true;
    $this->rtime = (microtime(true) - $starttime);

    if(is_resource($fp)) {
      fclose($fp);
    }

    // check if server is available and rerun if asked.
    if(!$status && $run < $max_runs) {
      return $this->updateService($max_runs, $run + 1);
    }

    return $status;
  }

 

Change to New Code in StatusUpdater.class.php

This hardcodes TCP Port 1 in PHP Server Monitor to mean ICMP/Ping: any server whose port is set to 1 is pinged instead of port-checked. The default timeout is 5 seconds; adjust the number 5 in the timeout variable ($timeout) to whatever time in seconds you want.

You can use Ctrl+K in nano to delete an entire line at once, rather than holding the Backspace or Delete keys.

###NEW CODE###
protected function updateService($max_runs, $run = 1) {

        if (($this->server['port']) == 1) {
            /* port 1 = ICMP ping; timeout min: 5 sec */
            $timeout = ($this->server['timeout'] < 5 ? 5 : $this->server['timeout']);
            /* save response time */
            $starttime = microtime(true);
            /* ICMP ping packet with a pre-calculated checksum */
            $package = "\x08\x00\x7d\x4b\x00\x00\x00\x00PingHost";

            /* raw ICMP sockets need root (or CAP_NET_RAW); socket_create() returns false otherwise */
            $socket = socket_create(AF_INET, SOCK_RAW, 1);
            if ($socket === false) {
                /* store error reason */
                $this->error = socket_last_error() .' '. socket_strerror(socket_last_error());
                $status = false;
            } else {
                socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $timeout, 'usec' => 0));
                socket_connect($socket, $this->server['ip'], null);
                socket_send($socket, $package, strlen($package), 0);

                if (socket_read($socket, 255)) {
                    $status = true;
                } else {
                    /* store error reason */
                    $this->error = socket_last_error() .' '. socket_strerror(socket_last_error());
                    $status = false;
                }
                socket_close($socket);
            }
            $this->rtime = (microtime(true) - $starttime);
        } else {
            /* any other port: the original TCP connect check */
            $errno = 0;
            // save response time
            $starttime = microtime(true);

            $fp = fsockopen ($this->server['ip'], $this->server['port'], $errno, $this->error, 10);

            $status = ($fp === false) ? false : true;
            $this->rtime = (microtime(true) - $starttime);

            if(is_resource($fp)) {
                fclose($fp);
            }
        }

        /* rest of the function is unchanged from the old code */
        // check if server is available and rerun if asked.
        if(!$status && $run < $max_runs) {
            return $this->updateService($max_runs, $run + 1);
        }

        return $status;
    }
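The patched function sends a fixed packet with a pre-calculated checksum and counts any datagram read from the socket as a successful ping. The following is an added example, not part of the forum patch or of PHP Server Monitor: it computes the ICMP checksum so the identifier, sequence number or payload can change, and it accepts a reply only when it is an echo reply matching the request. The function names and the sample datagrams (documentation addresses 192.0.2.x) are constructed for illustration.

```php
<?php
// Added example, not PHP Server Monitor code. All function names are hypothetical.

/** RFC 1071 Internet checksum: one's-complement sum of 16-bit words. */
function icmp_checksum(string $data): int
{
    if (strlen($data) % 2 === 1) {
        $data .= "\x00";                          // pad odd-length input
    }
    $sum = array_sum(unpack('n*', $data));
    while ($sum >> 16) {                          // fold carries into the low 16 bits
        $sum = ($sum & 0xFFFF) + ($sum >> 16);
    }
    return ~$sum & 0xFFFF;
}

/** Build an ICMP message with the checksum filled in (echo request = type 8). */
function icmp_message(int $type, int $code, int $id, int $seq, string $payload): string
{
    $unsummed = pack('CCnnn', $type, $code, 0, $id, $seq) . $payload;
    return pack('CCnnn', $type, $code, icmp_checksum($unsummed), $id, $seq) . $payload;
}

/**
 * Check a datagram as read from a raw ICMP socket (IPv4 header included).
 * Returns true only for an echo reply that carries our id, sequence and payload.
 */
function is_matching_echo_reply(string $datagram, int $id, int $seq, string $payload): bool
{
    if (strlen($datagram) < 28) {                 // 20-byte IPv4 header + 8-byte ICMP header
        return false;
    }
    $ihl = (ord($datagram[0]) & 0x0F) * 4;        // IPv4 header length in bytes
    if ($ihl < 20 || strlen($datagram) < $ihl + 8) {
        return false;
    }
    $icmp = substr($datagram, $ihl);
    $h = unpack('Ctype/Ccode/nsum/nid/nseq', $icmp);
    return $h['type'] === 0 && $h['code'] === 0   // echo reply
        && icmp_checksum($icmp) === 0             // a valid message sums to zero
        && $h['id'] === $id && $h['seq'] === $seq
        && substr($icmp, 8) === $payload;
}

/** Constructed 20-byte IPv4 header so the samples look like socket_read() output. */
function sample_ipv4_header(int $icmpLength): string
{
    return pack('CCnnnCCnNN', 0x45, 0, 20 + $icmpLength, 0, 0, 64, 1, 0,
        ip2long('192.0.2.10'), ip2long('192.0.2.1'));
}

// The page's hard-coded packet is an echo request with id 0, seq 0, payload "PingHost":
// rebuilding it from those fields reproduces the pre-calculated checksum bytes.
$pagePacket = "\x08\x00\x7d\x4b\x00\x00\x00\x00PingHost";
var_dump(icmp_message(8, 0, 0, 0, 'PingHost') === $pagePacket);

// A request that can be told apart from other pings to the same host.
$id = getmypid() & 0xFFFF;
$seq = 1;
$payload = 'PingHost';
$request = icmp_message(8, 0, $id, $seq, $payload);

// Constructed inputs: a matching echo reply, and a simplified
// destination-unreachable message (type 3) that must not count as "up".
$reply = icmp_message(0, 0, $id, $seq, $payload);
$unreachable = icmp_message(3, 1, 0, 0, substr($request, 0, 8));

var_dump(is_matching_echo_reply(sample_ipv4_header(strlen($reply)) . $reply, $id, $seq, $payload));
var_dump(is_matching_echo_reply(sample_ipv4_header(strlen($unreachable)) . $unreachable, $id, $seq, $payload));
```

In `updateService` these helpers would stand in for the fixed `$package` string and for the bare `socket_read()` truthiness test.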


OwnCloud Server 9.0 – Ubuntu 12.04 Installation

OwnCloud Server 9.0 on Ubuntu 12.04 with PHP 5.6

A quick setup guide to setting up a private OwnCloud Server on Ubuntu Server.

From building a fresh machine, to setting static IP, installing dependencies, and taking everything online.

 

Ubuntu 12.04 and PHP 5.6

Current Ubuntu is 14.04, but our AppAssure software threw a fit trying to back up a 14.04 that is apt-get updated to the newest. The lovely error: “Buffer I/O error on device sdb0, logical block #”

Some patch must have broken whatever the backup is using. So I had to install on Ubuntu 12.04, except it by default only installs PHP 5.3…. OwnCloud needs 5.4+

 

OS Setup

Install the OS, check the OpenSSH feature, use Putty to connect over SSH so you can copy/paste.

#Configure a Static IP

#Use nano to edit > Ctrl+X to close
nano /etc/network/interfaces


#Change iface eth0 inet dhcp to:
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.254
dns-nameservers 192.168.1.4 8.8.8.8

 

Upgrade 12.04 with the newest patches, security fixes, etc. Then add a repository that normally is not in 12.04, to allow the install of php5.6

#Update the OS
apt-get update
apt-get upgrade

#Allow PHP 5.6 to be installed on an older OS
apt-get install python-software-properties
add-apt-repository ppa:ondrej/php5-5.6
apt-get update
apt-get install apache2
apt-get install php5 php5-mysql
apt-get install php5-gd php5-json php5-curl php5-intl php5-mcrypt php5-imagick
apt-get install mysql-server

#Lock down your SQL, remove the anonymous and remote access.
mysql_secure_installation

#Go configure MySQL for OwnCloud
mysql -u root -p
#Enter the DB password prompted when installing.
#Create a user and a database, and grant privileges.
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE ownclouddb;
GRANT ALL ON ownclouddb.* TO 'user'@'localhost';
FLUSH PRIVILEGES;
exit

Install OwnCloud

#Download the installer, unzip/untar it
cd /var

wget https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2

tar -xvf owncloud-9.0.0.tar.bz2 -C /var/www/html/

 Configure Apache2

#Point Apache to your website directory
cd /etc/apache2/sites-available
#Make a backup
cp 000-default.conf 000-default.conf.bak
nano 000-default.conf
#Change ServerName to your FQDN (files.website.com)
#Change DocumentRoot to your path (/var/www/html/owncloud)
service apache2 restart

#Edit OwnCloud to accept your website URL (FQDN)
cd /var/www/html/owncloud/config
nano config.php
#Change your array to look like:
  array (
    0 => 'files.website.com',
    1 => '192.168.1.10',
  ),
#Change the CLI URL
'overwrite.cli.url' => 'http://files.website.com',

 Configure Data Directory

mkdir /owncloud
mkdir /owncloud/data
chown -R www-data:www-data /owncloud/data/

Go log in to your website, http://192.168.1.10, pop in the applicable information, and change the data path to something outside of the www subdirectory (I use /owncloud/data/).

You *may* have a permission error preventing you from changing the maximum file upload size, File Handling > “Missing permissions to edit from here.”
Just edit the hidden .htaccess file permissions

#Note: mode 776 also lets every other local account read and write these files.
chmod 776 /var/www/html/owncloud/.htaccess
chmod 776 /owncloud/data/.htaccess
#Edit Apache2.conf
nano /etc/apache2/apache2.conf
#Change "AllowOverride None" to "AllowOverride All"
#Important for the /var/www directory.

I recommend updating your OwnCloud installation, located in the Username > Admin > Updater section. There are some bugs such as Internet Explorer 11/Edge getting the error “Could not create folder “<FOLDERNAME>”” that can be fixed with an update.

Good luck, enjoy OwnCloud, beats the heck out of Dropbox 🙂

HyperV Migration – 0x80090303 – Failed to Authenticate

HyperV Live Migration SPNs – 442 Failed to Authenticate (0x80090303)

Good golly, I just want to move, export, or replicate a VM from one HyperV Server to another. Why is it so frustrating? A commonly received error is 0x80090303, meaning that a HyperV host is not allowed to make a live migration connection to another HyperV host. It must first be delegated.

 

The reasons why this has to be so much work (at least, per worthless Microsoft Technet articles) are beyond the scope of this article. The fix can be quick and easy. From my personal experience, I’ve only gotten CredSSP to work once after a lot of pain and agony. Kerberos through constrained delegation can work, but only if the SPNs are set correctly. Make sure both servers are joined to the same domain, and that the VM to be migrated has the Processor > Compatibility setting “Migrate to a physical computer with a different processor version” checked.

 

Delegation can be done through Active Directory Users and Computers, but then you have to get the servers to pull their new SPN settings through either a reboot or “gpupdate /force”, which even then only occasionally works.

 

The quick and easy fix

Take the code below, find & replace the SERVERA, SERVERB, and domain.local fields, and punch it into each server: the ServerA commands go into an administrative command prompt on Server A, and the ServerB commands into one on Server B. By reloading the vmms service you force pull the new settings.

If you cannot find the Active Directory Attribute Editor button for “Trust this computer”, don’t worry about it, the SPNs are really what matter.

Punch in the commands, close and re-open HyperV manager on both, and give your move/export/replication another whirl.

=-=-=-=-=-=-= Hyper-V Live Migrations =-=-=-=-=-=-=
Active Directory > Right-Click Machine > Properties > Delegation > Trust this computer for delegation to any service (Kerberos Only)

For SERVERA
setspn -S "Hyper-V Replica Service/SERVERA" SERVERA
setspn -S "Hyper-V Replica Service/SERVERA.domain.local" SERVERA
setspn -S "Microsoft Virtual Console Service/SERVERA" SERVERA
setspn -S "Microsoft Virtual Console Service/SERVERA.domain.local" SERVERA
setspn -S "Microsoft Virtual System Migration Service/SERVERA" SERVERA
setspn -S "Microsoft Virtual System Migration Service/SERVERA.domain.local" SERVERA
net stop vmms && net start vmms
----
For SERVERB
setspn -S "Hyper-V Replica Service/SERVERB" SERVERB
setspn -S "Hyper-V Replica Service/SERVERB.domain.local" SERVERB
setspn -S "Microsoft Virtual Console Service/SERVERB" SERVERB
setspn -S "Microsoft Virtual Console Service/SERVERB.domain.local" SERVERB
setspn -S "Microsoft Virtual System Migration Service/SERVERB" SERVERB
setspn -S "Microsoft Virtual System Migration Service/SERVERB.domain.local" SERVERB

net stop vmms && net start vmms

 

 

SystemRescueCD Dual Boot with Windows

SystemRescueCD Dual Boot

SystemRescueCD is an incredibly useful tool for data recovery.

I run a Windows laptop and continually use Easy2Boot for my ISO booting USB stick. It works well with most ISOs, including SystemRescueCD. However my laptop only has two USB plugs.

USB Port Limits

USB 1 – Mounted external HDD

USB 2 – USB Boot Stick

USB … – Target USBHDD to copy data to. No third plug.

 

Old, Ineffective Solutions

Well drat! This means I need to boot SystemRescueCD off hard-disk, rather than a USB port. After much scrounging on the SystemRescueCD forums, I found some very old, outdated, complicated articles to get dual-boot working.

Old Link 1 – https://www.system-rescue-cd.org/Sysresccd-manual-en_Easy_install_SystemRescueCd_on_harddisk

Old Link 2 – https://www.system-rescue-cd.org/Sysresccd-manual-en_How_to_install_SystemRescueCd_on_harddisk

Old Link 3 – http://www.system-rescue-cd.org/forums/viewtopic.php?t=1700

They involve making a directory, extracting files from the ISO, and editing the BCD bootloader to ham out a rickety boot process. In short, a nightmare!

 

IT Dual-Boot Bag of Tricks

I got pretty lucky in figuring out a MUCH easier solution.

Configure EasyBCD to boot the ISO, and extract “sysrcd.dat”, the actual chunk of the ISO that matters, to C:\.

 

Step 1 – Install EasyBCD, just snag the free version if it is for personal use.

Step 2 – Download the SystemRescueCD ISO. If the download is going to take a long time (1 hour), try another mirror (1-3 minutes).

Step 3 – Copy your ISO to root C:\

Step 4 – Add a boot entry in EasyBCD for portable media, and point it to the ISO, C:\systemrescuecd-x86.iso

**Note** If you were to boot at this point, you would successfully boot to the SystemRescueCD menus, but wouldn’t be able to fully load the Live OS. It would continually search /dev/sda, /dev/sdb, /dev/sdc, etc. for the sysrcd.dat, which it is looking for in a mounted CD drive.

Step 5 – Extract the file “sysrcd.dat” from the root of the ISO into root C:\

 

Upon rebooting you should have another option and be good to go! Woohoo!

Sonicwall SSLVPN Setup Guide

Sonicwall SSLVPN Quick-Start Guide

Alright, exciting! You most likely have a user who travels, but needs to access documents or resources inside the office. This is a quick start guide to get SSLVPN setup on the Sonicwall and users connected in.

 

Enabling VPN

Login to your Sonicwall > SSL VPN module (left) > Server Settings > Confirm WAN light is green. If not, click WAN to flip it on. Confirm your SSLVPN port, by default it is TCP 4433.

Creating VPN Users

Sonicwall > Users module > Local Groups > Users

Add User > Name/Password field.

Needs to be a member of the groups:

  • Everyone
  • Trusted Users
  • SSLVPN Services

VPN Access

  • Pick your subnet. If it’s a simple network, you can do “Firewalled Subnet”. If you have isolated zones/subnets, actually pick the subnet(s) the user needs. Generally your X0 (LAN) will be called “LAN Primary Subnet”

Connecting to the VPN with NetExtender

Enter the DNS (or worst case, direct IP) of your Sonicwall, and browse to https://domain.name.com:4433

If you’re pulling a SSL Version Mismatch (Chrome), you need to upgrade your Sonicwall firmware, or use Internet Explorer, which has no concept of security 😉

 

Previously you had to use GlobalVPN, which is very oldschool and lacked a lot of features built into SSLVPN. Login, download the Windows NetExtender Client.

The quick and dirty installer is NXSetupU.exe. It’s not uncommon for these to be super outdated and have a million bugs, in which case to snag a new version, you need to login to https://mysonicwall.com

I highly, highly, recommend getting the newest version of the SSL NetExtender. Sonicwall actually does a decent job of bug fixes with this program.

The Sonicwall Download Center is kind of vague, I wish it would just say “NetExtender Windows”, but it’s the download just labeled “NetExtender”. Anyways, download and run the .MSI.


When logging in, note that capitalization does matter for a Sonicwall user. It’s effectively because Sonicwalls run a *nix OS, where everything is case-sensitive.

You’ll need to include the port in your Server path, no https://, an example: vpn.domain.com:4433

Domain is by default, LocalDomain.


 

Hopefully that is a decent quickstart, post a comment if you have questions!

Office 2016 – Remote Desktop Shared Licensing

Deploying Office 2016 with Shared or Open-Volume Licensing

Doing this the first time was an absolutely confusing mess back when Office 2013 came out. It’s still just as confusing, except now there is more documentation — like this blog aims to help you.

The process is actually identical for 2013 and 2016, you need to download/build your own installer that is different from a normal Office installer — one with Shared Licensing so it can run on a Remote Desktop Server / Terminal Server.

 

Building the Office 2016 Remote Desktop Server Installer

Office 365 ProPlus / Volume Licensing 2013 – http://go.microsoft.com/fwlink/p/?linkid=282642

Office 365 ProPlus / Volume Licensing 2016 – http://go.microsoft.com/fwlink/p/?linkid=626065

Run the officedeploymenttool_XXXX-XXXX.exe, extract it to a folder like C:\Installers\Office365\2016

Edit the configuration.xml file to match something like the following:

<Configuration>
     <Add SourcePath="C:\Installers\Office365" OfficeClientEdition="32" >
          <Product ID="O365ProPlusRetail">
               <Language ID="en-us" />
          </Product>
     </Add>
     <Updates Enabled="TRUE" />
     <Display Level="Full" AcceptEULA="TRUE" />
     <Logging Path="%temp%" />
     <Property Name="SharedComputerLicensing" Value="1" />
</Configuration>

The big one is that “SharedComputerLicensing” field, which makes licensing act under PER USER PROFILE / PER MICROSOFT ACCOUNT, rather than a single key for the whole server.

Open a command prompt in the directory containing the setup.exe and your configuration.xml file.

 

The command to build your installer really is this simple:

C:\Installers\Office365\2016>setup.exe /download configuration.xml

I recommend going over to the Resource Monitor, where you can track the download speed of your files. You’ll end up with a folder like C:\Installers\Office365\Office, which contains all the .CAB files, one directory above where you ran the installer. You could specify a path, local or UNC share, but in my experience it never works consistently.

 

Installation and Activation

But dagnabit, there is no installer… Gotta run it through command prompt:

Once there is no more network/disk activity coming from setup.exe — it has finished downloading all 1.1GB of files:

#Command Prompt (As Administrator)
#Pop the RDS Server into terminal-install mode:
change user /install

#Once download is done:
C:\Installers\Office365\2016>setup.exe /configure configuration.xml

#Once complete
#Pop the RDS Server into user-run mode:
change user /execute

I highly recommend rebooting, for some reason the program icons in the start menu like to not pin/unpin or maintain their old name (Word 2013, Excel 2013, etc) until a reboot.


Office 2016 successfully installed — heck yeah!


Windows Server Backup

Occasionally a client does not want to pay for backup software like StorageCraft, AppAssure, or Veeam; whatever gets their 50 employees back up quickly is not worth $1k to management.

In that case, the cheapest possible solution we use is built-in Windows Server Backup. God-forbid, you have to use something like Symantec Backup Exec, which is really only designed for Tape-Drives — not USB HDDs (again, think cheap).

Windows Server Backup by default, when you build your schedule will only use 1 USBHDD. There is no GUI option to add other USBHDDs to a pool of drives.

 

Adding USBHDDs to a Windows Server Backup Pool

You’ll set up your first USBHDD through the GUI via the scheduler tool. Pick a backup time frame and you’re done. To add new USBHDDs to the pool is a fairly simple process.

  1. Connect the new USBHDD (even if it’s already formatted or linked to another backup server).
  2. ::Local Command Prompt (Run as Administrator)
    ::Pull the Disk GUIDs
    wbadmin get disks
    
    :: The GUID includes a long string inside of brackets { }.
    
    ::Copy-Paste the Disk GUID into the following blank, replacing what is in the brackets
    WBADMIN ENABLE BACKUP -addtarget:{12345678-0000-0000-0000-000000000000}
    
    ::Y - Yes, Y-Yes, wait, eject the drive, and switch it out. Drive automatically adds itself into the scheduling pool.
  3. Add the drives one by one and get a USBHDD pool created and you’re done. If any of the USBHDDs is connected, the next scheduled backup will use that disk.

Quickbooks Error H505 – Multi-User Hosting

Quickbooks Error H505

Oh no! My user is trying to open a Quickbooks workbook stored on a shared drive and gets this awful message: Quickbooks Error code H505, “this company file is on another computer, and QuickBooks needs some help connecting.” This is the generic client error for “cannot connect to host”. It is directly tied to the QuickbooksDBXX service not running on the hosting server.

 

There are two parts to this fix, and possibly a third.

  1. Running the Quickbooks Component Repair Tool – Effectively fixes .NET and DLL registrations within Quickbooks. Run as Administrator.
    1. https://intuitcorp.quickbase.com/up/bhpb3kw5p/g/rbw/eg/va/QBComponentToolv3.exe
  2. Changing the QuickbooksDBXX service on the hosting server to Run As System, rather than .\QBDataServiceUser26
  3. Occasionally after the first two fixes, you still get an error, -6175,0, reinstall Quickbooks and reconfigure the service to run as System.
  4. Check the firewall on the host server, quick test is to temporarily disable Windows firewall and give it a shot. If it is the firewall, forward the ports:


The fix is actually quite simple, head over to the Quickbooks Download Page and download the matching version of your Quickbooks. If you don’t know the info, open the app on a workstation and hit F2 (screencap example)


Quickbooks Product Download Link

https://community.intuit.com/articles/1200542-download-quickbooks-products

Run the installer on the machine hosting the Quickbooks Workbook files, Custom and Network Options > I will be storing our company file here so it can be shared over our network.

However, the Intuit coders make terrible software, and though the QuickbooksDB26 (2016) service is created, you know, the one allowing users to connect to the server with multi-user access…. it doesn’t start… It is set to manual, and attempting to start it provides the worthless message: “The QuickbooksDB26 service started and then stopped”. However, it should be always running in order for users to use QBWs for the matching version. So get this, you *may* have to reboot your server for the services to register correctly, possibly during production hours if it’s urgent from management, so their terrible service can register itself in a way that it functions.

Believe it or not, Quickbooks 2014 and 2015 will actually automatically restart the server, no prompt, no option to hold off, just *poof*, off goes your server. At least 2016 doesn’t do anything (though it doesn’t even let you know it’s necessary).

 

Don’t forget to go to services.msc > Properties > Startup Type: Automatically. Awesome… At the end of the day, it either works and you are a hero, or it took too long and someone is grumpy, either way, you got the job done!

Quickbooks is trying to access the company file but the database server is not responding – 6175,0


Oh it gets better. Despite installing the Quickbooks service, rebooting the server, new error! – -6175,0. Basically means the QuickbooksDB26 service is not running, and you can’t start it either.

When trying to start the service, you’ll see: “The QuickbooksDB26 service on local computer started and then stopped”. Despite there being no helpful logs in the event viewer, the problem in my case was a logon issue.


Run (Windows+R) > Services.msc > Right-Click QuickbooksDB26 > Properties > Log On Tab >

Change “This Account” from .\QBDataServiceUser26 (Local User), to “Local System Account”.

Right-click > Start….

 

 

Wow, finally, my users can work.

 

PHP Server Monitoring Board – Ubuntu 14.04 – AppAssure Installation Missing Dependencies

PHP Monitoring Board w/ AppAssure Backups

We have a pretty slick monitoring board running 24/7 as part of a NOC in our office, the elegant and simple PHP Server Monitor. It’s rock solid, monitors about 250 servers and 100 internet connections, within 1 minute we know if something is down. Really useful because anything down goes into the upper left corner of the screen, when you’ve got 350 devices they would be teeny-tiny unreadable boxes on the TV. It has an update-timer (offline for 38 minutes), and a ping monitor (0.05s) since the last check. Since I set the crontab script to query all devices once per minute, we get minutely updates. A laptop set in Chrome kiosk mode also refreshes the page every 10 seconds for display on the TV.

NOC on in-office TV


Nothing like making a phone call to a client before they even know they are down.

I realized that this VM isn’t backed up, yikes! Off to install the latest AppAssure agent (as of 5.X Linux 14.X is supported), only to find an awful error: “Missing dependencies “linux-libc-dev””. Well, lo and behold, I had to run something as simple as “apt-get update”, then the commands worked:

::Make AppAssure agent executable, install
cd /
cd /home/username
wget "http://link.from.appassure.licenseportal.com/Downloads"
chmod +x ./appassure-installer_ubuntu_amd64_5.4.3.106.sh
./appassure-installer_ubuntu_amd64_5.4.3.106.sh
y (port 8006 + reboot when done)

 

::Per Minute Syncing on PHP Server Monitor
username@PHPMONITOR:~$ sudo -i
[sudo] password for username:
root@PHPMONITOR:~# crontab -e

::Code for minutely updates
*/1 * * * * /usr/bin/php /var/www/html/cron/status.cron.php

 


Protect the machine under AppAssure using your hostname/IP, port (8006 by default), username, and password, set a schedule, enjoy super-awesome backups.

RDP Listening Port – Sonicwall NAT Translation or Registry Change

Customize RDP Listening Port

Quite a few customers want to RDP to their local workstation from home. Opening RDP to the public internet can be a massive security risk, but in practice, it’s very useful and “secure enough” as long as you stay off TCP 3389, which botnets tend to brute force once they find it open. (There’s no security like obfuscation, right….)

 

There are two ways to pull off a RDP connection on a different port. NAT Translation, and Registry Edit.

NAT translation leaves the target computer listening on Remote Desktop via the stock TCP 3389, but uses the router to translate say, TCP 4000 (Public) –> TCP 3389 (Internal).

Registry edit involves changing the port that Remote Desktop Services listens on, and uses a straight Port Forward (TCP 4005 –> TCP 4005).

You can even mix and match if you really wanted, but K.I.S.S. (Keep it simple stupid) if you can.

 

 

NAT Translation

I prefer NAT translation whenever possible, simpler to modify, keeps workstations stock. Your device will need a static IP or DHCP reservation, like any port-forward would.

Pictures attached below of NAT Translation for a Sonicwall.

Custom Service > RDP-4000 (TCP 4000)

Public Server Wizard -> X.X.X.X (Public) -> 192.168.0.X (Private)

Network > NAT Policies > Add

::::Sonicwall NAT Policy Port-Translation / Redirect
::::Original Source:Any
::::Translated Source:Original
::::Original Destination:Server Public (or Primary WAN IP if you are using the stock network interface of X1)
::::Translated Destination:Server Private
::::Original Service:RDP-4000
::::Translated Service:Terminal Services TCP (3389)
:: - If you choose just "Terminal Services" rather than "Terminal Services TCP", it will fail with error "Unknown Service Class", because that is a group, rather than a single service/port.


Confirm if the machine is listening on that port for RDP connections.

::Confirm that the port is being listened on.
netstat -ano | find "3389"


Registry Edit

Run (Windows+R) > regedit.exe >

::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Change to your desired port (4001 rather than default 3389)

Or through (Administrative!) Command Line (CLI) and auto-restart the Remote Desktop Services, so you don’t have to reboot to take your change live. No prompts either with the /y quiet switch.

:: Commandline to change the RDP Listening Port
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 4001 /f
:: No Reboot Required - Restart Remote Desktop Services to listen with the new port
net stop TermService /y && net start TermService /y

:: Add a firewall rule to make it possible to connect in
netsh advfirewall firewall add rule name="Open RDP 4001" dir=in action=allow protocol=TCP localport=4001

Confirm it’s listening on the new port, awwwww yeah!


 

Hope that helps, leave a post if you want, always glad to hear from new friends 🙂