RDP Listening Port – Sonicwall NAT Translation or Registry Change

Customize RDP Listening Port

Quite a few customers want to RDP to their local workstation from home. Opening RDP to the public internet can be a massive security risk, but in practice it’s very useful and “secure enough” as long as you stay off TCP 3389, which botnets tend to brute force once they find it open. (There’s no security like obfuscation, right….)


There are two ways to pull off an RDP connection on a different port: NAT translation and a registry edit.

NAT translation leaves the target computer listening on Remote Desktop via the stock TCP 3389, but uses the router to translate say, TCP 4000 (Public) –> TCP 3389 (Internal).

Registry edit involves changing the port that Remote Desktop Services listens on, and uses a straight Port Forward (TCP 4005 –> TCP 4005).

You can even mix and match if you really wanted, but K.I.S.S. (Keep it simple stupid) if you can.



NAT Translation

I prefer NAT translation whenever possible: it is simpler to modify and keeps workstations stock. Your device will need a static IP or DHCP reservation, like any port-forward would.

Pictures attached below of NAT Translation for a Sonicwall.

Custom Service > RDP-4000 (TCP 4000)

Public Server Wizard -> X.X.X.X (Public) -> 192.168.0.X (Private)

Network > NAT Policies > Add

::::Sonicwall NAT Policy Port-Translation / Redirect
::::Original Source:Any
::::Translated Source:Original
::::Original Destination:Server Public (or Primary WAN IP if you are using the stock network interface of X1)
::::Translated Destination:Server Private
::::Original Service:RDP-4000
::::Translated Service:Terminal Services TCP (3389)
:: - If you choose just "Terminal Services" rather than "Terminal Services TCP", it will fail with error "Unknown Service Class", because that is a group, rather than a single service/port.


Confirm that the machine is listening on that port for RDP connections.

:: Confirm that the port is being listened on (the colon keeps PIDs and remote ports out of the match)
netstat -ano | find ":3389"



Registry Edit

Run (Windows+R) > regedit.exe >

::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Change to your desired port (4001 rather than default 3389)

Or through an (Administrative!) command line (CLI), which also restarts Remote Desktop Services so you don’t have to reboot to take your change live. No prompts either, thanks to the /y quiet switch.

:: Command line to change the RDP Listening Port
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 4001 /f
:: No Reboot Required - Restart Remote Desktop Services to listen with the new port
:: (/y answers "yes" to stopping dependent services; net start takes no /y switch)
net stop TermService /y && net start TermService

:: Add a firewall rule to make it possible to connect in
netsh advfirewall firewall add rule name="Open RDP 4001" dir=in action=allow protocol=TCP localport=4001

Confirm it’s listening on the new port, awwwww yeah!
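The same registry-edit procedure as one PowerShell script, with the listening check folded in. This is an added example, not from the original post; it assumes the port 4001 used above and an elevated PowerShell session.

```powershell
# Added example (not the post's own commands): set the RDP port, restart the
# service, open the firewall, and verify the listener. Run as Administrator.
#Requires -RunAsAdministrator
param([int]$NewPort = 4001)   # 4001 matches the port used in the post

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty -Path $regPath -Name PortNumber).PortNumber
Write-Host "Current RDP listening port: $oldPort"

# 1. Change the port (same value the post sets with reg add).
Set-ItemProperty -Path $regPath -Name PortNumber -Type DWord -Value $NewPort

# 2. Restart Remote Desktop Services. Stopping TermService also stops its
#    dependent services, and starting TermService alone does not bring them
#    back, so remember which dependents were running and start them again.
$svc = Get-Service -Name TermService
$runningDeps = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
Stop-Service -Name TermService -Force
Start-Service -Name TermService
foreach ($dep in $runningDeps) { Start-Service -Name $dep.Name }

# 3. Allow the new port through Windows Firewall (inbound TCP), once.
$ruleName = "Open RDP $NewPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $NewPort | Out-Null
}

# 4. Confirm the listener moved: the new port must be LISTENING (owned by the
#    svchost hosting TermService) and the old port should no longer be.
Start-Sleep -Seconds 2
$listen = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listen) {
    $proc = Get-Process -Id ($listen | Select-Object -First 1).OwningProcess
    Write-Host "OK: TCP $NewPort is listening (PID $($proc.Id), $($proc.ProcessName))"
} else {
    Write-Warning "TCP $NewPort is NOT listening; check 'Get-Service TermService'"
}
if ($oldPort -ne $NewPort -and
    (Get-NetTCPConnection -State Listen -LocalPort $oldPort -ErrorAction SilentlyContinue)) {
    Write-Warning "TCP $oldPort is still listening; another WinStation or service may hold it"
}
```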



Hope that helps, leave a post if you want, always glad to hear from new friends 🙂
