How to set the network interface for RDP in Windows Server 2012?

Solution 1

Remote Desktop Services actually have a pretty rich WMI object library you can take advantage of to query and manipulate the configuration. As of Vista/2008, it's located in the root\cimv2\TerminalServices namespace. Here's a good place to start on browsing what's available: Remote Desktop Services Configuration classes

In regards to your specific question, I'd just like to clarify that RDP can only be bound to a network adapter, not a specific IP. I know you said "network interface". I just wanted to clarify for others who might stumble onto this question. It's a somewhat common request on machines that only have one adapter and multiple IPs. If that's what you're looking for, there are other ServerFault questions with answers more detailed. But if I recall correctly, your best bet is to just limit the connections using the built-in firewall.

The specific class that has what you need is called Win32_TSNetworkAdapterSetting. There are 3 methods associated with the class that you can use:

In my experience, SetNetworkAdapterLanaID is more reliable than SelectNetworkAdapterIP because of the "All network adapters" option. It seems like if it's currently configured to "All network adapters" it won't change to the specific adapter with the IP you specify, it will just keep it on "All network adapters" which is technically still correct.

So you're left with using SetNetworkAdapterLanaID, which requires an integer ID value as an argument to the method. So here's how you find the ID to use. First get a reference to the instance of the class. My example here will use the default terminal name called "RDP-Tcp", but it's possible (though unlikely) your systems have additional or different terminal names.

You can check the current status of what network adapter is configured with the following PowerShell:

gwmi Win32_TSNetworkAdapterSetting -filter "TerminalName='RDP-Tcp'" -namespace "root/cimv2/TerminalServices" | Select NetworkAdapterLanaID,NetworkAdapterName

In order to call a method, it's nice to have the instance of the class assigned to a variable, so let's do that:

$ts = gwmi Win32_TSNetworkAdapterSetting -filter "TerminalName='RDP-Tcp'" -namespace "root/cimv2/TerminalServices"

A handy feature of this class is that a couple of the properties it returns are lists of the possible network adapters you can use.

$ts | select -expand DeviceIDList
$ts | select -expand NetworkAdapterList

This should return two lists. The first is a 0-based list of IDs and the second is the friendly name of the adapters associated with the first list. So on my test machine, it returned:

0
1

and

All network adapters configured with this protocol
Intel(R) PRO/1000 MT Network Connection

If you want to correlate the IDs in the DeviceID property to their names in the NetworkAdapterList, you can do so like this:

$adapters = $ts | select -expand NetworkAdapterList
$device_ids = $ts | select -expand DeviceIDList

$adapter_list = @()
foreach ($device_id in $device_ids) {
  $adapter_list += @{$device_id = $adapters[$device_id]}
}
$adapter_list # Mapping of device IDs to adapter names

By default, it's set to use ID 0 which is "All network adapters configured with this protocol". So if we wanted to change it to use the Intel NIC explicitly, we just have to call the method using our existing object and the associated ID.

$ts.SetNetworkAdapterLanaID(1)

You can then verify the change by re-querying the object:

gwmi Win32_TSNetworkAdapterSetting -filter "TerminalName='RDP-Tcp'" -namespace "root/cimv2/TerminalServices" | Select NetworkAdapterLanaID,NetworkAdapterName
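
The steps above combined into one script, as an added example that is not part of the original answer: it resolves the LanaID from the adapter's friendly name instead of hard-coding it, applies it with the same SetNetworkAdapterLanaID call, and confirms the result. The helper name Get-RdpAdapterSetting is hypothetical, the adapter name is the sample one from the answer's test machine, and port 3389 is assumed to be the unchanged default.

```powershell
# Added example, not from the original answer. Run elevated in Windows PowerShell.
$AdapterName  = 'Intel(R) PRO/1000 MT Network Connection'  # sample name from the answer's test machine
$TerminalName = 'RDP-Tcp'                                  # default listener name
$RdpPort      = 3389                                       # assumption: default port is unchanged

# Hypothetical helper: fetch the adapter setting for the listener.
function Get-RdpAdapterSetting {
    Get-WmiObject -Class Win32_TSNetworkAdapterSetting `
        -Namespace 'root/cimv2/TerminalServices' `
        -Filter "TerminalName='$TerminalName'"
}

$ts = Get-RdpAdapterSetting
if (-not $ts) { throw "No listener named '$TerminalName' was found." }

# DeviceIDList and NetworkAdapterList are parallel: each ID indexes its friendly name.
$names = @($ts.NetworkAdapterList)
$map   = @{}
foreach ($id in $ts.DeviceIDList) { $map[[int]$id] = $names[[int]$id] }

# Resolve the LanaID by exact friendly name; refuse to guess on zero or multiple matches.
$found = @($map.Keys | Where-Object { $map[$_] -eq $AdapterName })
if ($found.Count -ne 1) {
    throw "Expected one adapter named '$AdapterName', found $($found.Count). Available: $($names -join '; ')"
}
$lanaId = [uint32]$found[0]

Write-Host "Before: $($ts.NetworkAdapterLanaID) = $($ts.NetworkAdapterName)"
$result = $ts.SetNetworkAdapterLanaID($lanaId)
if ($result -and $result.ReturnValue -ne 0) {
    throw "SetNetworkAdapterLanaID returned $($result.ReturnValue)."
}

# Re-query rather than trusting the cached object.
$after = Get-RdpAdapterSetting
if ($after.NetworkAdapterLanaID -ne $lanaId) {
    throw "Binding is still $($after.NetworkAdapterLanaID) = $($after.NetworkAdapterName)."
}
Write-Host "After:  $($after.NetworkAdapterLanaID) = $($after.NetworkAdapterName)"

# Show the addresses the listener is bound to. If this still lists every address,
# the listener has not picked up the change yet (a comment on this page suggests
# restarting the service).
Get-NetTCPConnection -State Listen -LocalPort $RdpPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

Run it from the console or over the adapter you are binding to, since binding RDP to a different adapter than the one carrying your current session can cut you off.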

Solution 2

run regedit

search key+match whole string only: Terminal Server

get lanatable. example:
    {564D81F9-15B4-42EC-9019-534A56DBEB81}
    {B5A5F6CC-5DFD-43F7-B5B0-20490A58A2EB}
note LanaId for each of them
set HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Winstations\RDP-tcp\LanAdapter 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\Winstations\RDP-tcp\LanAdapter
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp\LanAdapter
to the LanaId you want to accept remote desktop connections on

Author by

Massimo

Updated on September 18, 2022

Comments

  • Massimo over 1 year

    I have a server with multiple network interfaces, and I need RDP to only listen for connections on one of them; the server is not a Remote Desktop server, RDP is only used for remote administration.

    In Windows Server 2008 R2, I was able to configure this using the Remote Desktop Session Host console; in Windows Server 2012, that console isn't there anymore.

    How can I configure this in WS2012?

    • Zoredache about 11 years
      Not that you want to do it via the registry, but I suspect that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LanAdapter is still the right place.
    • Massimo about 11 years
      And how could I set that?
    • Zoredache about 11 years
      Not sure what to set the value to. I just know that is the value that changes on older versions of Windows when you adjust the setting. I figured you might be able to Google for that and find something.
    • Admin about 10 years
      Did you find the solution? Posting it here might help others (like me) looking for the same thing.
  • Massimo about 11 years
    There are no roles on this server, it's not a Terminal Server; RDP is only used for remote administration.
  • cuonglm about 11 years
    Yeah, I know that. I just follow this article technet.microsoft.com/en-us/library/hh921475.aspx Hope this helps.
  • Massimo about 11 years
    This is completely unrelated to RDP...
  • raja over 8 years
    +1 for "use the firewall" which is the simplest and safest method.
  • Ryan Bolger over 8 years
    Firewall is simpler, but not sure I agree with safer. Both accomplish the same goal of not allowing RDP traffic to the target interface. But it seems a lot more likely that someone would accidentally disable the firewall than accidentally re-enable RDP listening on all interfaces. In my experience, disabling the firewall is one of the first things people try when troubleshooting problems that seem network related. Unless you meant safer as in...less likely to screw up the implementation?
  • B. Shea over 6 years
    Is set to use 'all adapters' per your PS output. But only 1 adapter answers. Firewall OFF.
  • B. Shea over 6 years
    huh..? Maybe expand your answer?
  • Ryan Bolger over 6 years
    You might need to restart the service for the change to take effect. Otherwise, I'd open a ticket with Microsoft to ask why it's not working as expected.