Guide: RDP Access to Atlantic.Net Windows Server

Important Note: Before proceeding, ensure your Windows Server on Atlantic.Net is configured with a static public IP address and has RDP (Remote Desktop Protocol) enabled. Also, security best practices like using strong passwords and enabling Network Level Authentication (NLA) for RDP should be considered.

Method 1: RDP over 3389 (Direct, Public Internet)

This is the most straightforward but least secure method, suitable for temporary use or on trusted networks. All Atlantic.Net Windows Servers running the desktop experience have RDP configured out of the box.

• • Windows Server 2022 Datacenter (Desktop Experience)
  • Windows Server 2019 Datacenter (Desktop Experience)
  • Windows Server 2016 Datacenter (Desktop Experience)
  • Windows Server 2012 R2 Datacenter (Desktop Experience)

Step 1 – Obtain Server IP

Log into your Atlantic.Net control panel and find your Windows Server’s public IP address. You will also find this on the automated email sent from Atlantic.Net and on the provisioning screen immediately after deploying a Windows Server.

Step 2 – Open RDP Client

On your local Windows machine, press Win + R, type “mstsc”, and press Enter.

If you are using Linux, we recommend using Remmina.

Step 3 – Enter IP Details

In the RDP client, enter your server’s public IP and click “Connect”.

Step 4 – Authenticate

Provide the username and password for a user account with RDP permissions on the server. Atlantic.Net provides this information in the deployment email you get when you first deploy your Windows Server.

Method 2: WinRM (Windows Remote Management)

WinRM offers a PowerShell-based way to manage your server remotely, similar to SSH. To configure this, you will need to RDP to the server first or manage it via the Atlantic.Net VNC console.

Step 1 – Enable WinRM

On the Windows Server, open an elevated PowerShell Windows and type:

winrm quickconfig

This enables WinRM with default settings.

Tip: To open an elevated Powershell window, right-click on the Powershell icon.

Once enabled, you will get the following output:

Step 2 – Create New Inbound & Outbound Firewall Rule

Ensure your Atlantic.net firewall settings allow inbound traffic on port 5985 (HTTP) or 5986 (HTTPS) for WinRM.

Inbound Rule

New-NetFirewallRule -DisplayName "WinRM-HTTP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985

Outbound Rule

New-NetFirewallRule -DisplayName "WinRM-HTTPS" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986

You will get the following output:

New-NetFirewallRule -DisplayName "WinRM-HTTP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985

Name : {b985530a-910d-4243-b483-e23b81013076}
DisplayName : WinRM-HTTP
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :

PS C:\Users\Administrator> New-NetFirewallRule -DisplayName "WinRM-HTTPS" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986
Name : {91d8d840-0d61-407b-bf1e-5186841bf683}
DisplayName : WinRM-HTTPS
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :

Step 3 – Create PSSession

From a local Windows desktop or laptop machine, open PowerShell as Administrator and type the following to connect to your remote server:

$cred = Get-Credential # Enter server credentials
$session = New-PSSession -ComputerName <server_IP> -Credential $cred

You will be prompted for your credentials.

Step 4 – Execute Remote Commands on your Remote Server

You can now manage your remote server from the current shell session.

To test it, try running:

Invoke-Command -Session $session -ScriptBlock { Get-Process }

Method 3: SSH Tunnel (Most Secure)

This method encrypts RDP traffic within an SSH tunnel, making it ideal for untrusted networks. You’ll need SSH access to an intermediary server—typically a jump box (e.g., a Linux server) that can reach your Windows Server. Alternatively, if you have a Linux laptop or Raspberry Pi, you can tunnel directly from there.

Option 1 – Create SSH Tunnel Direct from a Linux Server

If you don’t have OpenSSH installed on your Windows Server, follow these steps:

Step 1 – Install OpenSSH on the Remote Windows Server

By default, SSH is not enabled on Windows Server. To enable it Open PowerShell as an administrator and Run the following command to install OpenSSH:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Step 2 – Start and Enable SSHD service

Start the SSHD service and configure it to start automatically:

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

Step 3 – Allow SSH traffic through the Windows firewall

Run this command in PowerShell as an administrator:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Once SSH is set up on your Windows server, follow these steps on your Ubuntu machine to create the tunnel:

Step 4 – Use Terminal to Establish the SSH Tunnel

Open a terminal session on your local Linux Machine.

Use the following command to create the tunnel:

ssh -L 5985:localhost:5985 administrator@my-ip-address

You should get the following output:

ssh -L 5985:localhost:5985 administrator@my-ip-address
The authenticity of host 'my-ip-address (my-ip-address)' can't be established.
ED25519 key fingerprint is SHA256:VM41PWh85b91ZVTgIot0mqn3hCUV0vgJ4Lsut6OCLtc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'my-ip-address' (ED25519) to the list of known hosts.
administrator@my-ip-address's password:

Microsoft Windows [Version 10.0.20348.2527]
(c) Microsoft Corporation. All rights reserved.

administrator@CLOUD-H35V3SGG8 C:\Users\Administrator>hostname
CLOUD-H35V3SGG8

You can now manage the remote server directly from your local terminal.

Option 2 – Create an SSH Tunnel from a Windows Machine via SSH Jumpbox

Step 1 – Install an SSH Client and Configure

Use a client like PuTTY or OpenSSH.

SSH -> Tunnels:

Source Port: 33389

Destination: your_server_IP:3389

Click “Add”

Step 2 – Set Port Forwarding

In your SSH client’s settings, configure a local port (e.g., 33389) to forward to your Windows Server’s IP and port 3389.

Step 3 – Establish SSH Connection

Connect to your intermediary server via SSH.

Step 4 – RDP to Localhost

Open your RDP client and connect to localhost:33389. Traffic will be securely tunneled to your Windows Server.

Troubleshooting

Firewall: Double-check firewall rules on both the Windows Server and any intermediary server (SSH tunnel).

Network: Ensure network connectivity between your local machine, intermediary server (if using), and the Windows Server.

Authentication: Verify you are using the correct credentials.