Single-Click Remote Desktop Forwarding

In Tunnelier (Bitvise SSH Client) 3.28 and later, this section is largely obsolete. Once the SSH session is established, a Remote Desktop session can be launched by simply clicking a button, and Bitvise SSH Client will set up all the settings and launch the Remote Desktop client for you.

Consult the instructions below if for some reason the automatic single-click solution fails, or if you must configure Remote Desktop to be tunnelled manually.

Securing Remote Desktop With SSH

Remote Desktop, previously known as Terminal Services, is a feature in Microsoft Windows that allows a user to interact with a Windows machine's desktop remotely from another Windows computer. The server must use a version of Windows that includes support for Remote Desktop as a server. This is included in all Server versions of Windows; and it is also included in desktop editions such as Professional, Ultimate, Enterprise, and Business; but it is not supported in Home editions. The client computer can use any version of Windows equipped with the Remote Desktop Connection client (mstsc.exe).

Although Remote Desktop takes measures to protect against passive attacks, it does not appear to provide much protection against an active attack. Also, opening port 3389 on the server means another Windows service open to remote vulnerability probing. Both issues can be avoided by routing the Remote Desktop session through SSH port forwarding. On the server machine, an SSH server, such as Bitvise SSH Server, must be installed. On the client machine, an SSH client, such as Bitvise SSH Client, must be configured so that connections to a specific local port will be forwarded to port 3389 on the Remote Desktop server. One must then direct the Remote Desktop client to connect to the SSH client instead of directly to the server, and the connection will be forwarded over the SSH-secured link.

Note that one must always be diligent in verifying the SSH server's fingerprint when establishing the SSH connection for the first time; otherwise, SSH won't be any better at defending against active attacks either.

Listening Port on XP vs. Win2K and Earlier

On Windows 2000 and earlier, the Terminal Services client does not support connecting to a custom listening port. For this reason, with the older Terminal Services clients, 3389 must be used as the port on which the SSH client will be listening. If this is not possible because a Terminal Services server is running on the same machine, a newer Remote Desktop client can be downloaded from Microsoft which supports connections to non-default ports.

On Windows XP, a port other than 3389 can be entered in the 'Computer' field of the initial RDC dialog box - for example, 'localhost:3390'. This is useful if you need to set up the SSH client to listen on a port other than 3389, for instance if port 3389 is already occupied by the local Remote Desktop server.

Connecting to Localhost on XP prior to SP2

Prior to Windows XP Service Pack 2, the Remote Desktop client on Windows XP explicitly prevented the user from connecting to localhost. For users who have not yet upgraded to SP2, there is a way around this limitation. Have the SSH client listen on, and connect the Remote Desktop client to instead of localhost.

With the Windows XP SP2 version of the Remote Desktop client, it is possible to connect to localhost ( as long as the port being used is other than the default (3389). Note however that connections through do not work any more on Windows XP SP2. Because the address is necessary prior to Windows XP SP2, the same forwarding setup will not work on SP2 as well as pre-SP2 machines.

Step-by-step instructions

Follow these steps if you wish to get up and running quickly with Remote Desktop over SSH. It is advised that you try to understand what each of the steps presented is doing. The difference between understanding and not understanding is frequently the difference between a security measure which works and one that only appears to.

  1. Install Bitvise SSH Server on the server (the machine you wish to access with Remote Desktop).
  2. No changes to the default Bitvise SSH Server configuration are required to use Remote Desktop over SSH. You may wish to make changes to the default SSH server configuration later on, to restrict what SSH features are accessible to remote users. However, for the time being, keep your SSH server settings at default until your Remote Desktop over SSH is up and running.
  3. Apart from installing Bitvise SSH Server, the only thing you need to do on the server is ensure that there is a Windows account which you can use to log on locally. This will normally be a Windows account which already exists and which you plan to be using to log into with Remote Desktop.
  4. Start the Bitvise SSH Server from the Bitvise SSH Server Control Panel.
  5. Install Bitvise SSH Client on the machine from which you wish to access the server.
  6. Configure the following settings on the Login tab in Bitvise SSH Client. Also click the 'Help' link on the Login tab for help with any of these settings.
    1. Host: The IP address or DNS name of the server that you are accessing.
    2. Port: You will normally use the default value, 22. This must match the port that Bitvise SSH Server is listening on. If you have made no changes to the default SSH server configuration to change the port it is listening on, use 22.
    3. Username: The Windows account name with which to log into the server. This must be a valid Windows account name with local logon permissions on the side of the server.
    4. Password: The password with which to log into the server, belonging to the account name specified by Username.
    5. Store encrypted password in profile: You may optionally wish to enable this setting so that you will not be asked to reenter the password each time when logging in after the SSH client has been restarted.
  7. In the C2S Forwarding tab in Bitvise SSH Client, add a new entry and configure the following settings for this entry. Also click the 'Help' link on the C2S Forwarding tab for help with any of these settings.
    1. Status: This will be 'enabled' by default, leave it that way.
    2. Listen interface: The default value is If the client machine is running Windows XP prior to Service Pack 2, change this to If you are running Windows XP SP2, or if you are running Windows 2000 or earlier, leave this at the default value.
    3. List. Port: This is the local (client-side) port on which the SSH client will be listening for a connection from your Remote Desktop client. Set this to 3389 if running Windows 2000 or earlier. Otherwise, if using Windows XP, set this to 3390 or an arbitrary port number. The chosen port number needs to be reflected in your instructions to the Remote Desktop client (below). You can also execute 'netstat -an' from a command prompt and examine the output to ensure that your chosen port is not yet occupied. It is fine if there is not already a line like ' ... LISTENING'.
    4. Destination Host: specifying localhost will work, assuming the Remote Desktop server is listening on all interfaces, which is normally the case. If it is listening on a particular interface, you can determine the interface by executing 'netstat -an' on the server and examining the output for a line like 'xxxxxx:3389 ... LISTENING'. If xxxxxx is, the Remote Desktop server is listening on all interfaces and 'localhost' will work here. Otherwise, the xxxxxx is the IP address that you need to enter in this field. Using 'localhost' will normally work though.
    5. Dest. Port: 3389.
  8. Click the Login button in Bitvise SSH Client and observe the log area for any errors. If the session is established without errors, the SSH setup is running; now you just need to connect through it with the Remote Desktop client.
  9. Run the Remote Desktop client. In Windows XP, you can find it through Start : All Programs : Accessories : Communications : Remote Desktop Connection. Alternatively, you can run it from a Windows command prompt (execute 'mstsc') or through Start : Run : 'mstsc'.
  10. In the Computer field, enter if you configured the 'List. Port' setting in your C2S rule as 3389 (on Windows 2000 or earlier). On Windows XP prior to SP2, enter, where xxxx is the port number you chose for the 'List. Port' field in your C2S rule. On Windows XP SP2 or higher, enter, where xxxx is that same port number.
  11. Click Connect. The SSH session needs to be established with the C2S port forwarding rule active when you do this. If all is well, you should have a secure Remote Desktop connection to the server machine shortly.
  12. You can make sure that your Remote Desktop connection is going through SSH by checking the Bitvise SSH Client log area for a message saying 'Accepted client-to-server connection from ... to localhost:3389' corresponding to each connection attempt you make. Likewise, when your Remote Desktop session closes, the SSH client should output a log message stating 'Closing client-to-server forwarding channel from ... to localhost:3389'.
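
The two 'netstat -an' checks in step 7 (is the chosen 'List. Port' free on the client, and which address should go in 'Destination Host' on the server) can be scripted. The following is an added example, not Bitvise's code: the netstat excerpts are constructed, the 192.0.2.x addresses are documentation placeholders, and the function names and the candidate port list are hypothetical.

```python
import re

# Constructed `netstat -an` excerpts (Windows format); not captured from a real host.
CLIENT_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49712       192.0.2.20:22          ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""
SERVER_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    192.0.2.20:3389        0.0.0.0:0              LISTENING
"""

# One TCP row in LISTENING state: capture local address and local port.
_LISTEN = re.compile(
    r"^[ \t]*TCP[ \t]+(\S+):(\d+)[ \t]+\S+[ \t]+LISTENING[ \t]*$", re.M)
ALL_INTERFACES = {"0.0.0.0", "[::]"}  # how netstat shows "bound to every interface"

def tcp_listeners(netstat_text):
    """Return (address, port) for every TCP socket in the LISTENING state."""
    return [(a, int(p)) for a, p in _LISTEN.findall(netstat_text)]

def port_is_free(netstat_text, port):
    """Client side: True if nothing is already listening on the chosen List. Port."""
    return all(p != port for _, p in tcp_listeners(netstat_text))

def pick_listen_port(netstat_text, candidates=(3389, 3390, 3391)):
    """First candidate port with no existing listener, or None (candidates assumed)."""
    return next((p for p in candidates if port_is_free(netstat_text, p)), None)

def destination_host(netstat_text, port=3389):
    """Server side: value for 'Destination Host', or None if nothing listens on port."""
    addrs = [a for a, p in tcp_listeners(netstat_text) if p == port]
    if not addrs:
        return None
    if any(a in ALL_INTERFACES for a in addrs):
        return "localhost"   # bound to all interfaces, so loopback reaches it
    return addrs[0]          # bound to one address: forward to that address

if __name__ == "__main__":
    print("client List. Port:", pick_listen_port(CLIENT_NETSTAT))
    print("server Destination Host:", destination_host(SERVER_NETSTAT))
```

In the constructed client excerpt, port 3389 is already taken by a local Remote Desktop server, so the forwarding rule has to listen on another port; in the server excerpt, Remote Desktop is bound to a single address, so 'localhost' would not reach it.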


If you encounter problems establishing the SSH session, you will receive diagnostic information in the Bitvise SSH Client log area, as well as in the log entries recorded by the SSH server. Especially in the case of an authentication failure, the SSH server log entries will contain important diagnostic information.

Please see our contact and support page for more information and links to documents about how to go about resolving problems with Bitvise SSH Client and Server.