Fog Creek Software
Discussion Board




Remote control software and firewalls again

I need to sort out some remote control software (Windows) that's firewall friendly. I've looked at various bits of software and can't find one that will let you use a NAT firewall on both ends (except gotomypc, but the sub rules it out).

I can host a reflector box locally, i.e. both ends talk to a box on the internet. Has anyone seen anything like this?
VPNs don't solve this as the key management gets to be messy (some of the remotes already have a VPN in place) and I don't want both ends to have to have a static IP.

I don't want to have to open up extra ports on our firewall and I certainly don't want to do it at the remote ends either, so something that uses https as a transport sounds ideal.

I suspect that somewhere in the maze of pages about VNC this does exist (or a webpage with details on how to set it up) but I could only find one which used port forwarding on one end of the VPN http://www.expertvnc.com (Warning: sound on advert)

At present we're doing this using PC Anywhere and modems and while it works I'm getting pressure to offer the same sort of facility over the net.

Peter Ibbotson
Wednesday, November 05, 2003

If you can set up the MS software VPN stuff at each site, you can still use PCAnywhere. Once you connect to the VPN, PCAnywhere can scan for hosts on the remote LAN and provide you with a list of machines to connect to.

One of my clients is using this kind of setup.

Tim Sullivan
Wednesday, November 05, 2003

Tim, the problem with that is the key management plus we'd be exposing our internal network to theirs.

Peter Ibbotson
Wednesday, November 05, 2003

I'm using RAdmin ( http://www.famatech.com ) to support my network remotely. I have one box that acts as a host/gateway to other computers inside the network. RAdmin can actually connect directly with any of the computers inside my network, but the host/gateway setup lets me control the security. It plays nice with my NAT firewall appliance.

I'm not sure why you can't use PCAnywhere on the Net. I've done that in the past. I gave up on it, because it was such a bloated application and was getting harder and harder to install.

Slartibartfast
Wednesday, November 05, 2003

The problem here is the firewalling. Radmin doesn't get it right either; I'd have to set up port forwarding, in which case the VNC variants can cope (I'm not sure the customers would).

Basically what I'm looking for probably ends up looking like this (I've added ADSL routers in for completeness):

Client PC
    |
FireWall
    |
ADSL
    |
The big bad internet
    |
ADSL
    |
reflector box
    |
FireWall
    |
Support person

To break past the firewall (which in most cases only allows outgoing connections) I've inserted a reflector box (à la the token stuff) so both the client and the support guy make outgoing connections only. Our problem is that we've something like 600-odd clients and 4 or 5 support folks, so the simplistic open-up-your-firewall approach (at the support end) doesn't really work, because then our client has to know which IP address to talk to depending on which support guy they are speaking to. VPN could work, but since I think that opens up our network a little too much I'm very uncomfortable with it, and key management would get to be tricky.

In effect this is what gotomypc do. They open a connection from your pc to them and when you connect they match the two up. I suppose what I think I'm looking for is the software they're running.

Peter Ibbotson
Wednesday, November 05, 2003
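The reflector pairing described in the post above, sketched as an added example (not code from the thread or from any product named in it): both ends dial out, send a one-time session code, and the reflector joins the two sockets and relays bytes. The hello-line format, the `sessions` table and all function names are assumptions made for illustration, and the sample traffic is constructed.

```python
import asyncio, secrets
WAIT_SECONDS = 5  # assumed limit for the hello line and for an unmatched side

async def pump(reader, writer):  # copy one direction until EOF, then close
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(reader, writer, sessions):
    code = None
    try:
        hello = await asyncio.wait_for(reader.readline(), WAIT_SECONDS)
        code = hello.decode("ascii", "ignore").strip()
        first = sessions[code]             # KeyError: unknown or spent code
        if first is not None:              # second side: hand streams to the first
            del sessions[code]             # a code pairs exactly one session
            first.set_result((reader, writer))
            return
        fut = sessions[code] = asyncio.get_running_loop().create_future()
        peer_r, peer_w = await asyncio.wait_for(fut, WAIT_SECONDS)
    except (asyncio.TimeoutError, KeyError, ValueError):
        sessions.pop(code, None)           # an unmatched code expires
        writer.close()
        return
    await asyncio.gather(pump(reader, peer_w), pump(peer_r, writer))

async def demo():  # constructed run on loopback; both sides only dial out
    code = secrets.token_urlsafe(16)       # issued per support call, out of band
    sessions = {code: None}                # None = issued, nobody connected yet
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, sessions), "127.0.0.1", 0)
    async def dial(hello, payload):        # hello line, then session traffic
        r, w = await asyncio.open_connection(*server.sockets[0].getsockname()[:2])
        w.write(hello.encode() + b"\n" + payload)
        return r, w
    cr, cw = await dial(code, b"screen")   # client PC
    sr, sw = await dial(code, b"keys")     # support person
    got = (await sr.readexactly(6), await cr.readexactly(4))
    xr, xw = await dial(code, b"")         # replay of the spent code
    rejected = await xr.read() == b""      # reflector closes without relaying
    for w in (cw, sw, xw):
        w.close()
    server.close()
    return got + (rejected,)

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

The relay here is plaintext and the code is the only thing gating a pairing, so a real listener would sit behind TLS and the remote-control protocol would still authenticate end to end.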

Put a box OUTSIDE your firewall, only open up the VNC ports (and all ports from within your firewall).

Terminal Services into that box, maximize the screen.

Now, run a VNC listener on port 80 on that machine and make the client connect to you, using the vnc server. Then their window will pop up on your screen (provided they don't use a proxy server and block outgoing port 80 connections).

vnc
Wednesday, November 05, 2003
