Fog Creek Software
Discussion Board




Firewall-friendly remote control?

I went through the different discussions here and googled the web a bit, but I didn't see any mention of a product that will let you do this: To let a support person take control of their PC, the customer connects out to a host on the Net on which a reflector is running; Next, the support who is working on a host in the private network behind a firewall, connects to the reflector to get indirect access to the customer's host.

Ideally...

- the part that needs to be installed on the custome's host is a single DLL or OCX, so I can just shove it into our application, and provide a SUPPORT pushbutton

- acceptable performance even over a dial-up connection

- open-source or reasonable priced

Before I check how to set up port forwarding on the W2K host that is acting as Internet router so as to use VNC from internal hosts... anybody knows of something that would fit the bill? Thank you :-)

--------------

For those interested, here are the products that were mentionned in the different discussions:

http://www.radmin.com (a.k.a. http://www.famatech.com)
http://www.namzak.com
http://www.webex.com
https://www.gotomypc.com
http://www.desktopstreaming.com
http://www.livehelper.com
http://www.netopia.com (Timbuktu and eCare)
http://www.rapidassist.com
http://www.tightvnc.com
http://www.symantec.com/pcanywhere/
http://www.pcduo.com
http://www.egain.com (looks like much more than just remote control)
http://www.veridicus.com/tummy/programming/vncx/ (VNC client rewritten as an ActiveX control; No change since Nov 2001)
http://www.microsoft.com/windows/netmeeting/ (but... "Microsoft retires NetMeeting" http://tinyurl.com/x6c2)
http://www.lotus.com/products/lotussametime.nsf/wdocs/homepage
http://www.bo2k.com (based on the Back Orifice thingie)

Fred
Tuesday, February 17, 2004

We do this for free using VNC.  Run VNCViewer in listen mode and the client downloads the VNCServer from us and connects back to our machine over port 80.  Gets through NAT's and firewalls... (if port 80 is open.. if they have a proxy server it likely means port 80 isn't open and so it won't work no matter what you do).

Michael H. Pryor
Fog Creek Software
Tuesday, February 17, 2004

http://www.realvnc.com

JOS reader
Tuesday, February 17, 2004

Thx guys but...

Michael >> ... connects back to our machine over port 80

But since I assume you'd rather provide support from the comfort of your workstation instead of the computer acting as the Internet router (assume you're not using a hardwarde-based router :-))... how to do you redirect packets from that external host to your workstation?

JOS reader >> Thx about VNC, but the documentation (http://www.realvnc.com/faq.html#firewall) mentions building a tunnel with SSH. Way too complicated for us :-) Did no one write a reflector for VNC?

Fred
Tuesday, February 17, 2004

I believe you can do this with Remote Administrator.

We run it here on a few NT machines, and don't have a need for this feature, but from the help file for the Connect through host option:

"This lets you connected through an intermediate host when there is no direct TCP/IP connection with the computer you want to administer, but an intermediate computer (or host) does have a direct TCP/IP connection to both your target computer and to your computer. Radmin server must be runing on such an intermediate (host) computer for this to work."

You can get it at http://www.radmin.com

--Steve

Steve Barbour
Tuesday, February 17, 2004

We use terminal services or remote desktop to go to our external server which is the one the user connects to.  So we still do it all from the comfort of our own workstations.

Michael H. Pryor
Fog Creek Software
Tuesday, February 17, 2004

Thank you Steve, but unfortunately, it doesn't look like Radmin supports a reflector:

"Your computers are in an internal network behind a NAT based router. Only the router has a public IP address. You can access your internal network computers via the Internet.

To do this you need to configure 'Forwarding' on the router/firewall. Configure the router to forward connections from a port on the router to a specific IP address and port (Radmin server's default port is 4899) of the target computer in your internal network. You need to assign a port on the router for every computer you need to access. The router will then forward the connection to your computer in the internal network."
http://www.radmin.com/support/faq.php#2_9

In other words, it doesn't look like Radmin provides some add-on that is acting as a bridge for networks that use a public host (ie. any host that can be reached from the Net).

BTW, what about simply running NetCat on the gateway W2K, and tell it to forward any incoming connections to such and such port to some host on the LAN that is running VNCViewer in /listen mode? Anybody did this?

Fred
Tuesday, February 17, 2004

Actually, I had an oops post prepared, but I got distracted by work.

Sheesh, you'd think they were paying me.  Oh...wait a minute.

I can't find anything that does what you're looking for either, seems like an opportunity for someone.

--Steve

Steve Barbour
Tuesday, February 17, 2004

TightVNC from a local workstation works for me.  You just have to forward the required ports on your router to the workstation that you want to handle VNC sessions from.

Jan Derk
Tuesday, February 17, 2004

Steve >> I can't find anything that does what you're looking for either, seems like an opportunity for someone.

Thx for the input, though :-) Seems to me like a pretty common need, being able to drive a customer's host from a computer in the LAN. Weird...

Jan Derk >> TightVNC from a local workstation works for me.  You just have to forward the required ports on your router to the workstation that you want to handle VNC sessions from.

Indeed, but how to I set up the W2K host that is acting as the router to support port forwarding? NetCat?

BTW, I just ran a test with a friend who is connected by modem using the TightVNC server that is available on FogCreek's site: Performance with default settings is barely usable. Guess I'll have to look at alternatives like Radmin :-)

Thx everyone.

Fred
Tuesday, February 17, 2004

There is a product which does this, ExpertCity GoToAssist, formerly called "Desktop Streaming". One of our vendors uses this and it is a zero-install solution. The client downloads a small stand-alone program that connects to a reflector, then the vendor takes control. It works perfectly through a firewall and performance is good.

But I suspect it's very expensive: CDW shows what I believe to be the same product, for more than $4000/seat. (!) I believe you can also rent it for a more modest monthly fee. It is charged based on the number of simultaneous streams.

So, expensive, but possibly worth it if there's no real alternative.

Nate Silva
Tuesday, February 17, 2004

Thx Nate :-)

Before leaving the office, I found out how to set up W2K to perform port forwarding (create a new port somewhere deep in the properties of the WAN interface), and gave TighVNC a try from home, and it works OK even though the uplink at the office is 128Kbps.

I'll see if TightVNC performance can be improved for dial-up, and I'll install a firewall on the host that will be used to run the VNC viewer in listen mode, but I'm a bit concerned about leaving an open hole in the firewall at all times.

I also found yet another remote control app, NetSupport Manager, that seems pretty good.

Beer.
ADSL.
Bit Torrent.
Seinfeld.
This is life :-D

Fred
Tuesday, February 17, 2004

If performance is an issue, RealVNC performs much better and is more bandwidth friendly than TightVNC. With RealVNC you get 256 colors default (or it looks like it) with TightVNC you get a more processor intensive & higher res image.

Running TightVNC server from my 433mhz, 128mb ram win2k machine took up 80-90+% of CPU time, while RealVNC took up closer to 40%.

I also liked the refresh method/pattern of RealVNC better.

I think default, VNC runs on ports in the 9001 range (9001, 9002 for the 2nd connection, 9003, etc).

Lastly, would it be possible to run a VNC viewer & server as your reflector. I.e. viewer in listen mode & server. Then you can log on to that computer with VNC, while observing it's VNC session. It would double the lag in things like mouse movements, but if you want that extra layer of security, this box would be totally passive, and your firewall would remain up.

www.MarkTAW.com
Wednesday, February 18, 2004

>> If performance is an issue, RealVNC performs much better and is more bandwidth friendly than TightVNC

Great news :-) It seems like UltraVNC also offers good performance. I'll check both tomorrow.

Does anyone know if those cross-platform tools are as fast as those meant for Windows from the start?

The reason I ask, is that I seem to understand that there are basically two ways to send pictures in a remote control app: Either the bitmaps themselves (sending just the delta from the previous picture, so as to save bandwidth), or sending just the API's that were called. This would explain the terrific performance of Radmin for instance.

>> Lastly, would it be possible to run a VNC viewer & server as your reflector. I.e. viewer in listen mode & server. [...] if you want that extra layer of security, this box would be totally passive, and your firewall would remain up.

I'll give it a shot, and see if performance over dial-up is OK. Thx for the idea :-)

Fred
Wednesday, February 18, 2004

All of you have made alot of good comments and I have been researching the same thing . 
Here goes :

1) Take the 2 files that fog creek offers here unzip them
add  a registry patch (.reg that  configures the password
and settings for vnc ) You can export the settings you want.
2) Create a batch file that adds the registry entry  " regedit.exe /s regpatch.reg "
3) Make the batch run the winvnc.exe  and then run  winvnc.exe - connect  "dns or ip address to connect to"
4) Zip the package up and the use the program zip2secure to make the zip file a selfextracting .exe . Use the option to
run a program to after extraction and have it point to the batch file.
5)  Get a copy of vncreflector and set it up for reverse connections ( instuctions are vauge ) on the ip address setup in step 3. This acts like a combination of proxy and
vncreflector.
6) Add or modify a link to the selfextratiing exe hosted on your site created in steps 1 and 2 .

When the client clicks on the link and chooses open:

1) The exe will extract itself and modify the registry settings to add a password (doesn't matter reverse connections don't require a password ) and connect to
your site that has vncreflector .
2) Vnc  reflector will act like a listening vncviewer and wait for a valid connection from a vncviewer .
3) When you connect to the ip address/ DNS entry of the vncreflector with the vnc client it will bridge the connection to between the client and the server .

Note:
1)If you have problems with connecting through the firewall you can look into using stunnel on the client and the vncreflector to tunnel the connection through ssl port 443 (this also encrypts the traffic) most firewalls  allow SSL connections intitiated from inside the firewall.

2) I haven't setup stunnel yet. I have researched this and  and it doesn't appear to be very complicated . You could also add stunnel and commands in the batch in steps 1 and
2 to configure this also .

All of the software listed is freeware and opensource software . If you use it , Please donate to there cause because they have gone through alot of trouble to make our lives easier and more productive.

Frank Trowell
Tuesday, March 16, 2004

It looks to me like you're going to jump through the flaming hoops of fire, blindfolded, on roller skates, backward, all to avoid buying someone's proven & tested solution to remote viewing, assistance and/or control. Just try not to get your end-user toasted on the way through the fire.

I suppose we could all go out and build our own cars too, since the ready-made one cost so dang much...

Yes, I sell one of the products listed above, but I don't suppose it would be approriate to identify which one here. Good luck with your work-arounds. ;-)

Brent Cox
Monday, March 22, 2004

If you don't mind having someone on the other end give permission, I think the solution you are looking for is here. It's RapidAssist. If you want unattended access, it's coming. With RapidAssist, you only download a client called Jaunt. This happens automatically by clicking on a web-link. It connects out to another server, could even be yours. Both the Viewer and the Sharer connect out to the relay server (JauntServer), so it is very firewall friendly, it works over ports 1181, 443, and 80. RapidAssist is sold as a prescription to the service on a per Technician license. It works through most proxy configurations as well. There is no licensing for the person sharing their computer. Several technicians can share a single technician license as long as they don't log on at the same time. I'm a support technician for nTeras Corporation and I use RapidAssist all the time. I'm availble for asking technical questions about how it works, but I don't do the selling; so, I don't talk price. If you'd like a demo, you should call us up and talk to a representative. If you have technical questions, they can direct you to me or someone else who has all the answers.
I don't mean to solicite, but I was reading and it seemed that people were misunderstanding what our product does and how it works. If this message is inappropriate, please remove it from the message board.
PS. We don't charge extra for support. If you ever have trouble using RapidAssist, you can call us and a support technician will be glad to help. We do care!

Douglas Schultz
Monday, March 22, 2004

Livehelper.com offers a great remote control product that works with http packets and port 80.  If you can browse the net, you can use livehelper.com's remote control technology.  I have tried it and it works perfectly.  I highly recommend this product, you can try it out for free for 10 days I believe as well to make sure it fits your needs before you have to buy it.

Greg Davidson
Monday, March 29, 2004

I tested a product called inquiero.com that does exactly what you need.
A button on you web page and you are in control of your customer's PC.
Cost 70 euro per month per technician.

Vittorio Vezzola tzm.net
Tuesday, April 06, 2004

I use a combination of Putty and RealVNC for my clients.  I bundled them together and made a Nullsoft Scriptable Install System package that totals about 400k.  They install it on their machine.  The VNC Server is configured in "loopback only" mode and the Putty client does SSH2 (local) port forwarding (with compresssion) to connect to my co-lo server (a FreeBSD box).  I then SSH into the FreeBSD box (with remote port forwarding and compression) and take control of the machine.  It is completely firewall and NAT independent, as both machines just need to be able to initiate a connection to my FreeBSD machine to port 22.  I have dialup at home, and it is completely usable.  Let me know if you need the details!

Kristian Kielhofner
Wednesday, April 07, 2004

Remote Anything is a firewall firendly remote administration package.

http://www.twd-industries.com

Starling
Tuesday, April 13, 2004

We have been researching products some time. We took a look at www.inquiero.com and really liked it coz you didn't have to configure or open ports, nats, firewalls etc. If there was a way in, it seemed to find it.
Active X based, allowed Unattended access, really convenient.
We didn't go for it coz it was 75 or 100 euros per month, if money was no object...

Ingrid Fenalson
Tuesday, June 22, 2004

VNC reflector seems perfect for this.

Get it from

http://www.gnu.org/directory/network/servers/VNCReflector.html

Compile it with 'make'

(The only problem so far is it only seems to work on linux, I tried compiling on FreeBSD and it gives errors)

then create a file 'hostfile' with nothing but:

-------------------------------
*:5598
-------------------------------

in it (you can use a different port)

Then run vncreflector 'hostfile'

Customers can follow the instructions at http://www.fogcreek.com/rc.html

except using the host running vncreflector and port 5598 (or whatever you change it to)

you can connect to the same host using vncviewer (default port is 5999, also changeable.

both of you can be behind a normal router/firewall doing NAT, and it will still work.


By

George Bush
Thursday, July 01, 2004

*  Recent Topics

*  Fog Creek Home