list of preconditions on customer side!?

[snobs]

introduction: i am working for an IT company, and we are searching for an easy maintainable and reliable remote administration solution... something that's transparent and doesn't conflict with our customers IT security policy. our choice fell on the sc derivat 'sc+ssl+repeater' (also known as SCIII or the way i like to call it: SC3)!

our problem: SC3 consists of the repeater (we call it proxy), server (we call it customer part) and viewer (we call it technician part). and every part runs on a different machine. proxy and technician part are no problem at all since we can fix/change the environment (machines and firewall) they are running on. the real problem is that we can not play around with our customers. our environment can be changed but not the customers one. in short: we have to stick with the IT environment they have!

what we need: a check list or better said a 'precondition list' so we exactly know what preconditions have to be met on the customer side (the machine the server is running on). that way we can easily tell if a remote administration session is possible at all.


list of preconditions on customer side:

1. the https port (443) has to be open for outgoing and related connections.
   otherwise: connection fails.
2. no other program should have the https port in use.
   otherwise: program terminates immediately.
3. any other vnc server instance should be closed.

my personal questions/thoughts on the list:

• is the following statement true: 'if you can reach ssl-sites on the internet then port 443 is open!'?
• are there any other ports that one should take care of besides 443?
• is it a listening vnc server (let's say on port 5900) or a running vnc server session which is responsible for possible problems?

please help me! the list is far from completion, and i think it wouldn't only be helpful to me!
any comments, let it be negative or positive are truly welcome...


thanks in advance,
snobs


ps: i will edit this post as soon as someone give me more hints. so that this list will represent all the related comments in this thread...

[mod=494,1203205700]added sticky[/mod]

[redge]

point 1
could be some socket proxy/firewall authentication sheme unknown and not tested on repeater_ssl (windows)
alternativ with bigger list known acceptable proxy/firewall socket
use Linux repeater or configure it inside Linksys product with GPL code


point 3
>> a viewer in listening mode has to be closed. <<
listening on port 443 and 5500 need to be closed only if used with repeater hosted on same computer of vnc viewer
SC3 direct connection to vnc viewer
(vncviewer need to listen (peer to peer connection (without repeater))
vncviewer_ssl.exe -listen (listening default port 5500 and 443)
vncviewer.exe -listen (listen default port 5500)

point 4
true as my knowledge except error from myself

[mabj]

Comment to "point 1"

An application filtering firewall can block for example packages over port 80 if the firewall doesn’t find the package to be a http package.
Using SSL over port 443 though is encrypted so the firewall can not inspect the data in packages.
So if a firewall rule except packages over 443 all packages will pass through no matter what data it contains since it is encrypted.

/M

[snobs]

i thank you both - i changed the first post to reflect your comments!

@redge: sorry but i don't really understand what you mean under point 1 or to what question you refer... give it a go and try it again - please ;)

@mabj: so then there is also no way a firewall changes those packages since it fails in 'understanding' them?
i am thinking of the microsoft isa server, which makes problems if we can believe my and other posters experience.

[redge]

I was wrote about point 1 (erased from yourself snobs)
I toke about hardware/software incompatiblity of some proxy/firewall, and for bypass some limitation from windows, I would suggest to use Linux_repeater more robustness on *nix OS ( that I read but never tried it)

Hope this better explanation

[snobs]

hmmm, as far as my knowlegde goes, i think it shouldn't matter which combination of firewall you have... and still: if that matters - it doesn't matter for us since we have no problem at all with the tools on our side (repeater+viewer)...

our technicians need to know under which conditions a connection from the customers machine to our repeater/proxy is technically possible...
that's why i want to have a list of things/preconditions/requirements/prerequisites (whatever is the right word for it) that have to be met on the machine the server (the SingleClickServer.exe) is running on. i can then give it to our technicians so that they can ask the customers the right questions if they have problems getting a remote administration session to work...

a dialog like the following is what we want:
technician: 'ok mr. customer, can you reach https://... sites?'
customer: 'ehrm, yes i think so!'
technician: 'well, and does the icon disappear immediately after you doubleclick on my name?'
customer: 'uff... erm... no, i think it stays there telling me that it wants to create a connection...'
technician: 'well, thanks mr. customer, now i know that we can help you whenever you want to...'

and thanks again for your time and comments. i just hope that i get a few more comments - especially from the developers of that neeeeaaaat piece of software...

[Rudi De Vos]

SC3 have internal (loopback ports) and external ports.

SC3 actual exist of 3 programs

1) VNC
2) SSL
3) HTTPconnect

Programs use a socket for ipc. Loopback sockets should better be replaced by some other ipc communication, current firewalls even block
loopback connection.

If no iexplorer https proxy is defined -->443 (ext) is used 1) 2)
If iexplorer has https defined the port is the htps port from the iexpl. settings,
can be any port, but as the user has defined it it should be open.

loopback/ext ports should not be in use by other programs

No other vnc instance should be runnning. This can be easy changed by using other mutex and port

[snobs]

and what about the loopback ports? are they assigned randomly? is a specific range hardcoded (for example from 5900-5999)?

i 'hardcoded' port 443 in the helpdesk.txt, is that wrong? or does that force the using of port 443 even if the iexplorer https setting is different?

No other vnc instance should be runnning. This can be easy changed by using other mutex and port?

do you mean a running ultravnc instance or any vnc derivat using port 5900? or is it just a running and used instance (there is already a viewer connected)? i ask because in our office every computer has ultravnc preinstalled and as far as i know we never had a problem using the sc server on it - but i could be wrong since we just used it here to test it a couple of times, but never when a viewer was connected while using it.

[Rudi De Vos]

433 is used when you have set no https port via iexplorer, else that port is used.
Hardcoded port is overwritten by iexplorer settings

Mutex: code change needed
vnc does not allow mulitple servers on 1 PC, we just need to the that sc is another application.

internal ports are high ports like 765548, need to check it, don't know it from my mind

[mabj]

Snobs

Referring to:

@mabj: so then there is also no way a firewall changes those packages since it fails in 'understanding' them?
i am thinking of the microsoft isa server, which makes problems if we can believe my and other posters experience.


------------------------------
With a “Normal” firewall” it should be impossible for the firewall to read the data in a SSL package since this data is encrypted and the SSL endpoint should be at the target device, not at the Firewall.

But Microsoft ISA server is a little bit different. This is not just a firewall. It also can work as a proxy server and some sort of “Reversed proxy”.

Now I’m not a ISA Guru but depending of how it is set up, the endpoint of the SSL session could be on the target device and the encrypted packages will pass right through the ISA Server. ISA Server will just look at source and destination IP addresses and port numbers.
Or it could be set up so the endpoint for the SSL session will be at the ISA Server. If so the ISA Server will be able to look in the data of the packages and tries to determent where to send the package and creates a new SSL session to the target device.

There is plenty of good information at the Internet that describes how to set the ISA Server up. But I know that you can set the ISA server up in a way that would make SCIII to work. (I have successfully tried that myself.) That would NOT be in the same way that you publish a secure website in the ISA Server though.

[mabj]

Snobs.

I think you could disregard my previously message.

After reading the whole conversation a little more careful I understand that the firewall problem is not on the distributor side but on the SCIII side.

Are you sure that the customer aren’t using the Proxy server in the ISA server to access the Internet and that’s where the problem is? If so I have seen that SCIII have problem to connect through some proxy servers.

Rudi De Vos!!!!!!!
I think you might want to look at the initially Connect message sent from the SCIII when a proxy is involved. That package is rejected by some Proxies since they expect more information in the connect method!

Cheers
/M

[redge]

you should add to precondition

do not use 3D mice pointer.
actually work only with classic windows mice pointer.
a reboot required after the change.

[snobs]

well, give me some more time and i will improve the list. i also got new things to add...

@redge: what is a 3D mouse pointer?

[bevtech]

try to use only the classical pointer any other mouse pointer may cause issues with UVNC

[snobs]

oh ok, you meant the neater mice graphic with the 3d style... *smile*
well, but which part should have the default mouse icons? the customer (server part) or the technician (viewer part)? or even both?
and which problems occur if the problematic part uses non-default icons?