Question with SC over the internet and Customer support

Post by suniltantry »

Hi,

I am trying to use SC to provide remote support to my clients. I am able to compile the SC online, create an exe file, and then I am also able to connect to the client. The connection is initiated from the client's end and it reaches my internet machine, which is in the DMZ zone. I would like to have the same connection to be forwarded to my private IP address within my LAN so that it could come to multiple clients and I could sit at my desk and provide support. Is this possible? If yes, what settings do I need to make on my router/firewall?

On the second scenario,
Is it possible to capture the remote machines on the internet via a proxy (ISA/Squid)?

What ports should be open from the proxy to the internet?
Is there any other application that needs to be installed on the proxy server?

Please help.

--Thanks & Regards,
Sunil.

Post by SuperTurtle »

>would like to have the same connection to be forwarded to my private IP address within my LAN so that it could come to multiple clients and I could sit at my desk and provide support. Is this possible?

Yes…it is…

You have two choices here:

#1
Forget about using the DMZ feature of your router (and, it sounds like you saved that for your server anyway). Simply forward the ports used for vnc to your particular computer on your lan.

Of course, the drawback of this is: what about supporting a person from a different desktop, or even while on the road, or perhaps even behind a firewall/NAT at a hotel with 25 other people on the same IP address? Or, what about when you go home?


#2
Ideal solution:

Keep your DMZ machine.
Run the VNC “repeater” on your DMZ machine. That way, BOTH you and the victim who needs help ALWAYS connect to the same machine (your DMZ machine). You can do this connection behind your firewall at work, or from anywhere else also (e.g. doing some support at home after supper). In all cases, you are connecting to the “repeater”, and that connects both of you together. The beauty of this system is that it solves the problem of having to forward ports from your “DMZ” machine to other computers on the office LAN. And, even better, this approach means that you can continue to offer support while you travel, or are at home.

The SC client and your viewer (vncviewer.exe) will always be connecting to the SAME IP address, no matter where you are. The reason why SC is so great is that the end user never needs to type in an IP address. Even better is that when you launch your viewer, you are ALWAYS connecting to that DMZ machine address also (makes your part simple too -- you NEVER have to change the IP address your viewer connects to either!!).

Note that the repeater requires two open ports. One for the incoming victim (SC), and one for you the helper (vncviewer.exe). (So, the repeater needs two ports.)

I use port 80 for my SC users, as that likely is the most open port on a system. For myself (vncviewer), I use port 443 (likely the next most open port on a computer/network). As the person providing help, 99% of the time, I am on my work system, and thus really don’t care much what port I use. However, I do often travel, and take my notebook with me…so, port 443 is likely to be open on any network I am a “guest” on.

In fact, you don’t really need the repeater to run on a machine in the DMZ zone, but just any machine on the network can run the repeater for you. (I run mine on a family computer at home!!!). So, any computer will do, but you will have to forward port 80, and port 443 to that machine running the repeater.

In your case, the DMZ machine is a perfect candidate to run the repeater on (so, you actually don’t need to forward ports at all). This “repeater” can thus be used from any machine on the LAN behind your firewall, and even while you travel on the road, or at home.

Even when “on site” at a customer's location, I can launch a remote support session using my notebook on that network, even when behind a reasonably secure LAN setup (not to mention wifi hotspots etc.).

Check out the repeater…..
http://sc.uvnc.com/index.php?section=27

SuperTurtle

Post by suniltantry »

Hi,

How do I create an SC with a helpdesk.txt file with the repeater option and force the connection to port 443? Also, how do I run the vncviewer in listen mode for 443?

What are the options/syntax that need to be added to the helpdesk.txt file?
What settings need to be done for my repeater?
Which mode should the repeater run in?
How do I forward port 80 and 443 to and from the repeater?

Please advise in detail.

--Thanks & Regards
Sunil.

Post by SuperTurtle »

>How do I create an SC with a helpdesk.txt file with the repeater option and force the connection to port 443

I thought we were going to use port 80 for the SC guy???

Remember, when using the repeater, the SC client and the viewer cannot use the SAME port..the repeater *connects* them together. Each must use a *different* port to connect to the repeater.

Anyway, I thought I suggested we will use port 80 for the SC guy…

The connection in helpdesk looks like:

[HOST]
Double Click on me to start Support
-ID 1234 -connect 192.168.1.1::80 -noregistry

So, the SC does not need any special settings to use the “repeater”…it simply connects to the IP address of the computer running the repeater.

>what settings needs to be done for my repeater?

You are running the repeater in mode II. You don’t really have to change the settings, but you do have to choose the correct two ports. I shall continue to assume that we have the SC user (victim who needs help) to use port 80.

So, in the repeater, you simply set

Accept 443
Listen 80

The mode 1, and mode2 can be left both checked. (we are using mode II..but, both can be checked)

>How do i forward port 80 and 443 to and from the repeater?

Well, that would depend on your particular router…correct? Remember, you don’t have to forward ports “from” the repeater as you ask above. Both the SC client, and vncviewer.exe are *connecting to* the repeater. So, the repeater must be "open" to the internet.


As I said, if the server is in the DMZ zone, then I have to assume that you don’t need to do this. That computer is completely open to the internet..right? (For security reasons, you might not want to use the DMZ feature of your router, but just open the two ports you plan to use, in our case port 80 and 443.) How to do this is going to depend on your particular router.

Note for your vncviewer settings, you will type in:

VNC Server ID:1234

[x] Proxy/Repeater 192.168.1.10:443


Of course, you replace the 192.168.1.10 with your public IP address.

Super Turtle

Post by suniltantry »

Hi,

I set up my helpdesk.txt file as you told me, and then I also made the necessary changes on the repeater, and I am now able to initiate a connection if the user (client) is on the direct internet. Thank you for this support.

I now have one more question.

What if the user (client) is behind a corporate proxy (Squid/ISA) and he wants to get support from me?

What are the changes I need to make in the helpdesk.txt file, or is there any different approach for this?

--- Thanks a lot for this support. I really appreciate it. :)


--Thanks & Regards,
Sunil.

Post by SuperTurtle »

> behind a corporate proxy(Squid/ISA)

Give it a try. It might work as is. ??

SC + repeater has worked behind every fire-wall, and NAT router I have ever tried. So, it is rather nice that way. It really depends on how aggressive that corporate proxy is, and what they allow through.

I would try SC with your current setup..and see if it works. If it doesn't work, then you likely will have to try and set up some type of SSH tunnel. I have not done this yet.

Super Turtle

Post by suniltantry »

Hi,

I tried my current setup and it does not work if the client is behind a proxy. The user (client) runs the file and after that the connection does not even reach the repeater. The connection is somehow blocked at the client end.

Can you tell me what the syntax "-sslproxy" does and what its purpose is?
What else could I do if I have to connect to a client who is behind a proxy?

Also, how are third-party programs such as go to my pc or log me in able to connect, no matter what firewall or proxy configuration is there? (Have you tried to analyse this and replicate this in SC?) Sorry for this off-topic question, but this is just out of curiosity.

Thanks a lot for your help, Super Turtle.

--Thanks & Regards,
Sunil.

Post by SuperTurtle »

Ok…that is on port 80…right?

As mentioned, SC should work behind most firewalls, and NAT routers, and proxy servers. It worked behind just about all of the ones I tried.

>Can you tell me what the syntax "-sslproxy" does and what its purpose is?

I have not used it yet. So, I know almost as much as you in that case. I just figured this stuff out myself. (I try and help out here once in a while, since I feel indebted to this wonderful free utility.)

Anyway, that -sslproxy is presumably for setting up an SSH tunnel (which may help you). I would consider starting a new question.

>Also, how are third-party programs such as go to my pc or log me in able to connect, no matter what firewall or proxy configuration is there?

It is because they are using the http web based protocol, and the “firewall” usually lets that through. These systems are also based on a “repeater” that connects both of them together (as I pointed out, when you connect OUT OF a system, it is MUCH more possible and easy --- this is also why SC + repeater works most of the time).

Remember, “many” firewalls simply block by port. This is why I suggested to use port 80 (you are using port 80 as I suggested for SC??..right???).

The only reason why SC + repeater will not work in this case is that some firewalls actually block by the “type” of data connection trying to be initiated. So, while port 80 is open to allow the browser to work, the firewall will STILL prevent traffic other than web based stuff (this must be what is happening in your case). So, those commercial systems connect each machine together through http (the web browser protocol). It thus becomes VERY hard for a firewall to know that a web based connection is actually some kind of remote software. Some even go farther and “analyze” the traffic and block it.

This is why these web based systems just about always work.

Your solution is thus likely to set up an SSH tunnel, but that may not *necessarily* allow you to work, depending on how the firewall at this workplace functions (by port, by port + protocol, by port + protocol + analyze traffic).

As I mentioned, I had VERY good success with SC + repeater, and have not had a problem behind most firewalls, and even proxy servers.

If you have not been using port 80, I would suggest you try again.


Super Turtle
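
The difference described in the post above between a firewall that filters "by port" and one that filters "by port + protocol", as an added example that is not part of the original thread. The byte strings are constructed samples, and the function names and the `EXPECTED` policy table are hypothetical.

```python
import re

# Leading bytes that identify each protocol on the wire.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")
RFB_BANNER = re.compile(rb"RFB \d{3}\.\d{3}\n")   # VNC ProtocolVersion message

# Protocol each allowed port is expected to carry (hypothetical egress policy).
EXPECTED = {80: "http", 443: "tls"}

def classify(first_bytes: bytes) -> str:
    """Name the protocol from the first bytes seen on a connection."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if first_bytes[:2] == b"\x16\x03":
        return "tls"
    if RFB_BANNER.match(first_bytes):
        return "rfb"
    return "unknown"

def allow_by_port(port: int, first_bytes: bytes) -> bool:
    """Port-only filter: the payload is never inspected."""
    return port in EXPECTED

def allow_by_port_and_protocol(port: int, first_bytes: bytes) -> bool:
    """Protocol-aware filter: the payload must match what the port should carry."""
    return EXPECTED.get(port) == classify(first_bytes)

# Constructed samples: (label, destination port, first bytes on the connection).
SAMPLES = [
    ("browser request", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("TLS ClientHello", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("VNC banner on port 80", 80, b"RFB 003.008\n"),
    ("opaque binary on port 443", 443, b"\x00\x00\x00\x01\xde\xad"),
    ("HTTP on an unlisted port", 5500, b"GET / HTTP/1.1\r\n\r\n"),
]

def evaluate(samples=SAMPLES):
    """Return (label, port-only verdict, protocol-aware verdict) per sample."""
    return [(label, allow_by_port(p, data), allow_by_port_and_protocol(p, data))
            for label, p, data in samples]

if __name__ == "__main__":
    for label, by_port, by_proto in evaluate():
        print(f"{label:28} port-only={by_port!s:5} port+protocol={by_proto}")
```

The third level the post lists, analysing the traffic beyond its first bytes, is not modelled here.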

Post by suniltantry »

Hi Superturtle,

I am using port 80 as you suggested and it works great for me from direct internet connections. It only does not work on a computer that is behind a corporate proxy.

Thanks a lot for your help. I will keep trying to get it working.

--- Thanks & Regards,
Sunil.