Cases where SC will and will not connect...

Single Click discussions / bugs

Post by TKD »

SC has made noticeable improvements since the last time I was working with it (back in the x.19.4 release) when it was just starting out. GREAT WORK UVNC TEAM!!

I have found SC connects in some cases where there's a home NAT router, and in some cases (office environment) not at all.

MY QUESTION:
Can you tell me what cases/environments SC will not connect?

Observations:
I have found that SC seems to work OK (as far as I can tell) in regular NAT (home user) environments, but there have been a few corporate users that could not connect. One in particular is a site that uses a managed switch and a basic NAT router - no proxy involved - and I was never able to connect (no personal firewall either). Shouldn't I have been able to connect to the user without any problems, in the same way I would with a home user using a NAT router from their home?

Any help on this would be GREATLY APPRECIATED!

thanks!
nir_kornfeld
Posts: 13
Joined: 2005-03-30 20:00

RE: Cases where SC will and will not connect...

Post by nir_kornfeld »

MY QUESTION:
Can you tell me what cases/environments SC will not connect?
Well, you must understand that UltraVNC uses the TCP/IP protocol to communicate from the host to the client machines.
Basically there are two ways to connect:
Point-to-Point or using a Repeater Server.

The Point-To-Point
When you try to connect in this way, you can only have one NAT router in the way. The reason is the way the NAT handles the TCP/IP header. (If you want more information let me know...)
This will work on local networks, but when trying to connect from your local network to another machine on another local network - you will fail! (Two NATs on the route).

Repeater Server
If you want to overcome the NAT2NAT problem, you will have to use a third machine, running the repeater service on it, which is not behind a NAT. In that configuration, each client connects to this machine and not to each other. The repeater service will make the connection, and each route will have only 1 NAT on the way.

Firewall Problem
Another consideration is the firewall. Because currently UltraVNC uses the TCP/IP protocol and non-standard ports, you might have a problem with firewalls that block outgoing connections on those ports.
Say you're using port 5500 to connect the host to the repeater and port 5900 to connect the viewer to the repeater. The firewalls on both sides must allow outgoing connections on these ports.
If you cannot get the security guys to open outgoing ports, you can still try to use port 80 (which is normally open). Of course, using this configuration does not allow you to have a web server on the repeater machine, and it will not solve all the problems: some firewalls analyse the TCP/IP packets and check that a packet with port 80 as destination port is actually an HTTP packet.
Unfortunately, UltraVNC does not use real HTTP packets, so the firewall will drop the packet, disallowing the connection.

For more information contact me.
ipsec
Former moderator
Posts: 565
Joined: 2004-09-20 18:56

Post by ipsec »

The ones I have known to have issues are: anyone running SP2 on XP with it on and not configured properly; a hardware firewall for a corporate network that is blocking the outgoing port; a personal firewall on the PC that runs SC. And that's about all I know of as issues so far since I have used it.

Not sure what the deal is with the problem behind a NAT router and no firewall... that fits the qualifications for using SC...? Maybe they have some sort of filtering program, like Websense, that doesn't allow ports if they aren't explicitly allowed in their rule set? Or the NAT router has a firewall on it and is blocking the ports you are using.

You can always try a more common port like 80 or 443 if you want, for testing.
TKD

common ports 80, 443 seem to work...

Post by TKD »

Thanks, guys, for the feedback. As for the configuration with the managed switch and NAT router... yeah, there was a built-in firewall on the router. Although I didn't confirm it was blocking the port I was using for SC, I'm pretty sure that's what the problem was. After I switched to 80, I got through without a problem.

thanks again for the feedback!
TKD

shared ports?

Post by TKD »

By the way, when I used port 80 or 443, I noticed some quirkiness and inconsistency in the usage of my web browser. Is it a problem to share a port for remoting that the browser or any other app is using?
ipsec
Former moderator
Posts: 565
Joined: 2004-09-20 18:56

Post by ipsec »

I haven't seen issues with that, but maybe you're getting flooded with port 80 requests, since that's now forwarded?

I know script kiddies that probe their neighbors all the time and tell me about their neighbors' web servers, etc.
nir_kornfeld
Posts: 13
Joined: 2005-03-30 20:00

Re: Cases where SC will and will not connect - NAT problem

Post by nir_kornfeld »

For anyone who wants to understand more about NAT, and why it causes problems with some VNC configurations.

Introduction
NAT (Network Address Table) is used to support the connection of several machines through a single outbound internet connection (or any network connection).
The idea behind NAT is to use the source port part of the IP protocol to point to a virtual port and not a real port; this virtual port is later used by the NAT when the transmission returns.
The IP protocol header consists of source address, source port, destination address and destination port. Each application (that sends information and requires a response) must use a port - that's how the operating system knows who will get the reply, which includes the source port of the request as the destination port.
For example, two browsers that run on the same machine and browse the internet will each choose a different source port: the first one might use 5587 and the second 5588, and the destination port will be 80 (which is the HTTP default). The source ports can not be the same, because when the reply comes from either web site, it will have a destination port of 5587 for the first browser and 5588 for the second - that's how the operating system will know to which application to pass this response.

The NAT table
NAT has a table that consists of records for each app/machine pair on the internal network, the virtual source port assigned to them and the original source port the application chose.
For example: Browser A from Machine 1, Browser B from Machine 1 and Browser C from Machine 2 all want to access some web sites.
The NAT assigns a record to each application, something like:
  • 51012 = Browser A / Machine 1 / 51001
  • 51013 = Browser B / Machine 1 / 51002
  • 51014 = Browser C / Machine 2 / 51001

It then changes the original source port to the virtual port, the source address to its address, and transmits the packet.
When the packet returns to the NAT machine (the source address was changed to its address), the table is searched for the port, then the packet is changed back to its original address and port (this time it's the destination address and port), and passed to the internal network.
Pretty smart...

Introduction to Point-To-Point
Point-to-point connection means that application A on Machine 1 sends and receives information to application B on Machine 2.
To achieve that, each application selects a port on which it will listen, and a port on which it will send. Let's say app A will send on port 5901 and listen on port 5902, and app B will send on port 5902 and listen on port 5901. In that configuration each packet of data sent from app A (on port 5901) to app B will arrive at the destination (because app B listens on that port), and each packet sent from B to A over port 5902 will arrive and be accepted.
It is also possible for these applications to send and listen on the same port - let's say 5901.

The problem with P2P and two NATs
After we have understood the basics, we can discuss the problem:
Two applications, on two different networks, with a NAT machine on each network, want to establish a Point-to-Point connection... Possible? No. Let's see why:
Application A on the first network chooses to listen and send on port 5901, and so does application B on the second network.
Now, both networks are internal ones, and there is a NAT machine which connects them to the internet and thus to each other.
When App A tries to establish a connection, it has to know the address of App B (like the UltraVNC server address needed); let's assume for a moment it knows the address of the NAT machine on the second network. It then sends a packet with the destination address of the NAT on the 2nd network and destination port 5901.
The packet arrives on the NAT machine, which searches for the port in the table... Not found, thus the packet is discarded.
The only way to get these packets back on track is to manually configure the NAT on both networks to forward packets that arrive on a certain port (in our example port 5901) to a specific machine on the internal network. It can even be done using manual configuration on one network, leaving the second NAT to do its job - and it will work - but this will not be 2 NATs anymore...

The Solution?
There is no solution leaving the configuration as 2 NATs, but the need to support remote customers from various support machines without any pre-configuration simulates that problem - it is similar to connecting to MSN Messenger (or any other similar chat) from an internal network and wanting to chat with somebody on some other internal network.
It can be achieved with a 3rd machine. This machine can not be connected behind a NAT (it can be behind a NAT which is manually configured), and will make the connection between two machines, each behind a NAT.

Well, that's it for now. If anyone has questions or comments, do not hesitate.
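The NAT-table walk-through above, together with the point-to-point versus repeater distinction from the earlier reply, as a small simulation: an outbound packet creates a table entry, an unsolicited inbound packet finds no entry and is dropped, a manual port-forward rescues it, and a public repeater works because both sides connect outbound. This is an added example, not code from the post or from UltraVNC. The Nat and Packet classes, the "ID:1234" pairing and every address and port are assumptions chosen to mirror the description; real NATs also key entries on the destination and expire them, which this toy omits.

```python
"""Toy model of the NAT behaviour described in the thread. Added example, not
UltraVNC code; addresses use documentation ranges and ports are made up."""
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Port-translating NAT (the 'NAT table' of the post). `table` maps a
    virtual external port back to the internal (ip, port) that opened the
    flow; `forwards` holds static port-forward rules an admin added by hand."""

    def __init__(self, public_ip, first_ext_port=51012):
        self.public_ip = public_ip
        self.table = {}      # ext_port -> (internal_ip, internal_port)
        self.forwards = {}   # ext_port -> (internal_ip, internal_port)
        self._ports = itertools.count(first_ext_port)

    def outbound(self, pkt):
        """Rewrite src ip/port to the NAT's own; reuse or allocate a mapping."""
        key = (pkt.src_ip, pkt.src_port)
        for ext, internal in self.table.items():
            if internal == key:
                break
        else:
            ext = next(self._ports)
            self.table[ext] = key
        return replace(pkt, src_ip=self.public_ip, src_port=ext)

    def inbound(self, pkt):
        """Undo the translation for a known flow or a static forward; return
        None (packet dropped) when the destination port is in neither."""
        target = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None
        ip, port = target
        return replace(pkt, dst_ip=ip, dst_port=port)


# Made-up addresses (documentation ranges), not real hosts.
NAT_A, NAT_B, REPEATER = "203.0.113.10", "198.51.100.20", "192.0.2.5"
HOST_A, HOST_B = "192.168.1.10", "10.0.0.7"


def direct_attempt(forward_on_b=False):
    """Host A (viewer) behind NAT A tries to open 5901 on host B behind NAT B.
    Returns the packet B receives, or None when NAT B drops it."""
    nat_a, nat_b = Nat(NAT_A), Nat(NAT_B)
    if forward_on_b:
        nat_b.forwards[5901] = (HOST_B, 5901)   # the manual fix from the post
    syn = Packet(HOST_A, 5901, NAT_B, 5901, "SYN")
    on_wire = nat_a.outbound(syn)   # leaves as 203.0.113.10:51012 -> NAT_B:5901
    return nat_b.inbound(on_wire)   # 5901 not in NAT B's table -> dropped


def via_repeater():
    """Both hosts connect outbound to a public repeater (server side on 5500,
    viewer side on 5900, as in the thread), so each NAT has a table entry.
    Returns the packet host B receives when host A sends through the relay."""
    nat_a, nat_b = Nat(NAT_A), Nat(NAT_B)
    b_hello = nat_b.outbound(Packet(HOST_B, 5002, REPEATER, 5500, "ID:1234"))
    a_hello = nat_a.outbound(Packet(HOST_A, 5001, REPEATER, 5900, "ID:1234"))
    # The repeater pairs the two flows by ID and remembers each side's
    # NATed (public ip, virtual port) exactly as seen on the wire.
    sessions = {}
    for p in (b_hello, a_hello):
        sessions.setdefault(p.payload, []).append((p.src_ip, p.src_port))
    (b_pub, b_port), _a_side = sessions["ID:1234"]
    # Viewer data goes out through NAT A (existing mapping), is relayed by the
    # repeater to B's public mapping, and NAT B translates it back inward.
    data = nat_a.outbound(Packet(HOST_A, 5001, REPEATER, 5900, "RFB 003.008"))
    relayed = Packet(REPEATER, 5500, b_pub, b_port, data.payload)
    return nat_b.inbound(relayed)


if __name__ == "__main__":
    print("direct, two NATs:     ", direct_attempt())
    print("direct, forward on B: ", direct_attempt(forward_on_b=True))
    print("through repeater:     ", via_repeater())
```

The first call returns None (the SYN never had a table entry on NAT B), the second delivers the SYN only because an admin pre-configured the forward, and the third delivers viewer data to 10.0.0.7:5002 with no configuration on either NAT, which is the whole point of the repeater.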
Rudi De Vos
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

UltraVnc experiments

1° NAT2NAT
http://www.uvnc.com/index.php?section=21
http://doc.uvnc.com/addons/nat2nat.html
2° SC II
SCII can use an https or socks proxy on the SERVER side.
You still need to open port 443 on your local network.
See forum topic 2651.

SCII seems to run stable while NAT2NAT is experimental.