Re: RealVNC
- From: "Buddy" <buddy@xxxxxxxxxxxxxxxxx>
- Date: Mon, 27 Aug 2007 11:32:52 -0700
Well, yeah. LogMeIn uses an end to end SSL session - and you don't have to
tweak firewalls. It's not susceptible to man-in-the-middle attacks that VPNs
are. And the basic remote control version is free. Pretty slick.
I recently upgraded a client to SBS 2003 Premium with ISA. Before this they
were running an un-managed setup with a Win2K server in TS app mode with
weak passwords and no domain. This server was so full of trojans, spyware,
etc, they were rebooting it several times a day. They were using Outlook 2K
with .pst and losing email left and right. They have a vertical app and
the vendor was using pcAnywhere to support it. The pcAnywhere security
settings were dumbed way down and the system was basically wide open.
After the upgrade, the vendor complained because I would not let pcAnywhere
on the new network. The customer wasn't very happy at first and the vendor
was reluctant to use RWW. I held my ground and finally introduced the vendor
to LogMeIn. That solution worked out and the vendor changed to LogMeIn for
all of its remote support.
I realize that things don't always go like that. Software support vendors
don't care about network security, they just want access to their app. Guys
like me care about network security, so we're in this battle with the
vendor. By holding my ground and explaining this to my customer (and
reminding them that they just spent a bunch of money for a new - stable
network) it was an easy sell.
In some cases, I have had to resort to site to site VPNs which is the only
way I would allow pcAnywhere to operate inside my network. But in general,
I've been lucky to have dealt with vendors that were willing to work with me
on network security issues.
Buddy G ~
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:uKs3pfC6HHA.5424@xxxxxxxxxxxxxxxxxxxxxxx
a reasonably fair comment, technically a process using both username and
password is more secure than a password only.
Dunno about your experience with support organisations but mine is that
they use whatever mechanism is approved or supplied by their
administration, not mine.
"Buddy" <buddy@xxxxxxxxxxxxxxxxx> wrote in message
news:uzGYxVC6HHA.5360@xxxxxxxxxxxxxxxxxxxxxxx
LogMeIn works great through an unmodified ISA 2004 firewall and it is far
superior to RealVNC as far as security is concerned.
Buddy G ~
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:uN9jBKC6HHA.5164@xxxxxxxxxxxxxxxxxxxxxxx
it may well do _IF_ the support organisation allow their staff to use
logmein, the support organisation _may_ however not allow such, really,
at this point we don't know, it's a decent suggestion.
"Teneo" <not@xxxxxxxx> wrote in message
news:eupOT1A6HHA.2208@xxxxxxxxxxxxxxxxxxxxxxx
Lots of ports opening going on and some complexities..
Would logmein, free version solve the issue ? I use VNC behind server
firewall for LAN but when have remote or home user I use logmein.com
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:%23s5GZfr5HHA.3900@xxxxxxxxxxxxxxxxxxxxxxx
Yes, I wasn't sure you'd mentioned ISA in the list, as indicated in
the list I delete most items as they come in, keeping main
contributions only, makes the folder I store the list in easier to
manage.
I am trying to avoid duplication of effort, of course your thread
continues in the list should anyone have anything to contribute and if
we cannot solve the question here but are able to shed more light on
the problem, from either forum, it should be copied to the other.
Regardless however, ISA monitoring is the key at this point.
"Iakov" <Iakov@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:78551DE8-71EA-4092-A888-9730B099E1C9@xxxxxxxxxxxxxxxx
I posted the identical content to both fora, which mentioned ISA 04. As far
as staying with one forum or other, different audiences visit different
fora. Microsoft SBS support staff as well as some authors I have read
patronize this forum, but not the other, whereas established SBS business
men patronize the other forum, but not here.
"SuperGumby [SBS MVP]" wrote:
Hi Iakov, I've asked in our other forum if you were using ISA, now see my
answer is here :-)
as a newsgroupy m'self I'll suggest keep the discussion here, we'll update
the other list if we solve it.
Luka has the right of it. Look at ISA monitoring as you attempt to start a
session. You may want to create a custom filter for the monitoring, just
tracking traffic on 5500/5800/5900. I'm not sure if just TCP or both TCP and
UDP.
IF it's only one workstation you are interested in a quick and dirty fix
would be not to 'open' but to 'server publish' the ports to the IP of the
workstation.
"Iakov" <Iakov@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:533193F5-482E-4159-AFC2-968AEBBE6337@xxxxxxxxxxxxxxxx
I realized I misread you after my reply, but your additional clarification
helps a lot. I have opened 5800 and 5900 for inbound TCP on the server and
will test with the vendor at a later date.
Let's see what I can find in ISA log...
"Luka Manojlovic" wrote:
No, it's not like that. If we are talking about RealVNC it goes this way
(although settings can be changed):
Default listening port for RealVNC server that runs on the machine on which
we want to connect using RealVNC client is 5900.
Then there is default Java listening port on port 5800 on the client machine
that we want to connect to.
And then "other" party - not the client can run RealVNC Viewer in so called
listening mode - that is used when client that we want to help and has
RealVNC server installed is behind the firewall. This RealVNC viewer in
listening mode is "listening" on port 5500.
I suggest that you check your ISA logs to see what is happening when you
start this software. Check ISA log for connection attempts ISA is blocking.
Luka
"Iakov" <Iakov@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FE41D937-CA97-45B9-87DF-5ECF856CA412@xxxxxxxxxxxxxxxx
I thought the RealVNC regular client listened on port 5900 and RealVNC
web-based Java client listened on 5800 and so I opened 5900 and 5800 for
both inbound and outbound on the Services page of CEICW. When those failed
the vendor said he was using port 5500. I opened that too for inbound and
outbound, and so at one point I had three ports opened simultaneously, but
the result was the same as I indicated in my post whether I tried to connect
from the SBS console or from a user's desktop.
"I suggest that your vendor uses RealVNC Viewer in listening mode and your
client in the network installs RealVNC server."
I don't have any say in what they use. They use their current setup for
tens of clients all day, and so I doubt one client's problems is going to
change their procedure. This is exactly what happens:
I visit their website and click a link, Remote Support
A dialog box pops up to Run / Save / Cancel a 176KB support.exe file
After that's installed, a web page lists all the extensions of their help
desk
I select, say, 100, for the person I spoke to
VNC pops "Trying to connect to remote assistant"
At that point my session is supposed to appear on their screen, and off we
go, but that doesn't happen. Although their computer waits for mine to
contact and give them control of my desktop, my client eventually changes to
"WinVNC is Listening" after about five minutes. And so I guess they are in
server mode initially, and when we fail to connect, my client changes to
server mode? Whatever the case, I had 5500, 5800, 5900 all opened at one
point, but still no luck.
"Luka Manojlovic" wrote:
That is not correct.
VNC server that runs on the "machine you want to connect to" listens on port
5900.
Listener "VNC Viewer in listening mode" listens on port 5500. The connection
is established by clicking on the VNC server on the other machine and "Add
new client".
I suggest that your vendor uses RealVNC Viewer in listening mode and your
client in the network installs RealVNC server. After that just right-click
on the icon in tray and do "Add new client" insert the IP of your vendor and
vendor will see the client's desktop without extra ISA rules.
This way was "invented" to bypass firewall setup.
Luka
"Iakov" <Iakov@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C7305B0F-0063-49AA-8643-B42723D5D733@xxxxxxxxxxxxxxxx
A vendor wants to remotely train an employee via VNC. Two ports (VNC-in and
VNC-out on port 5500) have been opened via the Services screen of CEICW, but
they still can't access the employee's desktop.
The employee installs a small VNC client via the vendor's website. The
client places an icon in the Notification Area (system tray) and pops
"Trying to connect to remote assistant." The vendor's VNC is supposed to
gain access to the employee's desktop, but that doesn't happen. Instead, the
employee's client's popup changes from "Trying to connect to remote
assistant" to "WinVNC Listening," and then the client terminates after
about 5 minutes.
Has anybody used RealVNC successfully behind SBS 03 Premium with ISA 04?
The Internet feeds straight into the external NIC and the employee connects
to the internal NIC via a switch. Thank you.
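Added example, not part of the original thread or any poster's code: a small Python filter that applies the port roles given in the thread (5900 VNC server, 5800 Java viewer, 5500 viewer in listening mode) to firewall log records and groups the denied connections by direction, which is the check the replies suggest doing in ISA monitoring. The record layout, the LAN range and every address are constructed for illustration; this is not the ISA Server log format.

```python
import ipaddress
from collections import Counter

# RealVNC default ports and their roles, as described in the thread.
VNC_ROLES = {
    5900: "VNC server on the machine being viewed",
    5800: "Java viewer port on the VNC server machine",
    5500: "VNC viewer in listening mode (support side)",
}

INTERNAL = ipaddress.ip_network("192.168.16.0/24")  # assumed LAN range

# Constructed records: time action proto src_ip:port dst_ip:port
SAMPLE_LOG = """\
11:02:01 ALLOW TCP 192.168.16.25:1190 203.0.113.10:80
11:02:09 DENY TCP 192.168.16.25:1204 203.0.113.10:5500
11:02:12 DENY TCP 192.168.16.25:1205 203.0.113.10:5500
11:02:30 DENY UDP 192.168.16.25:137 192.168.16.255:137
11:07:44 DENY TCP 198.51.100.7:40112 192.0.2.1:5900
"""

def parse(line):
    """Split one constructed record into a dict of typed fields."""
    _time, action, proto, src, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"action": action, "proto": proto,
            "src_ip": ipaddress.ip_address(src_ip),
            "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port)}

def direction(rec):
    """Classify a record relative to the internal network."""
    if rec["src_ip"] not in INTERNAL:
        return "inbound"
    return "internal" if rec["dst_ip"] in INTERNAL else "outbound"

def denied_vnc(log_text):
    """Count denied connections to VNC ports by (direction, proto, port)."""
    hits = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        if rec["action"] == "DENY" and rec["dst_port"] in VNC_ROLES:
            hits[(direction(rec), rec["proto"], rec["dst_port"])] += 1
    return hits

if __name__ == "__main__":
    for (way, proto, port), n in sorted(denied_vnc(SAMPLE_LOG).items()):
        print(f"{n} denied {way} {proto}/{port}: {VNC_ROLES[port]}")
```

In the constructed sample the denied 5500 traffic is outbound from the workstation to the support side, while the denied 5900 attempt is an unrelated inbound connection from another address.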