HOWTO: Using WinVNC behind MS Proxy 2.0
Ingecom - SERRE Jean-Christophe
jcs "at" ingecom.com
Wed, 14 Jun 2000 21:42:30 +0000
Mark Vinten <mvinten "at" caluk.com> wrote:
>
[ 8< About my previous post
x86 MS Proxy 2.0 post-SP1 hotfix for VNC and similar services ?
]
>
> Then post a summary :)
OK, it's below -- also online @ http://vnc.ingecom.com/msp.txt
--
JCS - Jean-Christophe SERRE - INGECOM France - +33 (0)1.48.34.12.34
Titanic was ultimately sunk by the only true unsinkable thingy
on our planet -- a big ice cube. Titanic couldn't face
too cold water. (Alain Turgeon)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using WinVNC behind MS Proxy 2.0 memo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Assuming that the proxy computer is
\\PROXY\
10.1.1.1 internal IP
123.1.1.1 external IP
~~~~~~~~~~ Way 1/2 : Using MS Proxy "features"
Note that the setup below applies to MS Proxy without the "packet
filtering" option enabled -- packet filtering is harder to set up and
introduces too many additional bugs to be really usable when the LAN has
a lot of services to publish.
--- Using internal VNC client to external VNC servers
You need to install the WSP client (WinSock Proxy) on the client computer,
available from share \\PROXY\MSPCLNT\
The WSP client makes the station behave almost as if it were directly
connected to the Internet, so most network *client* programs work without
further client setup [the main exceptions being ping and traceroute, which
simply cannot work through MSP].
You can then regularly connect to any internal/external VNC server.
--- Setting VNC server on the proxy
This is for when you want to be able to VNControl the proxy itself. Note
that WinVNC currently binds itself to every available IP on every
interface, which means that putting it on the proxy makes it reachable
both from the LAN and from the Internet -- this currently cannot be
changed without tweaking the source and recompiling.
a) Using only 1 proxy external IP [123.1.1.1]
The most practical choice is then to install VNC and set its display
number to 0 (every other internal host will then have to use its own
unique display number > 0).
b) Using multiple proxy external IPs [123.1.1.1,123.1.1.2, etc.]
The most practical choice here is to put this WinVNC on display 1 -- this
way, every other internal WinVNC can use the standard display 0 on its
own external IP, while only the proxy uses the unusual display number 1
on all external IPs.
(Of course, recompiling WinVNC would allow the proxy too to be on display
number 0 on a single external IP.)
--- Setting VNC server on internal hosts reachable from the outside
You need to install the WSP client (WinSock Proxy) on the server computer,
available from share \\PROXY\MSPCLNT\
The WSP client makes the station behave almost as if it were directly
connected to the Internet, so most network *client* programs work without
further client setup [the main exceptions being ping and traceroute, which
simply cannot work through MSP].
To enable network *server* programs you need to configure a special INI
file for each server's executable. Suppose you have
C:\Program Files\ORL\vnc\WinVNC.exe
you will have to create the file
C:\Program Files\ORL\vnc\wspcfg.ini
with a section named "WINVNC" (the executable name without the .exe
extension).
a) Using only 1 proxy external IP [123.1.1.1]
Assuming your host is 10.1.1.XX, you set up your first internal WinVNC on
display number 1, and its wspcfg.ini will have a section:
..................................................
[WINVNC]
ServerBindTcpPorts=5901
Persistent=1
KillOldSession=1
..................................................
This will make the proxy listen on port 5901 of all external IPs, and
transparently forward all incoming connections to this local WinVNC.
This leaves the proxy itself (if VNC is installed on it) reachable
From the outside: on 123.1.1.1
From the inside : on 10.1.1.1
while first internal host will be reachable:
From the outside: on 123.1.1.1:1
From the inside : on 10.1.1.XX:1
and second internal host will be reachable:
From the outside: on 123.1.1.1:2
From the inside : on 10.1.1.YY:2
etc.
If you want to enable the web-based applet, you'll use instead:
ServerBindTcpPorts=5901,5801
b) Using multiple proxy external IPs [123.1.1.1,123.1.1.2, etc.]
Assuming your host is 10.1.1.XX, you set up each internal WinVNC on
display number 0, and the first wspcfg.ini will have a section:
..................................................
[WINVNC]
ProxyBindIp=5900:123.1.1.1
ServerBindTcpPorts=5900
Persistent=1
KillOldSession=1
..................................................
This will make the proxy listen on port 5900 of external IP 123.1.1.1
only, and transparently forward all incoming connections to this local
WinVNC.
This leaves the proxy itself (if VNC is installed on it) reachable
From the outside: on 123.1.1.1:1
From the inside : on 10.1.1.1:1
while first internal host will be reachable:
From the outside: on 123.1.1.1
From the inside : on 10.1.1.XX
and second internal host will be reachable:
From the outside: on 123.1.1.2
From the inside : on 10.1.1.YY
etc.
If you want to enable the web-based applet, there is a problem: the
ProxyBindIp setting has a bug and only honours its first entry. If you
set it up as per the docs:
ProxyBindIp=5900:123.1.1.1,5800:123.1.1.1
ServerBindTcpPorts=5900,5800
then the proxy will correctly listen on 123.1.1.1:5900 on behalf of your
host, but will also listen on all external IPs, 0.0.0.0:5800!
Thus you can enable web-VNC on one internal host only; the other hosts
will have to use port 5900 only -- starting a second host that tries to
use both ports ends up in random trouble (WinVNC crashes on startup, or
the second host takes over port 5800 from the first one, or both of them
end up with no port 5800 relayed on the proxy at all...)
This bug still applies to MS Proxy 2.0 SP1. A post-SP1 hotfix supposedly
fixes it (and many other bugs), but you can probably get it only from
MS tech support. Related articles:
http://support.microsoft.com/support/kb/articles/Q232/5/88.ASP
http://support.microsoft.com/support/kb/articles/q236/0/01.asp
http://support.microsoft.com/support/kb/articles/Q250/5/10.ASP
NOTE: if you have that hotfix, please email it to me :-)
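Because the proxy's own WinVNC binds every interface and the ProxyBindIp bug silently moves a 58xx port to 0.0.0.0, the only reliable check is to look at what the proxy is actually listening on. The script below is an added example (not part of this memo, not a Microsoft tool): it parses the output of "netstat -an" as run on the proxy and compares it with the listeners the wspcfg.ini entries were meant to create. The netstat text, the internal hosts 10.1.1.10 and 10.1.1.11 standing in for 10.1.1.XX/YY, and the plan in EXPECTED are constructed for the example; paste the real netstat output into SAMPLE_NETSTAT to run it against your proxy.

```python
"""Check what the MS Proxy box really listens on for VNC.

Added example (not from the memo, not a Microsoft tool).  It parses the
output of ``netstat -an`` taken on the proxy and compares it with the
listeners the wspcfg.ini entries were meant to create.  It flags the
ProxyBindIp symptom (a 58xx port bound on 0.0.0.0 instead of the requested
external IP) and any planned listener that never appeared.  The netstat
text, the hosts 10.1.1.10 / 10.1.1.11 and the EXPECTED plan are constructed.
"""
import re

# WinVNC ports: 5900+display for the viewer, 5800+display for the applet.
VNC_PORT_RANGE = range(5800, 6000)

# Constructed ``netstat -an`` output (Windows NT format) for this scenario:
# the proxy runs its own WinVNC on display 1 (binds every interface),
# 10.1.1.10 is published on 123.1.1.1 and 10.1.1.11 on 123.1.1.2, both with
# ServerBindTcpPorts=5900,5800 and a ProxyBindIp line for their own IP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5801           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5901           0.0.0.0:0              LISTENING
  TCP    10.1.1.1:139           0.0.0.0:0              LISTENING
  TCP    123.1.1.1:5900         0.0.0.0:0              LISTENING
  TCP    123.1.1.2:5900         0.0.0.0:0              LISTENING
  TCP    123.1.1.1:5900         198.51.100.7:1044      ESTABLISHED
"""

# Listeners the configuration is supposed to produce: (ip, port) -> owner.
EXPECTED = {
    ("0.0.0.0", 5901): "proxy itself (WinVNC binds all interfaces)",
    ("0.0.0.0", 5801): "proxy itself (WinVNC binds all interfaces)",
    ("123.1.1.1", 5900): "10.1.1.10",
    ("123.1.1.1", 5800): "10.1.1.10",
    ("123.1.1.2", 5900): "10.1.1.11",
    ("123.1.1.2", 5800): "10.1.1.11",
}

_LISTEN = re.compile(r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s*$")


def vnc_listeners(netstat_text):
    """Return the set of (ip, port) TCP listeners inside the VNC port range."""
    found = set()
    for line in netstat_text.splitlines():
        m = _LISTEN.match(line)
        if m and int(m.group(2)) in VNC_PORT_RANGE:
            found.add((m.group(1), int(m.group(2))))
    return found


def check_bindings(listeners, expected):
    """Compare the live listeners with the intended ones.

    Returns {"wildcard":   [(port, wanted_ip, owner)],  # on 0.0.0.0 instead
             "missing":    [(ip, port, owner)],         # planned but absent
             "unexpected": [(ip, port)]}                # VNC port nobody planned
    A port listed under "wildcard" for more than one owner can serve only
    one of them: that is the collision described in the memo.
    """
    report = {"wildcard": [], "missing": [], "unexpected": []}
    for (ip, port), owner in sorted(expected.items()):
        if (ip, port) in listeners:
            continue
        if ip != "0.0.0.0" and ("0.0.0.0", port) in listeners:
            report["wildcard"].append((port, ip, owner))
        else:
            report["missing"].append((ip, port, owner))
    wildcard_ports = {port for port, _, _ in report["wildcard"]}
    for ip, port in sorted(listeners):
        if (ip, port) in expected or (ip == "0.0.0.0" and port in wildcard_ports):
            continue
        report["unexpected"].append((ip, port))
    return report


if __name__ == "__main__":
    result = check_bindings(vnc_listeners(SAMPLE_NETSTAT), EXPECTED)
    for port, ip, owner in result["wildcard"]:
        print(f"port {port} bound on 0.0.0.0, not on {ip} as requested for {owner}")
    for ip, port, owner in result["missing"]:
        print(f"{ip}:{port} for {owner} is not listening")
    for ip, port in result["unexpected"]:
        print(f"{ip}:{port} listening but not in the plan")
```

With the constructed sample the report shows port 5800 bound on 0.0.0.0 while two hosts asked for it on their own external IPs, which is the hotfix-only bug described above; a clean proxy gives three empty lists.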
~~~~~~~~~~ Way 2/2 : Using a port redirector bypassing MS Proxy
Having to use the WSP client has several drawbacks:
-Some network client apps will sometimes behave erratically and will
have to be restarted by hand
-Installing it for VNC gives the computer full Internet access
(so users may use mIRC or Napster...)
-You can install it only on Windows boxes
-Various annoying bugs
The alternative is to run a TCP port redirector daemon on the proxy. A
good and free example is rinetd from
http://www.boutell.com/rinetd/
rinetd is a console app, but you can turn it into an NT service using the
NT Resource Kit (NTRK) tools or similar third-party software.
The examples below use rinetd -- see its documentation.
--- Using internal client to external hosts (VNCviewer only)
You add forwarding rules for each external VNC server, such as:
10.1.1.1 5911 XX.XX.XX.XX 5900
10.1.1.1 5912 YY.YY.YY.YY 5900
Thus, connecting from an internal VNC client to "10.1.1.1:11" will
actually jump outside to host XX.XX.XX.XX (on its standard display
number 0).
--- Using internal client to external hosts (VNCviewer AND/OR web-VNC)
Adding web-VNC access too will not work that easily; it requires either
using several internal IPs on the proxy:
10.1.1.2 5900 XX.XX.XX.XX 5900
10.1.1.2 5800 XX.XX.XX.XX 5800
10.1.1.3 5900 YY.YY.YY.YY 5900
10.1.1.3 5800 YY.YY.YY.YY 5800
Or you'll have to have a unique display number set up on each external
target host:
10.1.1.1 5911 XX.XX.XX.XX 5911 ; this host needs display #11
10.1.1.1 5811 XX.XX.XX.XX 5811
10.1.1.1 5912 YY.YY.YY.YY 5912 ; this host needs display #12
10.1.1.1 5812 YY.YY.YY.YY 5812
This is because using 10.1.1.1:5811 in the browser will NOT make the
applet try to connect to 10.1.1.1:5911, but just to 10.1.1.1:5900 -- the
applet comes from the remote server and is unaware of the port
forwarding; it just "knows" that the remote server listens on ports
5800/5900, and thus will try to use port 5900. So if you use ports
5811/5911 on the forwarder, you will need that remote VNC to really listen
on those ports too in order to have both VNC and web-VNC.
--- Setting VNC server on the proxy
Identical to setup in way 1 with MS Proxy.
--- Setting VNC server on internal hosts reachable from the outside
Each host simply runs WinVNC (with proper display numbers); the
additional setup is done on the proxy in rinetd.
a) Using only 1 proxy external IP [123.1.1.1]
You add forwarding rules for each internal VNC server, such as:
123.1.1.1 5901 10.1.1.XX 5901
123.1.1.1 5801 10.1.1.XX 5801
123.1.1.1 5902 10.1.1.YY 5902
123.1.1.1 5802 10.1.1.YY 5802
This leaves the proxy itself (if VNC is installed on it) reachable
From the outside: on 123.1.1.1
From the inside : on 10.1.1.1
while first internal host will be reachable:
From the outside: on 123.1.1.1:1
From the inside : on 10.1.1.XX:1
and second internal host will be reachable:
From the outside: on 123.1.1.1:2
From the inside : on 10.1.1.YY:2
etc.
b) Using multiple proxy external IPs [123.1.1.1,123.1.1.2, etc.]
You add forwarding rules for each internal VNC server, such as:
123.1.1.1 5900 10.1.1.XX 5900
123.1.1.1 5800 10.1.1.XX 5800
123.1.1.2 5900 10.1.1.YY 5900
123.1.1.2 5800 10.1.1.YY 5800
This leaves the proxy itself (if VNC is installed on it) reachable
From the outside: on 123.1.1.1:1
From the inside : on 10.1.1.1:1
while first internal host will be reachable:
From the outside: on 123.1.1.1
From the inside : on 10.1.1.XX
and second internal host will be reachable:
From the outside: on 123.1.1.2
From the inside : on 10.1.1.YY
etc.
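The rinetd rules above expose internal WinVNC servers to the whole Internet with nothing but the VNC password in front of them, and a hand-written rinetd.conf is easy to get wrong in the two ways this memo describes (two hosts bound to the same address:port, or an applet forward whose bind port does not match what the remote WinVNC really listens on). The generator below is an added example, not part of this memo and not shipped with rinetd: it builds the forwarding rules for both directions from a small plan table, reports those two mistakes instead of emitting a broken config, and adds rinetd "allow" lines so each forward only accepts the listed source addresses. The forwarding and allow lines are genuine rinetd.conf syntax; the host addresses, display numbers and allowed source patterns are constructed.

```python
"""Generate a rinetd.conf for the VNC publishing scheme in this memo.

Added example: not part of the memo and not shipped with rinetd.  A plan
entry is (bind_ip, bind_display, target_ip, target_display, applet?).
build_rules() expands entries into rinetd forwards, refuses two entries
that bind the same address:port, and enforces the applet constraint
(bind display == target display, or the applet connects to the wrong
port).  render_conf() adds ``allow`` lines so only listed sources can use
each forward.  Addresses, displays and source patterns are constructed.
"""

# Constructed plan.  Inbound: Internet -> proxy external IP -> LAN host.
INBOUND = [
    # bind IP,    display outside, target host, its display, applet?
    ("123.1.1.1", 0, "10.1.1.10", 0, True),
    ("123.1.1.2", 0, "10.1.1.11", 0, True),
]
# Outbound: LAN viewer -> proxy internal IP -> external VNC server.
OUTBOUND = [
    ("10.1.1.1", 11, "203.0.113.5", 0, False),   # viewer only: displays may differ
    ("10.1.1.1", 12, "203.0.113.6", 12, True),   # applet too: remote must be on #12
]
# Who may connect to forwards bound on each address (rinetd wildcards).
ALLOW_FROM = {
    "123.1.1.1": ["198.51.100.*"],     # constructed: the admin's remote range
    "123.1.1.2": ["198.51.100.*"],
    "10.1.1.1": ["10.1.1.*"],          # only the LAN may use outbound forwards
}


def ports_for(display):
    """WinVNC listens on 5900+display (viewer) and 5800+display (applet)."""
    return 5900 + display, 5800 + display


def build_rules(entries):
    """Expand plan entries into (bind_ip, bind_port, dest_ip, dest_port) rules.

    Returns (rules, errors).  The rules are only trustworthy when errors is
    empty; a colliding entry is reported and skipped rather than emitted.
    """
    rules, errors, used = [], [], set()
    for bind_ip, bind_disp, dest_ip, dest_disp, applet in entries:
        if applet and bind_disp != dest_disp:
            errors.append(f"{dest_ip}: applet forward needs the target on display "
                          f"{bind_disp}, it is on display {dest_disp}")
            continue
        bind_vnc, bind_web = ports_for(bind_disp)
        dest_vnc, dest_web = ports_for(dest_disp)
        pairs = [(bind_vnc, dest_vnc)] + ([(bind_web, dest_web)] if applet else [])
        for bport, dport in pairs:
            if (bind_ip, bport) in used:
                errors.append(f"{bind_ip}:{bport} already forwarded")
                continue
            used.add((bind_ip, bport))
            rules.append((bind_ip, bport, dest_ip, dport))
    return rules, errors


def render_conf(rules, allow_from):
    """Emit rinetd.conf text; an allow line restricts the rule just above it."""
    lines = ["# bindaddress bindport connectaddress connectport"]
    for bind_ip, bport, dest_ip, dport in rules:
        lines.append(f"{bind_ip} {bport} {dest_ip} {dport}")
        for pattern in allow_from.get(bind_ip, []):
            lines.append(f"allow {pattern}")
    return "\n".join(lines) + "\n"


def generate(entries, allow_from):
    """Full pipeline; refuses to emit a config that has plan errors."""
    rules, errors = build_rules(entries)
    if errors:
        raise ValueError("; ".join(errors))
    return render_conf(rules, allow_from)


if __name__ == "__main__":
    print(generate(INBOUND + OUTBOUND, ALLOW_FROM), end="")
```

A forward with no allow line after it accepts connections from anywhere, so keep an allow pattern for every external bind address; the outbound forwards on 10.1.1.1 get a LAN-only pattern so an Internet host cannot bounce through the proxy to the external VNC servers.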
~~~~~~~~~~ end
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------