Providing (Windows) VNC support to clients that have strict corporate firewalls

Chuck Renner chuck "at" dataoncd.com
Mon, 14 Jan 2002 19:39:24 +0000


I wish to document both a problem with WinVNC, and a solution (even though a
better solution needs to be made).

The problem:

There needs to be a way to change ALL Ports used by VNC, not just the ports
it listens on.  Ports used for outgoing connections should be able to be
changed both on the command-line, and through the GUI interface.  Since this
isn't built-in, I had to build a small hack instead.

1.  You are a VAR who has provided computers to a corporate client, and put
them on their network.  As such, you are restricted to their firewall rules.
2.  You need remote access to these computers to provide cost-effective
support to your client.
3.  The corporate firewall that your client is subject to is very strict,
and blocks all incoming traffic by using Network Address Translation (NAT),
but also all outgoing traffic on almost all ports, to prevent trojan horses.
4.  The only outgoing ports that seem to work are http (80), https (443) and
ftp (21).  HTTP requests and FTP requests are sent through an invisible
proxy.
5.  It would take an act of God to get any of these firewalls changed.
6.  Items 3 and 4 prevent you from using VNCviewer listening on your
network, because the client cannot make an outgoing connection on port 5500.
7.  Please note that https CANNOT be proxied, because SSL is secure.
However, some firewalls check content on the port to make sure it is
"appropriate" for the port.  If your client has one of these firewalls, you
are SOL.
8.  You have control of your own firewall, and port forwards, etc.
9.  You cannot make VNCviewer use a different incoming port.
10.  You cannot make VNC use a different outgoing port to attach to the VNC
viewer.
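Item 7 mentions firewalls that inspect the content on a port. The following is an added example, not code from the original post or from the VNC project: it shows what such a check looks like for a reverse VNC connection on TCP port 443, where the first bytes sent are a plain RFB greeting rather than a TLS handshake. The flow samples are constructed for illustration.

```python
# Added example: classify the first bytes a host sends on TCP/443 as a TLS
# ClientHello, an RFB (VNC) ProtocolVersion greeting, or something else.
import re

# In RFB the server (WinVNC) speaks first even when it made the outgoing
# "-connect" call, so the first 12 bytes leaving the client PC are
# "RFB xxx.yyy\n", e.g. "RFB 003.003\n".
RFB_GREETING = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'rfb' or 'other' for the first bytes of a TCP stream."""
    # A TLS record starts with ContentType 0x16 (handshake) and major version 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if RFB_GREETING.match(data):
        return "rfb"
    return "other"


def rfb_version(data: bytes):
    """Return (major, minor) from an RFB greeting, or None if it is not one."""
    m = RFB_GREETING.match(data)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


# Constructed sample flows: (source host, destination port, first bytes sent).
SAMPLE_FLOWS = [
    ("10.1.1.20", 443, bytes.fromhex("160301") + b"\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.1.1.21", 443, b"RFB 003.003\n"),
    ("10.1.1.22", 443, b"GET / HTTP/1.0\r\n"),
]


def find_vnc_on_https_port(flows):
    """Return the source hosts that sent an RFB greeting on port 443."""
    return [src for src, port, data in flows
            if port == 443 and classify_first_bytes(data) == "rfb"]


if __name__ == "__main__":
    print(find_vnc_on_https_port(SAMPLE_FLOWS))
```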

A brief, but crude, diagram:

Client Side:                                             Your Side:

PC#1 w/ VNC-->\
               \
PC#2 w/
VNC-->---->Firewall-->Gateway-->WAN-->Internet-->Firewall/Gateway-->PC w/
VNCViewer
               /
PC#3 w/ VNC-->/

The solution:

I had this problem.  I needed to force the "Add New Client" feature on
WinVNC to use a different port, so that the outgoing TCP traffic would be
allowed through the firewall.  I knew outgoing port 443 was unblocked and
unproxied, based on some testing that I performed.  WinVNC has no option in
config files, registry entries, or otherwise to change this port.

Thank god WinVNC is open source.  Hopefully, you have a copy of Microsoft
Visual C++ available to you.  Download the source code, and have fun:

There is no need to recompile VNCviewer.  Just set-up a port forward on the
firewall on your side to send incoming port 443 to incoming port 5500 on the
PC of your choice in your office running VNCviewer.

Only a very minor change is necessary in WinVNC.  Open the rfb.h header file
and search for the following line:
#define INCOMING_PORT_OFFSET 5500
Comment the line out by putting two forward slashes in front of it, and then
add the following line immediately after the original line:
#define INCOMING_PORT_OFFSET 443
The new code should look like this:
//#define INCOMING_PORT_OFFSET 5500
#define INCOMING_PORT_OFFSET 443

Save your changes, and close the rfb.h header file.

Open the WinVNC.dsw file by double-clicking on it.  Do a batch-build of
WinVNC, selecting only the configurations marked "NO_CORBA" (this makes your
compiled version as similar as possible to the public release).  If you get
no compile errors, then you will have a new WinVNC.exe in the "NO_CORBA"
subdirectory of the WinVNC source.

Install WinVNC on each of the client PCs that you need to support, and then
replace the WinVNC.exe with the custom version that you just built.  Make
sure WinVNC is installed as a service on each of these machines, and make
sure you have default and user passwords and settings set exactly the way
you want them.

Next, place a shortcut to WinVNC on each of the client desktops, and edit the
command line for the shortcut so it looks something like:
"C:\Program Files\ORL\VNC\WinVNC.exe" -connect yourdomain.com
where "yourdomain.com" is the domain name or IP address of your firewall
which has been set to forward incoming port 443 to port 5500 of the
workstation of your choice on your network (running VNCviewer in listen
mode).

Rename the shortcut on the client desktop to something like "Tech Support".
(Always make things for your client so that they have to use as little brain
power as possible).  If you have done everything correctly, the client
should be able to pass VNC control of their PC to you just by
double-clicking on the shortcut you provided.

If you do not have Visual C++ available to you, I will be happy to provide
you with the WinVNC.EXE that I built, without any support or warranties of
any kind.  I also will be happy to provide you with the modified source of
the rfb.h header file.  The original source for WinVNC is available from
www.uk.research.att.com.  As with the original source and program, my
modifications are made under the GNU GENERAL PUBLIC LICENSE, Version 2, June
1991.

In summary:

The problem can be solved by a very minor change in the WinVNC code, and by
clever use of port-forwarding.  This solution has its problems also.  For
instance, the changes made are crude.  You may need port 443 on your
network for incoming https connections.  This solution does not allow for
that.  Specifically, ports used by WinVNC and VNCviewer should be able to be
changed by command line and/or registry and GUI options.  With connections
made from WinVNC to VNCviewer, this is not possible without heavier
modifications to the source code.

I WOULD VERY MUCH LIKE TO SEE ALL PORTS USED BY WINVNC AND VNCVIEWER TO BE
ABLE TO BE CHANGED AT RUNTIME, BOTH ON THE COMMAND LINE, AND THROUGH THE GUI
INTERFACE.  THESE CHANGES, IF MADE TO A RELEASE VERSION, WOULD ALLOW MUCH
MORE FIREWALL FLEXIBILITY TO END-USERS.

I realize that this post is verbose, and may not help everyone, but I wanted
to make sure that anyone looking to change the incoming port offset would be
able to find this article in the mail archives for VNC.  I wrote this post
in a hurry, so I hope I am accurate and clear.

- Chuck Renner
Director of Technical Services
ICT/Data On CD
www.dataoncd.com