Providing (Windows) VNC support to clients that have strict corporate firewalls

Chuck Renner chuck "at" dataoncd.com
Tue, 15 Jan 2002 15:13:31 +0000


OK.  I need to make sure I understand this.

Tell me if this is right.  To make a REVERSE (WinVNC connecting to VNCViewer
in listen mode) connection using VNC through SSH, the internet and a
corporate firewall, I have to do the following:

* Put a SSH program on the client Windows PC running WinVNC.

* Make the SSH program on the Windows PC forward port 5500 to port 443 on
the Linux firewall on my network.

* Bind a sshd to port 443 on my Linux firewall on my network.

* Forward the decrypted data from port 443 on the sshd to port 5500 on my
local Windows workstation running VNCviewer in listen mode.

* Using "Add New Client" on the Windows PC running WinVNC, add localhost as
a new client.  The request should hit the SSH program, which forwards it to
SSHD on port 443 of my firewall, which decrypts it, and forwards it to
VNCviewer, listening on port 5500 of my local workstation.

Something like:

WinVNC on ClientWS1 ---> SSH on ClientWS1 port 5500 --> Internet --> sshd on
MYFirewall port 443 --> VNCviewer on MyWS1 port 5500

Have I got the idea right?  If so, I should be able to do this without
recompiling VNC at all.

I just need some help with SSH in Windows and sshd on the Linux machine.  I
have no idea on how to do this forwarding/tunneling with SSH.  I have never
used SSH for anything but a shell window before (and SCP for file transfer).

- Chuck Renner
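As an added example (not from the post, the VNC project, or any SSH vendor), here is the OpenSSH form of the tunnel described in the steps above, with the firewall-side sshd configuration restricted so the tunnel account can only reach the viewer port. The account name `vnctunnel` and the use of OpenSSH syntax on the client PC are assumptions; MYFirewall and MyWS1 are the host names from the post.

```shell
#!/bin/sh
# Added example: reverse VNC through SSH on port 443. Assumes OpenSSH command
# syntax; the tunnel account name "vnctunnel" is a placeholder.

# Client PC (runs WinVNC): open the tunnel. Port 5500 on the client PC's
# localhost is carried through sshd on port 443 of the firewall and delivered
# to port 5500 on MyWS1, where VNCviewer sits in listen mode. -N: no shell.
# WinVNC "Add New Client" -> localhost then rides this tunnel.
client_tunnel_cmd() {
    fw="$1"; viewer="$2"; user="$3"
    printf 'ssh -N -p 443 -L 5500:%s:5500 %s@%s\n' "$viewer" "$user" "$fw"
}

# Firewall side: sshd_config lines. Port 443 is added alongside 22 so the
# existing admin shell keeps working. PermitOpen limits the tunnel account to
# the single viewer port, so a compromised client PC cannot use the tunnel to
# reach anything else behind the firewall.
sshd_config_fragment() {
    viewer="$1"; user="$2"
    cat <<EOF
Port 22
Port 443
Match User $user
    AllowTcpForwarding yes
    PermitOpen $viewer:5500
    X11Forwarding no
EOF
}

# Check on the client PC: the SSH client must hold a listener on 5500 before
# WinVNC is pointed at localhost; otherwise the VNC connection simply fails.
client_listener_up() {
    netstat -an 2>/dev/null | grep -q ':5500 .*LISTEN'
}
```

The sshd fragment uses a `Match User` block, so it belongs after the global settings in sshd_config.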

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Michael Ossmann
Sent: Monday, January 14, 2002 3:36 PM
To: vnc-list "at" uk.research.att.com
Subject: Re: Providing (Windows) VNC support to clients that have strict
corporate firewalls


On Mon, Jan 14, 2002 at 02:34:16PM -0500, Chuck Renner wrote:
>
> There needs to be a way to change ALL Ports used by VNC, not just the
> ports it listens on.  Ports used for outgoing connections should be able
> to be changed both on the command-line, and through the GUI interface.
> Since this isn't built-in, I had to build a small hack instead.

Most people who are concerned with firewall traversal are also concerned
about the very insecure protocol used by VNC traveling over the
Internet.  If you tunnel VNC through SSH on port 443, it solves both
problems.

--
Mike Ossmann, Tarantella/UNIX Engineer/Instructor
Alternative Technology, Inc.  http://www.alttech.com/
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------