Providing (Windows) VNC support to clients that have strict corporate firewalls

Michael Ossmann michael.ossmann "at"
Tue, 15 Jan 2002 18:00:51 +0000

On Tue, Jan 15, 2002 at 10:10:18AM -0500, Chuck Renner wrote:
> WinVNC on ClientWS1 ---> SSH on ClientWS1 port 5500 --> Internet --> sshd on
> MYFirewall port 443 --> VNCviewer on MyWS1 port 5500
> Have I got the idea right?  If so, I should be able to do this without
> recompiling VNC at all.

Yup.  Of course your situation is somewhat complicated by the fact that
you have no control over one of the firewalls, but the solution you
described should work fine.

> I just need some help with SSH in Windows and sshd on the Linux machine.  I
> have no idea on how to do this forwarding/tunneling with SSH.  I have never
> used SSH for anything but a shell window before (and SCP for file transfer).

I don't know the Windows SSH tools very well, but, if you find one that
behaves like OpenSSH on Unix (I think there actually is an OpenSSH for
Windows too), then you would initiate the connection from the Windows
box with something like:

ssh -nq -i key -l vnc -p 443 -L 5500:MyWS1:5500 MYFirewall sleep 30

Where "key" is a private key file which allows sshd to authenticate the
ssh client without the user typing a password, "vnc" is a user account
with no privildges on your firewall setup just for this purpose (and
with the public side of "key" installed), "MyWS1" is the local IP
address of your VNC client, and "MYFirewall" is the public IP or FQDN of
your firewall with sshd running.  You can also give ssh the -C option to
turn on compression, which is a huge bonus if you are using anything
slower than tight encoding or zlib encoding on the VNC connection.  Your
sshd default configuration will probably be fine except that you need to
tell it to listen on port 443.  The "sleep 30" just opens up a 30 second
window for the VNC connection to get started.

Mike Ossmann, Tarantella/UNIX Engineer/Instructor
Alternative Technology, Inc.
To unsubscribe, mail majordomo "at" with the line:
'unsubscribe vnc-list' in the message BODY
See also: