Providing (Windows) VNC support to clients that have strict corporate firewalls

Chuck Renner chuck "at" dataoncd.com
Wed, 16 Jan 2002 19:45:03 +0000


OK.  I have tested this scenario.  The tunneling works fine, but the total
picture does not.

When you make the connection from WinVNC to VNCviewer using the tunnel
through SSH, the VNCviewer on the other end thinks it is an "internal
loopback connection", and disconnects you.  This happens regardless of which
IP address you use on the WinVNC machine.

Since VNCviewer states, "Internal loopback connections are not allowed", the
implication is that there is a setting that WILL allow them, either in the
source, or in the GUI settings.  Is this the case?

So the solution just got more complicated.

To avoid the VNCviewer thinking the connection is a loopback, you have to
run the SSH client on a completely separate machine on the same LAN, and
have to allow it to receive connections on its local port from other hosts,
like so:

WinVNC on ClientWS1 ---> SSH on ClientWS2 port 5500 --> Internet --> sshd on
MYFirewall port 443 --> VNCviewer on MyWS1 port 5500

This I have tested, and it works, but presents the following two major
problems:

	1.  This is too complicated for the client.
	2.  Opening the SSH connection from the client to the sshd on your Linux
firewall is effectively like creating a VPN connection from the client to
your network.  This opens a huge security hole in your network, and gives
someone on the client's network the ability to snoop around your network
when the connection is made.

I am concerned about tunneling VNC through SSH, because it gives the client
the ability to create more tunnels.  Is it really wise to secure the client
VNC connection, at the cost of exposing your own network to the client?

Feedback is greatly appreciated.
-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Michael Ossmann
Sent: Tuesday, January 15, 2002 12:59 PM
To: vnc-list "at" uk.research.att.com
Subject: Re: Providing (Windows) VNC support to clients that have strict
corporate firewalls


On Tue, Jan 15, 2002 at 10:10:18AM -0500, Chuck Renner wrote:
>
> WinVNC on ClientWS1 ---> SSH on ClientWS1 port 5500 --> Internet --> sshd on
> MYFirewall port 443 --> VNCviewer on MyWS1 port 5500
>
> Have I got the idea right?  If so, I should be able to do this without
> recompiling VNC at all.

Yup.  Of course your situation is somewhat complicated by the fact that
you have no control over one of the firewalls, but the solution you
described should work fine.
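The worry raised in the message above, that giving the client an SSH login on the firewall also lets them open further tunnels into the support network, is usually handled on the sshd side with per-key options in authorized_keys (`no-port-forwarding`, `restrict`, and `permitopen` / `permitlisten` to limit forwarding to the single VNC destination) or globally with `AllowTcpForwarding` / `PermitOpen` in sshd_config. The script below is an added example, not code from this thread or from the VNC project: it parses an authorized_keys file and reports the keys that could still forward to something other than the VNC viewer port. The key file it reads is constructed inline (the key material is a placeholder, and the host name MyWS1 is taken from the thread); the permitted destination `MyWS1:5500` and the `ssh -L` invocation in the comments are assumptions about how the tunnel in the thread would be set up.

```python
"""Audit an OpenSSH authorized_keys file for keys that allow TCP forwarding
beyond a single permitted destination (constructed example)."""
import re

# Key-type tokens mark the end of the optional options field.
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")


def _split_quoted(text, sep_pred):
    """Split text on characters for which sep_pred is true, but never inside
    double quotes, so values such as command="/usr/bin/some tool" survive."""
    parts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif sep_pred(ch) and not in_quote:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys line, or
    None for blank and '#' comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_quoted(line, str.isspace)
    if KEY_TYPE_RE.match(fields[0]):
        options, rest = [], fields          # no options field at all
    else:
        options, rest = _split_quoted(fields[0], lambda c: c == ","), fields[1:]
    comment = " ".join(rest[2:]) if len(rest) > 2 else ""
    return options, rest[0], comment


def allowed_forwards(options):
    """Work out which ssh -L destinations a key may open.  OpenSSH processes
    options left to right: 'restrict' and 'no-port-forwarding' switch
    forwarding off, 'port-forwarding' switches it back on after 'restrict',
    and each 'permitopen' adds one host:port the key may connect to.
    Returns 'none', 'any', or the list of permitopen destinations."""
    forwarding, permits = True, []
    for opt in options:
        name, _, value = opt.partition("=")
        name = name.lower()
        if name in ("restrict", "no-port-forwarding"):
            forwarding = False
        elif name == "port-forwarding":
            forwarding = True
        elif name == "permitopen":
            permits.append(value.strip('"'))
    if not forwarding:
        return "none"
    return permits or "any"


def audit(text, allowed=("MyWS1:5500",)):
    """Return the comments of keys that can forward anywhere other than the
    permitted destinations (assumed here: the VNC viewer on MyWS1:5500)."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _key_type, comment = parsed
        fwd = allowed_forwards(options)
        if fwd == "any" or (fwd != "none" and not set(fwd) <= set(allowed)):
            flagged.append(comment)
    return flagged


# Constructed sample file.  The second key is the shape a support key should
# have: the client can run  ssh -p 443 -N -L 5500:MyWS1:5500 support@MYFirewall
# (assumed invocation) and nothing else.  Key blobs are placeholders.
SAMPLE = """\
# constructed sample, not a real key file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample client-admin@clientws2
permitopen="MyWS1:5500",no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample vnc-support@clientws2
restrict,port-forwarding,permitopen="MyWS1:5500",permitopen="10.0.0.9:22" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample2 too-broad@clientws2
no-port-forwarding,command="/usr/bin/some tool" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample shell-only
"""

if __name__ == "__main__":
    for comment in audit(SAMPLE):
        print("key can forward beyond the VNC port:", comment)
```

The parser keeps the quoting rules of the real file format (spaces and commas inside a quoted option value do not split fields), which is exactly where naive `split(",")` audits go wrong. Note that `permitopen` only constrains `-L` style forwards; a key that is allowed `-R` forwards onto the firewall would additionally want `permitlisten`, and `no-pty` plus a fixed `command=` stops the support account from being used as a shell.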