Providing (Windows) VNC support to clients that have strict...

Scott C. Best sbest "at" best.com
Thu, 17 Jan 2002 21:29:59 +0000


Chuck:
	Heya. You've probably already discovered this, but there's
a registry setting you need to make to your VNC server machine to
allow loopback:

	http://www.uk.research.att.com/vnc/winvnc.html

	Down at the bottom, AllowLoopback. Or, even more aggressive,
try LoopbackOnly (which appears to be specific to working well with
SSH tunneling). Hope one of them is what you're looking for!

-Scott


> Ok.  I have tested this scenario.  The tunneling works fine, but the total
> picture does not.
>
> When you make the connection from WinVNC to VNCviewer using the tunnel
> through SSH, the VNCviewer on the other end thinks it is an "internal
> loopback connection", and disconnects you.  This happens regardless of which
> IP address you use on the WinVNC machine.
>
> Since VNCviewer states, "Internal loopback connections are not allowed", the
> implication is that there is a setting that WILL allow them, either in the
> source, or in the GUI settings.  Is this the case?
>
> So the solution just got more complicated.
>
> To avoid the VNCviewer thinking the connection is a loopback, you have to
> run the SSH client on a completely separate machine on the same LAN, and
> have to allow it to receive connections on its local port from other hosts,
> like so:
>
> WinVNC on ClientWS1 ---> SSH on ClientWS2 port 5500 --> Internet --> sshd on
> MYFirewall port 443 --> VNCviewer on MyWS1 port 5500
>
> This I have tested, and it works, but presents the following two major
> problems:
>
> 	1.  This is too complicated for the client.
> 	2.  Opening the SSH connection from the client to the SSHD on your Linux
> firewall is effectively like creating a VPN connection from the client to
> your network.  This opens a huge security hole in your network, and gives
> someone on the client's network the ability to snoop around your network
> when the connection is made.
>
> I am concerned about tunneling VNC through SSH, because it gives the client
> the ability to create more tunnels.  Is it really wise to secure the client
> VNC connection, at the cost of exposing your own network to the client?
>
> Feedback is greatly appreciated.
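The worry in the quoted message, that an SSH login on the firewall lets the client open further tunnels into the network, can be narrowed on the sshd side so the account can carry only the one VNC forward. This is an added example, not configuration from the thread or from the VNC project; the account name vncrelay, the internal hostname myws1.internal.example and the host name myfirewall are assumptions, while port 443 and the viewer's port 5500 come from the quoted diagram.

```text
# /etc/ssh/sshd_config on MyFirewall (added example; "vncrelay",
# "myws1.internal.example" and "myfirewall" are assumed names).
# A dedicated account for the client, used only to carry the VNC tunnel.
Match User vncrelay
    # Key-only login and no interactive session: the account exists
    # solely to hold forwarded ports open.
    PasswordAuthentication no
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    # Only client-initiated (-L) forwards; no -R listeners on the firewall.
    AllowTcpForwarding local
    # The single destination a -L forward may reach: the listening VNC
    # viewer on MyWS1, port 5500. sshd refuses every other host:port,
    # so the client cannot use the login to reach other internal hosts.
    PermitOpen myws1.internal.example:5500

# ClientWS2 then raises the tunnel without requesting a shell (-N) and,
# with -g, lets ClientWS1's WinVNC connect to its port 5500 across the LAN:
#   ssh -N -g -p 443 -L 5500:myws1.internal.example:5500 vncrelay@myfirewall
```

Run `sshd -t` after editing to check the file parses before reloading the daemon.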