Providing (Windows) VNC support to clients that have strict...

Chuck Renner chuck "at" dataoncd.com
Fri, 18 Jan 2002 20:55:57 +0000


OK.  The registry setting AllowLoopback does not work when connecting WinVNC
to a VNCviewer.

Thanks.  Darn!

I might still have to have a custom compile.

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Scott C. Best
Sent: Thursday, January 17, 2002 4:26 PM
To: vnc-list "at" uk.research.att.com
Cc: chuck "at" dataoncd.com
Subject: Re: Providing (Windows) VNC support to clients that have strict...


Chuck:
	Heya. You've probably already discovered this, but there's
a registry setting you need to make to your VNC server machine to
allow loopback:

	http://www.uk.research.att.com/vnc/winvnc.html

	Down at the bottom, AllowLoopback. Or, even more aggressive,
try LoopbackOnly (which appears to be specific to working well with
SSH tunneling). Hope one of them is what you're looking for!

-Scott


> Ok.  I have tested this scenario.  The tunneling works fine, but the total
> picture does not.
>
> When you make the connection from WinVNC to VNCviewer using the tunnel
> through SSH, the VNCviewer on the other end thinks it is an "internal
> loopback connection", and disconnects you.  This happens regardless of which
> IP address you use on the WinVNC machine.
>
> Since VNCviewer states, "Internal loopback connections are not allowed", the
> implication is that there is a setting that WILL allow them, either in the
> source, or in the GUI settings.  Is this the case?
>
> So the solution just got more complicated.
>
> To avoid the VNCviewer thinking the connection is a loopback, you have to
> run the SSH client on a completely separate machine on the same LAN, and
> have to allow it to receive connections on its local port from other hosts,
> like so:
>
> WinVNC on ClientWS1 ---> SSH on ClientWS2 port 5500 --> Internet --> sshd on
> MYFirewall port 443 --> VNCviewer on MyWS1 port 5500
>
> This I have tested, and it works, but presents the following major two
> problems:
>
>       1.  This is too complicated for the client.
>       2.  Opening the SSH connection from the client to the SSHD on your Linux
> firewall is effectively like creating a VPN connection from the client to
> your network.  This opens a huge security hole in your network, and gives
> someone on the client's network the ability to snoop around your network
> when the connection is made.
>
> I am concerned about tunneling VNC through SSH, because it gives the client
> the ability to create more tunnels.  Is it really wise to secure the client
> VNC connection, at the cost of exposing your own network to the client?
>
> Feedback is greatly appreciated.
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
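The quoted message worries that the SSH tunnel used for the reverse VNC connection also lets the client open further tunnels into your network. The following is an added example (editor's, not from anyone in the thread) of server-side OpenSSH settings that confine the client's account to the single forward the thread needs, MyWS1 port 5500; the account name "vncclient", the host names and the key are assumptions taken from or added to the scenario above.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSH server settings that let the
# client's ssh carry only the reverse-VNC connection (to MyWS1 port 5500)
# and nothing else. Account name "vncclient", host names and key are assumed.
#
# What the thread sets up on ClientWS2, for reference:
#   ssh -N -g -p 443 -L 5500:MyWS1:5500 vncclient@MYFirewall
# With an unrestricted account the same login could forward to any host the
# firewall can reach; the settings below pin it to MyWS1:5500.

VNC_TARGET="MyWS1:5500"

# Build an authorized_keys line that disables everything except one local
# forward: "restrict" turns off pty, agent/X11 forwarding and port forwarding,
# "port-forwarding" re-enables forwarding, "permitopen" limits its destination.
vnc_tunnel_authorized_key() {
  pubkey="$1"   # e.g. "ssh-ed25519 AAAA... vncclient@ClientWS2"
  printf 'restrict,port-forwarding,permitopen="%s" %s\n' "$VNC_TARGET" "$pubkey"
}

# sshd_config Match block for the same account, so the limits hold even if
# the key line is later edited by hand.
vnc_tunnel_sshd_match() {
  cat <<EOF
Match User vncclient
    AllowTcpForwarding local
    PermitOpen $VNC_TARGET
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    GatewayPorts no
EOF
}

# Demonstration with a constructed (not real) public key.
vnc_tunnel_authorized_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY vncclient@ClientWS2"
vnc_tunnel_sshd_match
```

Append the first function's output to the vncclient account's `~/.ssh/authorized_keys` and the second's to `sshd_config`; the client can then reach MyWS1:5500 through the tunnel and nothing else on your network.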