Java Viewer & SSH port forwarding configuration

William Hooper whooper@freeshell.org
Mon Nov 11 01:17:01 2002


----- Original Message -----
From: "Michael F. Murphy" <michael_murphy@ALUMNI-MAIL.gsia.cmu.edu>
To: <vnc-list@realvnc.com>
Sent: Friday, November 08, 2002 7:07 PM
Subject: Java Viewer & SSH port forwarding configuration


> Need help setting up VNC to be browser accessible through a DMZ/Gateway
> machine by multiple users.
[snip]
> I'm trying to get web browsing on ports other than 5800 working but I keep
> getting "java.net.ConnectException: Connection refused" after being
> presented with
> the password dialog when I access http://gateway:5880/ (for example). A
> configuration issue?
> It does work if I set up to use ports 5900/5800.
>
I just did some testing and it seems that VNC still wants to go 100 ports
above the original HTTP port even if you are tunnelling.  In your example,
try making the WinVNC machine run on display :80 so that even without the
Tunnel the ports will be 5880 and 5980.

> What I've done:
> On "Gateway"(a Linux box with a well known public IP address running ssh
> server)
> each of the potential server users has an account/password and is an allowed
> user in ssh configuration.
> SSH server allows port forwarding and gateway.
>
> Gateway has iptables with the following relevant rules:
> /sbin/iptables -A tcpin -p tcp --dport 5980 -j ACCEPT
> /sbin/iptables -A tcpin -p tcp --dport 5880 -j ACCEPT
>
> /sbin/iptables -A tcpin -p tcp --dport 5900 -j ACCEPT
> /sbin/iptables -A tcpin -p tcp --dport 5800 -j ACCEPT
>
> (I want to tighten this up to allow vnc ports only from ssh'd machines,
> or perhaps restricted by MAC, or .... But that is another day.)
>
If you are using SSH tunneling you don't need these ports open.

> I used the standard 5900/5800 pair for testing. Now
> I want to expand to set up 5980/5880 to allow multiple sessions.
>
> On PC "Server" ( the one sharing the screen, who may be behind a firewall
> and NATed)
> user uses PuTTY to connect to Gateway via SSH. puTTY on PC Server machine
> configured to
> uses SSH tunnelling/port forwarding:
> "Remote Source:5980 Destination:localhost:5900"
> "Remote Source:5880 Destination:localhost:5800"
>
Yeah, this is the part that seems to confuse VNC.  If you make it:
"Remote Source:5980 Destination:localhost:5980"
"Remote Source:5880 Destination:localhost:5880"
Everything seems to work.

> (This connects the local (default VNC) ports on the machine to different
> ports 5980/5880
> on the gateway).
>
> On the PC Servers VNC Viewer properties: display socket(0) and java
> (enabled).

This is where you want to change the Display to :80.

> (AllowLoopback = 1) in the registry.
>
> The Server machine user starts the puTTY SSH session, gets validated
> and SSH forwards the ports...
> Then s/he starts the VNC Server. (Prefer not running a service or other
> automagic until everyone is comfortable and it works).
>
> On some other machine "PC Viewer" (perhaps also behind firewall and NATed)
> user points VNCViewer program to "gateway:80", answers the password prompt,
> and away they go, no problem. However,
>
> Problem:
[snip]
> Is it still the case (i.e. sort of broken) for the current Real VNC version
> or is there some configuration tweak that I missed ?????
>
>
> Thanks,
> Michael
>
> P.S. I will get around to using Stunnel on the gateway (or other
> SSLification, if someone thinks better)
> so that the entire link is encrypted from the PC server to the gateway (SSH)
> and from the gateway to the browser(SSL via https) if I can get the port
> issue squared away.

I'm not sure I follow you here.  Just using SSL on the https port will not
encrypt the VNC traffic from the Java viewer to the gateway, just the
delivery of the applet.

--
William Hooper

All computers wait at the same speed
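The port mapping William recommends, written out as an added example that is not part of the thread: it derives the HTTP and RFB ports for a display number, builds the equivalent OpenSSH `-R` arguments (assumed in place of PuTTY), and checks a set of forwards against the rule that each gateway port is forwarded to the same port on the server PC. The host "gateway" and account "user" are placeholders.

```shell
# Added example, not from the original thread. Assumes an OpenSSH client on
# the PC "Server" instead of PuTTY; "user@gateway" is a placeholder.

# For display :N, WinVNC serves the Java applet on 5800+N and RFB on 5900+N.
vnc_http_port() { echo $((5800 + $1)); }
vnc_rfb_port()  { echo $((5900 + $1)); }

# The Java viewer served from HTTP port P dials back to P+100 on the same
# host, so the gateway must forward that port too.
java_viewer_target() { echo $(($1 + 100)); }

# Working mapping from the reply: forward each gateway port to the SAME port
# on the server PC, with WinVNC running on display :N so that port listens.
vnc_tunnel_args() {
    h=$(vnc_http_port "$1"); r=$(vnc_rfb_port "$1")
    echo "-R $h:localhost:$h -R $r:localhost:$r"
}

# Check forwards given as "gwport:localhost:destport": every gateway port
# must equal its destination port and be one of the two ports for display :N.
check_forwards() {
    display="$1"; shift
    for f in "$@"; do
        gw="${f%%:*}"; dest="${f##*:}"
        [ "$gw" = "$dest" ] || return 1
        [ "$gw" = "$(vnc_http_port "$display")" ] ||
            [ "$gw" = "$(vnc_rfb_port "$display")" ] || return 1
    done
    return 0
}

# Note: sshd binds "-R" listeners to the gateway's loopback unless
# GatewayPorts is enabled; the original setup relies on it being enabled,
# which is what lets a browser on another machine reach gateway:5880.
echo "ssh -N $(vnc_tunnel_args 80) user@gateway"
```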