Cannot connect to WinXP box with UltraVNC

Peter Coulter peter "at" coulter.ndo.co.uk
Sun Mar 7 15:00:01 2004


Scott,

Thanks for the reply.

I can see where you are coming from and I will give it a try (and report
back).

Yes, GoToMyVNC shows the attempts reach my VNC server on my home network
(behind the Netgear router and NIS 2003 Personal Firewall), and something
bad happens after that. But I get the password screen back on the initiating
PC (on the office network) so traffic gets out from my NIS SW firewall, and
my Netgear router to the originating PC (in the office) to post the password
screen (so something's working!). The password is entered and it is after
that that things go awry. The question is where and why.

I have to take issue with the statement "Aren't the software firewalls just
doing their job?". The answer there is only a qualified Yes. 
Yes the SW firewall is blocking things, but I have configured it to allow
some traffic, and in this case UltraVNC traffic, to pass. So, in my view,
the SW firewall is not doing its job to the fullest extent it should. 

As I see it this could be failing for one of four reasons.

1. The NIS SW firewall is not configured correctly.
NIS is set in Program Control to allow WinVNC.exe full access (in both
directions). 
Under Advanced / General Rules a rule is specifically set for VNC to allow
TCP/UDP traffic to pass on the ports 5500, 5800 and 5900 in both directions.

So unless UltraVNC is using some other port(s) I am unaware of then as far
as I am concerned NIS is configured correctly (in terms of ports). Input
from anyone on that would be appreciated. 
Currently I also restrict this rule to allow traffic only from the office
sub-net and its proxy server IP addresses, and this could potentially be the
issue if for some reason the incoming (to my home network) IP address is not
in these ranges. But I am pretty sure of these addresses, however I will
tinker with that too.

2. UltraVNC and NIS 2003 are incompatible.
I have seen some reports about this and wonder if anyone can confirm.

3. It could be the HW firewall (Netgear router) is the problem. But on the
other hand I have also configured the Netgear to allow all traffic on the
ports identified above to pass in both directions. And the results from
GoToMyVNC seem to show it is operating as expected/required.

4. There is finally the corporate firewall - and obviously I have no control
over that. 
I think one of the key points in my original posting is that the office PC
behind the corporate firewall(s) gives no response to GoToMyVNC. But in this
case I would have thought that using the JM, via IE internet browser, would
have worked; but it didn't and I am puzzled about that. 

In conclusion: 
I am loath to disable the NIS SW firewall. My primary use for the SW
firewall is to block unwanted outgoing traffic from my LAN. The HW firewall
stops unwanted incoming traffic and the SW catches unwanted outbound stuff.
This arrangement has saved my network a couple of times after the kids
unintentionally, or unwittingly (Kazaa I spit upon you!), have downloaded
stuff that has promptly started making unwanted outgoing connections.

In fact I will not accept - as a long term solution - disabling the SW
firewall just for the wants of a single application; that is much too high a
risk solution. It (NIS) works for other applications; I have no trouble, for
example, running GotoMyPC by appropriate configuration of the HW and SW
firewall.

So I am still hoping for a solution that allows me to use both HW and SW
firewalls with UltraVNC. 

BTW: what are "AuthHosts settings in your VNC Servers"?

Regards,

--------------------------------------------
Peter Coulter
--------------------------------------------


> -----Original Message-----
> From: Scott C. Best [mailto:sbest "at" best.com]
> Sent: Saturday, March 06, 2004 7:55 PM
> To: vnc-list "at" realvnc.com
> Cc: peter "at" coulter.ndo.co.uk
> Subject: Re: Cannot connect to WinXP box with UltraVNC
> 
> 
> Peter:
> 	Heya. Akshally, I think GoToMyVNC is telling the truth:
> if your VNC Viewer can connect to the VNC Authentication prompt, then 
> the connect attempt is reaching your VNC Server. It's just that 
> something bad happens after that. :)
> 
> 	You say below that 'both software firewalls have set the local
> sub-net to "trusted and let all through"'. And that works, but you 
> can't connect from somewhere off your LAN. So...aren't the software 
> firewalls just doing their job?
> 
> 	I know you don't want to, but please try connecting to
> the VNC Server with the software firewalls fully disabled. If you 
> don't have any AuthHosts settings in your VNC Servers, then I don't 
> think it could be anything else but them.
> 
> good luck,
> Scott
> 
> > I've crawled all over the documentation, and through a lot of the
> > mailing list (although admittedly not all), and cannot find what might
> > be the problem and thus no solution. Apologies in advance if the
> > solution is posted somewhere and I have missed it. Any suggestions
> > what I might be doing wrong would be helpful.
> >
> > Situation:
> >
> > WinXP and Win98SE boxes behind a Netgear router. UltraVNC (server and
> > viewer) installed on both. I am using a Dynamic DNS service IP to
> > resolve my Dynamic IP address. The Netgear is set to port-forward 5900
> > & 5800 to WinXP and 5901 & 5801 to 98SE.
> >
> > The WinXP box has Norton Internet Security (NIS, inc. Personal
> > Firewall) installed. This is set to let ports 5900 and 5800 through. I
> > do not use WindowsXP built-in "Internet Connection Firewall" and it is
> > switched off. On the 98SE box the Freedom Personal Firewall is on.
> > Obviously both software firewalls have set the local sub-net to
> > "trusted" and let all through.
> >
> > Inside the Netgear router (i.e. on my LAN) all is well. Ultra-VNC 
> > works fine both ways from both boxes.
> >
> > Outside the Netgear is another issue.
> > From my office PC (which also has UltraVNC (server and viewer)) installed
> > when I try to use UltraVNC I have no success.
> > Ping does not detect the WinXP box because the router is set to not
> > respond to ping, but I can log onto my router remotely by both IP
> > address and dyndns-service-name and from there see the devices on the
> > LAN just fine so connectivity is fine.
> >
> > The NIS logs show that the UltraVNC access attempt is hitting the NIS
> > firewall - so the router is port-forwarding to the WinXP box
> > correctly. When I try to access the WinXP box from the office PC using
> > VNCViewer it fails returning the messages "Failed to connect server!".
> > This is the same whether I use <dyndns-service-name:0> or
> > <dyndns-service-name::5900> to try to access VNC on the WinXP box.
> > When I try to access WinXP box from the office PC using IE I get the
> > VNC Authentication screen displayed, and the header bar is displaying
> > the host name of my WinXP box; so it would seem that the attempt is
> > reaching VNC on the WinXP box. But the response is always the same
> > "Network error: unable to connect to server: <dyndns-service-name>".
> <snip>
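
Added example (not part of the original messages, and not UltraVNC or GoToMyVNC code): a small probe for the "where and why" question in this thread. It reports how far a connection to the VNC display port gets through the firewall chain, using the fact that an RFB server speaks first with a 12-byte ProtocolVersion line. The function name probe_rfb and the stage labels are hypothetical.

```python
import socket
import sys

def probe_rfb(host, port=5900, timeout=5.0):
    """Return (stage, detail) for one connection attempt to a VNC display port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # Silence usually means a firewall on the path is dropping the SYN.
        return ("tcp_timeout", "no answer; packets are probably being dropped")
    except ConnectionRefusedError:
        return ("tcp_refused", "host answered but the port is closed or rejected")
    except OSError as exc:
        return ("tcp_error", str(exc))

    with sock:
        sock.settimeout(timeout)
        banner = b""
        try:
            # An RFB server sends "RFB xxx.yyy\n" (12 bytes) before the client speaks.
            while len(banner) < 12:
                chunk = sock.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
        except socket.timeout:
            pass  # connected, but nothing (or not enough) arrived in time
        except OSError as exc:
            return ("reset_after_connect", str(exc))

    if len(banner) == 12 and banner.startswith(b"RFB ") and banner.endswith(b"\n"):
        return ("rfb_banner", banner.decode("ascii").strip())
    if not banner:
        # The handshake completed but the server's first packet never arrived:
        # consistent with a filter that passes one direction only, or with a
        # port that is not RFB (5800 is the HTTP/Java-viewer port by convention).
        return ("no_banner", "TCP connected but no RFB greeting received")
    return ("not_rfb", repr(banner))

if __name__ == "__main__":
    # Usage: python probe_rfb.py <host> [port]; the host is supplied by the user.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    print(probe_rfb(target, target_port))
```

Run once from the LAN and once from outside the router: a result that changes from rfb_banner to tcp_timeout or no_banner points at a filter on the path rather than at the VNC server itself.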