PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP
LEVITATING YOUR PC FROM TOPEKA, KS
WinXP comes with a remote control "feature," in two versions - remote desktop and remote assistance. Remote desktop needs WinXP Pro - oops, another $100. Remote assistance can be used with WinXP Home. I believe these techniques are specific to WinXP, however, so if you have any Windows other than XP you are out of luck. Of course with the way Microsoft is taking over the world, I assume in a few years this will be fairly universal. I discuss "remote assistance" below, and "remote desktop" later. Until then.....
The other, more open technique is to use programs such as PCanywhere, which is used a lot by people who wish to get into their PCs remotely. PCanywhere is installed on both the client and the server machine, and port 5631 must be open in any router between the client and the server. PCanywhere is a very full featured program, but very expensive and complicated, and very much bloatware in my mind. There is a much simpler "variant" of this kind of remote control software, which is free and much easier to use, and is a MUCH smaller piece of software, called "VNC." When you install VNC, you should make sure you enable the JAVA component. This only means that you can run the VNC client in a browser window.
There is another remote control program which has gotten very good reviews. This is "GoToMyPC" - www.gotomypc.com. However they charge for it, and they also charge per month, so you have to be in this pretty seriously. They do let you download and evaluate it.
NEW Fall 2006 - Hamachi is slick!
There is a free version of this service which is called "hamachi." Go to www.hamachi.cc and download the client. These two programs work by using a third party server. All the clients which you want on a single "virtual" private network must log into the third party server. The server is able to figure out the UDP port being used by the clients, and is able to transition from a connection thru itself, to one using only the two endpoints - a "peer to peer" in most cases. The client will normally keep a TCP connection open to the third party server. Hamachi, especially, is very slick. Steve Gibson has reviewed this program in every way possible and vouches for its credibility and technology. See www.grc.com/sn/SN-018.htm .
VNC, RDP and PCAnywhere can be very dangerous if the programs run at startup and are always running as services. Crackers can scan your IP, see the open, well known port, and attempt hacks against it. You must make sure you have a good password on it, and hope that there is not a new exploit for it. I would not recommend leaving the service running at all times. But there is an easy way around this if we want to use it for troubleshooting: we only enable (start) VNC when needed, so it is not listening at all for remote connections unless we want it to. In addition, if it is sitting behind a router, a port has to be opened up through the router to the PC. The router has to be set up beforehand, and this means the port is always open clear thru to the PC.
Hamachi and GoToMyPC are much less susceptible to cracking because they use crypto technologies.
Alert May 2006: Older versions of VNC have a terrible security hole. DO NOT leave port 5900 open on the Internet! There is a way to break into VNC WITHOUT a password! Get the latest VNC at www.realvnc.com.
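One way to confirm that none of the remote-control ports named on this page is listening where the network can reach it, as an added example that is not part of the original page. The function name and the sample netstat lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag remote-control ports that are listening on a
# non-loopback address. Feed it `netstat -an` (Windows or Linux) or
# `ss -tln` output on stdin; it prints one "port address" line per finding.

# Ports named on this page: RDP 3389, VNC 5500/5800/5900, PCAnywhere 5631.
WATCHED_PORTS="3389 5500 5631 5800 5900"

exposed_remote_ports() {
  awk -v ports="$WATCHED_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    # Established sessions and headers are not listeners; skip them.
    toupper($0) !~ /LISTEN/ { next }
    {
      # The local address is the first field ending in ":<port>".
      for (f = 1; f <= NF; f++) {
        if ($f !~ /:[0-9]+$/) continue
        port = $f; sub(/.*:/, "", port)
        addr = $f; sub(/:[0-9]+$/, "", addr)
        loopback = (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
        if ((port in watch) && !loopback) print port, addr
        break
      }
    }
  '
}

# Constructed sample: mixed Windows and Linux netstat lines.
SAMPLE_NETSTAT='  TCP    0.0.0.0:135        0.0.0.0:0         LISTENING
  TCP    0.0.0.0:5900       0.0.0.0:0         LISTENING
  TCP    127.0.0.1:5800     0.0.0.0:0         LISTENING
  TCP    192.168.1.32:3389  0.0.0.0:0         LISTENING
  TCP    192.168.1.32:1042  203.0.113.9:5900  ESTABLISHED
tcp   0  0 :::5631          :::*              LISTEN'

# On a real machine: netstat -an | exposed_remote_ports
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_remote_ports
```

An empty result after the VNC server has been stopped is what step 3 of the procedure below ("verify that VNC is not running") is looking for.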
A. To setup VNC for accessing remote PC behind a firewall, using Win98. It should apply to most any OS tho:
1. Install VNC server (full install OK) on the PC. On Win98, it automatically makes it a service at startup. On WinXP, you may have to check with the services utility [start msconfig].
2. When PC starts, it will ask to set password. I use the PC name as password, or you can use the IP address as an easy to remember password - these are for minimum security installations! Beware that this may not be very good security for your situation. I use it for my internal network in a testing scenario, and only start the server when I am going to do some troubleshooting.
3. Use "sysinfo -> sysconfig" (Win98) to disable VNC server at startup. Restart PC, verify that VNC is not running.
4. Create shortcut on desktop to start VNC server (for customer).
5. Go into Westell: add VNC services [it is already listed, and adds proper ports 5500, 5800 and 5900]. Select advanced configuration -> add static NAT, and specify the IP of PC, e.g. 192.168.1.1. The situation is similar for any NAT/router.
6. Put this static IP on PC to make it easier to use VNC. Otherwise you would have to modify the Westell setup every time you wanted to use this.
When customer is ready to have remote control:
1. Ask customer to get IP of Westell, i.e. the one assigned by the ISP. There should be a shortcut created to perform this.
2. Ask customer to start VNC server using desktop shortcut.
3. Ask customer for Windows PC name, and use this as password for VNC - you set this up in step 2.
4. At VNC Viewer:
start VNC viewer, enter IP address, and password.
B. To setup VNC on WinXP:
Pretty much the same as above. Ideally you want to make it a service that will not start at bootup, but manually to avoid any security problems. Here is a nice article on setting up VNC.
Unless you have an XP Pro, you will need to use "remote assistance." Remote assistance is actually a pretty nice little facility if you both have XP home, and you are both on the same LAN. If you are not on the same LAN, you will have to open up a port in your NAT/router [or your firewall] to enable this service. This is port 3389, which may just be listed as "remote assistance" in your NAT/router. You also must have the capability enabled on your PC by going into control panel -> system -> remote tab and selecting "let remote assistance invitations be sent from this PC."
1. Go to Help and Support on the Start Button
2. Select "invite someone to help you."
3. Send him an email (unless you have Messenger accounts).
4. He will receive the email, and must open the attachment and enter the password, if you sent one. You should do this if this is over the Internet!!!
5. You will receive a message asking for permission for your friend to view your screen. Click OK.
6. In order for your friend to take control of your PC, he has to hit the "take control" button at the top. You are asked if he should do this - click OK.
You get the picture. You may have to be on the phone with the other guy to start this, but once it starts, you can chat with the included chat capability. You can also follow along and actually watch the other guy manipulate your PC as he is controlling it.
Remote Assistance does work on XP Pro as well.......
D. XP Pro Remote Control
Remote Desktop on XP Pro is found under Programs -> Accessories -> Communications -> Remote Desktop. To enable a PC to be remotely "desktopped," go to Control Panel -> System -> Remote tab and select the bottom box. Remote Desktop does not require the back-and-forth communication with the user in order to set up the remote access, and there is finer control which can be applied, such as who can do this to your PC.
Remote assistance requires the attention of the person whose PC is being remotely assisted. Remote Desktop does not require the assistance of the person needing help, except that his PC must be setup to accept it. A real pain however, is that the user's PC goes into, apparently, lock screen mode so that you cannot see the "technical support" center futz with your PC! I think I would prefer remote assistance if at all possible.
E. Dynamic DNS
In order to access remote PCs when you don't know their IP address, you can install a small client on the PC, such as that offered by www.no-ip.com . This client will "dial up" the no-ip.com site and tell it the current address of the PC. You must register with no-ip.com, use an email address, and a host name. Once you setup a hostname, such as "ggloop" you can access this hostname anywhere on the Internet as "ggloop.no-ip.info" The server at no-ip.com does the job of updating the DNS tables, presumably worldwide. You can then use VNC to connect to "ggloop.no-ip.info." You MUST open the port 5900 on the firewall on the client PC so that the VNC viewer can get (connect) to it, and that presents a risk. But just use a REALLY good and LONG password and you should be OK.
F. VNC in Linux Fedora
Here are two terrific Redhat articles on getting VNC to work in a Linux environment.
G. For the nerds only, but also the best way!! Tons of capabilities.
Use VNC through ssh. Use a linux machine (such as Fedora) behind your NAT/router, running sshd. Open a hole through your NAT/router for port 2222 outside to port 22 inside and designate your linux machine to receive it. On any machine in the Internet you can ssh to the inside linux machine, using port 2222 and the IP of your NAT/router (use no-ip.com or the like). In addition, enable "Port forwarding" and "gateways," and "X11" forwarding in the ssh_config and sshd_config files on each linux machine. You can then open a separate window on your remote linux machine (or a windows machine running an ssh client), and invoke VNC and designate "localhost" as the destination server. Ssh will FORWARD the VNC traffic to a remote machine sitting inside your LAN. You will be controlling your desktop in a very secure way. If you happen to have XP pro on the inside machine, you can run RDP. Just designate the RDP port 3389 instead of the VNC port 5900.
On the remote (linux) machine, "ssh -p 2222 -L 5900:192.168.1.32:5900 remoteNAT/router_IPaddress" will connect to the linux machine behind your NAT/router (through the port 2222 hole set up above), and will forward VNC traffic from THIS machine to the internal machine at 192.168.1.32. You can also do this on a windows machine running an ssh client such as putty. You will have to configure the "tunnels" in the putty screen before you start the session.
Opening a second window, and invoking "vncviewer" and entering "localhost" as server will call up the machine at 192.168.1.32 to ask for the password. You are then running the desktop of the 192.168.1.32 machine. In the original ssh window you can also run an X server app.
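With sshd reachable from the Internet on port 2222, its configuration becomes the thing protecting the LAN. The script below is an added example, not part of the original page, that checks sshd_config text for the settings relevant to this tunnel setup; the function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: review sshd_config text (on stdin) for the settings that
# matter when sshd is exposed on port 2222 and used for -L forwarding.

# Effective value of a keyword. Keywords are case-insensitive, the first
# occurrence wins, "Key=value" is accepted. Match blocks are not handled.
ssh_option() {  # usage: ssh_option <keyword> <default>
  awk -v key="$1" -v def="$2" '
    BEGIN { k = tolower(key) }
    /^[ \t]*#/ { next }
    { sub(/=/, " ") }
    tolower($1) == k { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  '
}

audit_sshd() {  # one finding per line on stdout
  cfg=$(cat)
  val() { printf '%s\n' "$cfg" | ssh_option "$1" "$2"; }
  # Second argument is the OpenSSH default used when the keyword is unset.
  [ "$(val PasswordAuthentication yes)" = no ] ||
    echo "PasswordAuthentication: password logins accepted; prefer keys"
  [ "$(val PermitRootLogin prohibit-password)" != yes ] ||
    echo "PermitRootLogin: root may log in with a password"
  [ "$(val GatewayPorts no)" = no ] ||
    echo "GatewayPorts: not needed for -L; exposes remote (-R) forwards"
  case "$(val AllowTcpForwarding yes)" in
    no|remote) echo "AllowTcpForwarding: the -L tunnel will be refused" ;;
  esac
}

# Constructed sample config for the demonstration.
SAMPLE_SSHD='# constructed sample
Port 22
gatewayports yes
PasswordAuthentication yes
#PermitRootLogin yes
AllowTcpForwarding yes
GatewayPorts no'

# On the inside linux machine: audit_sshd < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_SSHD" | audit_sshd
```

On the client side, GatewayPorts in ssh_config has a different effect: when enabled, the local end of the -L forward (port 5900 on the machine running vncviewer) accepts connections from other hosts instead of only from localhost.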
H. A few hints on Hamachi
After you install Hamachi, you must pick a name for your client, such as "johnloopPC." Hamachi will create a logical adapter in your PC, and assign it a unique IP address in the 5.x.x.x network. If this is your first use of Hamachi, you must create a "network" and give it a name, such as "johnloopnetwork." This will be the network name that you can give out to allow other Hamachi clients to "join network." You must assign a password for this network. Make it a very long and secure one. When you install the Hamachi client on other PCs, they can "join" the "johnloopnetwork" by entering the password you created. You can elect to turn off the windows SMB protocols if you want.
Once you have a virtual network of hamachi clients all participating in the "johnloopnetwork" it is just like having all your PCs on a physical LAN. Except, they can be anywhere, even behind firewalls and NAT routers, and all communications are encrypted. This may be the slickest creation for some years!!
Hamachi was recently bought out by "LogmeIn," so watch out for some potential changes in service.
Copyright John D Loop Wednesday October 26, 2005