configuring firewall for remote assistance

kakii

There are some MS instructions regarding firewall configuration
for the purpose of running win xp remote assistance.
MS states only the port 3389 shall be opened.
But more details on that filter rule are missing.

1. Does it apply to the novice's or the expert's PC ?
2. Is that for inbound or the outbound traffic ?
3. What protocol is this for, TCP or UDP ?
4. What application has to be associated with this packet filter rule ?

I'm going to run win xp remote assistance in the following configuration:
- expert's PC: win xp pro sp2
- novice's PC: win xp pro sp2
- both PC's connected to internet via DSL modem
- on both PC's personal firewall running, no router hardware
- both PC's operate in single, no LANs present

How exactly should the firewall filter rules be set for both PC's
if the novice generates an invitation from the Win Help and Support
application and sends it to the expert in a file ?

How exactly should the firewall filter rules be set for both PC's
if the novice generates an invitation from the Win Help and Support
application and then his choice is the win messenger to send the
invitation ?

How exactly should the firewall filter rules be set for both PC's
if the novice does not use the Windows Help and Support application at
all but starts the windows messenger to invite the expert to assistance ?
 
Mike T.

Replies embedded:

kakii said:
> There are some MS instructions regarding firewall configuration
> for the purpose of running win xp remote assistance.
> MS states only the port 3389 shall be opened.
> But more details on that filter rule are missing.

Are you referring to Windows Firewall, another software firewall, or a
hardware firewall (e.g. in your router)?

> 1. Does it apply to the novice's or the expert's PC ?

It applies to the novice's PC. You'll also need to make sure that Windows is
set up to allow it on the novice's machine. You'll need to right-click the
"My Computer" icon, select "Properties". On the "Remote" tab, make sure the
box "Allow Remote Assistance invitations to be sent from this computer" is
checked.

> 2. Is that for inbound or the outbound traffic ?

I'm not 100% sure, but I believe inbound.

> 3. What protocol is this for, TCP or UDP ?

TCP.

> 4. What application has to be associated with this packet filter rule ?

If you're referring to Windows Firewall, the program would be "Remote
Assistance". It's already on the list of programs in the Exceptions list, so
all you'd need to do is check the box and you're done, unless you want to
change the scope of the exception (for example, only allowing certain IP
addresses or within your own subnet). Keep in mind you'll need to log on
with an account that has Administrator rights to do this. On a standard XP
installation, the path to the executable is C:\Windows\system32\sessmgr.exe.

> I'm going to run win xp remote assistance in the following configuration:
> - expert's PC: win xp pro sp2
> - novice's PC: win xp pro sp2
> - both PC's connected to internet via DSL modem
> - on both PC's personal firewall running, no router hardware

Here's the important question: When you say "personal firewall", are you
referring to the Windows Firewall built into XP, or are you referring to a
third-party product?

> - both PC's operate in single, no LANs present
>
> How exactly should the firewall filter rules be set for both PC's
> if the novice generates an invitation from the Win Help and Support application
> and sends it to the expert in a file ?
>
> How exactly should the firewall filter rules be set for both PC's
> if the novice generates an invitation from the Win Help and Support application
> and then his choice is the win messenger to send the invitation ?
>
> How exactly should the firewall filter rules be set for both PC's
> if the novice does not use the Windows Help and Support application at
> all but starts the windows messenger to invite the expert to assistance ?

Any of these scenarios should work automatically with the configuration
stated above.


Mike
 
kakii

Thank you very much for your reply. Nowadays it happens really seldom
that somebody answers the questions in the MS newsgroups.
Replies embedded:

> Are you referring to Windows Firewall, another software firewall, or a
> hardware firewall (e.g. in your router)?

On both PC's runs the Kerio Personal Firewall - software, no routers
present on both sites, no proxy servers or similar, no LANs, etc.
Both PC's connected to internet only through ADSL-Modem, these are using
windows xp dial-up connections, and the Kerio PFW firewalls.

> It applies to the novice's PC. You'll also need to make sure that Windows is
> set up to allow it on the novice's machine. You'll need to right-click the
> "My Computer" icon, select "Properties". On the "Remote" tab, make sure the
> box "Allow Remote Assistance invitations to be sent from this computer" is
> checked.

Yes, I'm aware of this option. Checked all the time.

> I'm not 100% sure, but I believe inbound.

Does the expert PC require 3389 to be open for outbound/inbound traffic
too ?

> If you're referring to Windows Firewall, the program would be "Remote
> Assistance". It's already on the list of programs in the Exceptions list, so
> all you'd need to do is check the box and you're done, unless you want to
> change the scope of the exception (for example, only allowing certain IP
> addresses or within your own subnet). Keep in mind you'll need to log on
> with an account that has Administrator rights to do this. On a standard XP
> installation, the path to the executable is C:\Windows\system32\sessmgr.exe.
>
> Here's the important question: When you say "personal firewall", are you
> referring to the Windows Firewall built into XP, or are you referring to a
> third-party product?

See above, please.
 
Mike T.

kakii said:
> Thank you very much for your reply. Nowadays it happens really seldom
> that somebody answers the questions in the MS newsgroups.
>
> On both PC's runs the Kerio Personal Firewall - software, no routers
> present on both sites, no proxy servers or similar, no LANs, etc.
> Both PC's connected to internet only through ADSL-Modem, these are using
> windows xp dial-up connections, and the Kerio PFW firewalls.

I've never used Kerio, so I really couldn't tell you how to configure it. I
honestly think the easiest solution would be to check the Kerio forums. I
would just about guarantee that other people have had to deal with this
issue. Here's the address of a good forum:
http://www.dslreports.com/forum/kerio

Hope this helps.
Mike
 
kakii

Mike said:
> I've never used Kerio, so I really couldn't tell you how to configure it. I
> honestly think the easiest solution would be to check the Kerio forums. I
> would just about guarantee that other people have had to deal with this
> issue. Here's the address of a good forum:
> http://www.dslreports.com/forum/kerio

Thanks. I don't think this is a topic of Kerio.
Each packet transfer has its own characteristics: origin port, target port,
protocol, origin IP, target IP, server application that listens on the
specified port.
Microsoft should precisely describe the required firewall filter.
It is not possible to find this information on the MS portal. Terrible.
Only the spare statement the port 3389 has to be open.
It's not detailed enough.
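
The rule characteristics listed in the last post, filled in with the answers given earlier in the thread (novice's PC, inbound, TCP, port 3389, sessmgr.exe), as an added example that is not part of the original thread and is not Kerio or Windows Firewall syntax: a small default-deny model comparing a port-only rule with a fully specified one on the novice's PC. The addresses 203.0.113.10 and 198.51.100.7 and the path C:\example\other.exe are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SESSMGR = r"C:\Windows\system32\sessmgr.exe"   # path given in the thread
EXPERT_IP = "203.0.113.10"                     # constructed (documentation range)

@dataclass(frozen=True)
class Packet:                 # as seen by the firewall on the novice's PC
    direction: str            # "in" or "out"
    protocol: str             # "tcp" or "udp"
    remote_ip: str
    local_port: int
    application: str          # program that owns the local port

@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    local_port: int
    remote_net: str = "0.0.0.0/0"   # default: any remote address
    application: str = ""           # default: any program

def matches(rule, p):
    return (p.direction == rule.direction and p.protocol == rule.protocol
            and p.local_port == rule.local_port
            and ip_address(p.remote_ip) in ip_network(rule.remote_net)
            and (not rule.application
                 or p.application.lower() == rule.application.lower()))

def verdict(rules, packet):
    """Default deny: a packet passes only if some rule matches it."""
    return "allow" if any(matches(r, packet) for r in rules) else "deny"

PORT_ONLY = [Rule("in", "tcp", 3389)]    # "open port 3389" and nothing more
SCOPED = [Rule("in", "tcp", 3389, EXPERT_IP + "/32", SESSMGR)]
SAMPLES = {   # constructed packets, not captured traffic
    "expert to sessmgr": Packet("in", "tcp", EXPERT_IP, 3389, SESSMGR),
    "unknown host": Packet("in", "tcp", "198.51.100.7", 3389, SESSMGR),
    "udp instead of tcp": Packet("in", "udp", EXPERT_IP, 3389, SESSMGR),
    "other listener": Packet("in", "tcp", EXPERT_IP, 3389, r"C:\example\other.exe"),
}

def compare():   # sample name -> (port-only verdict, scoped verdict)
    return {n: (verdict(PORT_ONLY, p), verdict(SCOPED, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:20} port-only={loose:5} scoped={tight}")
```

On a dial-up ADSL link the expert's address can change between sessions, so the remote address in the scoped rule has to be the one the expert holds at the time of the session.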
 
