My remote-management options, computers behind firewalls, ssh & VNC?

Matt

I want to establish a remote-desktop management connection (both ways)
using ssh and TightVNC between two computers, each behind a SOHO
firewall.

Here are my options as far as I understand it after poking around here a
bit:

1) Open up VNC ports on each firewall. Map said ports to respective
computers. Point TightVNC at each firewall's WAN IP. Not secure, but
easy (or at least easier than #2).

2) Open up port 22 on each firewall, map port 22 to the respective
computers, and run ssh connections to each. Then point TightVNC to
each respective ssh connection, and VNC does not know the difference.

3) Don't run any VNC at all, and use some other software like
RemoteDesktop/NetMeeting which supposedly has security/encryption "built
in"? I still have to map some firewall ports to internal LAN computer
IP addrs, right? Which ports is unclear. This seems most complicated
despite the fact that I somehow don't need to worry about
security/encryption. Furthermore, I need to specifically have
WinXPPro, and one of my aforementioned computers is WinXP Home (and I
might be using Linux/Mac platforms for this stuff later, too).

Number 2 seems most attractive to me. My concern might be the
vulnerability of opening ports 22 on the firewalls? Is this in any
way a potential problem? Does anything else besides ssh listen on
port 22, and if not, does that still mean my port-mapping is "secure"?

Thanks for any help,
Matt
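
Option 2 from the post above, sketched as an added example that is not part of the original thread: only port 22 is mapped on the firewall and the VNC traffic rides inside the ssh session. It assumes an OpenSSH client; the user, host name and display numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example: build the OpenSSH command for VNC over an SSH tunnel.
# All user/host/display values used here are constructed placeholders.

# VNC display N listens on TCP port 5900+N.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*)
            echo "display must be a plain non-negative integer" >&2
            return 1 ;;
    esac
    echo $((5900 + $1))
}

# Reject targets that ssh could parse as an option (leading '-') or that
# contain characters outside a plain user@host, so a pasted value cannot
# change the meaning of the command line.
safe_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# tunnel_cmd USER@HOST REMOTE_DISPLAY LOCAL_DISPLAY
# Prints the ssh command that forwards a local VNC port to the remote one.
tunnel_cmd() {
    safe_target "$1" || { echo "bad target: $1" >&2; return 1; }
    rport=$(vnc_port "$2") || return 1
    lport=$(vnc_port "$3") || return 1
    # -N: forwarding only, no remote shell.
    # ExitOnForwardFailure: exit rather than sit in a session with no tunnel.
    # Both ends are 127.0.0.1: the local listener is not reachable from the
    # LAN, and the VNC port never needs to be mapped on the firewall.
    echo "ssh -N -p 22 -o ExitOnForwardFailure=yes -L 127.0.0.1:${lport}:127.0.0.1:${rport} $1"
}

# Stand-alone demo with constructed values: remote display 0, local display 1.
tunnel_cmd "matt@office.example.net" 0 1
```

With the printed command running, the VNC viewer is pointed at 127.0.0.1 on the local display (1 in the demo) instead of at the remote firewall's WAN IP.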
 
Matt

....and what I failed to ask explicitly is: Is all this correct? Do I
have a reasonably-comprehensive set of options and is the description
of each option accurate?

-Matt


 
Bill Sanderson

I can't speak for ssh, or its vulnerabilities--as I recall, there was a
recent one publicised (??)

Yes, Remote Desktop is encrypted with RC4, 128 bit keystrength. You can
search on this in Help and Support and find more information.

However, as you mention, RD won't talk to Linux, nor to XP Home.

The port stuff is a no-brainer--you haven't done your homework. You know
the ports for the stuff you started out favoring, but the others are well
documented, and posted many times a day here. RDP uses port 3389, TCP.

Here's my alternative suggestion: Open the firewalls for a PPTP VPN
connection. Such a connection is supported by XP Home, XP Pro, and I expect
Linux as well. The port involved is port 1723, TCP, and GRE (protocol 47).
Most small routers can manage to let this in, although sometimes it takes a
firmware upgrade with older models, and the terminology for the GRE portion
varies. Linksys has a checkbox for "pptp passthrough" which does this, and
then you just forward the 1723 in the usual way. Some newer boxes just open
GRE automagically when 1723 is opened.

Either XP home or XP Pro can terminate a PPTP tunnel, and, once connected,
you can use either Remote Desktop, VNC, or any other IP-based network
mechanism (or IPX even if you are desperate)--so this solution will allow
you to talk to the different boxes using whatever Remote admin feature you
like best.
 
Jeffrey Randow (MVP)

For a tutorial on the VNC/SSH side, take a look at
http://www.shebeen.com/vnc_ssh/.

You may want to also consider UltraVNC with the encryption plug-in
(http://ultravnc.sourceforge.net). This will give you SSH with extra
security.

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
 
Matt

I guess Jeffrey already had this in the .sig of his other post...oh well
(that's probably how I found it in the first place). I guess it
doesn't hurt terribly to be redundant. -Matt
 
Jeffrey Randow (MVP)

Eventually I'll get more time to update, but I am on the 14 hours a
day of work cycle right now... :(

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

 
