Remote assistance/desktop

Wowbagger

Environment:

Host machine, Windows XP Professional SP/2 in a LAN behind a NAT/firewall
device. No restrictions beyond an admin who may not know how to configure
port forwarding (or even what it is - I won't approach him until I know
exactly what I need to request).

Client machine, Windows XP Media Center edition SP/2, also behind a
NAT/firewall device over which I have full control.

What specifically do I need to control host from client? If I set up remote
assistance using messenger will I be able to connect on demand or would
somebody physically at the host have to initiate the session?

If I go with remote desktop, what NAT configuration changes do I need to
request from the admin?

If I can get this working there are others in the office who will probably
want to do the same - how would the NAT need to be configured to support
remote desktop on multiple machines? Is it just a question of assigning NAT
port xxx to forward to 3389 on the first desktop, NAT port yyy forwarding to
3389 on the second and so forth?
 
Phil

See answers below...

Wowbagger said:
Environment:

Host machine, Windows XP Professional SP/2 in a LAN behind a
NAT/firewall device. No restrictions beyond an admin who may not
know how to configure port forwarding (or even what it is - I won't
approach him until I know exactly what I need to request).

Client machine, Windows XP Media Center edition SP/2, also behind a
NAT/firewall device over which I have full control.

What specifically do I need to control host from client?

You'll need to download and install the Remote Desktop client from the MS
website if Media Center doesn't have it. You also need to turn Remote
Desktop on in XP Pro and allow it to accept connections. All accounts should
be password protected with a complex password as well.
If I set up remote assistance using messenger will I be able to connect on
demand or would somebody physically at the host have to initiate the session?

Someone would have to be physically at the machine to accept the session.
Don't do it this way.
If I go with remote desktop, what NAT configuration changes do I need
to request from the admin?

You will need to set up port forwarding in the firewall. Usually in the
firewall's config page (192.168.0.1) there's a place to tell it to open port
3389 (default Remote Desktop port) and then, when anyone hits that port, to
forward that connection to the IP address of your computer in the
LAN (network). For greater security, if your firewall supports it, you can
set it up so that it only forwards connections if they come from a certain
IP address. Then you'd add your home IP address in the firewall and if you
try to connect it will forward you, but if anyone else tries it won't
forward them. And I would also change the default listen port of 3389 to any
other port that isn't being used and then set that port up in the firewall
instead of 3389. This is just because if your firewall doesn't support the
"only forward certain IPs" function and you keep port 3389 then anyone
could hit your IP with the Remote Desktop client and it would forward them, then
all they'd need is your user name and password. If you change the default
port, someone would need your IP address, the correct port, your user name,
and your password in order to get it to forward and connect. See here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;306759
If I can get this working there are others in the office who will
probably want to do the same - how would the NAT need to be
configured to support remote desktop on multiple machines? Is it
just a question of assigning NAT port xxx to forward to 3389 on the
first desktop, NAT port yyy forwarding to 3389 on the second and so
forth?

You'd have to change the listen ports on different machines and set up port
forwarding using those specific ports to forward to specific computers (IPs)
in the office. So Joe Smith would have his port set at 6969 and he'd connect
to your WAN IP at that port, then the firewall would forward the connection
to his machine. Ex: Joe connects to 68.134.212.34:6969, then the firewall
is set to forward any connect attempt on 6969 to Joe's IP network address
and Joe connects, he enters his user and pass and he's in.
Post back if you need help or more info. I use Remote Desktop every day (using
it right now) and have it working between work and home with a
firewall/router in the office and a wireless firewall/router at home. I will also
add that a firewall/router that does NAT and SPI is better if you want to
use this sort of remote stuff daily. SPI brings a true firewall into the
mix. NAT alone will work but isn't as secure. Both my firewall/routers do
NAT and SPI.
 
Wowbagger

For greater security, if your firewall supports it, you can set it up so that it
only forwards connections if they come from a certain ip address. Then you'd
add your home ip address in the firewall and if you try to connect it will forward
you, but if anyone else tries it won't forward them.

When the packets are forwarded from the NAT device would my system see them
as coming "from" the NAT or would they be coming from my machine at home?
The less I ask of the office network admin the happier I'll be. The reason
I ask is because I am considering doing the filtering at my desk rather than
at the firewall. The more I can personally control, the better.
(Especially since the broadband at home is DHCP.)
 
Phil

Wowbagger said:
When the packets are forwarded from the NAT device would my system
see them as coming "from" the NAT or would they be coming from my
machine at home? The less I ask of the office network admin the
happier I'll be. The reason I ask is because I am considering doing
the filtering at my desk rather than at the firewall. The more I can
personally control, the better. (Especially since the broadband at
home is DHCP.)

The connection comes from your machine at home to the router. The router
then forwards that connection to your computer. Once the connection is
established the packets come from home, go through the router in the open
port, then to your computer.
I'm not sure what you mean by filtering at your desk, because in order for it
to work the correct ports in the firewall have to be opened and port
forwarding has to be set up. In a multiple-computer LAN with a
router/firewall there is no other way around it.
As for DHCP, don't worry about it. Both my work and home are DHCP. On
broadband you usually get the same IP over and over. Mine changes maybe once
a year if that. One thing I forgot to mention. If your LAN at work gets its
IPs from the router set as the DHCP server, then it's best to set static
IPs in the router so that you get the same IP from the router every day. If
your IP at work is DHCP from the router, then there's a possibility it might
change, and thus your port forwarding would not work because your IP
changed.
 
Wowbagger

I'm not sure what you mean by filtering at your desk because in order for it
to work the correct ports in the firewall have to be opened and port
forwarding has to be setup.

I'm talking about only accepting the connection from my home IP at my
desktop rather than at the firewall.
 
Phil

Wowbagger said:
I'm talking about only accepting the connection from my home IP at my
desktop rather than at the firewall.

If you take your computer out of the network, bypass the firewall, and hook
the internet directly up to your computer, then yes you could connect at the
computer and port forwarding would not have to be used, but you'd have to
configure your personal firewall on your desktop to accept the connection.
But I suspect that your company isn't going to let you hook the internet
directly to your machine only, so I don't think that will work in an office
environment.
 
Wowbagger

If you take your computer out of the network, bypass the firewall, and hook
the internet directly up to your computer, then yes you could connect at the
computer and port forwarding would not have to be used, but you'd have to
configure your personal firewall on your desktop to accept the connection.
But I suspect that your company isn't going to let you hook the internet
directly to your machine only, so I don't think that will work in an office
environment.

No... I'm referring to your suggestion to set the office firewall to only
accept port 3.1415 connections arriving from 000.127.000.127 (or whatever
the home IP is). I propose to have the office IT guy just forward all
requests on port 3.1415 to my machine and let my software firewall reject
anything that isn't coming from home.
 
Phil

Wowbagger said:
No... I'm referring to your suggestion to set the office firewall to
only accept port 3.1415 connections arriving from 000.127.000.127 (or
whatever the home IP is). I propose to have the office IT guy
just forward all requests on port 3.1415 to my machine and let my
software firewall reject anything that isn't coming from home.

Oh, ok, I see what you're saying now. If your router/firewall supports the
function of specifying only certain IPs to get forwarded, then yes you
could set it up that way. Not all firewalls/routers do this. Usually the $50
router that does NAT only does not have this function. The firewall I have
at the office that does do this cost about $250.
If your router does do this (check the router's help or settings) then you
won't have to worry about a software firewall to reject other connection
attempts. The router/firewall will reject them before they even get
forwarded. The router/firewall would only forward a connection from your
specific IP; all others get dropped/blocked by the router/firewall.
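The three points Phil makes above (a forwarding rule maps one WAN port to one LAN machine, a forwarded packet keeps the home machine's source address rather than the router's, and a source-IP restriction can live either on the router or on the desktop's software firewall) can be checked with a small model of destination NAT. This is an added example written for this thread, not code from either poster; every address, port and hostname in it is constructed (TEST-NET ranges for the public side), and the second rule assumes the router can translate an external port to a different internal port, which not every router does.

```python
"""Model of the NAT port-forwarding rules discussed in the thread.

Constructed illustration: the addresses, ports and machines below are made up.
It models destination NAT (DNAT): a forwarding rule rewrites only the
destination of an inbound packet, so the LAN host still sees the real source IP.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

RDP_DEFAULT_PORT = 3389  # Remote Desktop listens here unless the registry is changed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ForwardRule:
    external_port: int                                # port on the router's WAN address
    internal_ip: str                                  # LAN machine that gets the connection
    internal_port: int                                # listen port on that machine
    allowed_sources: Optional[FrozenSet[str]] = None  # None means anyone may connect


class NatRouter:
    """Router doing destination NAT with an optional per-rule source allow-list."""

    def __init__(self, wan_ip: str) -> None:
        self.wan_ip = wan_ip
        self.rules: Dict[int, ForwardRule] = {}
        self.log: List[str] = []

    def add_forward(self, rule: ForwardRule) -> None:
        # One external port maps to exactly one LAN host, hence one port per machine.
        if rule.external_port in self.rules:
            raise ValueError(f"external port {rule.external_port} already forwarded")
        self.rules[rule.external_port] = rule

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the LAN host, or None if the router drops it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        rule = self.rules.get(pkt.dst_port)
        if rule is None:
            # Unsolicited inbound traffic with no rule never enters the LAN.
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port} (no rule)")
            return None
        if rule.allowed_sources is not None and pkt.src_ip not in rule.allowed_sources:
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port} (source not allowed)")
            return None
        # DNAT rewrites the destination only; src_ip and src_port pass through unchanged,
        # which is why a filter on the desktop can still recognise the home address.
        fwd = Packet(pkt.src_ip, pkt.src_port, rule.internal_ip, rule.internal_port)
        self.log.append(f"FORWARD {pkt.src_ip}:{pkt.src_port} -> {fwd.dst_ip}:{fwd.dst_port}")
        return fwd


def host_accepts(pkt: Optional[Packet], listen_port: int, home_ip: str) -> bool:
    """Software firewall on the desktop: accept RDP only from the home address.

    This only works because the forwarded packet kept the original source IP.
    """
    return pkt is not None and pkt.dst_port == listen_port and pkt.src_ip == home_ip


def build_office_router() -> NatRouter:
    """Constructed office setup: two machines reachable through distinct WAN ports."""
    router = NatRouter(wan_ip="203.0.113.10")
    # First machine: listen port changed from 3389 to 6969 (as in KB 306759),
    # and the router only forwards this port from the constructed home address.
    router.add_forward(ForwardRule(6969, "192.168.0.20", 6969,
                                   allowed_sources=frozenset({"198.51.100.7"})))
    # Second machine: WAN port 6970 translated to 3389 inside the LAN. Assumes the
    # router supports external-to-internal port translation; no source restriction.
    router.add_forward(ForwardRule(6970, "192.168.0.21", RDP_DEFAULT_PORT))
    return router


def demo() -> Dict[str, Optional[Packet]]:
    """Run four constructed inbound packets through the router and collect the outcome."""
    router = build_office_router()
    home = Packet("198.51.100.7", 50000, "203.0.113.10", 6969)
    stranger = Packet("192.0.2.99", 40000, "203.0.113.10", 6969)
    unmapped = Packet("192.0.2.99", 40001, "203.0.113.10", RDP_DEFAULT_PORT)
    joe = Packet("198.51.100.8", 50001, "203.0.113.10", 6970)
    return {
        "home": router.inbound(home),
        "stranger": router.inbound(stranger),
        "unmapped": router.inbound(unmapped),
        "joe": router.inbound(joe),
    }


if __name__ == "__main__":
    for name, delivered in demo().items():
        print(f"{name:9s} -> {delivered}")
```

Running it shows the home packet arriving at 192.168.0.20 with its source still 198.51.100.7, the stranger's attempt on the same port dropped by the allow-list, the probe of port 3389 dropped because nothing forwards it, and Joe's connection translated to 192.168.0.21:3389. The `host_accepts` function is the desktop-side version of the same source check: it is only a fallback for a router that cannot filter by source, since by then the packet has already entered the LAN.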
 
Wowbagger

I asked for the port forwarding to be set up. The admin said no because he
was afraid somebody would install a keystroke logger, but that he would help
me set up pcAnywhere (which would require port forwarding....)
 
Phil

Yes pcAnywhere would need port forwarding, isn't as fast as Remote Desktop,
and last I knew still passed its passwords in plain text. Anyone could then
view that packet and get your password.
Tell your admin to stay away from pcAnywhere, RD is better imo. Also does
he/she know what they're talking about? Someone might install a keylogger.
Why would they, who would, how would they do it? Your admin is grasping at
straws. If the firewall is set up correctly then only RD connections would
get through. You could also set the firewall to drop all scan attempts as well
so that no one will ever know a port is open. Plus you can change the port
to any available port. There's over 65,000 ports on a computer, so you have
a better chance of getting struck by lightning.
Keylogger... lol... that's a good one.
 
