Remote Assistance: Random ports in Vista

Memnoch

Does anyone know of a way to get RA on Vista Business to only use port 3389 or
at least a static port rather than a completely random one?

You've probably guessed that this is a NAT related question. On my own network
I can get Vista and XP machines accepting and requesting RA without any
problems. But I have a friend of mine with both an XP and Vista machine behind
a router, set to forward port 3389. I can connect to his XP machine without
any problems because it uses port 3389. But on the Vista machine, the file
that is sent out uses a random port, such as below:

RCTICKET="65538,1,192.168.1.3:49682,"

You can't just change that port number as the program isn't listening on this
port.

This is a real pain and I can't find any information on this, and there is a
lot of BS floating around on Usenet too such as "XP machines can't accept
Vista RA requests", unless this was changed in SP1.

Any help with this would be much appreciated. I can't expect my friend to keep
opening random ports on his firewall to let me in, or at least modify the
existing rule.

Howard
 
Paul Montgumdrop

Memnoch said:
Does anyone know of a way to get RA on Vista Business to only use port 3389 or
at least a static port rather than a completely random one?

You've probably guessed that this is a NAT related question. On my own network
I can get Vista and XP machines accepting and requesting RA without any
problems. But I have a friend of mine with both an XP and Vista machine behind
a router, set to forward port 3389. I can connect to his XP machine without
any problems because it uses port 3389. But on the Vista machine, the file
that is sent out uses a random port, such as below:

RCTICKET="65538,1,192.168.1.3:49682,"

You can't just change that port number as the program isn't listening on this
port.

This is a real pain and I can't find any information on this, and there is a
lot of BS floating around on Usenet too such as "XP machines can't accept
Vista RA requests", unless this was changed in SP1.

Any help with this would be much appreciated. I can't expect my friend to keep
opening random ports on his firewall to let me in, or at least modify the
existing rule.

Howard

You should have your friend put the machine into the DMZ of the router,
if it has one, that exposes the machine and all ports to the public
Internet, because you are not coming around the random port thing if the
solution is behind the router.

You could also use something like MS Netmeeting's Remote Desktop
sharing, which can run on Vista and other NT based O/S platforms that
have those static ports.

Or you can use some other (free) 3rd party remote desktop sharing tools
that have those static ports, if all you're wanting is to gain access
to your friend's machine and control his machine remotely while having
his machine staying behind the protection of the router.
 
Memnoch

You should have your friend put the machine into the DMZ of the router,
if it has one, that exposes the machine and all ports to the public
Internet, because you are not coming around the random port thing if the
solution is behind the router.

You could also use something like MS Netmeeting's Remote Desktop
sharing, which can run on Vista and other NT based O/S platforms that
have those static ports.

Or you can use some other (free) 3rd party remote desktop sharing tools
that have those static ports, if all you're wanting is to gain access
to your friend's machine and control his machine remotely while having
his machine staying behind the protection of the router.

All valid solutions of course. What I had considered doing was opening ports
49152-65535 and have it as a temporary rule and point it at a normally unused
IP address, and when he needs help switch whichever machine I need to look at
to that IP address statically. Not ideal but it would work too.

Why did MS mess around with a solution that basically worked? Thanks for your
suggestions by the way. Not ideal but it confirmed my fears. MS are idiots
sometimes.
 
the wharf rat

Any help with this would be much appreciated. I can't expect my friend to keep
opening random ports on his firewall to let me in, or at least modify the
existing rule.

Can you connect using a string like remote.pc.com:3389 ?
 
Paul Montgumdrop

Memnoch said:
All valid solutions of course. What I had considered doing was opening ports
49152-65535 and have it as a temporary rule and point it at a normally unused
IP address, and when he needs help switch whichever machine I need to look at
to that IP address statically. Not ideal but it would work too.

Why did MS mess around with a solution that basically worked? Thanks for your
suggestions by the way. Not ideal but it confirmed my fears. MS are idiots
sometimes.

What, that someone could hijack the traffic on that static port and take
over control, as opposed to it being a random port assignment that is
hard to track?

It makes perfect sense to me. :)
 
Memnoch

Can you connect using a string like remote.pc.com:3389 ?

Connect using what? I can't see that working for anything other than Remote
Desktop. I am referring to Remote Assistance though, which appears to use a
random port in a fairly large address range. I just can't see why they didn't
just have a command line switch or something to allow you to specify a single
port.

Unless you are referring to something else of course?
 
the wharf rat

Unless you are referring to something else of course?


RA uses the Remote Desktop protocol. If you "Offer Remote Assistance"
to pc.wherever:3389 does it work? Your target will have to allow your IP in
the "Offer Remote Assistance" list first... Check out Control Panel->System
and Maintenance->Remote Settings->Remote Assistance.
 
Memnoch

RA uses the Remote Desktop protocol. If you "Offer Remote Assistance"
to pc.wherever:3389 does it work? Your target will have to allow your IP in
the "Offer Remote Assistance" list first... Check out Control Panel->System
and Maintenance->Remote Settings->Remote Assistance.

It does but not on port 3389. It uses the ports 49152-65535 randomly which
makes port forwarding a bit of a pain. If you have a UPnP capable router it
makes things a little easier. Today I have been looking at either using
something like Hamachi or just defining temporary port forwarding rules to allow
this. I am loath to use the DMZ option. It's just far too risky and since I
am trying to help someone with their laptop I see no good reason in exposing
it entirely to the rest of the world on top of that.
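The RCTICKET line quoted in the opening post and the 49152-65535 range reported in this post together point at a narrower option than forwarding the whole range or using the DMZ: read the one host:port the invitation actually advertises and forward only that port, for that session. The script below is an added example, not code from the thread or from Microsoft; it assumes the ticket is a comma-separated string in which the endpoint appears as `address:port` (inferred from the single sample on the page, not from a documented format), and the XP-style ticket on 3389 is constructed here for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. The "vista" line is the RCTICKET quoted in the thread;
# the "xp" line is built here to show the static-port case (assumption).
SAMPLE_TICKETS = {
    "vista": 'RCTICKET="65538,1,192.168.1.3:49682,"',
    "xp":    'RCTICKET="65538,1,192.168.1.3:3389,"',
}

RDP_PORT = 3389                 # static port the thread reports for XP RA / Remote Desktop
DYNAMIC_RANGE = (49152, 65535)  # range the thread reports Vista RA choosing from
# host:port token; host chars limited to what an IP or hostname can contain
ENDPOINT_RE = re.compile(r"([0-9A-Za-z][0-9A-Za-z.\-]*):(\d{1,5})")


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def parse_rcticket(line: str) -> List[Endpoint]:
    """Extract every host:port pair from an RCTICKET="..." line.

    Assumed layout (inferred from the thread's sample, not a documented spec):
    comma-separated fields, at least one of which is an address:port endpoint.
    """
    match = re.search(r'RCTICKET="([^"]*)"', line)
    if match is None:
        raise ValueError("no RCTICKET attribute found")
    endpoints = []
    for host, port_text in ENDPOINT_RE.findall(match.group(1)):
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        endpoints.append(Endpoint(host, port))
    if not endpoints:
        raise ValueError("ticket carries no host:port endpoint")
    return endpoints


def classify_port(port: int) -> str:
    """Tell a static 3389 ticket from a dynamically chosen high port."""
    if port == RDP_PORT:
        return "static-rdp"
    if DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]:
        return "dynamic"
    return "other"


def minimal_forward_rule(endpoint: Endpoint) -> Dict[str, object]:
    """Describe the narrowest NAT rule: one TCP port to one inside host.

    A dynamic port is only valid for the invitation that advertised it, so the
    rule should be removed once the session ends instead of left open.
    """
    kind = classify_port(endpoint.port)
    return {
        "proto": "tcp",
        "external_port": endpoint.port,
        "internal_host": endpoint.host,
        "internal_port": endpoint.port,
        "scope": "this invitation only" if kind == "dynamic" else "can stay static",
    }


def ports_to_open(ticket_line: str) -> List[int]:
    """Distinct ports a helper needs forwarded for one invitation."""
    return sorted({e.port for e in parse_rcticket(ticket_line)})


if __name__ == "__main__":
    for name, line in SAMPLE_TICKETS.items():
        for ep in parse_rcticket(line):
            print(name, ep.host, ep.port, classify_port(ep.port), minimal_forward_rule(ep))
```

Run against the thread's own ticket the script reports a single dynamic port, 49682, to be forwarded to 192.168.1.3 for this session; against the XP-style ticket it reports 3389 and notes the rule can stay static. The point for the router owner is that a per-invitation rule covering one port is a much smaller exposure than a standing 49152-65535 forward or a DMZ entry.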
 
the wharf rat

It does but not on port 3389. It uses the ports 49152-65535 randomly which

What I'm thinking is that if you OFFER remote assistance there
must be a known port on the target to make that offer to, and I'm sure it's
3389. If the offer is accepted they probably negotiate the random high
port.

BTW, there's absolutely nothing wrong with "allow established" on
1024-65535. IOW since you have an established connection (you get the
ticket and port number from the target) a stateful firewall should be capable
of allowing incoming traffic on ports associated with that conversation.
 
M

Memnoch

What I'm thinking is that if you OFFER remote assistance there
must be a known port on the target to make that offer to, and I'm sure it's
3389. If the offer is accepted they probably negotiate the random high
port.

Then you've never used it. It works this way on XP but not Vista. For the
record Remote Desktop does use 3389 but not RA. What OS do you use by the way,
for the record? If you OFFER remote assistance you also need to open port 135
(DCOM) for this to work. No way on earth am I going to ask him to open that
one up. I'll leave you to do your own research on this one as to why it is a
"bad idea", and you can look up how RA works under Vista while you are at it!!
BTW, there's absolutely nothing wrong with "allow established" on
1024-65535. IOW since you have an established connection (you get the
ticket and port number from the target) a stateful firewall should be capable
of allowing incoming traffic on ports associated with that conversation.

That sounds a little like UPnP, which I don't touch with a barge pole. I use
a Cisco PIX myself, and Cisco refuse to support UPnP, unless that attitude has
changed with the ASA devices. My friend is using a NetGear DG834GT router which
does support UPnP, but I'm not sure if he has that enabled on his wife's
laptop, which is the Vista one. That would be an option but I don't feel
comfortable allowing someone who doesn't know the implications of it and
leaving it enabled.
 
