Remotecontrol pc behind nat

Hi list ,

 I have a requirement where in I want to remotely control a windows machine from internet which is behind a firewall and has a natted ip. The firewall has a public ip configured on its untrusted interface and it has http, https and ftp ports open. The restriction here is that with out making any changes to the existing firewall and nat configuration this has to be achieved? Is this possible  ?Any suggestions will be appreciated.

 I know a package from ultra vnc (NAT2NAT plug-in) which can do this but unfortunately vnc port is also blocked in my case.

 Thanks in advance

 

... ciao:

: on "11-28-2006" "Safe Packet" writ:
:  remotely control a windows machine ... behind a firewall

... have the client initiate the connection ...

--
... i'm a man, but i can change,
    if i have to , i guess ...

Try using WebEx or Citrix's GoToMeeting. The software utilizes port 80
to remotely control machines.

-Shariff

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of terry white
Sent: Monday, November 27, 2006 3:03 PM
Cc: firewalls@...
Subject: Re: Remotecontrol pc behind nat

... ciao:

: on "11-28-2006" "Safe Packet" writ:
:  remotely control a windows machine ... behind a firewall

... have the client initiate the connection ...

--
... i'm a man, but i can change,
    if i have to , i guess ...

You can use VNC, assuming you have control of one of your firewalls:

How can I make the VNC server connect to a client, instead of the other way around?

Occasionally it is more convenient to have the server make the connection to a client; if the server has a dynamic IP, this may be the only way to do it.

Here's the process.

Let's say we have a machine at address 192.168.1.1, Client1, which wants to "take over" Server1.
 
(1) Start VncViewer on Client1 with the "-listen" switch, like:

vncviewer -listen

(2) On Server1, make sure that WinVNC is running as a service if possible; it needs to be running already for this to work.  If not, then she just starts it the normal way.  Make sure it's already started before going to Step 3.
 
(3) On Server1 you just run Winvnc with the "-connect" option. If Server1 is typically used only to connect to Client1, you may want to make a shortcut something like this:

"C:\Program Files\ORL\VNC\Winvnc.exe" -connect 192.168.1.1

From http://dev.remotenetworktechnology.com/vnc/vnc.htm

 

Good luck,

 

AC

 

---

From: listbounce@... [mailto:listbounce@...] On Behalf Of Safe Packet
Sent: Monday, November 27, 2006 12:54 PM
To: firewalls@...
Subject: Remotecontrol pc behind nat

 

Hi list ,

 I have a requirement where in I want to remotely control a windows machine from internet which is behind a firewall and has a natted ip. The firewall has a public ip configured on its untrusted interface and it has http, https and ftp ports open. The restriction here is that with out making any changes to the existing firewall and nat configuration this has to be achieved? Is this possible  ?Any suggestions will be appreciated.

 I know a package from ultra vnc (NAT2NAT plug-in) which can do this but unfortunately vnc port is also blocked in my case.

 Thanks in advance

 

Why not just use remote desktop (aka terminal services), and have it
listen on a different port?  This web article shows you how to change the
port setting:
http://support.microsoft.com/kb/187623

It defaults to 3389, but there is no reason you can't put it on 80, 443,
or 21 as long as there aren't other services already listening on them.

Be smart about it though, don't get owned!  Keep the box patched and user
accounts locked down with strong passwords, especially since you can't
restrict the source IP's that will connect from the firewall.  Expect that
you will get scanned, and someone will try and break their way in.


Cheers,
- Ralph

On Tue, 28 Nov 2006, Safe Packet wrote:

One think I do, is went IPv6. If you have a IPv6 internet connection (or
get a free connection via freenet6.org project) you just connection to
your machine.

You can create IPv6-IPv4 NAT Traversing and now your home machine has a
routed IPv6 address!



On Mon, 27 Nov 2006, Ralph Forsythe wrote:

--
Joseph Renda <Joseph@...>

The best FREE service for this purpose is LogMeIn - http://logmein.com

Optionally, if you want the harder way, you should use a ssh tunnel back to Linux box in the Internet (at home, university, ...). the dynamic IP addresses issue can be solved by http://www.dyndns.org or noip.com ...

ssh -R 3389:localhost:3389 <my_linux_box> (it will create a tunnel from TCP port 3389 of your Linux box to the port 3389 (RDP) of your Windows box. For SSH on Windows try Cygwin or PuTTY, you can do this even through proxy servers (suggestion: run your sshd on port 443)

Regards,
Fabio Fagundes
Rio de Janeiro - Brazil

Please, glance at http://www.stunnel.org/ . This is an Open Source initiative to perform SSL tunnels (VPN-SSL).

Whith this solution, you will can open a https (SSL) connection from internet to firewalled https services behind the wall.

This solutions works if your firewall hasn't any 'anti-ssl' tunnels controls. You will need install the stunnel client in the internet client system and the stunnel server in the protected host where the https connection is permitted. When the tunnel are open and stablished you can use whatever protocol inside, such as RDP or VNC to control remotely the firewalled https host.

You have a lot of commercial solutions from the majors vendors also (some examples: Cisco ASA, Juniper SSL solutions -formerly IVE Neoteris- and F5 FirePass).

... But thinking about it carefully, all this smell like if you was trying to cheat an explicit firewall rule ... Why? This is not a good practice !!! Be carefull.

Regards,

--
Luislo

pub  1024D/8A688104 1999/07/28 Luis Lopez luis.lopez@...
Key fingerprint = 550F 3545 C847 F61E 821C 3D8C 1A12 2C19  8A68 8104

"These are the thoughts and opinions of Luis Lopez, and does not represent Atos Origin company policy."

"Estos son los pensamientos y las opiniones de Luis Lopez, y no representan la política de compañía de Atos Origin."


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of joseph
Sent: miércoles, 09 de mayo de 2007 21:51
To: Ralph Forsythe
Cc: Safe Packet; firewalls@...; firewalls-return-5517-joeml=securesoftware.ca@...
Subject: Re: Remotecontrol pc behind nat


One think I do, is went IPv6. If you have a IPv6 internet connection (or get a free connection via freenet6.org project) you just connection to your machine.

You can create IPv6-IPv4 NAT Traversing and now your home machine has a routed IPv6 address!



On Mon, 27 Nov 2006, Ralph Forsythe wrote:

--
Joseph Renda <Joseph@...>


------------------------------------------------------------------
This e-mail and the documents attached are confidential and intended solely
for the addressee; it may also be privileged. If you receive this e-mail
in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos Origin group
liability cannot be triggered for the message content. Although the
sender endeavours to maintain a computer virus-free network, the sender does
not warrant that this transmission is virus-free and will not be liable for
any damages resulting from any virus transmitted.

Este mensaje y los ficheros adjuntos pueden contener informacion
confidencial destinada solamente a la(s) persona(s) mencionadas
anteriormente. Pueden estar protegidos por secreto profesional Si usted
recibe este correo electronico por error, gracias de informar inmediatamente
al remitente y destruir el mensaje.
Al no estar asegurada la integridad de este mensaje sobre la red, Atos
Origin no se hace responsable por su contenido. Su contenido no constituye
ningun compromiso para el grupo Atos Origin, salvo ratificacion escrita por
ambas partes.
Aunque se esfuerza al maximo por mantener su red libre de virus, el emisor
no puede garantizar nada al respecto y no sera responsable de cualesquiera
danos que puedan resultar de una transmision de virus
------------------------------------------------------------------