VNC Viewer behind a firewall/http proxy

Discussion:

Raji Siddoo

2001-03-12 10:54:24 UTC

I am very novice user of VNC and I am trying to
connect my VNC viewer (behind firewall that asks for a
http proxy account)
to my VNC server at home that is on the internet with
nothing restricting
access to that particular computer.

Now, if I dial in through my ISP and than try to
connect to the VNC server it works with no problems.
But once I am behind my office network firewall I
cannot get through
the firewall/http proxy with VNC viewer (because I do
not know how to configure
the viewer to access that proxy).

A little background and aside I guess that may be
useful...when I try to
connect to the internet using Internet
explorer 5 a http proxy window pops up asking me for a
password and login and to access
the firewall. Also I use this yahoo messenger as well
and this seems to only work if I
specify in the preferences area to enable the http
proxy with the proper server name
and server port.

So in summary how do I get this VNC viewer to connect
through my firewall to my home computer
on the internet running VNC server.

I should mention that I do not have an adminstrative
privalleges to my office network. So
therefore I cannot make any changes to that. Also I am
not very skilled at oo languages so
if a person provides an explanation please be as
fundamental and basic as possible.

Hope someone can help :-)

Thanks
rs

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Janice Adams

2001-03-12 16:51:55 UTC

Permalink

SET IE TO NOT USE PROXY FOR THIS PARTICULAR ADDRESS

-----Original Message-----
From: Raji Siddoo [mailto:***@yahoo.com]
Sent: Friday, March 09, 2001 5:43 PM
To: vnc-***@uk.research.att.com
Subject: VNC Viewer behind a firewall/http proxy

I am very novice user of VNC and I am trying to
connect my VNC viewer (behind firewall that asks for a
http proxy account)
to my VNC server at home that is on the internet with
nothing restricting
access to that particular computer.

Now, if I dial in through my ISP and than try to
connect to the VNC server it works with no problems.
But once I am behind my office network firewall I
cannot get through
the firewall/http proxy with VNC viewer (because I do
not know how to configure
the viewer to access that proxy).

A little background and aside I guess that may be
useful...when I try to
connect to the internet using Internet
explorer 5 a http proxy window pops up asking me for a
password and login and to access
the firewall. Also I use this yahoo messenger as well
and this seems to only work if I
specify in the preferences area to enable the http
proxy with the proper server name
and server port.

So in summary how do I get this VNC viewer to connect
through my firewall to my home computer
on the internet running VNC server.

I should mention that I do not have an adminstrative
privalleges to my office network. So
therefore I cannot make any changes to that. Also I am
not very skilled at oo languages so
if a person provides an explanation please be as
fundamental and basic as possible.

Hope someone can help :-)

Thanks
rs

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Harmen van der Wal

2001-03-13 00:20:34 UTC

Permalink

Janice Adams wrote:
>
> SET IE TO NOT USE PROXY FOR THIS PARTICULAR ADDRESS
>

The java vncviewer will not use the browser configured proxy (for
590x/rfb) anyway, and it can not be configured to do so at all.

I have been working on a Java vncviewer that does transparently use the
browser configured proxy (and that should work with proxy authentication
also).

It tunnels rfb (or any tcp-layered protocol) over http with
java.net.URLConnection instead of java.net.Socket. A http-tunnel-server
forwards the connection to the vnc-server. I have taken security issues
with this into account for the next release.

But here's my problem: a http proxy will log all http requests, and with
rfb that means a lot. It's not just that a mousemove or a keystroke will
already generate several http requests (a bit of buffering will help
there). But the viewer will request a framebuffer-update whenever it is
ready to receive data, and for things like blinking cursors that is once
every second or so. It just wouldn't be right to put such strain on a
http proxy. Socks is OK though.

Anyway, the next release will not include a Java VNCviewer for this
reason:-( I switched to telnet and SSH.

Off course there's other firewall tunneling equipment, that does not
have the problems a restricted Java applet has:

http://www.nocrew.org/software/httptunnel.html
http://www.htthost.com/
http://www.totalrc.net/s2h/
http://www.mokabyte.it/2000/06/firewallutil.htm

http://www.mindbright.se/mindterm/ is also proxy-aware, but used as an
applet, it requires permission to connect to the proxy-host.

I will not notify the list for the next release, because it will no
longer be related to VNC. I will keep my other http-proxy java
vncviewer, that is only useful in particular circumstances (and does not
support proxy authentication), at the old location:
http://www.workspot.net/~harmen/vnc/

Will keep reading the list though:-) And have been trying some other
trick that works with my Squid, but is just too weird to be included in
what I would like to become a respectable package eventually;-) I will
be focussing my efforts on that one though, once I finish the next
release.

Harmen.
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Scott C. Best

2001-03-13 07:01:06 UTC

Permalink

Raji:
Hello! As Harmen wrote, I'm a big fan of:

> http://www.nocrew.org/software/httptunnel.html

I found it terribly easy to setup. Source compiles
quickly, giving two binaries: htc and htc. You run htc
at your workplace, telling it to forward port 8888 (for
example) on your local machine thru your work's proxy server,
and off to your VNC machine. Then on your VNC machine, you
run hts and tell it to listen on (for example) 9999 and
forward what it hears to port 5900.
Both htc and hts should startup and sit quietly.
Then you run your VNC viewer at work and connect it to
'localhost 8888'...and it reaches thru the proxy to
connect to your VNC server.
I just had to do this today, and it took maybe
15 minutes to get it working, with no need to touch
the firewall settings. Very cool. As Harmen suggested, for
something noisy like VNC, follow the README example for
choosing a good buffer-size. If your IT guys at work ever
complain, ask for SSH to be permitted instead. :)

Good luck!

-Scott
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Harmen van der Wal

2001-03-13 16:27:24 UTC

Permalink

"Scott C. Best" wrote:
>
> Raji:
> Hello! As Harmen wrote, I'm a big fan of:
>
> > http://www.nocrew.org/software/httptunnel.html
<...>
> As Harmen suggested, for
> something noisy like VNC, follow the README example for
> choosing a good buffer-size. If your IT guys at work ever
> complain, ask for SSH to be permitted instead. :)
>
> Good luck!
>
> -Scott

Hope I didn't leave the impression that it's wrong to use VNC through a
HTTP proxy...

It's just that the particular firewall tunneling method that has to be
used for restricted Java applets, requires a http POST requests whenever
there's data to be send from client to server, imposing huge workloads
on a http proxy with VNC.

I know little about httptunnel, but I can guess what it does, and tail
my proxy logs while using it.

httptunnel, will just use 1 GET and 1 POST requests for all data both
ways, so the overhead will be low, and the're won't be a lot of logging
to do for a http proxy. So using it with VNC is OK.

However: setting a buffersize with httptunnel (when using a buffering
http proxy) will get you multiple POST requests for sending data = more
overhead. So you should only set a buffer when your http proxy requires
this.

Using httptunnel with a buffering http proxy with VNC is not a good
idea, IMHO.

Harmen.
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

S.C.Best

2001-03-14 18:03:47 UTC

Permalink

Raji:
Hello! So if I recall the situation correctly...your
workplace firewall only allows a handful of 'standard' ports
thru, like HTTP and FTP, and not something like VNC. You've
an NT machine behind this firewall at work, and want to VNC
to your home Win98 machine that's using an always-on
Internet connection.
Tricky. :) Counterintuitively, it'd be a world easier
if you had *another* machine at your home that was on the LAN
with your Win98 machine that you wanted to connect with. I've
not had much luck getting Win98 boxes to do networking tricks,
as opposed to a Linux box or even a WinNT one.
Any chance this is an option?

-Scott

At 7:23 AM -0800 3/14/01, Raji Siddoo wrote:
>Thanks for all your help guys. It seems I have some
>hope to get this thing to work with even my feable
>skills. But I have run into a snag.
>
>My machines is NT @ work (behind the firewall) but the
>other is at home running on Win 98. I realized quickly
>that when I try to run nts on Win 98 it does not seem
>to be compatible and does not start up. Any other
>versions of this software that may support running
>both platforms or other suggestions anyone may have
>would be appreciated.
>
>Thanks,
>rs
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Harmen van der Wal

2001-03-14 20:54:01 UTC

Permalink

"S.C.Best" wrote:
>
> Raji:
> Hello! So if I recall the situation correctly...your
> workplace firewall only allows a handful of 'standard' ports
> thru, like HTTP and FTP, and not something like VNC.
>You've
> an NT machine behind this firewall at work, and want to VNC
> to your home Win98 machine that's using an always-on
> Internet connection.
> Tricky. :) Counterintuitively, it'd be a world easier
> if you had *another* machine at your home that was on the LAN
> with your Win98 machine that you wanted to connect with. I've
> not had much luck getting Win98 boxes to do networking tricks,
> as opposed to a Linux box or even a WinNT one.
> Any chance this is an option?
>
> -Scott

I don't see how having another machine at a home-LAN would help, and why
Win98 can't do network tricks (allthough I have no experience with it
98).

But let's be clear about what only being able to connect on standard FTP
and HTTP ports means.

1) You can only connect out on certain ports because of a packet
filtering firewall.
2) You can only connect out through a proxy, using certain protocols
with that proxy, like http or ftp (or maybe socks-protocol).

When your problem is 1) all you need to do is tell your vncserver to
listen to another port (a port your firewall allows.) Allthough this is
tricky if you insist upon using the Java applet. Or use a simple
portforwarder. I don't know about any portforwarders for windows, but
I'm sure they're available.

When your problem is 2) you need to get yourself a tunnel-tool, that
handles the protocol for you when talking to the proxy, usually http.

To make things a little more complicated: with problem 1) you can use a
http proxy for your portforwarder (if it supports HTTP CONNECT on your
port even without a tunnel-server.) That is basically what I made my
vncviewer for. I had a restrictive ISP with a packet filter on all but a
few ports, and couldn't control the port my (Workspot-) vncserver
listened to myself.

But I guess Radji's problem is, that the NT-binaries for httptunnel
don't not work on Win98? What about HTTPort (or whatever it is called
these days)?

>
> At 7:23 AM -0800 3/14/01, Raji Siddoo wrote:
> >Thanks for all your help guys. It seems I have some
> >hope to get this thing to work with even my feable
> >skills. But I have run into a snag.
> >
> >My machines is NT @ work (behind the firewall) but the
> >other is at home running on Win 98. I realized quickly
> >that when I try to run nts on Win 98 it does not seem
> >to be compatible and does not start up. Any other
> >versions of this software that may support running
> >both platforms or other suggestions anyone may have
> >would be appreciated.
> >
> >Thanks,
> >rs

--
Harmen
Firewall VNC Client: http://www.workspot.net/~harmen/vnc/readme.html
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

m***@altavista.com

2001-03-13 09:13:34 UTC

Permalink

Hi Scott!

Will vnc client and server work faster if both ends have high speed dsl. How about if only the vnc client has dsl.

Thanks
Mario

On Mon, 12 March 2001, "Scott C. Best" wrote:

>
> Raji:
> Hello! As Harmen wrote, I'm a big fan of:
>
> > http://www.nocrew.org/software/httptunnel.html
>
> I found it terribly easy to setup. Source compiles
> quickly, giving two binaries: htc and htc. You run htc
> at your workplace, telling it to forward port 8888 (for
> example) on your local machine thru your work's proxy server,
> and off to your VNC machine. Then on your VNC machine, you
> run hts and tell it to listen on (for example) 9999 and
> forward what it hears to port 5900.
> Both htc and hts should startup and sit quietly.
> Then you run your VNC viewer at work and connect it to
> 'localhost 8888'...and it reaches thru the proxy to
> connect to your VNC server.
> I just had to do this today, and it took maybe
> 15 minutes to get it working, with no need to touch
> the firewall settings. Very cool. As Harmen suggested, for
> something noisy like VNC, follow the README example for
> choosing a good buffer-size. If your IT guys at work ever
> complain, ask for SSH to be permitted instead. :)
>
> Good luck!
>
> -Scott
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to ***@uk.research.att.com
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------

Find the best deals on the web at AltaVista Shopping!
http://www.shopping.altavista.com
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Richard Harris

2001-03-13 09:30:19 UTC

Permalink

> From: Liza Vorster <***@mepta.pwv.gov.za>
> Subject: Putting vnc in logon script

> I would just like to find out if there is a way that we can put vnc in
> our logon script to install on our client pc's? And then also a way to
> make the password a standard password automatically.

You could do it with a batch file for Windows 9x, but NT won't let
you as you need admin access.

Have a dig in the archieves about an install script (it works a treat).
Failing that, there's my attempt at www.synik.f9.co.uk/vnc/ which
should give you some pointers.

Hope that helps!

---------------------------------
Richard Harris
Environment IT
Nottinghamshire County Council
Tel: 0115 977 4509
Fax: 0115 977 2417
Web: www.nottscc.gov.uk
---------------------------------

"I find your lack of mirth disturbing."
~ Darth Tarby
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Richard Harris

2001-03-13 10:09:20 UTC

Permalink

> VNC has two password types.
>
> 1. The Default Password which is controlled from: (Global)
> "Start Menu -> VNC -> Administrative Tools -> Show Default Settings"
>
> 2. The Current User Password which is controlled from: (Per User)
> "Start Menu -> VNC -> Show User Settings"

Michael,

Once you've set the password, have a look in the
HKLM\Software\Orl\WinVNC\Default key. I know NT stores the
default VNC password in here.

With NT, you don't need to have that password replicated into each
user that logs on. I'm wondering if you could set your password,
then export the key and value into:

HKLM \ Sofware \ ORL \ WinVNC \ Default

Key = Password, Type = Binary.

Would that fix the Win2000 problem?

---------------------------------
Richard Harris
Environment IT
Nottinghamshire County Council
Tel: 0115 977 4509
Fax: 0115 977 2417
Web: www.nottscc.gov.uk
---------------------------------

"I find your lack of mirth disturbing."
~ Darth Tarby
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

James ''Wez'' Weatherall

2001-03-13 10:21:55 UTC

Permalink

> > VNC has two password types.
> >
> > 1. The Default Password which is controlled from: (Global)
> > "Start Menu -> VNC -> Administrative Tools -> Show Default Settings"
> >
> > 2. The Current User Password which is controlled from: (Per User)
> > "Start Menu -> VNC -> Show User Settings"
>
> Michael,
>
> Once you've set the password, have a look in the
> HKLM\Software\Orl\WinVNC\Default key. I know NT stores the
> default VNC password in here.
>
> With NT, you don't need to have that password replicated into each
> user that logs on. I'm wondering if you could set your password,
> then export the key and value into:
>
> HKLM \ Sofware \ ORL \ WinVNC \ Default
>
> Key = Password, Type = Binary.
>
> Would that fix the Win2000 problem?

Setting the password with the Default Properties dialog will access the
Default key described above.

Cheers,

James "Wez" Weatherall
--
"The path to enlightenment is /usr/bin/enlightenment"
Laboratory for Communications Engineering, Cambridge - Tel : 766513
AT&T Labs Cambridge, UK - Tel : 343000
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

Raji Siddoo

2001-03-14 15:27:01 UTC

Permalink

Thanks for all your help guys. It seems I have some
hope to get this thing to work with even my feable
skills. But I have run into a snag.

My machines is NT @ work (behind the firewall) but the
other is at home running on Win 98. I realized quickly
that when I try to run nts on Win 98 it does not seem
to be compatible and does not start up. Any other
versions of this software that may support running
both platforms or other suggestions anyone may have
would be appreciated.

Thanks,
rs

--- "Scott C. Best" <***@best.com> wrote:
> Raji:
> Hello! As Harmen wrote, I'm a big fan of:
>
> > http://www.nocrew.org/software/httptunnel.html
>
> I found it terribly easy to setup. Source compiles
> quickly, giving two binaries: htc and htc. You run
> htc
> at your workplace, telling it to forward port 8888
> (for
> example) on your local machine thru your work's
> proxy server,
> and off to your VNC machine. Then on your VNC
> machine, you
> run hts and tell it to listen on (for example) 9999
> and
> forward what it hears to port 5900.
> Both htc and hts should startup and sit quietly.
> Then you run your VNC viewer at work and connect it
> to
> 'localhost 8888'...and it reaches thru the proxy to
> connect to your VNC server.
> I just had to do this today, and it took maybe
> 15 minutes to get it working, with no need to touch
> the firewall settings. Very cool. As Harmen
> suggested, for
> something noisy like VNC, follow the README example
> for
> choosing a good buffer-size. If your IT guys at work
> ever
> complain, ask for SSH to be permitted instead. :)
>
> Good luck!
>
> -Scott
>
>

=====
Raji Siddoo
Email: ***@iname.com

Vancouver Telephone: (604) 736-5751

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices.
http://auctions.yahoo.com/
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to ***@uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------