miketla

asked on

Remotely controlling a WINXP box (behind a firewall)

OBJECTIVE:
I want to set up one of my WINXP boxes, say Computer A (behind this firewall), to be remotely controllable (VNC, PCAnywhere, Remote Desktop, etc.) from the internet.

From any computer on the internet, I want to create an encrypted link to Computer A. Then I can run some remote controlled software (vnc, pcanywhere, remote desktop ...) through this encrypted tunnel. I believe VNC can tunnel through SSH.

THINGS I HAVE:
I have a Linksys BEFSR41 DSL-router/Firewall and all my computers are behind this firewall. This firewall is configured to allow IPSec and PPTP packets to pass through.

ComputerA, behind firewall, running WinXP Professional Edition.

THINGS I TRIED:
I've tried PCAnywhere from Norton but it required me to poke a hole through my firewall (forward some ports to Computer A). I prefer not having to do this.

I'm a newbie to Network Security in general. For the past few weeks, I've been reading on SSH, IPSec, PPTP, VPN ... but still don't have a very clear picture of how everything fits together (like what SSH is, and whether it is a protocol like IPSec or PPTP). Any pointer to online reading material is greatly appreciated.

STUFF I HAVE READ:
FIREWALL
http://www.interhack.net/pubs/fwfaq/#SECTION00033000000000000000

VPN
http://www.remotenetworktechnology.com/ow.asp?Remote%5FNetwork%5FHome%2FVPNIncomingConn%2FVPNClientSetup
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/Conn_VPN.asp
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314076&sd=tech

PORTS
http://www.chebucto.ns.ca/~rakerman/port-table.html

REMOTE DESKTOP
http://www.colostate.edu/acns/vector/Vector/20-1Fall02/desktop.html

SSH
http://www.cs.ucsb.edu/~kip/ssh/
http://www.jfitz.com/tips/ssh_for_windows.html
http://www.networksimplicity.com/openssh/
http://www.dreaming.org/~giles/papers/SSH/
http://www.zip.com.au/~roca/ttssh.html
http://www.uk.research.att.com/vnc/sshvnc.html
http://www.tldp.org/HOWTO/mini/ppp-ssh/
http://info-center.ccit.arizona.edu/~consult/win-tnl.html

VNC
http://www.xs4all.nl/~harmwal/vnc/readme.html
http://www.uk.research.att.com/vnc/sshvnc.html

-Mike  
ASKER CERTIFIED SOLUTION
kstaker

hoeyc

If you only allow Remote Assistance, a user from your XP (Pro?) machine will have to make a Remote Assistance Request for you to connect to it. If you want to remotely access the XP box at any time, I recommend that you enable Remote Desktop (My Computer--> Properties-->Remote Tab).

Remote desktop will allow you to do most everything except transfer files unless you connect through a VPN connection. The VPN connection will allow you access to both local and remote drives.

The only way to use any remote access software through a router is to forward the TCP port for that application to the client machine that you need to access. Otherwise, the router doesn't know where to direct the request. I have worked with WinVNC, PC Anywhere and Remote Desktop. They all have their advantages, but I use RDP almost exclusively now. The connection over DSL is astounding.

Another advantage of Remote Desktop is that you can connect to MS Terminal Server as a client. I use it for remote administration.

One last note about RDP: when you log in to your XP box, the current user will be logged out unless you are the currently logged in user. If you close the connection without logging off, you will remain the currently logged in user.

getzjd
Hoeyc Is correct.
miketla (ASKER)

My semester just started. As a result, I can only try these suggestions during weekend. Thanks a lot for all the suggestions though. I really appreciate them.

-Mike
miketla (ASKER)

Besides remotely controlling the XP box, I also want to have file transfer capability.

Can you give me instructions on how to setup a VPN connection (both client and server sides)? What is PPTP and IPSec and which one is better for VPN?

I can tell you that Remote Desktop will not work with NAT running on both sides.  Your Linksys box is technically not a firewall, it is only a NAT device (Network Address Translation).   I am sure if you are attempting this from school they have their own internal IP address structure and firewall in place.

PPTP is Point to Point Tunneling Protocol and IPSec is IP Security Protocol.   IPsec and NAT are inherently not compatible.

Here's a great site on both:
http://www.iss.net/security_center/advice/Countermeasures/VPN/default.htm

Here is a link that may explain some of the difficulties involved in implementing IPSec with NAT: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-02.txt



If you install terminal services on both machines, you will have full control of your home PC. Set up a user profile for your home PC to log on with terminal services. Install terminal services on your work PC with the disk that will be created. I connect to my PC at home through an Asante router that has NAT and never had any problems, nor have some of my friends that use the same box.

I use XP Pro at home and at work to do this. I never tried XP Home for this. I can't remember if Home supports this.

I would set up a Windows 2000 Server machine to handle all this, as it is designed for this and has better security overall.

>I can tell you that Remote Desktop will not work with NAT running on both sides

Unless you run a VPN that encapsulates the data before the translation engine gets a chance to play with it, which is what he has been talking about from the first post, in case you didn't read back that far.

My only other advice is to get a router/firewall that does your VPN for you, since relying on microsoft for security is utterly laughable (why does anyone still think this is a good idea?), not to mention the security implications of running your VPN server *behind* your firewall - if you run it behind your firewall, now you suddenly have two "firewalls" to configure, or else you open your entire internal network up to whatever nasty pranks may originate from the other end of the connection.

Cheers,
-Jon

The--Captain... is all over this...  That would be the ultimate way to set this up....

That Linksys box won't cut the mustard, pick up an 800 series Cisco router at a minimum. It will support Firewall\3DES!!  Need minimum 20 MB Ram to support that config.

MSGeek

You asked to split points between MSGeek and The--Captain.
I have reduced the points on this question from 100 to 50 as indicated by your request at Community Support. Please copy the URL and create a new question in this topic area for the other Experts to whom you wish to award points. The title of the question should read "Points for", followed by the Expert's name. In the question itself, you should paste the link to the original question and perhaps a comment stating that the points are for their help with that question. Once you have created the new questions, you can go back to the original, and accept the comment from the Expert for whom you did not create a new question. The Experts will comment in your new "Points for" question(s), which you then accept and grade to close.
If you have any questions, please don't hesitate to ask.
Thank you.

** Mindphaser - Community Support Moderator **

MSGeek is wrong.  I have a linksys NAT router at work and at home, and I am able to Remote Desktop. It DOES IN FACT WORK FINE with this.  I am actually using this right now to post this.  Funny how someone says you can't do something that you have been doing for 12 months...

Soulgiver9

I do not see how NAT at two locations would pose a problem.  All of my clients have some form of NAT running, whether it be on a PIX, Linksys, SonicWall, etc., and every place I am at when I connect is using NAT to gain outside access.

I am confused as to why this statement was made.  "I can tell you that Remote Desktop will not work with NAT running on both sides.  Your Linksys box is technically not a firewall, it is only a NAT device (Network Address Translation).   I am sure if you are attempting this from school they have there own internal IP address structure and firewall in place. "   

If you want to set up your PC so you can control it and transfer files, I suggest using a VPN, mapping drives once the VPN is established to facilitate the transferring of files, then using terminal services to control the remote desktop.

How big are the files you plan on transferring?  The cisco 800 is good, but the linksys does also support 3des.  However, the file transfer speeds are somewhat pathetic.  

Bottom line is that MSGeek swept into this question, gave incorrect information, and walked away with points.  Really points out the inadequacies of EE.

I did not collect the points for this and will request that my question containing the points be closed.   I do not care about the points.   I am here to learn and share what I know.

When I indicated remote desktop sharing would not work with NAT running at both ends, that was based upon the use of Remote Assistance invitations.  Microsoft has documented that this will not work:

http://support.microsoft.com/default.aspx?scid=kb;en-us;301529

>>MSGeek is wrong.  I have a linksys NAT router at work, and at home and I am able to Remote Desktop DOES IN FACT WORK FINE with this.  I am actually using this right now to post this.  Funny how someone says you can't do something that you have been doing for 12 months...

>>Soulgiver9

Soulgiver9... If you have it set up another way that will assist miketla why don't you share it with us?  If it is set up just as kstaker indicated could you please let us know.

getzjd... I was hoping this thread would continue, I believe you were on the right track.

Ahh, OK, I see where the confusion was.... remote assistance requests are slightly different than remote desktop.  I think the easiest way would be to use terminal server on top of an existing VPN connection, then map drives between the two machines so that file transfer can take place. There is also a feature in the XP Remote desktop client that will allow mapping of local drives.  But I am not sure if it is supported when connecting to a desktop and not a server.  http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp

Ok!
I have port forwarding to our XP machine that is running Remote Desktop, not Remote Assistance.   I have actually never used Remote Assistance.   This is somewhat different than Remote Desktop.  One will take over the computer (RD), the other will join in actively with the active session (RA).  I believe that at the top he was asking about Remote Desktop/VPN etc.  Here is the cut-n-paste:
>>(VNC, PCAnywhere, Remote Desktop, etc) from the internet.

At work I have:

Linksys Router.  (Simple cheap kind running advanced NAT with port forwarding)  It is forwarding 3389 to the one XP machine.  The other end I have a Linksys Router/WAP/4 port hub that is forwarding 3389 to my XP machine.  I can connect from my machine to one, then connect to the other and back again.  (gets confusing with all of them remote desktops showing around....heh)  but it is possible.  

On a side note:
I have actually done this:
Terminal Server to my Win2k Advanced Server, open a VPN to school then do a Remote Desktop to a server there, then do a PCAnywhere to a friend's computer (also linksys Router), then from there open a VPN connection to school and do a Remote Desktop to the computer that I was using to start it all with.   Very funny it was yes!  Although it was a bit slow at the end.  HEH

Soulgiver9

Thanks for straightening us out here.. I was a little confused by kstaker:

>>Your best bet for an XP box is Terminal Services- Remote Desktop Protocol.  This is secure, and encrypted.  All you need to do is enable Remote Assistance on your XP Box using the following procedure

Sounds like Remote Desktop and Remote Assistance are the same thing, it is just a matter of how it is accessed?  By means of an invitation through NAT on both sides it will not work, but if configured as Soulgiver9 states it will function with NAT on both ends?

It seems this discussion started again.

miketla didn't accept an answer yet, so I upped the points back to the initial 100 and you folks have to take care of the question now :-)

** Mindphaser - Community Support Moderator **

Sorry for any confusion -

Remote Assistance can be configured so as to allow people to connect into the box.  They do not need to request an invitation or any of that junk.  You can enable it based on a per username basis.  In this respect it is the same as Terminal Services.  The difference is that you do not create your own session but instead have a shared desktop.

This can work through a PPTP tunnel, and certainly through a linksys router.

To clarify, if you go to properties of My Computer in XP then to the Remote Tab, there are two separate and different options that you may enable.  One is Remote Assistance.  The other is Remote Desktop.  They are not under the same name, they are not both referred to as Remote Assistance.

miketla (ASKER)

Hi all,

First of all, I would like to apologize for the late response. My computer has been acting very weird lately after I tried to install and uninstall one program after another (while trying out VPN, SSH, VNC, etc.). In the end, I even had to do a system restore to a day about a month back and reinstall the software I needed.

Anyway, I would like to thank all for contributing to help me solve my problem. Following are the reasons why I award points to each member:

100 points to kstaker
For giving me the port # for both Remote Desktop (3389) and VPN (1723).

50 points to MSGeek
For warning me that NAT will not work. I read all the comments posted and am still not very clear on why I couldn't get it to work. From my understanding, a NAT device will block all inbound traffic UNLESS the information is originally requested from a machine behind the firewall. I did forward port 3389 on my LinkSys to the local IP of my WinXP desktop box (@ home) and couldn't reach it from school through my router's external IP. In the end, I had to place my WinXP desktop box in the DMZ and install 2 software firewalls on it (Zone Alarm Pro and Norton Personal Firewall).

50 points to The--Captain
For clarifying how VPNs encapsulate data and how that might not work through a NAT. I would also like to thank him for suggesting that I seek a non Microsoft solution, which I did. In the process of seeking a non MS solution, I found SSH to be a good alternative solution.

I would also like to post the list of stuff I tried and the roadblocks I encountered in case someone runs into a similar situation.

Using Remote Desktop and VPN:
I forwarded ports 3389 and 1723 to my WinXP Desktop on my NAT. Having done this, I still could not remotely access my system from school. I then placed my Desktop in the DMZ and was able to access it using Remote Desktop from school (this proves that my school firewall wasn't the culprit that blocked my previous attempt).

I tried the VPN solution provided by Microsoft but couldn't get it to work. I then tried using WinGate VPN to establish a connection. I successfully connected my laptop from school to my Desktop at home using VPN but I could not browse the network behind my Linksys NAT. After a few days of trying in vain, I gave up and switched to using SSH.

Using SSH, VNC and WinSCP:
I installed the Win32 port of OpenSSH on my Desktop. I then used PuTTY on my laptop to create an encrypted tunnel to my Desktop and forward port 59xx so I can run VNC through the tunnel. Having done this, I can securely control my desktop and still have a backup method in case I couldn't open an SSH tunnel. In that case, I can always fall back to using Remote Desktop as my backup solution. Plus, using SSH and PSTOOLS (can download for free), I can do some administrative tasks such as listing or killing a process, or shutting down/logging out the current user/restarting the computer. PSTOOLS really enables me to perform administrative tasks that Remote Desktop wouldn't let me do (Remote Desktop only lets me disconnect the current session, not log out or restart the computer).

To transfer files using a GUI, I used WinSCP, which also utilizes an SSH tunnel to securely transfer files.

Last but not least, feel free to comment/clarify on anything I said. For example, why forwarding ports on the NAT doesn't work (which forced me to put my Desktop in the DMZ) or why I couldn't browse the network after I established a VPN tunnel.

-Mike

The VPN tunnel is designed to secure communications between the NIC in your home PC and the laptop.  I am not sure, but if you placed a second NIC in the desktop, you may then be able to browse your network through a VPN connection.

You also need to enable IPSec forwarding on the linksys.  On mine I have port 500 forwarded as well for VPN and that is the only way that it worked for me.  Remote Desktop for WinXP is very limited compared to its sister Terminal Services from the Windows 2000 Server club.  (That is what I use).   Did you click the enable for your linksys?   Did you forward both TCP and UDP for 1723 and 3389 AND 500 (not sure why I need 500 but I think it has to do with TTPT2 connections if I remember correctly, hey, it's been a year and a half since I monkeyed with that router...)  

NOTE:  once you establish a VPN you cannot do a Remote Desktop with the router's public IP address.  It will not work.  You need to establish one with your computer's internal IP address such as 192.168.1.2 or however you have your desktop configured.   From your Run command, run CMD then run ipconfig.  This will tell you what your NIC IP address is.   This is why your VPN AND RD did not work.   Forget the 500 port, that is for TTPT2 and it does not work with Linksys NAT at this time.

miketla (ASKER)

Hi The--Captain

Please follow this link to collect your question point.

https://www.experts-exchange.com/questions/20510553/question-point-for-MSGeek.html

easy, why has this gone on so long....

1) set up ssh server on the client
2) forward 22 on the linksys to the client
3) connect from wherever with putty forwarding 3389 to the client
4) fire up terminal services client and connect to localhost

secure....reliable...easy
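The local-forward step above (PuTTY forwarding 3389, and 59xx for VNC in miketla's summary) boils down to a listener on the laptop's loopback whose connections are relayed to the far end, so the RDP or VNC client simply connects to localhost. This added Python example (not from the thread) implements that relay without the SSH layer, in the clear on loopback so it runs offline; the echo server and the payload are constructed stand-ins for the RDP/VNC service.

```python
"""Loopback forwarder modelling the '-L 3389:localhost:3389' step, minus SSH (clear text, offline)."""
import socket
import threading

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def start_forwarder(local_port, target_host, target_port, bind="127.0.0.1"):
    """Listen on bind:local_port and relay each connection to target_host:target_port.
    The 127.0.0.1 default (as with -L) keeps the forwarded RDP/VNC port off the school LAN."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((bind, local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
                upstream = socket.create_connection((target_host, target_port))
            except OSError:
                return  # listener closed or target unreachable
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener  # port is getsockname()[1]; pass local_port=0 for an ephemeral one

def start_echo_server():
    """Constructed stand-in for the far-end service (RDP 3389, VNC 59xx): echoes one message."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        with srv.accept()[0] as conn:
            conn.sendall(conn.recv(1024))

    threading.Thread(target=serve_one, daemon=True).start()
    return srv

def demo():
    # Forward an ephemeral loopback port to the echo server and use it via "localhost".
    srv = start_echo_server()
    fwd = start_forwarder(0, "127.0.0.1", srv.getsockname()[1])
    with socket.create_connection(("127.0.0.1", fwd.getsockname()[1])) as c:
        c.sendall(b"RDP hello via tunnel")  # constructed sample payload
        reply = c.recv(1024)
    fwd.close()
    srv.close()
    return reply
```

In the real setup the only port the Linksys forwards is 22; everything the tunnel carries arrives at the XP box from its own SSH daemon, so 3389 and 59xx never need to be exposed on the router.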