Solved

How does Remote Assistance access a computer behind a router's firewall without any firewall configuration?

Posted on 2004-09-30
7
363 Views
Last Modified: 2010-04-10
Following on from this question: http://www.experts-exchange.com/Networking/Q_21114583.html

How is that without doing any port forwarding a computer on the internet is able to access a supposedly secure xp machine sitting behind a firewall with nothing but the windows xp software to authenticate the access request from the remote assisting computer?

How does this work under the hood?
0
Comment
Question by:micknorman11
  • 4
  • 2
7 Comments
 
LVL 20

Expert Comment

by:DVation191
ID: 12189629
Remote assistance uses Terminal Services technology, allowing a helper to assist you via a remote Terminal Services session. Remote Assistance uses a simple, secure process in establishing a connection between you and a helper. The request is encrypted in a public key and sent using XML. As long as your router is letting the Remote Desktop ports through, remote assistance will work.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rmassist.mspx
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12189643
Additional Notes:

Configuring Port 3389 to Enable Remote Assistance
Remote Assistance runs over the top of Terminal Services technology, which means it needs to use the same port already used by Terminal Services: port 3389.

Note: If the person who is being helped is behind a firewall, NAT, or ICS, Remote Assistance will still function as long as the person being helped initiates the session via Windows Messenger. However, as stated above, Remote Assistance will not work in cases when the outbound traffic from port 3389 is blocked.

Using Remote Assistance in a Home Network
If you are using Personal Firewall or NAT in a home environment, you can use Remote Assistance without any special configurations. However, if you have a corporate-like firewall in a home environment, the same restrictions apply: you would need to open Port 3389 in order to use Remote Assistance.
0
 

Author Comment

by:micknorman11
ID: 12189651
I neglected to mention that the remote assistance was working before I got the router configured to support remote desktop (ie enabled the port forwarding)
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 20

Expert Comment

by:DVation191
ID: 12189730
Most consumer-grade routers do not have the firewall enabled by default. Even if they do, they may not be blocking those ports. If you get port-scanned from the outside, you can see which ports you have open and which are closed...
Shields Up!
http://www.grc.com/x/ne.dll?rh1dkyd2
0
 

Author Comment

by:micknorman11
ID: 12189782
Hrm ... I'll go check out the router asap. I thought the firewall was on, but I could have overlooked it. Best double check.

I was just reading another EE question and discovered MAC filtering doesn't prevent sniffing wireless routers either - ACK!

There's at least one change I'll be making on the router - enable WEP.

I've been told 802.11b is piece of cake to bust into anyway ... I'll have to look further into that.

Back in a couple of days ... tks for the input so far :)
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12189828
yea from a linux box, even WEP is no match...
=)
0
 
LVL 3

Accepted Solution

by:
ccceqo2 earned 500 total points
ID: 12198205
What I understand is:
You were using a router performing NAT, the standard setup to let multiple PCs share an internet connection.
You had no port forwarding configured on this router.
But you still managed to remote assist one of the PCs behind this router.

And you want to know how this could work?

Normally, when the requester has port forwarding enabled, anyone could send a TCP request to their IP address and their router would forward it through to the requester. When the port is blocked, the requester has to send out the TCP request, because this is their only way of establishing a connection with hosts outside their local network.

There could be two ways to do this, one if the person providing assistance had THEIR router/firewall configured to allow incoming port 3389 traffic to reach them, and the other if the person providing assistance did not ie. both users were blocked off from incoming requests.

1) If the assister has THEIR firewall configured, the software accepts the request and then looks for the incoming request from the requester. Once the assister has accepted this request, a link is established between the two PCs. This is a clever hack to allow TCP requests to be established in the opposite direction to normal and is used by all sorts of software like ICQ, and file sharing programs.

2) If neither have their firewalls configured, then another external host with its firewall properly configured will be required to assist. The requester sends TCP requests to this third party, and when the assister accepts the request, they too send TCP requests to the third party. When the third party host sees the matching incoming requests, it accepts them both and "joins" them by relaying traffic from one TCP session to the other. The third party host will need to handle all traffic involved in the remote session. This hack is also used to allow programs like ICQ to run chat session between users who are all behind firewalls.

I hope you understand this overview of what is going on. To understand all the details you need to study how the TCP/IP protocol stack is designed and how it operates.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now