How does Remote Assistance access a computer behind a router's firewall without any firewall configuration?

Posted on 2004-09-30
Medium Priority
Last Modified: 2010-04-10
Following on from this question: http://www.experts-exchange.com/Networking/Q_21114583.html

How is that without doing any port forwarding a computer on the internet is able to access a supposedly secure xp machine sitting behind a firewall with nothing but the windows xp software to authenticate the access request from the remote assisting computer?

How does this work under the hood?
Question by:micknorman11
  • 4
  • 2
LVL 20

Expert Comment

ID: 12189629
Remote assistance uses Terminal Services technology, allowing a helper to assist you via a remote Terminal Services session. Remote Assistance uses a simple, secure process in establishing a connection between you and a helper. The request is encrypted in a public key and sent using XML. As long as your router is letting the Remote Desktop ports through, remote assistance will work.

LVL 20

Expert Comment

ID: 12189643
Additional Notes:

Configuring Port 3389 to Enable Remote Assistance
Remote Assistance runs over the top of Terminal Services technology, which means it needs to use the same port already used by Terminal Services: port 3389.

Note: If the person who is being helped is behind a firewall, NAT, or ICS, Remote Assistance will still function as long as the person being helped initiates the session via Windows Messenger. However, as stated above, Remote Assistance will not work in cases when the outbound traffic from port 3389 is blocked.

Using Remote Assistance in a Home Network
If you are using Personal Firewall or NAT in a home environment, you can use Remote Assistance without any special configurations. However, if you have a corporate-like firewall in a home environment, the same restrictions apply: you would need to open Port 3389 in order to use Remote Assistance.

Author Comment

ID: 12189651
I neglected to mention that the remote assistance was working before I got the router configured to support remote desktop (ie enabled the port forwarding)
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

LVL 20

Expert Comment

ID: 12189730
Most consumer-grade routers do not have the firewall enabled by default. Even if they do, they may not be blocking those ports. If you get port-scanned from the outside, you can see which ports you have open and which are closed...
Shields Up!

Author Comment

ID: 12189782
Hrm ... I'll go check out the router asap. I thought the firewall was on, but I could have overlooked it. Best double check.

I was just reading another EE question and discovered MAC filtering doesn't prevent sniffing wireless routers either - ACK!

There's at least one change I'll be making on the router - enable WEP.

I've been told 802.11b is piece of cake to bust into anyway ... I'll have to look further into that.

Back in a couple of days ... tks for the input so far :)
LVL 20

Expert Comment

ID: 12189828
yea from a linux box, even WEP is no match...

Accepted Solution

ccceqo2 earned 2000 total points
ID: 12198205
What I understand is:
You were using a router performing NAT, the standard setup to let multiple PCs share an internet connection.
You had no port forwarding configured on this router.
But you still managed to remote assist one of the PCs behind this router.

And you want to know how this could work?

Normally, when the requester has port forwarding enabled, anyone could send a TCP request to their IP address and their router would forward it through to the requester. When the port is blocked, the requester has to send out the TCP request, because this is their only way of establishing a connection with hosts outside their local network.

There could be two ways to do this, one if the person providing assistance had THEIR router/firewall configured to allow incoming port 3389 traffic to reach them, and the other if the person providing assistance did not ie. both users were blocked off from incoming requests.

1) If the assister has THEIR firewall configured, the software accepts the request and then looks for the incoming request from the requester. Once the assister has accepted this request, a link is established between the two PCs. This is a clever hack to allow TCP requests to be established in the opposite direction to normal and is used by all sorts of software like ICQ, and file sharing programs.

2) If neither have their firewalls configured, then another external host with its firewall properly configured will be required to assist. The requester sends TCP requests to this third party, and when the assister accepts the request, they too send TCP requests to the third party. When the third party host sees the matching incoming requests, it accepts them both and "joins" them by relaying traffic from one TCP session to the other. The third party host will need to handle all traffic involved in the remote session. This hack is also used to allow programs like ICQ to run chat session between users who are all behind firewalls.

I hope you understand this overview of what is going on. To understand all the details you need to study how the TCP/IP protocol stack is designed and how it operates.

Featured Post

Managed Security Services Webinar - March 15

Selecting the right managed security services platform to grow your business can be a huge undertaking. Join WatchGuard and Frost & Sullivan in an upcoming webinar as we dive into the key elements of selecting a vendor platform and partnership to fuel a successful MSSP business.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question