We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Tight VNC over Internet - security risk and how-to.

Medium Priority
Last Modified: 2013-11-16
Need to Tight VNC (no other) to people accessible by cable and DSL, most fixed IP, but remember, DSL not guaranteed fixed IP.  Have not had much luck over internet, always work on local NW.  Ideas on these -
1.  how to make connection over internet with tight VNC
2.  Security risk to both sides if doing this.  Would not expect remote site to always run tight VNC, just on request, but still significant hack breach possible while program running.

Looking for ideas from people already having done this with good luck, what are problems, exposure, and how to make it work reliable.  Have heard they dont need to run Tight VNC, if so pls. explain why. PS have read most links, not answer questions, please give personal experience and how you get working. Thanks.
Watch Question

Ken ConradieNetwork Manager

What are you trying to accomplish if NOT using Tight VNC is an option? Remote support? Have you considered using a paid service that doesnt require a pre-installed app, like Webex? Check this out: http://www.webex.com/solutions/online-support.html


Not interested in web-based ideas like above or logmein.com, they get your data and can login to computers unannounce.  Question ask for tight VNC input only please, thank you.

you use tightvnc over the net just like you would over the network, except you use a public ip instead of a private ip.

your problem might be with your router. i assume you have multipule computers behind a router?

you'd have to foward traffic from the ports of vnc to the specific computers.

if your not running it constantly, the risk of security is not that big. but yes, there is still a risk. if you use good passwords, you lessen the risk greatly.

as for changing ips, http://www.no-ip.com/ is your answer

you download a small program that runs in the background. it constantly keeps track of your ip. where there is a change, the server updates. this lets you connect through vnc to myname.no-ip.com this would redirect to your ip address


"you'd have to foward traffic from the ports of vnc to the specific computers"

Are you sure of this?  That means I must configure all routers to VNC to all computers on each remote network?  That seems unusable, since need to get to all systems in remote group, why do I need to do this if all systems on remote network should be reachable by VNC?  Cant you just VNC to the address and system name, like this - to get to system1 in that IP range?  

Any idea as to other comments on expert exchange, saying server dont need to run on remote machine, can login direct to port, as remote VNC act like Java app?  Not sure if this true or not, cant find out for sure...

server needs to be installed on all machines and client is used to view them.

ive never heard or used tightvnc with the /system1 swtich
If you want to use this for remote assistance only, the users can start the Tight VNC program and select "Add new Client". This means the users start the connection to your machine and therefore you don't need port forwarding in the remote routers since it is an outgoing connection. You (or the support) need to run Tight VNC in the Listening Mode.


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Please all look at this thread - http://www.experts-exchange.com/Miscellaneous/Q_20753147.html

Last accepted comment, dont need tight VNC viewer, it just acts like JAVA application.  If this true, I dont need to ask all clients to install tight VNC on their machines.  I can just VNC to their system, or they go to mine (which one? - since VNC logic of client/server is back-to-front).  Server to me is one running the app. and the listen mode server of VNC is the client, since it is the one connecting to the server, but VNC manage to get this backwards, causes much VNC confusion.

Want to NOT have to configure every persons router to open port 5900 or 5800, too much hassle.  Just want to call them up and we connect so I can debug their systems.  Cant go to site to configure router, that defeat whole purpose of VNC remote assistance, "remote" does not mean a visit to their site !

Also, with VNC on their system running, I already tried  http://"their IP" : 5900 and it does not find them.
Need a internet solution with tight VNC that works remotely without a local visit.  If you check other VNC thread on expert exchange, many say cant redirect 5900 port to 80 web port, so that not work either?

So if one can run as JAVA app, that is answer, but which one, and how to configure.  Hope that focu question clearer.  Thanks for input so far, hope you have more ideas.
The VNC servers also contain a small Web server. If you connect to it with a web browser, the Java version of the viewer will be downloaded automatically, allowing you to access the remote desktop. Obviously, your Web browser must support Java applets. Also, you should not use a proxy, to let the Java applet access the remote server directly.

The server listens for HTTP connections on port 5800 + display number. (Remember a WinVNC machine defaults to the display 0.) So to connect to the display 2 on machine "myhost", you would point your web browser at: http://myhost:5802/ . The applet will prompt you for your password, and should then display the desktop.


Great, now we are getting somewhere.  So for me to debug their machines, I have to ask them to install the VNC server, which is the remote to connect to.  Then I run my listening deamon, connect to theirs at -  (example IP) and I connect, without fiddling with normal cable DSL router on their end?  I tried this, but was on 5800, and did not work.  I will ask a friend to run theirs now to test.

Also, maeb3 -- are you saying they can add me as a client, and they can initiate connection?  In that case they still have to install tight VNC, right?  Ideal would be for them not to have to install any software.  So what do I run so I can debug their system?  I thought I had to run listen mode, and they server, but if it can be done other way around, I am all ears.  Please explain, I run "server" and they just use web browser?  I thought that was not possible?  For me to see their screen, don't they have to install server?

yes, that should work, but since your are initiating the connection, their firewall might block you. (including windows builti-in firewall)

see, as im sure you know, might represent 10 computers behind a router. there is no way to know which computer your address is address to
Actually, in Logmein, you can go to the Preferences and set the permissions:

Under "Interactive User's Permissions"
Set "Ask for permission from interactive user"
Set "Default answer for confirmation message" to "No"
Set "Time Allowed..." to 10 or 15 seconds
Clear "Full Control (and Remote Control D) access rights bypass interactive user's permission"

And as for "Do not require authorization if user is not present", I guess that's up to you, you can either set it to yes, so you can get in after hrs., or no so you can ONLY get in by permission

As for TightVNC, I've found it not only to be slower than logmein, but also your info isn't encrypted, presenting a huge security risk.

Also Logmein has a free version that doesn't transfer files or do remote printing.


Logmein looks dangerous.  You log in through server on internet, all traffic go through THEIR server, so how do you know what they check, save, copy, pry into, etc.  All clients sensitive info, can hardly convince them to let me login, would not even consider login to web server, I think this VERY dangerous, so no, am not interested in ANY login to any 3rd party webserver.  All encrypted connection should be comp-2-comp, no one else should be involved at all.  I would not recommend Logmein to anyone, you might be liable for serious breach of computer security. Site gives no privacy guarantee, I think this bite you, Juanfermin.

another thing, if security is your concern:

vnc can be set up with ssh

Actually, logmein uses technology very similar to Citrix's GoToMyPC Service, with the difference being that logmein use 256 bit encryption, instead of 128 bit encryption.  My cousin works for Citrix and he tells me that if someone at their end were to "tap" into a user session, the only thing they would see is garbage, because the "Keys" are stored on the user's end machines, they are NOT stored at Citrix's Servers and the same goes for the LogMeIn Service.  I mean, come on, these people are in business to make money, do you really think they want to get sued?

While you may THINK this is very dangerous, it doesn't make it true, however what IS dangerous is setting up an unencrypted connection over the internet that ANYONE can intercept at a number of different places on the internet.  While you're afraid that someone at Logmein is checking, saving or whatever your encrypted info that they can't see, anyone with the right software can easily "tap" into your UNENCRYPTED datastream and and take your info right from under your nose.  Unless you're using VPN tunneling, if you THINK that you're connection is REALLY only going directly from your computer at home to the computer you're connecting to, you're sorely mistaken and have no clue as to how the internet works.  Sorry to be so blunt, but I tend to call it as I see it.


juanfermin - Please note, this thread asked for Tight VNC only, not long discourse on Logmein, which I do not want.  Your argument, to trust a secure connection to 3rd party, is very foolish.  The world is full of proselytes for some latest "whiz" program or other, in the end, they all turn out to dupe customers. Also to say I have "no clue how internet works" is so incredibly ignorant, you have no idea what you say.  Bye.

jjmartineziii  -- thank you for sticking to the subject, I see you getting the points on this one, I will try what you suggest and let you know if it worked.  Pls. stay on thread, will up points, may need more help.
You're the one talking about using an unsecured connection over the internet, and calling ME foolish.. hehe that's funny.

so it worked?


Haven't had a chance to test either one fully, but you gave one workable way to do this and meab3 gave another, both seemed reasonable.  Busy web page coding now, cant test with client I wanted to, but will in the future.  Thanks for your help.


i need to get started on a webpage tomorrow :\

im jumping in the water with php


been there, done that, still swimming through the PHP quagmire though.
You will find on the PHP section that everyone refers you to the PHP Docs.
I find them so cryptic, or the "official" examples so trivial, they are almost useless.
Good luck getting PHP help, not so easy as other parts of expert exchange.  Bye.

Been using logmein.com's product ever since I did some work for the DoD (Air Force, CO. Springs). Approved for use by the DoD. Excellent encryption and security.
Bottom line; if traffic is over the internet - It is not secure, no matter what one uses for remote acccess.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.