Solved

Windows Desktop Sharing API

Posted on 2014-04-14
Last Modified: 2014-04-22
I have integrated Windows Desktop Sharing API in our application.

We're able to remotely share a session via a LAN or VPN, but we're not having much luck purely over the Internet.
A viewer PC on the Internet cannot share a sharer PC on the Internet, but if these PCs are connected via a VPN connection then it does work.

Is this a limitation of the Windows Desktop Sharing API when connecting two PCs purely via the Internet?

Thanks in advance.
Question by: carlostriassi
Expert Comment

by:Coralon
ID: 40002380
It sounds like a network routing issue.  Does your application take a lot of these internet issues into account?
* NAT
* Latency
* Bandwidth
* Proxies

When you put up a VPN, you are eliminating most of these.  My guess for you -- I'd be looking at the NAT or proxy issues.  Most users are behind a NAT, and many ISPs use non-routable addresses on their own internal routing.  (I've done a number of traceroutes over the years that traverse an ISP network that uses non-routable addresses while they are in the ISP's network, but are NAT'd back again when they hit the public side.)

Coralon

Author Comment

by:carlostriassi
ID: 40010714
Thank you for comments.

Sorry for not responding quickly.

These are good points, and we have emphasized those areas: NAT, using Microsoft API techniques; latency, where the viewer fails to connect to the sharer and we then do a reverse connect, which worked for us; and we have tested using proxies.

How do I go about tracing this issue if it is NAT and ISP related?

A hint: a few times, on this one remote PC, I was able to share my session. Interestingly enough, it worked after I used LogMeIn to verify that another product would work. It seemed to have done something to make our remote share work, but I can't pinpoint what did it.


Carlos.

Expert Comment

by:Coralon
ID: 40010841
You'll want to collect network traces on both ends and start digging into the packets.  (Typically WireShark these days :-)

Now, if I am reading this correctly, you tested the same machine with LogMeIn.  LogMeIn runs over SSL, so NATs become generally transparent: since the in-between routers can't open the SSL stream, all they can do is wrap their own data around it and then peel off their own layers.

Are you using SSL for your product?

Coralon

Author Comment

by:carlostriassi
ID: 40011626
Thanks for your response.

We're going to use SSL on our product in a few months.

Microsoft claims the following from this blog http://blogs.msdn.com/b/rds/archive/2007/03/08/windows-desktop-sharing-api.aspx

a) Connectivity: Windows Desktop Sharing does support connectivity to intelligent appliances, wireless devices and PC's in uPnP framework and also teredo tunneling to provide connectivity to IPV6 machines behind IPV4 NAT's.
b) Reverse Connect: It is an interesting feature, where sharer can connect to the viewer if viewer cannot reach the sharer via direct connect. For example, the viewer may not be able to connect to the sharer because of network address translation (NAT)

I have tested it, and our reverse connect worked over a VPN connection; we did notice an expected delay, but it worked.

Would SSL work under Microsoft Rdpencom.dll technology using Remote Desktop Sharing API?

Carlos.

Expert Comment

by:Coralon
ID: 40011707
That helps give me a picture of what you are working on.  Correct me if I am wrong, but you are looking at some sort of alternative to RDP utilizing that framework on the system.

Now, given that, I'd almost guarantee your issue is going to be handling the NAT.  RDP & ICA (Citrix) both have capabilities to handle NAT.  There is a utility in the RDS/TS hosts called AltAddr that is used for NAT.  It tells the system what the outside IP address of the connection is, so that when the connection is established through a NAT, the host will respond with the outside address of the connection instead of the inside.  I haven't used it in over a decade, but it is still available.  The way RDS & ICA handle it these days is through the use of a gateway server that handles that NAT translation for the packets.

Assuming all of this is correct, you'll want to look into how you are handling NAT.  

Coralon

Author Comment

by:carlostriassi
ID: 40011761
The Remote Sharing API is a utility for meetings, used instead of Remote Desktop. Basically, the person hosting the meeting invites as many users as they wish to share his/her screen.

The person who shares his/her screen, called the sharer, creates an invitation that all invitees use to connect to the sharer.

The invitation format created by one of Microsoft's APIs is as follows; this invitation is provided to all invitees.

<E><A KH="j5jT32dNuQjj6o++32paqNiwDVc=" ID="WinPresenter"/><C><T ID="1" SID="761889938"><L P="52002" N="fe80::840e:653f:c2c2:859e%12"/><L P="52003" N="fe80::4cce:9b4a:92e7:72a6%11"/><L P="52004" N="fe80::5efe:192.168.1.7%37"/><L P="52005" N="fe80::5efe:192.168.1.11%37"/><L P="52006" N="192.168.1.7"/><L P="52007" N="192.168.1.11"/><L P="52008" N="172.16.7.127"/></T></C></E>

The ConnectionString API uses the invitation ticket generated by the sharer as input.

IRDPSRAPIInvitation::ConnectionString property

HRESULT get_ConnectionString(
  [out]  BSTR *pbstrVal
);


I don't know how much control we can interject in this API, since I was expecting Microsoft to handle the NAT under the hood.

I don't know any way around this.


Carlos.

Accepted Solution

by: Coralon (earned 500 total points)
ID: 40011977
Ok, based on what I can make out of that string, you just need to translate the NAT address.  You'll need to detect your external IP address.  The key will be determining which end you need to translate.  My guess will be that the client end of connection (not the initiator) will need to provide the correct external address.  

As I mentioned before, RDS/TS provides a utility that assigns an external address.  Your clients will need to be able to provide that information, and they will have to open the ports on their firewall to handle the routing on that side.  

Your other options are to create a gateway piece that runs from the client side to handle that NAT traffic, or you can use some sort of broker product.  

The way WebEx and GoToMeeting work is that they have a broker and both the client & server piece of the connection establish connections to the broker, and then the broker connects the 2 streams together.  This lets both clients establish outbound connections, which *generally* eliminates the issue with firewall, since most firewalls allow direct outbound connections without too many restrictions. But, that is also where most companies rely on SSL, since SSL outbound is virtually never restricted.    

So, ultimately, you will need to establish and handle the connections outside of the sharing API - you have to get that tunnel/translation established first.  

The last option I can think of would be to use some sort of SSH tunnel between the client & server, and again, you'll have to make sure that the intervening firewall handles it correctly.

I wish I could offer you a better option, but with the solid identification of the problem going across the internet, those are your only options that I can think of.  

Coralon

Author Comment

by:carlostriassi
ID: 40014024
Thanks for your explanation, which makes very clear what needs to be done.

I guess there are two things I need to do:

1. Handle NAT traffic via gateways, a broker product or an SSH tunnel.
2. Replace the NAT IP address with the external address in the invitation ticket, so that the client or viewer connects to the sharer's screen.

On #1, what would you suggest for handling NAT traffic, given that our solution is peer-to-peer remote sharing between viewer and sharer? What URL would you suggest to start reading?

Carlos.
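As an added, stand-alone example that is not code from this thread, from the questioner's product or from Microsoft's API: the script below parses the invitation ticket quoted earlier in the thread (the <E>/<A>/<C>/<T>/<L> structure, reading P as the listener port and N as its address, which is an inference from the quoted values), classifies each listener address, and shows why a viewer elsewhere on the Internet finds nothing it can reach, which is the symptom the question describes. It then carries out step 2 of the summary above by appending a listener entry with the sharer's external address and forwarded port, leaving the rest of the ticket (including the KH and SID values, whose meaning the thread does not describe) untouched. The address 203.0.113.10 is a constructed documentation-range placeholder for whatever public address the sharer's NAT actually presents, and whether the Windows Desktop Sharing viewer honours an extra <L> entry is an assumption this example does not verify.

```python
# Added example, not part of the thread or of the Windows Desktop Sharing API.
# Element and attribute names (E, A, KH, ID, C, T, SID, L, P, N) come from the
# invitation quoted in the thread; "P = port, N = address" is inferred from the
# quoted values. Everything else here is constructed for illustration.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample with the same shape and values as the quoted ticket.
SAMPLE_INVITATION = (
    '<E><A KH="j5jT32dNuQjj6o++32paqNiwDVc=" ID="WinPresenter"/>'
    '<C><T ID="1" SID="761889938">'
    '<L P="52002" N="fe80::840e:653f:c2c2:859e%12"/>'
    '<L P="52003" N="fe80::4cce:9b4a:92e7:72a6%11"/>'
    '<L P="52004" N="fe80::5efe:192.168.1.7%37"/>'
    '<L P="52005" N="fe80::5efe:192.168.1.11%37"/>'
    '<L P="52006" N="192.168.1.7"/>'
    '<L P="52007" N="192.168.1.11"/>'
    '<L P="52008" N="172.16.7.127"/>'
    '</T></C></E>'
)

# Ranges a viewer on the public Internet cannot route to directly.
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "fc00::/7",                                       # IPv6 unique local
)]


def classify(address):
    """Return 'loopback', 'link-local', 'private' or 'public' for one N value.

    A trailing %<zone index> (as in fe80::...%12) is stripped before parsing,
    so this works on Python versions without scope-id support in ipaddress.
    """
    host, _, _zone = address.partition("%")
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # fe80::/10 and 169.254.0.0/16
        return "link-local"
    if any(ip in net for net in _UNROUTABLE):
        return "private"
    return "public"


def parse_listeners(invitation_xml):
    """All (port, address) pairs from the <L> elements of a ticket."""
    root = ET.fromstring(invitation_xml)
    return [(l.get("P"), l.get("N")) for l in root.iter("L")]


def internet_reachable_listeners(invitation_xml):
    """Listeners a viewer on the public Internet could plausibly connect to."""
    return [(p, n) for p, n in parse_listeners(invitation_xml)
            if classify(n) == "public"]


def key_hash(invitation_xml):
    """The KH attribute of <A>, returned unchanged so a rewrite can be checked."""
    return ET.fromstring(invitation_xml).find("A").get("KH")


def rewrite_for_external(invitation_xml, port_forwards):
    """Append an <L> entry for every listener that has a NAT port forward.

    port_forwards maps (internal_address, internal_port) to
    (external_address, external_port), i.e. the static forwards configured on
    the sharer's NAT. Existing entries are kept so LAN viewers still work;
    KH, ID and SID are not touched.
    """
    root = ET.fromstring(invitation_xml)
    for t in root.iter("T"):
        for l in list(t.findall("L")):
            mapping = port_forwards.get((l.get("N"), l.get("P")))
            if mapping is not None:
                ext_addr, ext_port = mapping
                new = ET.SubElement(t, "L")
                new.set("P", str(ext_port))
                new.set("N", ext_addr)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, addr in parse_listeners(SAMPLE_INVITATION):
        print(f"{addr:40} port {port}  {classify(addr)}")
    print("reachable from Internet:", internet_reachable_listeners(SAMPLE_INVITATION))
    # 203.0.113.10 is a documentation-range placeholder for the real external IP.
    fixed = rewrite_for_external(
        SAMPLE_INVITATION, {("192.168.1.7", "52006"): ("203.0.113.10", 52006)})
    print("after rewrite:", internet_reachable_listeners(fixed))
```

Run against the quoted ticket, the classifier reports every one of the seven listeners as link-local or private (the two fe80::5efe:... entries are link-local ISATAP encodings of the same RFC 1918 addresses), so the reachable list is empty, which matches the "works over VPN, not over the Internet" symptom. The rewrite appends rather than replaces so that viewers on the LAN keep a working entry, and it requires a corresponding port forward on the sharer's NAT, which is the "open the ports on their firewall" part of the accepted answer.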

Expert Comment

by:Coralon
ID: 40016591
Unfortunately, I can't help you with that one.  I'm not a heavy developer...   You'll have to look into ways to wrap your protocol on the internet, and then have your gateway strip that extra layer.  

Good luck!

Coralon