
Integrated Access Solutions, a premier Microsoft partner, wins a major account deploying Lync and managed services powered by Servera’s Kontinuum UC service platform.

http://www.prnewswire.com/news-releases/microsoft-lync-beats-cisco-shoretel-and-mitel-for-a-unified-communications-deployment-at-a-global-manufacturing-enterprise-125365268.html

Integrated Access (www.integratedaccess.net)


How to Use VNC Through a Firewall

Published on 15 June 2011 by admin in Remote Access


VNC is great. We use it ALL the time. People often ask us how to solve the fundamental networking challenges associated with using VNC as a remote support tool.

We wrote this article to explain how to use the different VNC flavors to deliver remote support to multiple customers under the requirements below. The solutions below are everything we tried; the problem is that, to meet all of our requirements, we eventually had to write software to “wrap” VNC. We also walk through those components, which we’re happy to share. Enjoy!

Kerry Shih  kerry.shih@servera-inc.com


Requirements: Using VNC as a Remote Support Tool

1) How to use it to deliver support to remote sites without firewall changes

2) How to do it in a standard manner to manage a bunch of different remote sites in the “real world”.

3) How to do this without relying on end user interaction.

4) How to make it as secure as possible.

5) How to have multiple concurrent sessions at the same time.

6) How to do this in a team environment where people can work from anywhere.


Below we’ve laid out the challenges and the solutions we tried. There are many ways to do it, with varying amounts of work involved. Going forward, “VNC” means all flavors (VNC, TightVNC, RealVNC, UltraVNC). The VNC Viewer machine is your PC / laptop. The VNC Server Host is the device running a VNC Server.

VNC Viewer to VNC Server Host (Direct on LAN):

VNC viewers connect to VNC servers by opening a TCP connection to the server host address, by default on TCP port 5900 (display :0; display :N is port 5900+N). Note that the TCP connection is made outbound from the VNC Viewer to the VNC Server Host, so any firewall between them must allow the inbound connection at the server end. This is important when we discuss firewall issues later.


VNC Viewer to VNC Server Host


How to Set VNC Up / Assumptions:

1) The VNC Server Host IP address is reachable from your laptop. A basic ping from your laptop tells you it is reachable at the network level (unless ICMP is filtered, in which case go straight to the TCP test in step 3).

2) Install VNC Server. Make sure the VNC Server Host OS firewall (such as Windows Firewall) allows TCP port 5900 (the default) inbound from your laptop. Most VNC installers will add this exception for you; if you add it by hand, scope it to your laptop’s address rather than to Any.

   a. Control Panel -> Windows Firewall. Go to the Exceptions tab. Click “Add Port”. Name it “VNC Server” and set the Port Number to 5900. Make sure protocol says TCP. Hit OK.

3) Neither firewalls nor network devices should block connections between the VNC Viewer and the VNC Server Host. You can test raw TCP connectivity to port 5900 with telnet.exe. (VNC obviously does not use telnet, but it is the simplest way to test whether a TCP socket can be opened.) If it connects, the console turns black and, if a VNC server is actually answering, shows an “RFB 003.xxx” protocol version string; otherwise you will see a connection error. On Vista and later the Telnet client must first be enabled under Windows Features.

   a. From the command line: telnet 192.168.1.20 5900 (the port is required; without it telnet tries port 23)

4) The VNC Viewer OS does NOT have an OS firewall (such as Windows Firewall) blocking either your VNC Viewer executable or connections going to 192.168.1.20. This is less likely, but watch out for anti-virus and endpoint security products.

   a. Check your Security / Firewall settings from your Control Panel


Problems:

1) This pattern meets almost none of the requirements, but I wanted to lay out the basics first.

VNC Callback. VNC Server Host -> VNC Client (On LAN)

Since firewalls block inbound connections, it makes sense to have the VNC Server Host initiate the connection outbound to the VNC Viewer. VNC supports this as a feature called VNC Callback (also known as a reverse connection, or “Add New Client”). Even though the VNC Server Host initiates the TCP connection, the behavior after the connection is the same (you see the server host’s screen): the RFB protocol runs identically whichever side opened the socket. Remember that firewalls are, for the most part, focused on who opens the TCP connection. Once a stateful firewall has allowed the outbound connection, it tracks that connection and lets data flow in both directions for as long as it lasts.


[Diagram: vncThroughFirewallDiagram2]


1) From your laptop, launch VNC Viewer in “Listen” mode. There is an option in your program menu, or you can right-click the VNC icon in your systray and look for the option there. A listening viewer waits on TCP port 5500 by default.

2) Go to the VNC Server Host and Right click the VNC Server icon in the systray and click Add Client.

3) Enter your laptop’s IP address and the port (ex: 192.168.1.1::5900). Note the two colons: host::P means connect to TCP port P exactly, while host:N with a single colon means display number N, which maps to TCP port 5900+N (host:0 is 5900, host:1 is 5901). The port you name must match the one your listening viewer is actually bound to; if your viewer is listening on its default port of 5500, the address is 192.168.1.1::5500 instead.

4) The VNC Viewer should popup and now you have a remote session.

5) If you get a failed connection refer to “How to Set VNC Up / Assumptions” above.
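The two patterns above (the direct connection from the viewer in “VNC Viewer to VNC Server Host”, and the callback from the server host in this section) in plain Python sockets, as an added example that is not code from the original post or from Servera. It also implements the host:display versus host::port rule from step 3, and it is a stricter version of the telnet test from “How to Set VNC Up”: instead of only seeing whether the port opens, it reads the 12-byte RFB ProtocolVersion banner (for example RFB 003.008) that every VNC server sends as soon as the TCP connection exists, whichever side dialed. The “server host” here is a constructed stand-in that sends only that banner; the addresses, ports and function names are assumptions for the example.

```python
import re
import socket
import threading
from typing import Optional, Tuple

VNC_BASE_PORT = 5900   # display :N is TCP 5900 + N
LISTEN_PORT = 5500     # default port a viewer in Listen mode waits on for callbacks
_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")   # 12-byte RFB ProtocolVersion message


def parse_vnc_address(addr: str, default_port: int = VNC_BASE_PORT) -> Tuple[str, int]:
    """'host::P' -> literal port P; 'host:N' -> display N, i.e. 5900+N; 'host' -> default_port.
    Follows the rule as the post states it; IPv6 literals are not handled."""
    if "::" in addr:
        host, port = addr.split("::", 1)
        return host, int(port)
    if ":" in addr:
        host, display = addr.rsplit(":", 1)
        return host, VNC_BASE_PORT + int(display)
    return addr, default_port


def read_rfb_banner(sock: socket.socket) -> Optional[str]:
    """Read exactly 12 bytes and return 'major.minor' if they are an RFB banner, else None."""
    data = b""
    while len(data) < 12:
        chunk = sock.recv(12 - len(data))
        if not chunk:          # peer closed early: not a VNC server, or it hung up
            break
        data += chunk
    m = _BANNER.fullmatch(data)
    return f"{int(m.group(1))}.{int(m.group(2))}" if m else None


def probe_vnc(host: str, port: int = VNC_BASE_PORT, timeout: float = 3.0) -> dict:
    """Direct pattern: the viewer opens the TCP connection to the server host.
    A stricter telnet test: tells 'port open' apart from 'a VNC server is answering'."""
    result = {"tcp_open": False, "rfb_version": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp_open"] = True
            result["rfb_version"] = read_rfb_banner(sock)
    except OSError as exc:     # refused, timed out, or a firewall silently dropped the SYN
        result["error"] = str(exc)
    return result


class CallbackListener:
    """Callback pattern: the viewer listens and the server host dials out ('Add Client')."""

    def __init__(self, port: int = LISTEN_PORT, bind_host: str = "0.0.0.0"):
        self._srv = socket.socket()
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((bind_host, port))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]   # port 0 lets the OS pick a free one

    def wait_one(self, timeout: float = 5.0) -> dict:
        # Accept one inbound connection; the server still speaks first, so read its banner.
        self._srv.settimeout(timeout)
        conn, peer = self._srv.accept()
        with conn:
            return {"peer": peer[0], "rfb_version": read_rfb_banner(conn)}

    def close(self) -> None:
        self._srv.close()


# Constructed stand-ins for a VNC Server Host: they send the banner and nothing else.
def _fake_server_accepting(banner: bytes) -> int:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _fake_add_client(addr: str, banner: bytes) -> None:
    host, port = parse_vnc_address(addr, default_port=LISTEN_PORT)   # 'Add Client' semantics
    with socket.create_connection((host, port), timeout=3) as sock:
        sock.sendall(banner)


def demo_direct(banner: bytes = b"RFB 003.008\n") -> dict:
    return probe_vnc("127.0.0.1", _fake_server_accepting(banner))


def demo_callback(banner: bytes = b"RFB 003.008\n") -> dict:
    listener = CallbackListener(port=0, bind_host="127.0.0.1")
    try:
        threading.Thread(target=_fake_add_client, args=(f"127.0.0.1::{listener.port}", banner),
                         daemon=True).start()
        return listener.wait_one()
    finally:
        listener.close()
```

demo_callback binds to 127.0.0.1 only so the example runs offline; a real listening viewer binds all interfaces and, in the port-forwarding setup described later, sits behind the forwarded ports. Note that both paths end in the same read_rfb_banner call: once the socket exists, the protocol does not care who dialed.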


VNC Callback Assumptions: Someone is able to get to the VNC Server Host to initiate the connection. This is a huge hassle; at least an end user could initiate it, since they are the ones needing support.

1) The VNC Server Host OS firewall (such as Windows Firewall) allows the outbound connection to your laptop on the port your listening viewer uses (most host firewalls allow outbound connections by default).

2) Neither firewalls nor network devices block the connection or the data transfer between the VNC Server Host and the VNC Viewer.

3) Your laptop does NOT have an OS firewall (such as Windows Firewall) blocking either your VNC Viewer executable or connections inbound from the Server Host’s external IP address (or its translated IP address once it is inside your network).

   a. Check your Security / Firewall settings from your Control Panel


Problems and Assumptions:

1) This VNC Callback pattern helps a little as we think about the next step: getting through the remote site firewall.

2) Someone would have to be at the server host to initiate the connection.

VNC Callback. VNC Server Host to VNC Client (2 Different Sites)

Here is where the real challenges are. Since we don’t want to change the Remote Site firewall, how can we make the callback pattern work? Your own router & firewall won’t accept connections on 5900 (by default), let alone know how to route them to your laptop…

[Diagram: vncThroughFirewallDiagram3]


Partial Solution #1) Callbacks routed to your laptop.

The idea here is to preemptively set up port forwards on your network so that VNC Server Host callback connections get routed to you. Then an end user can initiate the session to a specific address and port that reaches you. Not great, but this worked for us for a while.

1) Install VNC Server Hosts on the remote devices you want to connect to. Make sure they are running as services.

2) Add port-forwarding (NAT) rules on your firewall to forward a range of TCP ports (say 62000 – 62020) to the internal IP address of your laptop (192.168.1.1). In other words, connections destined for 76.1.1.1 port 62000 go to 192.168.1.1 on port 62000, and so on.

3) When you want access to a VNC Server Host, ask the end user to right-click the VNC Server icon and choose “Add Client”. They enter your external IP address and port (76.1.1.1::62000). The two colons are required here, since 62000 is a literal port, not a display number.

4) Make sure you have a VNC Viewer running on your laptop in Listen mode.

5) Make sure your Windows Firewall allows TCP connections inbound on 62000 through 62020.

6) If you want multiple sessions at once, run another listener bound to the next port and have the next end user use 76.1.1.1::62001, and so on.


Problems:

1) This pattern still requires an end user to initiate the connection. This is a huge hassle; at least an end user could initiate it, since they are the ones needing support.

2) This doesn’t support working in a team environment very well.

3) It doesn’t support technicians working from wherever they want, since the IP addresses are effectively hardcoded.

4) This still isn’t secure: stock VNC carries the session unencrypted, and the forwarded ports expose your listening viewer to anyone on the Internet, not just the customer. The Remote Site firewall could also easily block outbound 62000.

Take Away:
Write some software to wrap the solution and eliminate the remaining hassles. As we scaled out to support more customers, we found that the requirements we set out were what we wanted, but we couldn’t get there without writing software to fix the remaining problems. To reiterate:


Requirements

1) Use it to deliver support to remote sites without firewall changes

2) How to do it in a standard manner to manage a bunch of different remote sites in the “real world”.

3) How to do this without relying on end user interaction.

4) How to make it as secure as possible.

5) How to have multiple concurrent sessions at the same time.

6) How to do this in a team environment where people can work from anywhere.

Final Solution: Relay Server in the Cloud to Broker Connections



Below is what we did:

We wrote what we call a Packet Relay Server (PRS) that runs in the cloud. Then we wrote a Server Relay that runs at the remote site. A technician browses to the web interface of the PRS, chooses a customer / server relay, and requests a connection via a Java applet that loads in the browser. Meanwhile the Server Relay checks in with the PRS every so often to see whether anyone wants to connect to it. Once both ends are connected to the PRS, authentication occurs and the Client Relay Applet and the Server Relay broker the connection through the Packet Relay Server. The applet launches the VNC Viewer so that its traffic rides over the SSL tunnel, and the Server Relay hands its end of the stream off to the VNC Server. Voilà!


[Diagram: vncThroughFirewallDiagram4]
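A minimal rendezvous relay in the shape described above, as an added example; this is not Servera’s Packet Relay Server code, and everything in it (the handshake line, the session table, the names) is an assumption for illustration. Both the technician side and the site-side agent connect outbound to the relay, present a session id and a shared secret, and the relay splices the two streams together only after both have authenticated; the agent then bridges its relay stream to the local VNC server. Two simplifications: TLS is left out so the example runs without certificates (in production the listener would be wrapped with the ssl module and sit on TCP 443, so the agent’s connection looks like HTTPS to the site firewall), and the agent holds one outbound connection instead of polling. The VNC server is a constructed stand-in (a socketpair that yields the RFB banner).

```python
import hmac
import secrets
import socket
import threading

# Constructed session table: session id -> shared secret (the real PRS keeps this behind its login).
SESSIONS = {"site-42": secrets.token_hex(16)}


def _readline(sock, limit=256):
    """Read one '\\n'-terminated line byte by byte: no over-read, bounded length."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode(errors="replace").strip()


def _pump(src, dst):
    """Copy bytes one way until EOF or error, then close dst's write side so EOF propagates."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    """Cloud side: both ends dial in; the relay pairs one agent and one tech per session id."""

    def __init__(self):
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))          # assumption: loopback, plain TCP, any free port
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        self._waiting, self._lock = {}, threading.Lock()   # session id -> (role, socket)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:                       # listener closed by close()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        conn.settimeout(10)                       # the handshake line must arrive promptly
        parts = _readline(conn).split()           # "<role> <session-id> <secret>"
        if not (len(parts) == 3 and parts[0] in ("agent", "tech") and parts[1] in SESSIONS
                and hmac.compare_digest(parts[2].encode(), SESSIONS[parts[1]].encode())):
            conn.close()                          # drop silently: no banner, no reason given
            return
        conn.settimeout(None)
        role, sid = parts[0], parts[1]
        with self._lock:
            other = self._waiting.pop(sid, None)
            if other is None or other[0] == role:
                self._waiting[sid] = (role, conn) # park until the other role shows up
                return
        for a, b in ((conn, other[1]), (other[1], conn)):
            a.sendall(b"OK\n")                    # both sides learn they are paired
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    def close(self):
        self._srv.close()


def connect_to_relay(port, role, sid, secret):
    """Either end: dial OUT to the relay, authenticate, block until paired."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    s.sendall(f"{role} {sid} {secret}\n".encode())
    if _readline(s) != "OK":                      # relay hung up: bad secret or unknown session
        s.close()
        raise ConnectionError("relay refused the connection")
    s.settimeout(None)
    return s


def run_agent(relay_port, sid, secret, connect_local):
    """Site side: once paired, bridge the relay stream to the local VNC server."""
    up = connect_to_relay(relay_port, "agent", sid, secret)
    local = connect_local()   # real use: lambda: socket.create_connection((vnc_host, 5900))
    threading.Thread(target=_pump, args=(up, local), daemon=True).start()
    _pump(local, up)


def demo(banner=b"RFB 003.008\n"):
    """Wrong secret is dropped; right secret reads the site VNC server's banner via the relay."""
    relay, sid = Relay(), "site-42"
    try:
        connect_to_relay(relay.port, "tech", sid, "guess")
        rejected = False
    except ConnectionError:
        rejected = True
    a, b = socket.socketpair()                    # constructed stand-in for the VNC server
    b.sendall(banner)
    b.close()
    threading.Thread(target=run_agent, args=(relay.port, sid, SESSIONS[sid], lambda: a),
                     daemon=True).start()
    tech = connect_to_relay(relay.port, "tech", sid, SESSIONS[sid])
    seen = _readline(tech)                        # the banner ends in '\n', so one line
    tech.close()
    relay.close()
    return {"rejected_bad_secret": rejected, "banner": seen}
```

The design point worth copying is that the relay never forwards a byte until both sides have authenticated for the same session id, and that a failed handshake gets a plain close rather than an error message, so the relay cannot be used to enumerate valid session ids. Per-customer permissions, audit logging and the web login the post describes would sit in front of SESSIONS.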


Results:

1) No firewall changes. All connections are initiated outbound over TCP 443 using SSL, which works extremely well: we have thousands of devices under management this way. This also removes the need to set up port forwards on your side. Of course a network admin could block everything outbound, but we have found that outbound TCP 443 wrapped in SSL works 98% of the time in real-world environments. See “More on VNC and Firewalls” below.

2) There is no need for an end user to manually initiate the session.

3) Technicians can work from anywhere because they just login using a browser.

4) Technicians can work on many customers at the same time. Different technicians can work on different customers based on permissions.

5) It is secure because the traffic is encrypted in SSL, there are login credentials for the app itself, and there is reporting on users and sessions. Note that this makes the PRS and its credentials the trust boundary for every managed site, so the relay host, its user accounts and the permissions that map technicians to customers deserve the same care as any other Internet-facing admin system.


Problems:

1) The only problem we found was that installing our Server Relay on every host was a hassle…

Final Solution Plus: Add a Micro Appliance

We provisioned a $99.00 Linux Micro Appliance that runs the Server Relay component, and we place it at the remote site. It takes care of that final step: it lets us connect to all the devices at the remote site without those devices needing the Server Relay. In other words, the Server Relay on the appliance routes us to the final server / host of your choice. Because the appliance can reach everything on the customer LAN, it is effectively a pivot into that network, so who may connect through it is governed by the PRS permissions described above.

Better yet, we added support not only for all flavors of VNC but also Remote Desktop Protocol (RDP), PuTTY / SSH, Telnet, and even web browsing over the tunnel! Since most Windows machines have a Remote Desktop server built in, this means you only need the Micro Appliance and you’re done.

[Diagram: vncThroughFirewallDiagram5]


Picture of Linux Micro Appliance running our “Server Relay” agent.

[Image: vncThroughFirewallDiagram6]



Picture of ConnectMe app, launching various tools and protocols through the Micro Appliance

[Image: vncThroughFirewallDiagram7]


Summary:

It took us a long time to figure out the best way to meet all of the requirements. There are robust off-the-shelf solutions, but we felt they were all about supporting end-user laptops and the like, and we needed access to servers and other devices; plus it would have taken all the fun out of it!

I encourage you to try the various ways of using VNC to learn about what it can and can’t do out of the box.

If you want to try our ConnectMe application, just send me an email and I’d be happy to set you up!


Kerry Shih

Founder, Servera, Inc

kerry.shih@servera-inc.com


Downloads & References

http://www.tightvnc.com

http://www.realvnc.com

http://www.uvnc.com


More on VNC and Firewalls:

Firewalls often block any outbound ports other than 80 and 443, so that Trojan software can’t make arbitrary connections to strange sites. The good news is that 80 and 443 must be open if the Server Host device is allowed out to the web over HTTP or HTTPS. Keep in mind that for basic firewalls this is a yes/no decision per port. Deep packet inspection devices can let the connection be established but then terminate it if what is being transferred isn’t benign HTML over HTTP(S). However, developers have learned that all you really need to do is use HTTP(S) as the outer protocol and carry a different payload inside it, which gives them firewall-friendly custom protocols.


Cloud Fueling SMB Growth for VARs

Published on 16 November 2009 by admin in Uncategorized


The cloud is hot, for sure, but what’s the SMB opportunity? A new report from AMI Research shows that remote managed IT services for small to medium-size businesses are set to grow rapidly in North America over the next five years. Inside, we take a deeper look at how the SMB MSP market is, and will be, affecting the channel. Channel Insider


MSPs Say Network Visibility is #1 Problem

Published on 10 September 2009 by admin in Industry


Channel Insider

Users hitting YouTube, Pandora and other high-bandwidth sites can bring mission-critical network traffic down to a crawl…

This makes sense. Since off-site applications and web apps are used more and more, IT needs some controls in place. This is just one of the many opportunities for VARs and MSPs.


Good CTO article on Cloud Services

Published on 10 September 2009 by admin in Industry


http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf

Provided certain obstacles are overcome, we believe Cloud Computing has the potential to transform a large part of the IT industry, making software even more attractive as a service and shaping the way IT hardware is designed and purchased. Developers with innovative ideas for new interactive Internet services no longer require the large capital outlays in hardware to deploy their service or the human expense to operate it…


Affant – Servera Partnership

Published on 08 September 2009 by admin in Announcements


Today is a good day. Affant Communications and Servera have partnered up to bring Kontinuum-Clear Skies to the Affant customer base. The Affant team is a truly talented group located in Orange County, and they deliver high-quality managed services for core infrastructure and applications. We’ll be doing a more formal announcement later, but the partnership puts together the two best components of a great recipe: great people and great software. More soon…


ITExpo – Los Angeles

Published on 01 September 2009 by admin in Announcements


A few of us will be visiting the IT Expo in Los Angeles. It will be interesting to see how the players are responding to cloud-based applications. Last time I went it was extremely busy, but that was a couple of years ago. I’ll be looking for any new management plays as well as partnership opportunities for those interested in MPLS monitoring, SIP management or software to power their remote managed services.


Founder’s Demo – Webinar

Published on 09 August 2009 by admin in Announcements


Folks, we’ll be doing a webinar Sep 17th at 10:00 am PST. I’ll be doing a tour of the new version of Kontinuum and we’ll end it with Q & A. Looking forward to it.


What Changed?

Published on 20 July 2009 by admin in Kontinuum


Application performance depends on brittle dependencies between a lot of stuff. That stuff was hard enough to manage when it was all behind the firewall. Now that applications depend on off-site infrastructure such as MPLS, co-location centers, SaaS vendors & cloud computing, the job has become even more challenging. “What changed?” must be one of the most fundamental questions in IT management, yet it’s very hard to get an answer to. Fortunately, at Servera our team has spent more time than we care to mention working on application problems that were caused by “change”. The team really focused on getting just the right data aggregated; then we put controls in place to know the healthy boundaries for performance and availability; finally we put the automation and audit trail in place to make our customers feel good when they get an answer to “what changed?”.


BC2 – Servera Partnership

Published on 12 June 2009 by admin in Announcements


BC2 Telecom and Servera have created a formal partnership to market Kontinuum-Remote Support and Kontinuum-Clear Skies to the BC2 Telecom customer base. Nancy Griffith, Founder of BC2 Telecom, says “Kontinuum allows us to enable brand new managed services to our distribution channel at a time when services are the key to growing in this economy.” BC2 has a significant channel presence, representing multiple value-add products that surround SIP PBX and SIP Trunking solutions.
