Use Case
you frequently give remote assistance to users in very heterogeneous environments
Problem
user-side firewalling makes it impossible to just start up e.g. a vnc server.
Solution
let the user initiate a ssh tunnel from his machine to yours, forwarding his local vnc server port.
Rationale
it is way easier for you to allow for incoming traffic once than it is to do the same on every user's machine.
Implementation
Server
enable your sshd and create a dedicated help user with shell /bin/false
Client
use a shell script to start the vnc server and the ssh tunnel. this is only non-trivial for windows, so I shall outline that below.
Extensions
- use a private/public key pair for ssh authentication
- use a different server user for each supported user
- automatically react to incoming ssh sessions
Esp. the last one is interesting: you can tell people to "just click on the support button when you need help" and you will get instant notification with direct access to their desktop.
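One way to combine the first two extensions on the server, as an added example that is not part of the original page: a shell function that prints an authorized_keys line which limits where a user's reverse tunnel may listen. It assumes OpenSSH 7.8 or later and a hypothetical scheme of one loopback port per supported user; help_key_entry and the help-PORT comment are names made up here.

```shell
#!/bin/sh
# Added example (not from the original page): print a locked-down
# authorized_keys line for one supported user's public key.
# Assumptions: OpenSSH 7.8+ on the server (for permitlisten) and a
# hypothetical scheme of one loopback port per supported user (5901, 5902, ...).
# usage: help_key_entry PORT "PUBLIC KEY LINE"
help_key_entry() {
    port=$1
    pubkey=$2

    # The port must be a plain number of at most five digits, no leading zero.
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi

    # Split the key line into fields with globbing off. Only the key type and
    # the base64 blob are kept; the user-supplied comment is dropped so that
    # nothing from it can end up in authorized_keys.
    set -f
    set -- $pubkey
    set +f
    keytype=$1
    blob=$2

    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $keytype" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 1 ;;
    esac

    # restrict         disables pty, agent/X11 forwarding and all port forwarding
    # port-forwarding  re-enables port forwarding for this key
    # permitlisten     limits -R listeners to this one loopback port
    printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s %s help-%s\n' \
        "$port" "$keytype" "$blob" "$port"
}

# Constructed sample key, for illustration only.
help_key_entry 5901 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyDataOnly user@pc'
```

The shell /bin/false only stops commands from running; it is these key options that limit forwarding, and the user's tunnel then uses -R 5901:localhost:5900 instead of port 5900 on the server side. Setting AllowTcpForwarding remote for the help accounts in sshd_config additionally rules out forwarding in the other direction.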
Appendix: Client on Windows
- Download the tightvnc zip distribution, unzip
- Download plink (the putty ssh command line client) and save it into the vnc folder
- start winvnc.exe
- enter a password (you will use this later when using your vnc client to connect to the user's machines), fix the port to 5900, quit the application
- startup regedit
- add a dword key "AllowLoopback" with value 1 to LOCAL_MACHINE\Software\ORL\WinVNC3
- export LOCAL_MACHINE and CURRENT_USER\Software\ORL to vnc.reg and vnc2.reg in your vnc folder
- close regedit
- create the batch file and zip the whole directory for distribution:
create a file run.bat in your vnc directory that contains the following lines:
reg import vnc.reg
reg import vnc2.reg
taskkill /F /IM winvnc.exe
start winvnc -run -shareall
plink helpaccount@my.dns.org -pw helppassword -N -R 5900:localhost:5900
where helpaccount and helppassword match the local account you created on your server and my.dns.org is your server's hostname.
after running this script, you should be able to use a vnc viewer to connect to localhost on your server and see the client's screen. you will want to set -compress 9 -encoding tight explicitly to tune the connection.