Remote Control

Remote Desktop via Secure Shell

Abstract

This document details the steps required to remote control an on-campus computer securely from on or off campus by using Microsoft's Remote Desktop Connection via Secure Shell (SSH). Secure Shell tunnelling is used because of insecurities within the Microsoft Remote Desktop Protocol (RDP).

This procedure should typically be carried out by the IT support team that manages the computer (in many cases end users don't have sufficient access to the computer to set this up).

Instead you may prefer to use remote access to University resources for access to the University Desktop. That provides access to a standard desktop rather than a specific desktop, and does not require anything to be set up.

Prerequisites

  • University username and password
  • Remote Desktop configured on target computer
  • SSH client installed on source computer
  • Username and password on the target computer
  • Fast connection to the target computer

Definitions

  • UOB username and password
    This is your University of Bristol user account and password.
  • SSH Server
    Secure Shell Server that you have an account on. seis.bristol.ac.uk is a good bet.
  • Target Computer
    The computer that you wish to Remote Control.
  • Source Computer
    The computer from which you want to remote control the target. This could be a computer at home, in a lab, or in an office.
  • SSH Client
    This is software that you install on the source computer to create a secure connection (tunnel) to the SSH server.
  • Firewall
    The University's main campus firewall.
  • Command Window
    This window allows you to type system commands. In this case we are using it to create the secure connection. To open a command window, go to Start, Run and type cmd into the Run window.
  • Target computer's IP address or DNS Name
    This is the address or name that is used to identify your computer on the network. Your IP address can be found by opening a command window and typing ipconfig.

Configuration Procedure

  • Configure Target Computer's RDP Connection and Users
    • Open Remote Desktop System Properties: Start, Control Panel, Performance and Maintenance, System.
    • Select the Remote tab.
    • Tick Allow users to connect remotely to this computer in the Remote Desktop section.
    • Click Select Remote Users.
    • Click Add and enter your username into the box.
    • Click OK twice to accept the new settings.
    • Please note: Administrators are already members of the Remote Desktop Users group, but you can only log in remotely to those accounts if they have a password set up. We recommend that remote users have strong passwords, as detailed in the Choosing a password section of Changing Passwords.
  • Configure Target Computer's RDP Firewall to accept connections only from seis.bristol.ac.uk
    • Open the Windows Firewall settings: Start, Control Panel, Windows Firewall.
    • In the exceptions tab, tick Remote Desktop.
    • Highlight Remote Desktop and press Edit...
    • Click the Change Scope button.
    • Select Custom List and in the box type 137.222.10.0/255.255.255.0
    • Press OK three times to accept all the changes.
  • Download and/or run the RDP Connection Program
    • Download the RDP Connection Program
    • When prompted, enter the IP address or DNS name of the target computer.
    • When prompted, enter your UOB username.
    • When prompted, enter your UOB password.
    • You may be asked to store the SSH key in cache, enter y or n, either will do.
    • You may get a Windows Firewall warning about blocking plink.exe. You can simply tell it to keep blocking.
    • Assuming that the target end is set up correctly, you should see a login screen. Enter your username and password for the target machine. Please note: this is probably not the same as your UOB username and password.
    • Some anti-virus and anti-spyware software vendors classify one of the files we use (cmdow.exe) as an unwanted program.
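
The tunnel that the procedure above relies on can also be built by hand. This is an added example, not the University's RDP Connection Program; it assumes plink.exe is on the PATH, that local port 3390 is free and that the target's Remote Desktop service is on the default port 3389, and the script's parameter names are hypothetical.

```powershell
# Added example: RDP over an SSH tunnel, built by hand with plink.
# Assumptions: plink.exe (PuTTY) is on PATH; the target's RDP service is on 3389.
param(
    [Parameter(Mandatory)] [string] $Target,    # IP or DNS name of the target computer
    [Parameter(Mandatory)] [string] $UobUser,   # UOB username on the SSH server
    [string] $SshServer = 'seis.bristol.ac.uk',
    [int]    $LocalPort = 3390                  # assumed free on the source computer
)

# -N: no remote shell. -L: listen on loopback only and forward to Target:3389.
# The target sees the connection arriving from the SSH server, which is why its
# firewall scope can be limited to the SSH server's subnet.
$forward = "127.0.0.1:${LocalPort}:${Target}:3389"
$plink = Start-Process -FilePath 'plink.exe' -PassThru `
    -ArgumentList @('-ssh', '-N', '-L', $forward, "${UobUser}@${SshServer}")

# plink prompts for the host key and password in its own window. The local
# listener only appears after authentication, so poll until it accepts.
$deadline = (Get-Date).AddSeconds(60)
$ready = $false
while (-not $ready -and -not $plink.HasExited -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 1
    $probe = New-Object System.Net.Sockets.TcpClient
    try   { $probe.Connect('127.0.0.1', $LocalPort); $ready = $true }
    catch { }                                   # not listening yet
    finally { $probe.Close() }
}

if (-not $ready) {
    if (-not $plink.HasExited) { Stop-Process -Id $plink.Id }
    throw "SSH tunnel did not come up on 127.0.0.1:$LocalPort"
}

try {
    # RDP traffic now travels inside the SSH session as far as the SSH server.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
}
finally {
    # Tear the tunnel down as soon as the Remote Desktop window is closed.
    if (-not $plink.HasExited) { Stop-Process -Id $plink.Id }
}
```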


Windows XP Remote Assistance

This functionality will soon be removed due to insecurities in the Remote Assistance protocol that Microsoft uses. Please see the section below for details of how to remote control computers outside the University campus using VNC.

If your network connection is working but you have another problem on your computer, you can use the Remote Assistance feature in Windows XP to allow more tech savvy friends/family to help solve problems on your computer. If you want to do this, you need to sign up for a free account with MSN and have the latest versions of MSN Messenger and Windows Messenger installed.

  • Select Start, Settings, Control Panel, System
  • On the Remote tab, ensure Allow Remote Assistance invitations is ticked
  • From MSN Messenger, select your expert friend/family member.
  • From the Activities menu, select Remote Assistance.
  • The expert friend/family member then accepts the request.
  • You then have to acknowledge their acceptance.
  • They can now see your desktop in a "view only" mode. They can take charge or demonstrate with various buttons on their screen.
  • To stop the connection at any time, press the Escape key.

Please note: Remote Assistance also contains features to issue a Remote Assistance invitation by email, or through Help & Support. These methods will not work on ResNet due to the firewall. You must use the Messenger method above.

Please note: You cannot give Remote Assistance to anyone outside of ResNet as the protocol will not allow it. For anyone interested, this is the sequence of events that the protocol uses:

  • Both clients (Res for ResNet and Rem for Remote) connect to any of the MSN servers using port 1863.
  • Rem asks for Remote Assistance from Res through the MSN server.
  • Res responds to Rem via the MSN server with a random port number z that HelpCtr.exe will be listening on.
  • Rem then tries to connect directly to Res but is blocked by the firewall.


Virtual Network Computing (VNC)

VNC is a remote control application which allows you or a tech savvy friend to view and interact with one computer (the server) using a simple program (the viewer) on another computer anywhere on the Internet.

VNC can be downloaded from www.vnc.com

We have configured the firewall to use non-standard ports so that default connections / attacks will fail. If you install a VNC server so that someone can remote control your machine then select Options-->Connections and change Accept connections on port: from 5900 (the default) to 5950. Note that Serve Java viewer via HTTP on port: will automatically change to 5850.

You should also set a strong password using a mixture of upper and lower-case letters, digits, and punctuation marks. To do this, select Options-->Authentication-->Set Password.

To connect to the server and remote control the machine, you need to install the VNC viewer application. Again, this can be downloaded from www.vnc.com. In the server: box you need to type the IP address or DNS name of the machine you want to control followed by :5950, e.g.

137.222.123.234:5950

Your own IP address can be found using the ipconfig command in a command window. Go to Start-->Run, type cmd, and a command window will open. Type ipconfig and note down your IP Address.
