Remote Desktop
karlizeth — Wed, 08/27/2008 - 17:00
I was hoping I could get pointed to a tutorial for helping me set up the ability to do remote desktop on computers at other locations for my work. I have figured out how to do remote desktop on all the other computers physically located in the same building as me, and these computers are also part of the same workgroup. I now need to be able to connect to computers located off-site. Here's the details:
My computer:
- Running Windows XP Pro
- Part of a named Workgroup, not a Domain
- Connected to a server at the same location which manages our internet access, some file storage, and a Microsoft Access database
- Connection to the MS Access Database is through an SQL Server ODBC configuration, which I manage
- IP Addresses are dynamic, assigned by DHCP
Off-site computers:
- Running Windows XP Pro
- Many computers have multiple users, all with one common user called "Admin."
- Most staff members have limited accounts.
- All these computers have an existing connection to our MS Access Database through a VPN connection
- I believe each of the locations have their own router, but none of them are on a separate server
- I believe the computers have dynamic IP addresses (or at least the majority of them do)
- These computers may or may not also be on their own workgroup (none have domains)
The server at my location is the common thread; I also manage the users for the whole agency on this server.
I'm running into a few roadblocks because the few tutorials I'm finding only tend to apply to what I've already got working (remote connection to named computers w/in the same Workgroup at the same location), or to computers with static IP addresses.
I can't think of any more info to include at the moment but feel free to ask me stuff if it can help get me pointed in the right direction.
And, seriously, thanks in advance because this is going to be a HUGE HUGE HUGE time-saver, and my boss is going to love me for it. You guys rock!!!



karlizeth — Fri, 08/29/2008 - 07:00
Thanks again you guys, awesome info and stuff I'd have a hell of a time trying to learn on my own. Will give the info listed on both of the above two posts a whirl today; also giving router config part 2 a shot (as mentioned in nessence's original post) later this afternoon.
Agoney — Thu, 08/28/2008 - 21:37
If it's Cisco, I guarantee it's some type of ACL mismatch (well, mismatch in a sense that only one network can fully see the other. It's actually more secure this way, in a sense).
Your best bet is UltraVNC imo. It works on Vista, and you can re-configure the port it's accepted on (Dufe explained this above). It's free, relatively easy to install, and all you need is either the PC name or PC IP address. Of course, you will have to be able to see the remote computers on your network for this to occur (i.e., the access list allows you to view them).
Dufe — Thu, 08/28/2008 - 20:53
A quick run-down for ya:
Every different application that uses TCP should be trying to communicate on a different port number. These port numbers are basically a way of letting the computers know which application on the source/destination a particular data packet is supposed to be going to/coming from. Security settings on routers/firewalls are often configured to only allow traffic on certain ports.
In your case, it sounds like the ports used for certain network functions are open, while the one used by RDT is blocked. If this is the case, you may have to re-configure routers/firewalls to allow traffic on that port. Sometimes Windows Firewall/other firewall software on the PC itself also blocks this by default. I don't think RDT can be configured to run on a different port, but my memory says that some of the other software options can - just don't remember which ones.
karlizeth — Thu, 08/28/2008 - 20:42
I should mention that at some point, when my boss was at a remote location working on a computer that had an existing connection to the server at our main office through a VPN, HE was able to remote into MY computer, but I couldn't do the reverse. I then tried to set up the same VPN configuration on my own desktop, which allowed me to locate the computer he was working on via a search (which I couldn't see before). But neither the computer name nor its current IP address would work when I tried to get on it. I wonder, do you think our router could be blocking that type of connection via a firewall? It's a relatively heavy duty Cisco router.
Lastly, tonight I'm going to attempt to configure my home router to connect to my work computer. Because I wasn't able to configure any of the routers off-site, I can at least test it out at home to see if it's going to work or not and hopefully save myself some time.
GrayVon — Thu, 08/28/2008 - 18:24
Or you could just get a copy of PCAnywhere ...
Or if you're looking for a freebie, try LogMeIn.com
karlizeth — Thu, 08/28/2008 - 14:43
Ag, I think that might be next week's task. Things were going great on my end; got everything set up the way it should be, only to discover that between the lady at my office who coordinated the installation of the routers at our other locations and the guy who installed them, 3 out of 4 of our remote locations have no info about the logins for the router. Their answer was "oh, gee, I thought we had taped the login info to the bottom of the router." So, at all but 1 location we can't access the router w/o resetting it, and nobody on my staff has time to do that right now. All because no one thought to write down some fucking user names and passwords.....swell.
Agoney — Thu, 08/28/2008 - 09:42
Still saying VNC would be the easiest! :P
karlizeth — Wed, 08/27/2008 - 19:38
Carno, that looks like a fantastic solution. Very doable given our current setup. Will tackle one location tomorrow or Friday and see what happens!!!!
karlizeth — Wed, 08/27/2008 - 19:13
I'm not sure what you mean by "what vpn we use" other than I know it gets pointed to our server as a "vpn.xxxxxxxxx.org" type thing (off the top of my head anyway). I can get into the Cisco router at work pretty easily, but I don't know about getting into the router at other locations.
karlizeth — Wed, 08/27/2008 - 18:33
Dufe, domain thing is a definite no go. I simply do not have time to make it happen and I'm the only one that could do it. This is what happens when you make your HR person do IT work....
nessence — Wed, 08/27/2008 - 18:17
I also just noticed you say your remote computers connect to the database via VPN.
You could also use that. When the remote computer connects to the VPN it will be assigned an IP address on the VPN. You should be able to remote desktop to that address if you have port 3389 open on the remote computer's firewall. Also, if you open the VPN manager (it's called "routing and remote access") on your server you can see the IP addresses the VPN server gives out. The only sucky part about this is that you have to call and ask anyone you want to remote control to connect the VPN.
nessence — Wed, 08/27/2008 - 18:10
Karli:
You will need to change settings on your company's firewall and/or Internet router.
Internet -> Your ISP -> Your Router -> [Company Desktops]
Your router should have an IP address which is public - it will be something OTHER than 192.168., 172., 10. An example would be 64.233.187.99.
This address is the address on your router, on the port which connects to your ISP. The other addresses will be on the Internal port of your router. For example, your desktop IP address may be 192.168.0.65.
It will be the same scenario at each location. All of the desktops behind the router are on the same 'network' and will have similar IP addresses - as you've stated - assigned dynamically. This is why at your office you can connect to all the other desktops - they are on the same network as your computer. The remote computers are on a different network so you can't get to them. The desktop networks are likely 'private' networks and that's why you can't get from one to the other. If your desktops are not using public IP addresses then you have other problems (i.e., let's talk about that if it's the case :) ).
The simplest solution is to set up a 'host' remote desktop workstation at each remote site. This could be an existing computer. This requires going into the router/firewall at each remote location and forwarding port 3389 on the router to the IP address of the 'host'. The 'host' needs to have a static private IP address. You will want to write down the public IP address for each public router. The best way to check out how to set up your internet router or firewall for this is to look in the manual under "port mapping", possibly in a section about NAT. Once configured, your router will basically forward all traffic to/from port 3389 on the 'host' desktop to whatever connects to port 3389 on the public IP address of the router. With this setup, you can open remote desktop on your workstation, enter the public IP address of a remote office router, and connect to that remote office's 'host' desktop. What you do from here is to then run remote desktop client on the 'host' computer and use *that* computer to connect to the rest of the computers in that office. Yes, you're basically piggy-backing off the 'host' computer. Also, any firewall software (Windows, ZoneAlarm, Symantec, etc.) on the remote office computers will need to have an 'exception' added for port 3389. You should be able to google/helpfile this with the words firewall exception.
The remote office network must have different private IP addresses from your home office. If not, it won't work properly. If this is the situation, the easiest thing to do would be to change the IP address network in your home office (as opposed to ALL the remotes).
There are other ways to do this but they get complicated and/or expensive.
The last option is to install MSN messenger on every desktop and use the 'remote assistance' feature. I'm pretty sure that's what it's called... however, your mileage may vary as to how reliable this works through your firewall. Another option is to use a paid-for service like gotomypc.com. Gotomypc.com is owned by Citrix so they likely have a good product. I haven't used it and don't know what it costs but it's still an option.
Here is how to open a firewall exception if you just use Windows XP Firewall, as well as an overview of what you'll be doing:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308127
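The addressing rules in the post above (public address on the router's ISP side, a static private 'host' inside each site's network, remote networks that differ from the home office) can be checked before touching any router. This is an added example, not part of the original post; the site names, the plan layout and every address except 64.233.187.99 and the 192.168.0.x home network are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges. Only 172.16.0.0/12 is private, not every 172.x address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if a single address falls inside one of the private ranges."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def check_site(home_lan, site):
    """Return the list of addressing problems in one remote site's plan."""
    home = ipaddress.ip_network(home_lan)
    lan = ipaddress.ip_network(site["lan"])
    host = ipaddress.ip_address(site["rdp_host"])
    problems = []
    if is_rfc1918(site["router_public_ip"]):
        problems.append("wan-is-private")      # not reachable from the Internet
    if not any(lan.subnet_of(net) for net in RFC1918):
        problems.append("lan-not-private")     # desktops sit on public addresses
    if host not in lan:
        problems.append("host-outside-lan")    # port forward would point nowhere
    if lan.overlaps(home):
        problems.append("lan-overlaps-home")   # same private network as home office
    return problems

def audit(home_lan, sites):
    """Check every site in the plan; an empty list means the site is consistent."""
    return {name: check_site(home_lan, site) for name, site in sites.items()}

# Constructed sample plan (hypothetical sites "north" and "south").
HOME_LAN = "192.168.0.0/24"
SITES = {
    "north": {"router_public_ip": "64.233.187.99",
              "lan": "192.168.1.0/24", "rdp_host": "192.168.1.10"},
    "south": {"router_public_ip": "172.20.5.1",
              "lan": "192.168.0.0/24", "rdp_host": "192.168.1.10"},
}

if __name__ == "__main__":
    for name, problems in audit(HOME_LAN, SITES).items():
        print(name, "OK" if not problems else ", ".join(problems))
```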
runhilan — Wed, 08/27/2008 - 17:34
Here is a link that should help, but to sum these up you will need access to your router/firewall hardware to open ports; if you don't have access it will never work. Find out what hardware your routers are and you may be able to hack your way in and open the ports needed. Do you know what VPN you use? RDT has the sound of the host computer broadcast on the computer you are on.
http://www.grc.com/nat/nat.htm
Dufe — Wed, 08/27/2008 - 17:32
I would very strongly recommend you try to get a domain going for a number of reasons. It would also make things like RDT a bit easier to manage for someone who is less experienced with networking in general.
Agoney — Wed, 08/27/2008 - 17:24
You could try to install RealVNC or UltraVNC on each of the computers. UltraVNC is the only one that works on Vista machines tho. If you can ping across your network via PC name, that's all you need to have to connect.
You can password protect the connection, as well as designate where the source connection is only allowed from. We have near 1500 computers in my network, and the majority of them have this software on it.
karlizeth — Wed, 08/27/2008 - 17:19
Runhilan, I've been to the site you linked before and read through most of the other stuff; I don't quite follow the port stuff though. It kinda goes over my head. I don't understand the significance of it, how I would check to see what my current configuration is, etc. I don't get the reference about sound, either. Can you explain a bit?
runhilan — Wed, 08/27/2008 - 17:14
Port 3389 is the only port you need to open. Windows will attempt to stream sound through User Datagram Protocol (UDP) first. If no port is available for UDP, sound will stream through a virtual channel in Remote Desktop Protocol, which uses port 3389.
And here is a quick RDT tutorial.
http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx
karlizeth — Wed, 08/27/2008 - 17:12
Each computer has its own accounts and security though I think. We use the standard Windows login screen, not the one I've seen in bigger companies that have the more formal login screen. Anyone who is an administrator on their computer can add/remove users, change access, etc etc. So yeah, not super secure, I know...
Same thing at both my office and the remote locations, except the remote locations have no server hub. They use the VPN to dial into the database that lives on XXXXserver here at the main office.
karlizeth — Wed, 08/27/2008 - 17:14
Um, well, I know that all the computers here at the main office are in the workgroup "XXXXNET". (Xs for privacy). However, the server itself has its own name, "XXXXserver". There is nothing listed in the domain name when you go into computer properties. When I create connections via ODBC/VPN I have to tell it to point to XXXXserver though. Did that make sense? I am still very weak on networking stuff.
Dufe — Wed, 08/27/2008 - 17:04
Do you guys run a domain server? Or does every computer have its own separate computer accounts/security/etc?