
Setting up VNC through BT 'security'

HeggyBo
Member

Hello there

 

I'm trying to set up remote access to my workshop PC from my home PC using VNC

However the BT security package (on the Workshop PC) appears to be 'blocking' the VNC for incoming internet traffic

It does work if accessed say from a laptop plugged into the Workshop's local LAN though (so the feature is working)?

How do I tell the BT package to allow access to VNC connections from the internet?

 

Thanks

Heggybo 

7 REPLIES

chris
Master User

Taken from online BT Business Internet Security Pack Help and Support.

 

The Advanced Firewall Settings allow you to add, edit, and remove rules pertaining to incoming and outgoing Internet traffic.

 

Advanced Firewall Settings take precedence over rules for Internet Programs.

 

To create an advanced rule:

1. On the security software console, click the Firewall button.

2. On the Firewall menu, click Firewall Settings.

3. In the left pane of the security settings window, click Advanced. Then click Add.

4. In the Advanced Firewall Rules window, in the Description text box, type a description for the rule.

5. In the Rule type option, select one of the following:

Allow network traffic – Select this option to create a rule allowing Internet traffic to and from your computer.
Block traffic – Select this option to create a rule blocking Internet traffic to and from your computer.


6. In the Remote system option, select one of the following:

All - The rule applies to all remote systems.
IP Address(es) - Type the single IP address or comma-separated address list for which you want the rule to apply.
IP Subnet - Type the IP Subnet Address and Mask for which you want the rule to apply.

7. In the Protocol option, select one of the following:

Any - The rule applies to all protocols.
TCP - The rule applies to Transmission Control Protocol traffic.
UDP - The rule applies to User Datagram Protocol.  
IP - The rule applies to Internet Protocol traffic.
ICMP - The rule applies to Internet Control Management Protocol traffic.

In the Local Port(s) text box, type a local port or comma-separated list of ports for which the rule applies (optional).

In the Remote Port(s) text box, type a remote port or comma-separated list of ports for which the rule applies (optional).

Note: Not all protocols use ports and these options are only available for UDP and TCP.


8. In the Type(s) drop-down list, select a type of communication (optional).

If you selected IP in Step 7, you can now further specify the types of IP traffic that you want to create a rule for:

2: IGMP – Internet Group Management
4: IP in IP – Encapsulation
8: EGP – Exterior Gateway Protocol
9: IGRP, IGP – Interior Gateway Protocol
46: RSVP – Reservation Protocol
47: GRE – General Routing Encapsulation
50: ESP – Encapsulating Security Payload
51: AH – Authentication Header
53: SWIPE – IP with Encryption
103: PIM – Protocol Independent Multicast
115: L2TP – Layer Two Tunneling Protocol

 

--------------------------------------------------------------------------------

If you selected ICMP in Step 7, you can now further specify the types of ICMP that you want to create a rule for:

0 – Echo Reply
3 – Destination Unreachable
4 – Source Quench
5 – Redirect
6 – Alternate Host Address
8 – Echo Request
9 – Router Advertisement
10 – Router Solicitation
11 – Time Exceed
12 – Parameter Problem
13 – Timestamp Request
14 – Timestamp Reply
15 – Information Request
16 – Information Reply
17 – Address Mask Request
18 – Address Mask Reply
30 – Traceroute
31 – Datagram Conversion Error
32 – Mobile Host Redirect
33 – IPv6 Where-are-you
34 – IPv6 I-Am-Here
35 – Mobile Registration Request
36 – Mobile Registration Reply
37 – Domain Name Request
38 – Domain Name Reply
39 – SKIP
40 – Photuris [RFC2521]

 

9. In the Traffic Direction option, select one of the following:

Incoming – The rule only applies to incoming traffic.
Outgoing – The rule only applies to outgoing traffic.
Both – The rule applies to both incoming and outgoing traffic.

10. Click Apply to save the rule.  Click OK to close the Advanced Firewall Rule window.

 

11. Click Apply. If you require your primary e-mail address and password to change Firewall Settings, the Administrative Action dialog box displays. Type your primary e-mail address and password. Click OK.

 

12. Click OK to close the Firewall Settings window.

 

The simplest way to allow VNC connections in through your firewall is to configure your firewall software to allow connections to the VNC ports. If X is the display number of a particular VNC server then it will accept connections on port 5900+X. Configuring your firewall to allow connections to this port will allow VNC to work. If you wish to use the in-built web server and Java VNC Viewer then you will also need to allow connections to port 5800+X. Unfortunately, because VNC traffic is not encrypted, this approach weakens the security provided by your firewall, and so is not advisable.

 

Chris.
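
An added example, not part of the original post or of BT's documentation: a small Python model of the rule fields listed above (Remote system, Protocol, Local Port(s), Traffic Direction), showing how a VNC rule limited to one remote address differs from one set to All. The `Rule` class, the display number and the addresses (taken from documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


def vnc_ports(display, java_viewer=False):
    """VNC listens on 5900+X for display X, plus 5800+X for the Java viewer."""
    return [5900 + display] + ([5800 + display] if java_viewer else [])


@dataclass
class Rule:
    """Hypothetical model of one advanced rule; field names follow the dialog."""
    description: str
    remote: str        # "All", comma-separated IP addresses, or a subnet
    protocol: str      # "Any", "TCP", "UDP", ...
    local_ports: list  # Local Port(s)
    direction: str     # "Incoming", "Outgoing" or "Both"

    def remote_matches(self, addr):
        if self.remote == "All":
            return True
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(item.strip(), strict=False)
                   for item in self.remote.split(","))

    def allows(self, addr, protocol, local_port, direction="Incoming"):
        return (self.remote_matches(addr)
                and self.protocol in ("Any", protocol)
                and local_port in self.local_ports
                and self.direction in ("Both", direction))


def exposure(rule, sources, port):
    """Source addresses that the rule lets reach the given local TCP port."""
    return [s for s in sources if rule.allows(s, "TCP", port)]


# Constructed sample values: display 0 and addresses from documentation ranges.
HOME_IP = "203.0.113.10"
SOURCES = [HOME_IP, "198.51.100.77"]  # home PC and an unrelated internet host
OPEN_RULE = Rule("VNC from anywhere", "All", "TCP", vnc_ports(0), "Incoming")
HOME_RULE = Rule("VNC from home only", HOME_IP, "TCP", vnc_ports(0), "Incoming")

if __name__ == "__main__":
    print("All:      ", exposure(OPEN_RULE, SOURCES, 5900))
    print("Home only:", exposure(HOME_RULE, SOURCES, 5900))
```

With Remote system set to a single address, only that address reaches the VNC port; with All, every internet host does.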

 

HeggyBo
Member

Thanks Chris

 

I had a quick look at the BT site but all it appeared to do was want to sell me stuff for £39.99 😉

I don't recall seeing the advanced tab (maybe I didn't notice it) but had stumbled on the 'filters' although I stepped backwards sharpish and I hoped I could maybe just find an 'allow VNC program' box somewhere (since Windows Firewall allows it by default when VNC is installed by an administrator)

Anyway, I'll have a wee delve in there later

 

 

                    Cheers

                      Heggybo

 

 

spank
Grand Guru

Heya,

 

Aye there is a way to just add a program, here it is

 

http://support.plato.com/kb/tip.asp?psid=2304

 

Not for VNC but should work all the same.

 

You will also need to configure the router to allow VNC connections.

 

Put 192.168.1.254 in your browser.  Click settings tab, firewall, Allow Applications, Pinholes and DMZ Mode and select the computer hosting the vnc.

 

Click the ALL applications filter and VNC is at the bottom.

 

Happy days.

fevr6
Member

Hi HeggyBo,

 

What version of VNC are you using as there may be some security risks - there's more to it than just opening up some ports on the firewall?

 

 

HeggyBo
Member

Hi there

 

Yeh I was a bit concerned about that originally as I was just using VNC free version.

The whole thing went quiet after that anyway and it was never put in place!

Any advice gratefully accepted though

 

                              Cheers

fevr6
Member

If you want to use the free versions of VNC available the best way is to ensure that it is tunneled through an encrypted link as the traffic would otherwise be easy to intercept, including passwords over the internet!!

 

1. Either start vnc up after establishing a vpn connection say through a Cisco PIX or Juniper SSG (my favorite) - this makes life easy if you are dealing with lots of platforms like Mac, Windows, Unix, Linux etc and I try to go this way as I don't usually have issues between vnc clients as you can use any that will work with the vnc server. As the encryption is done with the hardware, the on screen redraw you get in vnc is usually better than the following two 😉

 

 

2. Or start up vnc after establishing an SSH tunnel (OpenSSH is good and free!) - here's a guide I found

http://members.shaw.ca/nicholas.fong/vnc/

 

3. Pay for a secure enterprise version - RealVNC do a good version but cost $.

 

4. If you are only working within Windows/Mac networks you could ditch VNC and use something like LogMeIn which you can get free (for non-commercial), doesn't need ports opening up on the firewall and takes 5 minutes to install!! 

https://secure.logmein.com/products/free/

 

 

The important thing to always remember is that once a port has been opened on a firewall you can be seen from the outside and whatever service is using that port must be as secure as possible. 

Message Edited by fevr6 on 11-07-2009 11:15 AM
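
One way to carry out option 2 above, as an added example that is not part of fevr6's post or the linked guide: it builds the `ssh` local port forward for a VNC server on display X and confirms that the local end of the tunnel answers with a VNC (RFB) greeting. It assumes an SSH server on the workshop PC; the host name, account and function names are hypothetical.

```python
import socket


def tunnel_argv(display, ssh_host, local_port=None):
    """ssh arguments forwarding a local port to the VNC server on display X.

    The far end is 127.0.0.1 on the SSH host, so the VNC port (5900+X) is
    reached only through the encrypted session, never directly.
    """
    remote_port = 5900 + display
    local_port = local_port or remote_port
    forward = f"127.0.0.1:{local_port}:127.0.0.1:{remote_port}"
    return ["ssh", "-N", "-L", forward, ssh_host]


def parse_rfb_banner(banner):
    """Parse the 12-byte greeting b'RFB xxx.yyy\\n' that a VNC server sends first."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." \
            or banner[11:] != b"\n":
        raise ValueError("not an RFB greeting")
    major, minor = banner[4:7], banner[8:11]
    if not (major.isdigit() and minor.isdigit()):
        raise ValueError("malformed RFB version")
    return int(major), int(minor)


def read_banner(host, port, timeout=3.0):
    """Connect and return the (major, minor) RFB version the server announces."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while len(data) < 12:
            chunk = sock.recv(12 - len(data))
            if not chunk:
                break
            data += chunk
    return parse_rfb_banner(data)


def tunnel_is_up(local_port, timeout=3.0):
    """True if the local end of the tunnel answers as a VNC server."""
    try:
        read_banner("127.0.0.1", local_port, timeout)
        return True
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed values: display 0, hypothetical account and host name.
    print(" ".join(tunnel_argv(0, "user@workshop.example", local_port=5901)))
```

With the tunnel running on local port 5901, the viewer is pointed at localhost:1, and the firewall needs a rule for the SSH port only, not for 5900+X.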

HeggyBo
Member

Thanks for that

It was just intended to access one particular work PC from home, however the whole thing went on the 'back burner' anyway and clearly we have managed to live without it!

I may revive it sometime though and perhaps try the LogMeIn caper.


Cheers