Need help setting up VNC to be browser accessible through a DMZ/Gateway machine by multiple users.
Use Case: Set up multiple "well known" externally (internet) visible ports on a gateway machine for using VNC to/from firewalled/NATed machines so people outside the office can set up spur-of-the-moment screen sharing with arbitrary users. The multiple part is so people don't step on each other's sessions. Each person wanting to "serve" will have a "display" number on the gateway to use for their own purposes. The net traffic shall be encrypted for confidentiality. Would like other people to be able to use the VNC Viewer program AND a web browser (no software installation issues with using the browser).

I'm trying to get web browsing on ports other than 5800 working but I keep getting "java.net.ConnectException: Connection refused" after being presented with the password dialog when I access http://gateway:5880/ (for example). A configuration issue? It does work if I set up to use ports 5900/5800.

What I've done:

On "Gateway" (a Linux box with a well known public IP address running ssh server) each of the potential server users has an account/password and is an allowed user in ssh configuration. SSH server allows port forwarding and gateway. Gateway has iptables with the following relevant rules:

    /sbin/iptables -A tcpin -p tcp --dport 5980 -j ACCEPT
    /sbin/iptables -A tcpin -p tcp --dport 5880 -j ACCEPT
    /sbin/iptables -A tcpin -p tcp --dport 5900 -j ACCEPT
    /sbin/iptables -A tcpin -p tcp --dport 5800 -j ACCEPT

(I want to tighten this up to allow vnc ports only from ssh'd machines, or perhaps restricted by MAC, or .... But that is another day.)

I used the standard 5900/5800 pair for testing. Now I want to expand to set up 5980/5880 to allow multiple sessions.

On PC "Server" (the one sharing the screen, who may be behind a firewall and NATed) user uses PuTTY to connect to Gateway via SSH. PuTTY on PC Server machine configured to use SSH tunnelling/port forwarding:

    "Remote Source:5980 Destination:localhost:5900"
    "Remote Source:5880 Destination:localhost:5800"

(This connects the local (default VNC) ports on the machine to different ports 5980/5880 on the gateway.) On the PC Server's VNC Viewer properties: display socket(0) and java (enabled). (AllowLoopback = 1) in the registry.

The Server machine user starts the PuTTY SSH session, gets validated and SSH forwards the ports... Then s/he starts the VNC Server. (Prefer not running a service or other automagic until everyone is comfortable and it works.)

On some other machine "PC Viewer" (perhaps also behind firewall and NATed) user points the VNC Viewer program to "gateway:80", answers the password prompt, and away they go, no problem.

However, Problem: I want the PC Server user to be able to share the screen with others (PC "Viewers") who point their browser to http://gateway:5880 (dead simple KISS instruction). This is a guerrilla movement so I would like the browser to work first, then the sales pitch is "Point your browser at, password is foobar. Watch what I do... ;-))"

I keep getting "java.net.ConnectException: Connection refused" after being presented with the password dialog when I access http://gateway:5880/ with a browser. (This works fine if I use 5900/5800 i.e. no offsets.)

I read in the archive (only after banging my head ;-( ) that several years ago VNC did NOT use the port number in the URL to calculate the port for the "non browser" communication, i.e. it did not calculate 5880+100=5980. I can kludge it so that the browser points at gateway:5880 and ports 5880 and 5900 are open on the gateway and the browser does work, but that means that only one user can access at a time since the 5900 port is being used by every browser session.

Is it still the case (i.e. sort of broken) for the current RealVNC version or is there some configuration tweak that I missed?????

Thanks,
Michael

P.S. I will get around to using Stunnel on the gateway (or other SSLification, if someone thinks better) so that the entire link is encrypted from the PC server to the gateway (SSH) and from the gateway to the browser (SSL via https) if I can get the port issue squared away.

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list

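A small diagnostic for the port mismatch Michael describes, added here as an example and not part of the original post or of RealVNC. It assumes (an assumption, not confirmed by the post) that the applet page served on the HTTP port carries a `<PARAM NAME="PORT" VALUE="...">` naming the RFB port the Java viewer will open, and that in this layout the tunnelled RFB port is always the HTTP port plus 100 (5880 to 5980); the embedded HTML is a constructed sample.

```python
"""Check whether a browser session on a gateway HTTP port (e.g. 5880) will
reach the SSH-forwarded RFB port (5980) or fall back to the server's own 5900.
"""
import re
import socket
import sys
from urllib.request import urlopen

# Constructed sample applet page (not captured from any real gateway): the VNC
# server behind the tunnel still believes its RFB port is 5900.
SAMPLE_APPLET_PAGE = """<HTML><TITLE>VNC desktop</TITLE>
<APPLET CODE=VncViewer.class ARCHIVE=VncViewer.jar WIDTH=1024 HEIGHT=768>
<PARAM NAME="PORT" VALUE="5900">
</APPLET></HTML>"""

def expected_rfb_port(http_port):
    """RFB port the gateway tunnel listens on in this layout: HTTP port + 100."""
    return http_port + 100

def applet_rfb_port(html):
    """RFB port named in the applet's PORT param, or None if the page has none."""
    m = re.search(r'<PARAM\s+NAME="?PORT"?\s+VALUE="?(\d+)"?', html, re.IGNORECASE)
    return int(m.group(1)) if m else None

def diagnose(http_port, html):
    """Return (port the applet will use, verdict) for a browser hitting http_port."""
    wanted = expected_rfb_port(http_port)
    embedded = applet_rfb_port(html)
    target = embedded if embedded is not None else wanted
    if target == wanted:
        return target, "ok: applet will connect to the tunnelled port %d" % target
    return target, ("mismatch: applet connects to %d, but the tunnel listens on %d"
                    % (target, wanted))

def tcp_open(host, port, timeout=3.0):
    """True if a plain TCP connect to host:port succeeds (what the applet needs)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Usage: python vnc_tunnel_check.py gateway 5880
    host, http_port = sys.argv[1], int(sys.argv[2])
    page = urlopen("http://%s:%d/" % (host, http_port), timeout=5).read().decode("latin-1")
    target, verdict = diagnose(http_port, page)
    print(verdict)
    print("gateway:%d reachable: %s" % (target, tcp_open(host, target)))
```

When the verdict is "mismatch", every browser session on any HTTP port is steered to the single port 5900, which is exactly the one-user-at-a-time symptom described above.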