>> Gateway has iptables with the following relevant rules:
>> /sbin/iptables -A tcpin -p tcp --dport 5980 -j ACCEPT
>> /sbin/iptables -A tcpin -p tcp --dport 5880 -j ACCEPT
> If you are using SSH tunneling you don't need these ports open.

These are the ports that SSH opens up from the server on to the Gateway for VNC Viewers to connect to. I think I need the ports open through the gateway for viewers to connect to my gateway because they (the viewers) are not using SSH tunneling, only the servers are. The reason I use the gateway is that the VNC servers might be behind a NAT/masqueraded firewall, for example, and not reachable from the public net. So the Gateway will be a proxy VNC server at a well-known IP address:Display.

This is the diagram:

Arbitrary VNC Server <=== SSH ====> Gateway <---- public net ---> Arbitrary VNC Viewer
(localhost:5880/5980)  22/ssh   22/ssh  (5980/5880)              (using GateWayIP:80)

If I had another person who wanted to serve I would have him use SSH to the gateway and open, say, 5990/5890. His counterpart viewer would use GateWayIP:90.

> I'm not sure I follow you here. Just using SSL on the https port will not
> encrypt the VNC traffic from the Java viewer to the gateway, just the
> delivery of the applet.

Duh = brain lock :-) I'm still trying to think of a dead simple way to get an encrypted screen view using a browser. The VNC position of building on, not building in, security, while elegant technically, is working against me for "new user comfort level", on a shoestring budget (man-hours and $$$). The viewers have to "install" the security if it is not in the browser/applet. So I kind of glommed on to SSL before realizing (in the morning!) that the applet had nothing to do with the browser connection ;-(

So far I'm thinking it's one of:

(1) Don't worry about encryption; nobody will bother.
(2) Put the MindTerm SSH application on the gateway and have viewers connect via the SSH applet using a guest account (:-() then connect to the VNC server if they are concerned about encryption. (License issues?)
(3) I suppose I could hack the applet but that's not in the guerrilla budget ;-(

Regards,
Michael
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
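The tunnel setup in the diagram above, written out as POSIX shell functions. This is an added example, not code from Michael's post or from the VNC project: the user names, host names and local display numbers are assumptions; the port arithmetic follows the usual VNC convention that display N is RFB on 5900+N and the Java-viewer HTTP server on 5800+N, which is how the post's 5980/5880 pair maps to GateWayIP:80. The caveat it adds is the one that matters for the firewall question: by default sshd binds a remote forward (ssh -R) to 127.0.0.1 on the gateway, so viewers on the public net cannot reach it no matter what iptables allows; the gateway's sshd_config needs GatewayPorts yes (or GatewayPorts clientspecified together with an explicit 0.0.0.0: bind address on the -R) before the iptables ACCEPT rules do anything. The viewer_tunnel_cmd function is option (2) from the post expressed as a plain ssh -L from the viewer's machine; with that in place the gateway-side ports only need to be reachable from the gateway itself.

```shell
#!/bin/sh
# Added example, not from the original post. Names after "@" and the
# display numbers passed in are assumptions; the 5900+N / 5800+N mapping
# is the standard VNC convention used in the thread.

# Ports for a VNC display number: prints "<rfb port> <http port>".
vnc_ports() {
    display=$1
    echo "$((5900 + display)) $((5800 + display))"
}

# Command the VNC *server* side runs. It connects out over ssh (22/tcp)
# and asks the gateway's sshd to listen on the gateway-side display ports
# and forward them back to the server's own VNC display.
# The "0.0.0.0:" bind address is honoured only when the gateway's
# sshd_config has "GatewayPorts yes" or "GatewayPorts clientspecified";
# with the default "no" the ports are bound to 127.0.0.1 on the gateway
# and public-net viewers cannot reach them regardless of iptables.
server_tunnel_cmd() {
    gw_display=$1      # display viewers will use on the gateway (80 in the post)
    local_display=$2   # display the vncserver actually runs on
    gateway=$3         # user@gateway-host (assumed)
    set -- $(vnc_ports "$gw_display")
    gw_rfb=$1; gw_http=$2
    set -- $(vnc_ports "$local_display")
    loc_rfb=$1; loc_http=$2
    echo "ssh -N -R 0.0.0.0:$gw_rfb:localhost:$loc_rfb -R 0.0.0.0:$gw_http:localhost:$loc_http $gateway"
}

# Gateway firewall rules from the thread, generated for any display.
# Only needed when viewers connect to the gateway port directly.
gateway_firewall_rules() {
    set -- $(vnc_ports "$1")
    echo "/sbin/iptables -A tcpin -p tcp --dport $1 -j ACCEPT"
    echo "/sbin/iptables -A tcpin -p tcp --dport $2 -j ACCEPT"
}

# Option (2) in ssh terms: a viewer who wants encryption opens their own
# tunnel to the gateway and points the VNC viewer at localhost:<display>.
# The -L target is the gateway's 127.0.0.1:<rfb>, i.e. the port sshd bound
# for the server's -R, so GatewayPorts can stay "no" and the two iptables
# ACCEPT rules above become unnecessary.
viewer_tunnel_cmd() {
    gw_display=$1
    local_display=$2   # free display number on the viewer's machine
    gateway=$3         # guest@gateway-host (assumed)
    set -- $(vnc_ports "$gw_display")
    gw_rfb=$1
    set -- $(vnc_ports "$local_display")
    loc_rfb=$1
    echo "ssh -N -L $loc_rfb:localhost:$gw_rfb $gateway"
}

# Demonstration with the thread's numbers: gateway display :80, server on :0,
# viewer uses local display :1 (host names and users are placeholders).
server_tunnel_cmd 80 0 michael@gateway.example
gateway_firewall_rules 80
viewer_tunnel_cmd 80 1 guest@gateway.example
```

Run it to print the three command sets; the second serving person in the post is the same thing with 90 in place of 80. A viewer using the plain GateWayIP:80 path gets no encryption between viewer and gateway, exactly as the quoted reply says; only the viewer_tunnel_cmd path (or MindTerm doing the equivalent from the browser) closes that gap.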
