I re-read the VNC FAQ about 8 times, followed by re-reading the SOHO manual about 4 times. The SOHO allows custom services that listen for incoming traffic on certain ports and redirects it to an internal IP address. That sure sounds like port-forwarding to me, although they don't call it that AND it is also stated that the SOHO units don't allow port-forwarding.
So, I was able to make it work by:

I. Setting up multiple custom services on the SOHO - one for each workstation I want to access. For example 5900 is redirected to the fileserver, 5901 is redirected to Workstation #1, and 5902 is redirected to Workstation #2.

II. The VNC Server on each computer was set (via registry edits) to a) Turn off auto port selection, and b) define specifically which port it was listening on. In my example, 5901 for Workstation #1, 5902 for Workstation #2. The fileserver didn't require edits since port 0 is the default port.

III. The remote computer trying to connect uses the external IP of the SOHO, followed by ':0' to connect to the fileserver, ':1' to connect to Workstation 1, ':2' to connect to Workstation 2.

This all seems obvious now that it works, but it was certainly confusing while I was struggling. VNC's documentation didn't help much with the confusion of "display number" really meaning "port", and the like. It also would be easier if you didn't have to hack the registry to change the listening port.

Taking security advice from multiple posts in the archives, I'm not allowing use of the Java viewer (although that would seem easier on the remote user since they can just use their browser, and could create one-click desktop shortcuts to connect), and I'm only allowing connections from specific IP addresses. I suppose as well that it might be a little more secure to NOT use ports at the beginning of the allowable range (too predictable).

Thanks for your help & patience!

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: VNC behind Watchguard SOHO

Thanks, I'll give this some thought!

Mark

-----Original Message-----
From: Scott C. Best [mailto:[EMAIL PROTECTED]
Sent: February 05, 2004 12:20 PM
To: [EMAIL PROTECTED]
Cc: Mark
Subject: Re: VNC behind Watchguard SOHO

Mark:

Heya.
The part that is unclear is how you can connect to Joe at all if your SOHO box doesn't allow port-forwarding. My guess is that the SOHO has put Joe into the "DMZ", meaning it forwards all ports, by default, to Joe. Not very secure, but I'm sure it works.

Here are some ideas to get things working better:

1. Install an SSH server on Joe, and SSH clients on Mary and Martha. You can then use SSH to set up a "reverse tunnel", so that port 5901 on Joe actually connects to Mary, and 5902 connects to Martha, etc.

2. You can VNC to Joe, and then from Joe open a VNC Viewer and connect to Mary or Martha.

3. You can replace your SOHO box with a $30 LinkSys box that handles this much more nicely.

4. You can install Kaboodle on Joe, and then set up a "personal VPN" connection to Joe from anywhere on the Internet. Once connected, you can connect to Mary or Martha (Kaboodle uses Zebedee to act like a connection-forwarding service).

Hope one of these helps!

-Scott

> Ok, let's hope this is clearer:
>
> I have a Windows2k Network with a single fileserver. Let's call it
> "Joe". This network shares a DSL connection to the internet, and we
> have a Watchguard SOHO Firewall. This network has (among others) two
> workstations. One is running WindowsXP-Pro, let's call that one
> "Mary". Another workstation is running Windows98SE, let's call that
> one "Martha".
>
> Right now, I can successfully run VNC Server on Joe, and from anywhere
> with an internet connection, use the VNC viewer to connect to Joe.
>
> I'd like to also run VNC Server on Mary and Martha, and, from anywhere
> with an internet connection, use VNC viewer to connect to Mary and
> Martha.
<snip>

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
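Added example, not part of the original thread: a small Python model of the setup Mark describes in steps I to III, showing how a viewer address like `ip:2` becomes TCP port 5902, which internal machine the custom service hands it to, and how the source-address restriction drops everything else. The internal addresses, the allowed source networks and the function names are constructed for illustration.

```python
import ipaddress

VNC_BASE_PORT = 5900  # a VNC "display number" N means TCP port 5900 + N

# Constructed sample data: one custom service per machine, as in the thread.
# Internal addresses and allowed sources are made up; the public-looking
# addresses come from the RFC 5737 documentation ranges.
FORWARDS = {
    5900: "192.168.111.10",  # fileserver
    5901: "192.168.111.11",  # Workstation #1
    5902: "192.168.111.12",  # Workstation #2
}
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/29"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def viewer_target_to_port(target):
    """Turn a viewer address such as '192.0.2.1:2' into (host, tcp_port)."""
    host, sep, display = target.rpartition(":")
    if not sep:
        return target, VNC_BASE_PORT  # bare host means display 0
    if not host or host.endswith(":") or not display.isdigit():
        raise ValueError(f"not a host:display address: {target!r}")
    return host, VNC_BASE_PORT + int(display)


def route(target, source_ip):
    """Return the internal host a connection reaches, or None if dropped."""
    _, port = viewer_target_to_port(target)
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in ALLOWED_SOURCES):
        return None  # source address is not on the allow list
    return FORWARDS.get(port)  # None when no custom service uses this port


if __name__ == "__main__":
    for target, src in [("192.0.2.1:0", "203.0.113.5"),
                        ("192.0.2.1:2", "203.0.113.5"),
                        ("192.0.2.1:2", "198.51.100.8"),
                        ("192.0.2.1:3", "203.0.113.5")]:
        print(f"{src} -> {target}: {route(target, src)}")
```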
