
VNC on 3389?




Bulla666
Sep 6, 2011, 01:01 PM
I've just acquired a shiny new iMac with Lion installed, and I'm having trouble getting my head around remote access.

I'm new to OS X, but basically I want to be able to connect from my Windows machine at work to my Mac, but it needs to be via port 3389.

As far as I can tell it's not possible to change the default Lion sharing to use anything other than 5900? I've tried to find an alternative VNC server so that I can change the port to 3389, but am I right in thinking that they are all broken at the moment due to Lion's new sharing features?

Please help a Windows user get to grips with his new mac :-)



spidey3
Sep 6, 2011, 02:07 PM

If you are connecting on port 3389 then it is most likely not VNC, but rather Microsoft RDP.

To connect to this you will need to use Remote Desktop Connection Client for Mac (http://www.microsoft.com/mac/remote-desktop-client) or CoRD (http://cord.sourceforge.net/).

As for which is better, the Microsoft tool has the better implementation of the protocol, but CoRD has a better user interface.

Also, are you sure you will be able to connect directly to port 3389 at work? Leaving that port open to the public internet is not suggested, as it is a HUGE security risk.

Spidey!!!

Bulla666
Sep 6, 2011, 02:32 PM

Sorry, I should have made myself clearer. In the past I would use my work PC (Windows 7) to RDP to my home machine (Windows 7).

I have bought an iMac to replace my home Windows 7 PC.

The firewall at work won't allow access out on 5900, but it does allow 3389. My idea was to run a VNC client and tell it to use port 3389 to connect to my iMac at home.

The problem is the Lion VNC server doesn't allow you to change the default port to 3389.

I guess I need to use a non-standard VNC server like Vine or similar, but I can't seem to find one that works.

spidey3
Sep 6, 2011, 02:59 PM

You should NEVER leave a VNC service (on 5900, 3389 or any other port) open to the public internet. It truly is a HUGE security risk, as the VNC protocol is NOT secure, and you are also left open to brute force password guessing attacks.
A more secure method is to establish an IP tunnel from your work machine to home via SSH and connect through that. On the Mac, enable SSH service using System Preferences->Sharing->Remote Login. You may also need to adjust your firewall settings. On the Windows machine PuTTY (http://www.putty.org/) is probably the easiest tool available to create the tunnel.
IMPORTANT: Check and double-check that you are not violating your employer's rules by connecting outbound in this manner! Just because the port is open doesn't mean using it in this way is allowed. People have lost their jobs over violations of such rules!


Spidey!!!

Bulla666
Sep 6, 2011, 03:11 PM

Thanks Spidey

I have worried about 3389 being open before. The only way I reassured myself was by having a very strong password (15+ characters without dictionary words) and telling my router to only allow inbound connections from my work IP. Not foolproof, but I guess it's better than nothing.

Once I establish the connection with PuTTY, will I be able to view my desktop as normal, a la RDP/VNC?

No worries with work rules, I'm well within them :-)

spidey3
Sep 6, 2011, 03:58 PM

You didn't tell me you had a router in the picture!

Since you do, you have some options:

1. Given that you have locked down connections to be only from your work IP address, I suppose you could continue to do as you were doing, with no SSH tunnel. You will need to arrange in your router configuration to forward the outside port [3389] to your internal VNC port [5900]. Most routers support this sort of remapping of port numbers. This is the simplest solution, but there is a downside: You still leave yourself open to an attack which uses IP spoofing, and keystrokes could be snooped from the VNC stream.

2. You could tunnel straight through the router; this would require arranging for a port which your company allows to be passed through the router and on to the SSH port (22) on the Mac. PuTTY will need to be configured to connect on this port.

3. If you can ssh to the router itself (I use DD-WRT (http://dd-wrt.com) which is configurable for this), then you can establish the tunnel from your work PC to the router, and then tunnel VNC through that. This is what I do.

Assuming you do configure and start up the SSH tunnel using PuTTY, then once that is established you should be able to connect VNC to the local port of the tunnel. I'm a bit too lazy to go over all of the configuration requirements for all of this, but if you Google around [e.g. for "vnc via putty tunnel"] I am sure you will be able to find guidance. If you still have questions after that, feel free to post them...

Spidey!!!
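The tunnel spidey3 recommends in his two posts above (SSH from the work PC to the Mac, VNC carried inside it), written out as an added example that is not code from the thread: the OpenSSH form of the local forward PuTTY would be configured with, plus a check of the Mac-side sshd settings that address the password-guessing risk he mentions. The account name "bulla", the host "home.example.org" and the sample config files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the router forwards an
# outside port (3389, the one the work firewall permits) to sshd (22) on the
# Mac, the Mac account is "bulla", the home address is "home.example.org".

# OpenSSH equivalent of the PuTTY local-forward tunnel described above. VNC
# (5900 on the Mac) appears on the work PC as 127.0.0.1:LOCAL_PORT only, so
# the VNC stream (passwords, keystrokes) travels encrypted inside SSH and the
# forwarded socket is not reachable by anything else on the work network.
vnc_tunnel_cmd() {
    user=$1; host=$2; ext_port=$3; local_port=${4:-5901}
    printf 'ssh -N -p %s -L 127.0.0.1:%s:127.0.0.1:5900 %s@%s\n' \
        "$ext_port" "$local_port" "$user" "$host"
}

# Check an sshd_config file for settings that blunt password guessing against
# an Internet-facing sshd. Prints a WARN line per problem; returns 0 on pass.
# Comments and leading blanks are stripped so a commented-out default such as
# "#PasswordAuthentication no" is not mistaken for a live directive, and only
# the FIRST occurrence of a keyword counts, as sshd itself applies it.
check_sshd_config() {
    cfg=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1")
    rc=0
    # has KEYWORD VALUE_REGEX: keywords are case-insensitive, values are not.
    has() {
        printf '%s\n' "$cfg" | grep -Ei "^$1[[:space:]]" | head -n 1 \
            | grep -Eq "^[^[:space:]]+[[:space:]]+$2([[:space:]]|$)"
    }
    has PasswordAuthentication no || { echo "WARN: set PasswordAuthentication no and use a key pair"; rc=1; }
    has PermitRootLogin no || { echo "WARN: set PermitRootLogin no"; rc=1; }
    has AllowUsers '[^[:space:]]+' || { echo "WARN: add AllowUsers <account> to limit who may log in"; rc=1; }
    return $rc
}

# Demo on two constructed configs: a typical default next to a hardened one.
weak=$(mktemp); hard=$(mktemp)
printf '#PasswordAuthentication no\nPermitRootLogin yes\n' > "$weak"
printf 'PasswordAuthentication no\nPermitRootLogin no\nAllowUsers bulla\n' > "$hard"
vnc_tunnel_cmd bulla home.example.org 3389
check_sshd_config "$weak" || echo "default config: not safe to expose"
check_sshd_config "$hard" && echo "hardened config: OK"
rm -f "$weak" "$hard"
```

With the tunnel up, the VNC client on the work PC is pointed at 127.0.0.1:5901 rather than at the home address.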

Bulla666
Sep 7, 2011, 02:29 AM
Thanks for all the help Spidey, I'll be back with a progress update ! :D

Bulla666
Sep 10, 2011, 08:58 AM

Bit of an update Spidey,

Option one, to use 3389 and port remap to 5900, was a non-starter as my router (Netgear WNR2000) can't do it :-(

So I guess now I'm stuck until a point that Vine or some other OS X VNC server allows me to change the incoming port to 3389.

I did try and set up SSH, but for some reason when I connect from my local Win 7 box using PuTTY I get a connection but it never accepts my password even though I know it's right.

spidey3
Sep 10, 2011, 07:59 PM

Actually, I believe WNR2000 does support port forwarding.

See "Adding a Custom Service" on page 5-7 of ftp://downloads.netgear.com/files/WNR2000_UM_24FEB09.pdf

As for why your ssh is not accepting your password, it is probably because it is the router you are hitting, not the machine inside the router...

Bulla666
Sep 11, 2011, 02:14 AM

Hi Spidey,

Hmm, I think I am being stupid then. I know how to forward a port, but if I put 3389 as the start port and 5900 as the final port then it doesn't work? I can open 3389 or 5900, but then that doesn't solve my issue because Lion VNC only works on 5900?

Ah, sorry, I should have said this was on the local network only, and still SSH gave me access denied.

Since speaking to you I have found a solution of sorts using RealVNC, where I was able to change the listening port to 3389 and connect from another network using 3389. The only downside is I need the Enterprise edition, which carries a license cost, although it may be a small price to pay for remote access.

spidey3
Sep 11, 2011, 06:25 AM

Ah, looking at that Netgear doc a little more closely I see that you are right -- it doesn't actually support an internal port differing from the external port. You might consider loading DD-WRT (http://www.dd-wrt.com) onto your router - it is much more flexible.

As for why you cannot ssh to your Mac, do you have Sharing -> Remote Login enabled for your userid? And have you set the router so that port 22 is passed through to your Mac?

As for buying RealVNC -- you should not need to spend any money to get this working. You already have all of the tools you need in hand for free -- just need to arrange them correctly...

Gomff
Sep 11, 2011, 10:14 AM
Spidey

I PM'd you about something relating to this thread, asking for some help if you have a spare few minutes.

Cheers

Bulla666
Sep 12, 2011, 09:10 AM

Looking at the DD-WRT page, I think it only supports v2 of my router, and sadly I only have v1. I guess that rules out ever being able to forward 3389 to 5900, unless I buy a new router, that is :-)

I suppose the only other hope is that a free version or the official version of VNC will eventually allow a port change that works on Lion.

By the way, I'm connected at the moment from work on port 3389 via the RealVNC client and server, and it works great!

Thanks

Bulla