View Full Version : Remote Desktop?
stoecker
03-01-2005, 06:03 PM
I decided the other day that I would set up remote desktop, but I seem to be having some trouble connecting to it. I live in Coronado and can access my desktop from my laptop and my roommate's laptop, but for some reason I cannot access it from anywhere outside of Coronado. I had some of my friends try who live in different states but they could not get it, and I cannot seem to access it either here @ replay. I thought it may have something to do with VPN so I set up VPN on my laptop but still can't access it. I also thought it might be a port problem so I set up the web remote desktop (http://www.microsoft.com/windowsxp/using/networking/expert/northrup_03may16.mspx) but that does not seem to work either. Am I doing something wrong or is there something else like the dorm routers blocking it?
dparm
03-01-2005, 06:12 PM
My guess is that the routers in the dorms block all traffic on 3389, the default RDC port. They probably do this to protect against bots looking for computers without passwords on the user accounts.
Chris, do you have any sort of router in your room? (wireless or wired)
stoecker
03-01-2005, 06:23 PM
No I do not use a router in my room
amichel
03-01-2005, 11:45 PM
ResNet uses a reflexive access list rather than specific port blocks, or at least that used to be the case. If you're unfamiliar with an RAL, that means that all traffic that travels into the network must have been requested. So, in order for data to flow through the RAL, a computer on the inside had to have sent a request. When the reply comes back, the routers compare the incoming packet to outgoing requests, match them up and let them through. Traffic inside ResNet is unrestricted, thus iTunes sharing, etc works, as well as your remote desktop. Once you're outside ResNet, there is zero externally initiated access into ResNet.
I have no idea if there's any easy way to circumvent this sort of firewall, but I lean towards no.
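A toy model of the reflexive access list described in the post above, added here as an illustration (not part of the original thread and not ResNet's actual configuration). The network range, addresses, ports and the 300-second timeout are constructed assumptions.

```python
# Added illustration: toy model of a reflexive access list (return-traffic filter).
# The network range, hosts and timeout are constructed, not ResNet's real values.
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.20.0.0/16")  # assumed stand-in for the dorm network


class ReflexiveACL:
    def __init__(self, inside, timeout=300):
        self.inside = inside
        self.timeout = timeout
        self.table = {}  # expected reply 5-tuple -> expiry time

    def _is_inside(self, addr):
        return ip_address(addr) in self.inside

    def check(self, now, proto, src, sport, dst, dport):
        """Return 'permit' or 'deny' for one packet seen at the border."""
        src_in, dst_in = self._is_inside(src), self._is_inside(dst)
        if src_in and dst_in:
            return "permit"  # traffic that stays inside is unrestricted
        if src_in:
            # Outbound request: remember what the matching reply will look like.
            self.table[(proto, dst, dport, src, sport)] = now + self.timeout
            return "permit"
        # Inbound: permitted only if it mirrors an unexpired outbound entry.
        key = (proto, src, sport, dst, dport)
        expiry = self.table.get(key)
        if expiry is not None and expiry >= now:
            self.table[key] = now + self.timeout  # refresh on activity
            return "permit"
        self.table.pop(key, None)
        return "deny"


def demo():
    acl = ReflexiveACL(INSIDE)
    desktop, roommate, outside = "10.20.5.10", "10.20.5.11", "198.51.100.7"
    return [
        acl.check(0, "tcp", roommate, 50000, desktop, 3389),  # inside to inside
        acl.check(1, "tcp", outside, 51000, desktop, 3389),   # unsolicited inbound RDP
        acl.check(2, "tcp", desktop, 52000, outside, 443),    # outbound request
        acl.check(3, "tcp", outside, 443, desktop, 52000),    # matching reply
        acl.check(400, "tcp", outside, 443, desktop, 52000),  # reply after the entry expired
    ]
```

The second result is the behaviour reported at the top of the thread: the inbound connection to 3389 matches no outbound entry, so it is dropped no matter which port it targets.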
jmcgon
03-02-2005, 12:15 AM
-from inside apache dorm to another computer in apache, it'll work
-from apache to la paz dorm, it will not
-from my house to la paz dorm, it will not work
the port blocking has made providing my friends with computer help over remote assistance (same concept as remote desktop) a pain in the butt :(
kind of wish it would be allowed to work from the help desk to people's desktops in the dorms so they wouldn't have to lug their towers around for tech help. haha
dparm
03-02-2005, 01:50 PM
If that is indeed the case, Adam, then there's really no way to make it work short of some goofy port forwarding on your own router. Rats.
fturtle
03-02-2005, 03:38 PM
Two ssh tunnels would do the trick.
It'd work out to something like this:
initial connections
client-->mid<--server
data flow after connections
client<-->mid<-->server
Since both client and server are presumably behind firewalls and can't accept connections, they'd both need to connect to mid, some machine that they both can access and is capable of ssh port forwarding. The U-system machines would work fine for this. I just tried it.
Steps:
1. server sets up a 'remote' tunnel to mid, which allows mid to connect to port on localhost, which would go through the active ssh connection to server and forward to the port for whatever service it's running.
2. client sets up a 'local' tunnel to mid, which allows client to connect port on localhost, which would forward through the active ssh connection to port on mid (and because of step 1, on to server).
3. client connects to localhost on port, using the remote desktop client, thereby forwarding through mid, and to server.
It's easiest to just keep port and port the same, but if you can't specify the port for the service server is running or the client client is running, you'll have to use the service's standard port for port. Also, if this is the case and port must be below 1024, you'll have to choose another for port. port must be non-privileged (above 1024), assuming you're a normal user on mid (say one of the U-System machines).
This is actually really quick & easy to do. Just about any ssh client for Windows will forward ports, but there are also downloadable programs specifically for this purpose, like Internet Secure Tunneling (http://www.han-soft.com/index.php), which will do ssh forwarding without opening a terminal or anything. It takes about 30 seconds (not including possible travel time between server and client).
edit:
Doing this would probably go against ResComp use policy.
stoecker
03-02-2005, 03:45 PM
I will have to test that out when I have some time. I will post back telling if it works or not, thanks for the help guys.
amichel
03-02-2005, 05:06 PM
I know you CAN do this, but should we really be advertising a way to circumvent the UA dorm firewall in the public forums??.. Perhaps we could move this thread over to OSCR General or something? Just seems like bad karma to me.
fturtle
03-02-2005, 05:11 PM
I guess it depends on the level of censorship people want this forum to have. If it's against dorm policies, that's another story...if that's the case then it wouldn't be wise to do it, and obviously OSCR wouldn't condone it.
So it comes down to whether we're supposed to forfeit our freedom of speech if the information requested allows inappropriate activity. Personally, I think it's up to the individuals who are behind the firewall to decide on their own actions. Not providing completely legal information (which is also just as readily provided on the U-System's own ssh man page) simply because it allows the activity would remind me of suing a software company because their software permits copyright infringement.
If any FTE's think I should delete my post, please let me know, and I will. I think if we're to censor stuff like this, public users (once they come around here) will post it anyway, and it'll make OSCR look less knowledgeable :shock:
Not only that, we'd have to delete tons of people's posts regularly.
Maybe just a warning that whatever is posted might go against some policy would suffice.
fischerm
03-02-2005, 06:02 PM
The residence life networks are governed by the ResComp Acceptable use Policy (http://www.rescomp.arizona.edu/guides/aup.php) and by the University of Arizona Acceptable Use Policy (http://security.arizona.edu/uaacceptableuse.html). As OSCR employees, and people likely to be asked for, and give advice on computing issues, it is highly recommended that we all actually read these policies. In particular is #8 on ResComp where it states:
"The use or employment of remote administration tools on others' computers via the network (SubSeven, Netbus, Back Orifice, etc.) is prohibited."
This is obviously intended to prohibit unauthorized access, and a case could likely be made that you are acting at the behest of your friend, and not attempting to do anything illegal, but who knows.
As always, not knowing the rules doesn't mean you are not subject to them, from ResComp:
"#15. Using or traversing the ResComp Network constitutes FULL agreement with and understanding of this Acceptable Use Policy and any future modifications thereto."
The firewall restrictions were likely set up to prevent casual and unintentional misuse of the network, and attempts to circumvent this may be viewed suspiciously.
As for forum censorship, I don't think anything discussed here has crossed the bounds of what we should or should not be providing in a public forum. (Yet, and I may be overridden at any time). I'm much more concerned about keeping the language of the posts considerate and avoiding personal attacks than the ideas or concepts presented in the posts. But that is getting far too much into policy issues and we go off topic enough as it is in these threads so I'll stop there. :D
fischerm
03-02-2005, 06:21 PM
Two ssh tunnels would do the trick.
server sets up a 'remote' tunnel to mid, which allows mid to connect to port on localhost, which would go through the active ssh connection to server and forward to the port for whatever service it's running.
client sets up a 'local' tunnel to mid, which allows client to connect port on localhost, which would forward through the active ssh connection to port on mid (and because of step 1, on to server).
client connects to localhost on port, using the remote desktop client, thereby forwarding through mid, and to server.
How does mid know to take traffic coming in from client over the tunnel and pass it on to server through the second tunnel? Is there something that needs to run on mid?
fturtle
03-02-2005, 06:33 PM
...Is there something that needs to run on mid?
Nope, a 'remote' ssh tunnel opens a port on the remote machine, whereas 'local' opens one on the local machine.
If you did something like:
ssh user@system -R 5097:127.0.0.1:22
from a machine normally blocking incoming ssh connections, the remote machine you connect to would then be able to ssh to it by doing ssh user@localhost -p 5097.
The way that it knows is that the client is forwarding to the same port on mid that the server has set up on mid to forward to itself.
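From the relay administrator's side, the 'remote' forward described above is visible as an extra listening socket owned by sshd. The following is an added example (not from the thread) that picks such listeners out of `ss -tlnp` output; the sample output and PIDs are constructed, the relay is assumed to be a Linux host, and port 5097 is reused from the command in the post.

```python
# Added illustration: spot ssh remote-forward listeners on a relay host ("mid").
import re

# Constructed sample of `ss -tlnp` output; the PIDs and the mail daemon are made up.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:5097     0.0.0.0:*         users:(("sshd",pid=4312,fd=9))
LISTEN 0      128    [::1]:5097         [::]:*            users:(("sshd",pid=4312,fd=8))
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=990,fd=13))
"""

SSHD_PROC = re.compile(r'\("sshd",pid=(\d+)')


def forward_listeners(ss_output, sshd_port=22):
    """Return sorted (port, pid, addresses) for sshd listeners other than the daemon port."""
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or a socket without process information
        proc = SSHD_PROC.search(" ".join(fields[5:]))
        if not proc:
            continue  # listener owned by some other program
        addr, _, port = fields[3].rpartition(":")
        if int(port) == sshd_port:
            continue  # the daemon's own listening socket
        found.setdefault((int(port), int(proc.group(1))), set()).add(addr)
    return [(port, pid, sorted(addrs)) for (port, pid), addrs in sorted(found.items())]


if __name__ == "__main__":
    for port, pid, addrs in forward_listeners(SAMPLE_SS):
        print(f"sshd pid {pid} is listening on port {port} at {', '.join(addrs)}")
```

Whether a relay accepts such forwards at all is governed by the `AllowTcpForwarding` setting in its sshd_config.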
dparm
03-02-2005, 08:23 PM
In terms of legality, I'd say if you aren't sure, just don't do it. Better safe than sorry. You'd feel stupid if you got a letter from ResComp saying they're going to revoke your network privileges.
reuter
01-16-2006, 11:00 PM
I would raise hell if rescomp tried to play that @#%#
manfesto
02-06-2006, 10:38 AM
Chris-
Hey, this is Dane - long time no see. Hope college is going swimmingly.
Anyhoo, I don't know if you're still having this problem, but I figure you should try this.
Go to hak5.org and download episode 7 (the newest one) - they show you how to tunnel VNC over SSH by more or less mapping port 5900 over port 22 and starting an SSH session - I'm thinking you could do the exact same thing using port 3389 over port 80 (or just use VNC - since I use OS X, Windows, and Linux, VNC has become my RDC tool of choice). The dorms I'm pretty sure do block most of the ports (I can't even VPN into my dorm room (port 1723) and I'm sure 3389 is blocked as well), and I haven't tried this myself, but if you could tunnel your RDC session thru port 80, it may work.
Oh, and definitely use DynDNS - it's way easier than remembering your IP address.
manfesto
02-06-2006, 10:41 AM
I just bothered reading the rest of the thread.
khinsaaa
09-20-2006, 01:26 PM
hi, i want to do the obvious, tried going to the hack5 site, and can't figure out how to download ep 7\\
im so confused! i learn quickly, if anyone could coach me in this, i'd be so grateful! please email me at potassium913@yahoo.com or im me at AIM = firehaaazzard
if you can help
thanks so much!
--jackie
venezuelan87
02-19-2007, 06:24 PM
I bought a Slingbox and tried to set it up and it doesn't work. It needs to be connected to a router, and the problem with that is that the router is used as a switch if you have it on the university network. Is there any way for the university to open up a port so I can use my Slingbox? Or is my investment just a waste and my parents who live in China don't get to watch American TV?
dparm
02-19-2007, 06:36 PM
^ Not going to happen.
I suggest returning it or selling it on eBay. The university doesn't make exceptions.
waltersp
02-20-2007, 07:49 AM
have you guys tried Hamachi (http://www.hamachi.cc/)? Should work even behind the most restrictive firewalls ... just be sure to install at the same time or close so you get near IP addresses
jharriso
02-20-2007, 12:41 PM
I bought a Slingbox and tried to set it up and it doesn't work. It needs to be connected to a router, and the problem with that is that the router is used as a switch if you have it on the university network. Is there any way for the university to open up a port so I can use my Slingbox? Or is my investment just a waste and my parents who live in China don't get to watch American TV?
My best suggestion: find a buddy who lives off campus who would be willing to help you out with this. Otherwise, as Dan said, not gonna happen.
have you guys tried Hamachi (http://www.hamachi.cc/)? Should work even behind the most restrictive firewalls ... just be sure to install at the same time or close so you get near IP addresses
Looks pretty cool, might be useful for my friend to play LAN games of warcraft with a friend in washington..
Unregistered
11-17-2007, 10:49 PM
Jackie, you wrote me a month ago on match, i didn't get it till tonight, yes... email me back jay@statewidebusinessbrokers.com
[QUOTE=khinsaaa;13278]hi, i want to do the obvious, tried going to the hack5 site, and can't figure out how to download ep 7\\
im so confused! i learn quickly, if anyone could coach me in this, i'd be so grateful! please email me at potassium913@yahoo.com or im me at AIM = firehaaazzard
if you can help
thanks so much!
--jackie[/QUOTE]