Remote desktop over VPN

Hi, one of my clients is connecting to my network through a VPN. Is there any possibility of starting Remote Desktop, DameWare or some other desktop-sharing tool to view his desktop?

renil

Posted by renil.lambert

Run VNC on his computer and then connect to his private IP address back through the VPN.

Posted by Leythos

Those will only work if the VPN is configured to allow that, i.e. he has to have a virtual IP and policies to allow the traffic. Some boxes do that by default, some allow you the option, some do not allow you to do it. Depends on both ends of the VPN.

You can get remote control of just about any PC with internet access via [link], a commercial service that I feel is well worth the money for remote support of firewalled PCs.

If the VPN client doesn't allow Internet traffic out while on the VPN, and doesn't allow a virtual IP connection back, you might be toast. That seems like an unlikely combination though.

-Russ.

Posted by Somebody.

Yes, but in most cases people posting to this group don't have their firewall setup to restrict at the port/service level. I suspect that VNC would work just fine.

Posted by Leythos

Unless expressly permitted, all traffic is implicitly denied.

That's how firewalls work. Why assume otherwise when responding to posts?

Triffid

Posted by Triffid

Because that's not how many devices called "firewalls" since the advent of the NAT router and Windows PPTP work. While my WatchGuard or other appliances may block by default, a simple Linksys/D-Link/Netgear where the user creates a PPTP session to another network will let the remote network tunnel back through the VPN session to the host/host network that created it without being blocked.

I am offended that the marketing departments have been able to get away with calling simple NAT solutions "firewalls" when they are just routers.

While I can create, in essence, a one-way VPN with port/IP limitations in my real firewalls, the cheap NAT units that also do IPsec tunnels (like the Linksys BEFVP41) offer nothing more than a fully open two-way connection on their end. This means that unless one side is a real firewall, one that allows rules to configure VPN traffic, the user could VNC back through the VPN to the user's desktop (if they were running VNC).

The reason I guess that they are not using real firewalls is based on how the post was presented/worded. I suspect that neither side is using a real firewall, only a cheap SOHO/residential solution. One other thing: any admin that would post "I have a firewall..." already knows how to do what they asked here, so that was another reason to suspect they are using cheap SOHO/NAT units.

Posted by Leythos

90% of people, when configuring a VPN, configure it wide open, all ports and protocols.

However, some devices allow traffic in only one direction for a software VPN, some both. I suspect that is the OP's issue.

-Russ.

Posted by Somebody.

Guys, it's software on the remote end, not hardware.

So as I've said, some software allows the remote end to be addressed from the head office, some does not, some depends on the configuration.

-Russ.

Posted by Somebody.

I think I've said the same. Since we don't know, based on the description, I figured it was not a quality VPN solution.

Posted by Leythos

Can you define ASSUME? Murphy will bite the user and the enterprise that is silly enough to do either!

Even Joe XP/Home Edition users are implementing deny all/all, so lots of luck.

Posted by Jeff B

Jeff, how many corporate VPNs have you had experience with?

The suggestion that 90% of people configure a VPN wide open is, in my *experience*, approximately correct. Perhaps 10 to 20 percent high, but no more.

One of the first things we typically address when consulted.

The reason is that they use the tunnel to run a workstation from remote as if it were on the LAN. Have you ever tried to enumerate all the ports and protocols required for a typical corporate workstation to do a domain login, run Exchange, read file shares, print, hit a few client/server applications, and allow the centrally managed corporate update/virus/support tools? Once you open that much stuff up, you may as well open up the rest, because your behind is hanging out so far anyway on so many interesting services...

-Russ.

Posted by Somebody.

The nicest I saw was at a company in Saragoza (Spain): a VPN over several locations in Spain, and then an unencrypted WiFi (WLAN) access point at the central location in Saragoza, _repeating_ all packets of the VPN onto it ;-)

Yours, VB.

Posted by Volker Birk

Egad...

Thanks for sharing... LOL...

-Russ.

Posted by Somebody.

Wide open is not needed to permit a workstation to access the company network. As most remote workstations only need to hit a limited number of IPs, you can set up a rule that only permits the remote IP to access the local IP; while it's not a good solution, it does limit them to the resources required.

I personally use a VPN with IP:3389 to a fixed location so that they can only RD into one node, no other ports, and it works quite well for all of the users.

Posted by Leythos
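As an added example (not from any poster in this thread), here is what the "VPN users may only reach one host on TCP/3389" policy from the post above looks like as an nftables ruleset, next to the wide-open forward policy that the cheap NAT/VPN units discussed earlier effectively ship with. The interface name tun0, the remote pool 10.99.0.0/24 and the RDP host 192.168.1.10 are hypothetical placeholders; set VPN_IF, VPN_POOL and RDP_HOST for your own tunnel.

```shell
# Added example, not part of the original thread. Renders two nftables
# rulesets for the forward hook of a Linux VPN concentrator / firewall:
# the wide-open policy most SOHO VPN boxes give you, and the locked-down
# "one host, TCP/3389 only" policy described in the post above.
# Assumed (hypothetical) values; override via environment variables.
VPN_IF="${VPN_IF:-tun0}"              # tunnel interface remote users arrive on
VPN_POOL="${VPN_POOL:-10.99.0.0/24}"  # addresses handed to VPN clients
RDP_HOST="${RDP_HOST:-192.168.1.10}"  # the single node users may RD into

# Wide open: the chain policy is accept, so anything the tunnel delivers is
# forwarded into the LAN, and the LAN (or anyone on it) can reach back into
# every VPN client. This is the two-way hole the thread complains about.
wide_open_ruleset() {
  cat <<EOF
table inet vpn {
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
}
EOF
}

# Locked down: default drop. New sessions are accepted only from the VPN
# pool, only to the RDP host, only on TCP/3389; replies ride on conntrack.
# LAN -> tunnel traffic hits the policy drop, so nothing can VNC back into
# a remote user's desktop unless you add a rule for it explicitly.
locked_down_ruleset() {
  cat <<EOF
table inet vpn {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$VPN_IF" ip saddr $VPN_POOL ip daddr $RDP_HOST tcp dport 3389 ct state new accept
    iifname "$VPN_IF" log prefix "vpn-drop: " drop
  }
}
EOF
}

# Report the chain's default policy ("accept" or "drop") for a ruleset
# function: the first thing to audit on any VPN box you did not build.
policy_of() {
  "$1" | sed -n 's/.*policy \([a-z]*\);.*/\1/p'
}

# Count accept rules that match traffic arriving on the tunnel interface.
# Locked down should report exactly 1 (the RDP rule); wide open reports 0
# because it has no rules at all, which is worse, not better: see policy_of.
tunnel_accept_rules() {
  "$1" | grep -c "iifname \"$VPN_IF\".*accept" || true
}

# Stand-alone usage: print both rulesets with their audited properties.
for rs in wide_open_ruleset locked_down_ruleset; do
  printf '### %s: policy=%s tunnel accept rules=%s\n' \
    "$rs" "$(policy_of "$rs")" "$(tunnel_accept_rules "$rs")"
  "$rs"
done
```

To check syntax without loading anything, pipe a ruleset into `nft -c -f -`; to apply it, `locked_down_ruleset | nft -f -`. The last rule is redundant with the chain policy but gives you a logged, per-packet record of what remote users tried to reach beyond the RDP host, which is exactly the evidence that is missing when an "application X doesn't work" complaint comes in.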

Using just 3389 is a pretty easy way to grant pretty wide access with pretty minimal exposure; one of my favorite methods. And your other comments are valid; I'm just relating what I've seen in the field. When (if?) people try to lock it down, application X doesn't work, application X's vendor doesn't seem to be able to come up with a good explanation of what it does, and it's all over the map such that logging doesn't reveal a satisfactory answer, so they leave it open.

Much better to use RDP IMHO.

-Russ.

Posted by Somebody.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.