Don't even consider option 2, that's 26 holes in your firewall. Option 1 is your best option, except I would use RDP to get to your server, and then run VNC from it. RDP is MUCH faster than VNC. Use a tool like VNCCon on your server to manage all the VNC sessions, and it will allow you to start and stop your VNC services when you are done.
Are you saying a MS port is worse than other ports? That's absurd. Ideally NO port should be open unless it's into a DMZ. I guess it should be added that a VPN session for administration is the best route. Also, you can change RDP ports just as easily as VNC ports. I laugh at the consortium that refers to it, just as you do, as a Microsoft port though. It's the same port as Citrix!
I have a small network (25 PCs) and all connections come through a file server with a D-Link DI-604. Now I want to access a Windows XP machine on, say, 192.168.0.199 with WinVNC, but I am unsure how to set this up.
You have two options, since all connections come through a NAT router, and since the 604 only supports ONE public IP, you can do one of the following methods:
1) VNC into the server, then run VNC from the server to the other workstations. This means you only forward 1 port inbound and then bounce from the server to the workstations to see them.
2) Set up 26 different port forwards in the router, one for each machine, one unique port per machine. Set each machine to listen for VNC on one of those unique ports. This exposes your internal network to 26 different ports from outside.
Option 1 is the best option as you don't have to change any of the VNC ports, except on the server: don't use the default port on the machine that will act as your gateway-type device.
Yea, I almost didn't mention it, but I got blasted for not presenting all sides of a solution a couple days ago :)
I would never expose RDP to the net, it's just not worth it. VNC on a non-default port, using a NON-NT account, with a nasty password, and have it set to SHARE ALL sessions and then to Lock-Desktop when exiting in case the user gets disconnected.
There is also a product called TightVNC that's available.
The less MS ports you expose through your router the better.
In essence I am. What I'm saying is that, with the history of all the exploits and holes, I'm not willing to expose any MS ports (except for ones absolutely needed) to the net. If there are open-source products that have passed threat tests and ones where I can view the code (since I write code in several languages), I feel more secure with those than with the MS solution.
We're almost on the same page, but I just don't trust the MS products to be secure, and from the history of them with networking products, it's a valid concern.
Don't get me wrong, I'm a MS Partner and ISV, and I build solutions around MS products, but the only remote management port I'm going to expose to the internal server/network is the one for VPN sessions, and that's going to be a VPN into the firewall appliance (not a cheap router) and then only with a different user/password than the DC network user (two user/password layers).
As for small shops that don't have a proper firewall appliance, one that supports at least PPTP terminating at the firewall, then port forwarding to the server for VPN is a viable solution. I would rather see them install VPN or VNC to the server and then branch out from inside the network than expose the RD product to the net.
I've never had a compromised network, and we have clients with branch offices all over the country using VPNs between offices, and I'll stick with my non-MS remote connection methods until MS designs a totally secure OS.
Taking a moment's reflection, snipped-for-privacy@w-manager.com mused:
| How to ensure VNC is secure so that I can access my home machine when I'm traveling?
Download UltraVNC and the DSM plugin "MSRC4Plugin.dsm", which will provide 128-bit encryption for your connection. Enable MS Logon in the VNC server, which will require a valid computer username and password to access the server.