First published: November 15, 2008
Last Revised: September 11, 2015
Introduction
When it comes to remote access, there are 2 primary approaches:
- Remote Node: establish your home/roaming PC/devices as a full-fledged LAN-based workstation at HQ. This is achieved by establishing a VPN, via packet encapsulation.
  Note: the term "VPN" as used by consumers is a complete misnomer. They're simply trying to say TLS/SSL web proxy, not at all a virtual private network!
- Remote Control: your PC/devices act as a terminal, viewing the output of the target host, where all processing is happening. You also have keyboard/mouse control of that target host.
  - dedicated session (virtual video "card"): RDP/TS/Citrix (w/ anti-aliasing)
  - shadow session (via "screen scraping" + "video hook"): Microsoft Remote Assistance, VNC (all variants) and similar, Bravo RMx (1-click download & run)
Each approach has its pros and cons. Most use case scenarios are particularly well-suited to one or the other. Some can accommodate both, while others might be impractical with one of them.
This article covers one particular aspect of Remote Control: achieving connectivity at the TCP/IP "plumbing" level.
Background & Concepts
- Network Address Translation (NAT):
  - used by all home & small-business users to share a single, randomly assigned ISP-issued public IP address among multiple PCs and devices, via self-issued, non-routable private IP addresses.
  - mid- to large-size businesses have blocks of public addresses
    - FYI: TimeWarner charges $35/month for a block of 5 static addresses
- Inbound traffic (any at all)
  - is precluded by nature for all NAT hosts with a private IP address, unless
    - explicit steps are taken, with technical knowledge, and
    - all cascaded routers involved support Port Address Translation (PAT)
  - is automatic for non-NAT, exposed locations, unless explicitly blocked by IT
- Outbound traffic (other than TCP 80, 443)
  - is a non-issue at home
  - is relatively unrestricted at most public places, and
  - is impossible without explicit approval at IT-controlled places
- To enable end-to-end connections
  - one must gain control of the perimeter router(s), and
  - administrator rights on the host station during setup (but not during actual usage)
  - all methods involving active intermediaries (beyond passive ISPs) are considered insecure by definition, as full-time, unfettered control & content discernment of both systems (source & target) is granted to 3rd party(ies).
- Connections via LAN and WAN are entirely different!
- Testing from outside locations is mandatory!
- Dynamic DNS (DDNS) service is required on the target end if it doesn't have a static public IP address (an internal, private, reserved DHCP address is fine)
- logistical details: power source & endurance, sleep mode(s), WOL, LAN-based IP address stability (either static or reserved)... and many others
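The "test from outside" and DDNS points above can be checked from the client side with the following script. It is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later (DnsClient and NetTCPIP modules), and the DDNS hostname is a placeholder for your own.

```powershell
# Added example (not from the original article): an "outside location"
# reachability test for a remote-control target published via a DDNS name.
# It proves only that the WAN path (ISP -> perimeter router PAT -> host
# firewall) completes a TCP handshake; it says nothing about credentials or NLA.
function Test-NonRoutableIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # RFC 1918 private space and RFC 6598 carrier-grade NAT space (100.64/10):
    # a DDNS record pointing at any of these is unreachable from the Internet.
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127))
}

function Test-RemoteTargetReachability {
    param(
        [Parameter(Mandatory)][string]$TargetName,
        [int]$Port = 3389        # RDP default; use the forwarded port if remapped
    )
    # 1. DDNS: does the name resolve at all, and to a public address?
    $addrs = Resolve-DnsName -Name $TargetName -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if (-not $addrs) {
        throw "$TargetName has no A record; check the DDNS updater on the target end."
    }
    foreach ($ip in $addrs) {
        if (Test-NonRoutableIPv4 $ip) {
            Write-Warning "$TargetName resolves to $ip, which is not Internet-routable (CGNAT or a stale DDNS value)."
        }
    }
    # 2. TCP: does a SYN get through router PAT and the host firewall to a listener?
    $r = Test-NetConnection -ComputerName $TargetName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target       = $TargetName
        ResolvedTo   = ($addrs -join ',')
        Port         = $Port
        PingReplied  = $r.PingSucceeded     # often blocked on purpose; not a failure
        TcpHandshake = $r.TcpTestSucceeded  # this is the result that matters
    }
}

# Run from a hotel, restaurant or phone tether, never from the target's own LAN.
# 'myhome.ddns.example.net' is a placeholder for your own DDNS hostname.
Test-RemoteTargetReachability -TargetName 'myhome.ddns.example.net' -Port 3389
```

A successful handshake from the target's own LAN proves nothing about the WAN path, which is why the article insists on testing from an outside location.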
Types of Locations: Source PC/Device & Target Host
| # | Location | Control of router | NAT | MAC address filtering | Outbound filter | Upload speed | Rate & quota throttling |
|---|---|---|---|---|---|---|---|
| 1 | Your own home / small business | Yes | Yes | No | TCP 25 only | very slow | No |
| 2 | Other's home | maybe | Yes | maybe | TCP 25 & possibly others | very slow | unlikely |
| 3 | Restaurant (unmanaged public) | No | Yes | No | TCP 25 | slow to extremely slow | maybe |
| 4 | Hotel (managed public) | No | Yes | No | mild | slow | expected |
| 5 | Campus (IT-controlled public) | No | No | No | severe | OK to extremely slow | certainly |
| 6 | Corporate (IT-controlled) | No | No | Yes | 100% whitelisted | fast w/ authentication | certainly |
| 7 | Personal hotspot or phone tethering | minimal | Yes | No | minimal | very slow | per plan specs |
e.g. from home to your small business office (#1->#1), or from a hotel to your home (#4->#1), or from a restaurant to IT-controlled corporate HQ (#3->#6), or from work to home (#6->#1).
NOTE: Tethering through a mobile phone, or via a discrete "personal hotspot" device, is basically between #1 and #2 above.
Methods/Paths of Connection
- A connects to B
- B connects to A with a Reverse Session
- B connects to C to establish a TCP socket for A. A then connects to C to obtain that info, in order to reach B (partial disclosure & trust)
- A connects to B as gateway, which reroutes packets to C as final destination (partial disclosure & trust)
- A connects to B as proxy, which discerns everything, and in turn connects to C on A's behalf (full disclosure & implicit trust)
- A and B both connect to C as data exchange hub (full disclosure & implicit trust)
Layers & Issues Specific to RDP
- Network Level Authentication (NLA) - mandatory as of March 12, 2012
- TS/RDC service status (services.msc)
- group policies (gpedit.msc)
- host-side OS edition must be Professional/Enterprise/Ultimate
- client side could be a "home edition" PC, or an Android device with special setup
- all host-based firewall(s): Windows Firewall, Symantec Endpoint, etc.
- perimeter firewall (inbound and outbound rules)
- SLA/QoS settings, end-to-end coordination
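The host-side layers in this list (NLA, the Terminal Services service, group policy and the host firewall) can be audited in one pass with the script below. It is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later, an elevated PowerShell on the target host, and the built-in English firewall rule group name "Remote Desktop".

```powershell
# Added example (not from the original article): read-only audit of the RDP
# host layers. Registry paths and value names are the standard Terminal Server
# locations; nothing is changed.
function Get-RdpHostStatus {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $get = { param($Path, $Name)
             (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }

    # Group policy (gpedit.msc / domain GPO) overrides the local value when set.
    $deny = & $get $pol 'fDenyTSConnections'
    if ($null -eq $deny) { $deny = & $get $ts 'fDenyTSConnections' }
    $nla  = & $get $pol 'UserAuthentication'
    if ($null -eq $nla)  { $nla  = & $get $tcp 'UserAuthentication' }
    $sec  = & $get $tcp 'SecurityLayer'   # 0 = legacy RDP, 1 = negotiate, 2 = TLS
    $port = & $get $tcp 'PortNumber'      # 3389 unless deliberately remapped
    if (-not $port) { $port = 3389 }

    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # Host firewall: inbound "Remote Desktop" rules must be enabled for the
    # profile (Domain/Private/Public) the host's active connection is really on.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $cats  = (Get-NetConnectionProfile).NetworkCategory

    # Is the service actually bound to the port the perimeter router forwards to?
    $listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        SecurityLayer        = $(switch ($sec) { 0 {'RDP (legacy)'} 1 {'Negotiate'} 2 {'TLS'} default {"unknown ($sec)"} })
        ListeningPort        = $port
        PortIsListening      = [bool]$listen
        ServiceStatus        = $svc.Status
        ServiceStartType     = $svc.StartType
        InboundRulesEnabled  = @($rules).Count
        ActiveProfiles       = ($cats -join ',')
    }
}

$s = Get-RdpHostStatus
$s | Format-List
if (-not $s.NlaRequired) {
    Write-Warning 'NLA is not enforced: set UserAuthentication=1, or enable the GPO "Require user authentication for remote connections by using Network Level Authentication".'
}
```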
Layers & Issues Specific to VNC (all variants)
- numerous items in wide scope & deep depth
- specific version-/variant-dependent
- impractical to enumerate here
Aspects of Remote Control NOT COVERED here:
- making a Wi-Fi/wired LAN connection per instructions from the local establishment (hotel?)
- remote control session procedural tips, techniques & best practices
  - session handling
    - console screen stale message/status
    - logoff vs disconnect
    - seamless handoff/resumption
    - unattended overnight background processing
    - stray defunct sessions (logoff mishaps)
    - multi-level nested sessions
    - locations without certificates
  - coping with screen size mismatch & changes
    - to emulate & scroll, or to dynamically redefine the viewport
    - auto-arrange annoyance & outright harm
    - invisible windows! (X,Y position beyond viewport scope)
    - to full-screen or not?
    - suppress connection bar? auto-hide?
    - toggle/escape full-screen mode
  - special keys issues
    - pass-through or not? which? when?
    - RDP session-specific command keys
    - RDP-equivalent keys: e.g. Ctrl-Alt-End = Ctrl-Alt-Del
  - double-redirect local printing
    - x86/x64 cross-platform scenarios
    - 3rd-party utilities for remote printing
    - application-level tricks
  - local drive sharing/mapping
  - special considerations for IM clients
  - accessing the Windows Security menu
  - remote restart
    - custom script
    - mitigating risks of inadvertent remote shutdown
  - POP/IMAP coordination & overlaps
  - target host BIOS "after power loss/resumption" default mode
- host credentials & authentication process
  - strict enforcement of Network Level Authentication (NLA)
  - non-PC client device compatibility implications
  - concurrent sessions
- bandwidth optimization
  - hybrid browsing (selective copy of URL for local browsing)
  - implications of asymmetrical up/down speed
  - video codecs, transcoding/recompression
  - color depth, fade effects & animations
  - application-specific optimization
  - QoS considerations & latency strategies
- encryption & other security-/privacy-related topics pertaining to remote access
SEE ALSO