BRAVO TECHNOLOGY CENTER

Establishing Remote Control by Sam C. Chan
 

First published:  November 15, 2008
Last Revised:  September 11, 2015

Introduction

When it comes to remote access, there are 2 primary approaches:

  1. Remote Node: establish your home/roaming PC or device as a full-fledged LAN-based workstation at HQ. This is achieved by establishing a VPN, via packet encapsulation. Note: the term "VPN" as used by consumers is a complete misnomer; what they are describing is a TLS/SSL web proxy, not at all a virtual private network!
  2. Remote Control: your PC/device acts as a terminal, viewing the output of the target host, where all the processing happens. You also have keyboard/mouse control of that target host.
    • dedicated session (virtual video "card"): RDP/TS/Citrix (w/ anti-aliasing)
    • shadow session (via "screen scraping" + "video hook"): Microsoft Remote Assistance, VNC (all variants) and similar, Bravo RMx (1-click download & run)
Each approach has its pros and cons. Most use case scenarios are particularly well-suited to one or the other. Some can accommodate both, while others might be impractical with one of them.

This article covers one particular aspect of Remote Control: achieving connectivity at the TCP/IP "plumbing" level.

Backgrounds & Concepts

  • Network Address Translation (NAT):
    • used by all home & small-business users to share a single, dynamically assigned, ISP-issued public IP address among multiple PCs and devices, via self-issued, non-routable private IP addresses.
    • mid- to large-size businesses have blocks of public addresses
    • FYI: TimeWarner charges $35/month for a block of 5 static addresses
  • Inbound traffic (any at all)
    • is precluded by nature for all NAT hosts with a private IP address, unless
      • explicit steps are taken, requiring technical knowledge, and
      • every cascaded router involved supports Port Address Translation (PAT) and carries a forwarding rule for the port
    • is automatic for non-NAT exposed locations--unless explicitly blocked by IT
  • Outbound traffic (other than TCP 80, 443)
    • is a non-issue at home
    • relatively unrestricted at most public places, and
    • impossible without explicit approval at IT-controlled places
  • To enable end-to-end connections
    • one must gain control of the perimeter router(s), and
    • administrator rights on the host station during setup (but not for actual usage)
  • all methods involving active intermediaries (beyond passive ISPs) are insecure by definition, as full-time, unfettered control of, and content visibility into, both systems (source & target) is granted to the third party(ies).
  • Connections via LAN and WAN are entirely different!
    • Testing from outside locations is mandatory! A successful connection from inside the LAN proves nothing about the WAN path.
  • Dynamic DNS (DDNS) service is required on the target end if it does not have a static public IP address (an internal private, DHCP-reserved address is fine)
  • logistical details: power source & endurance, sleep mode(s), Wake-on-LAN (WOL), LAN-based IP address stability (either static or DHCP-reserved)... and many others
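The inbound-reachability points above can be turned into a pre-flight check. The following Python script is an added example and is not part of the original article: walking outward from the target host, each RFC 1918 address that has to be traversed is a router you control and must configure with a PAT (port-forward) rule; a carrier-grade NAT address (100.64.0.0/10, RFC 6598) marks an ISP-side NAT you cannot configure at all, which rules out a plain inbound connection; and the DDNS name must resolve to the address the outside world actually sees. The address lists are constructed sample data (the "public" addresses are taken from the RFC 5737 documentation range). The live TCP probe at the end is only meaningful when run from an outside location, per the LAN vs. WAN warning above.

```python
"""Pre-flight check: can an outside client reach a NAT'ed target host inbound?

Added example, not part of the original article. Addresses below are
constructed sample data; the 'public' ones are RFC 5737 documentation addresses.
"""
import ipaddress
import socket

# Self-issued, non-routable address blocks (RFC 1918) -> a router you configure.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shared address space used by carrier-grade NAT (RFC 6598) -> the ISP's NAT, not yours.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def nat_layers(path):
    """Count the NAT layers between the target host and the Internet.

    path: addresses seen walking outward from the target host, e.g.
          [host LAN IP, router-1 WAN IP, router-2 WAN IP, ..., address seen from outside]
    Returns (own_pat_hops, isp_nat):
      own_pat_hops - routers under your control that each need a PAT rule
      isp_nat      - True if a CGNAT address is traversed (ISP-side NAT)
    """
    own_pat_hops = 0
    isp_nat = False
    for inside in path[:-1]:              # the last entry is what the outside sees
        ip = ipaddress.ip_address(inside)
        if ip in CGNAT:
            isp_nat = True
        elif any(ip in net for net in RFC1918):
            own_pat_hops += 1
    return own_pat_hops, isp_nat


def inbound_plan(path, ddns_resolves_to, port):
    """Plain-language findings for a direct inbound connection (path 'A connects to B')."""
    findings = []
    hops, isp_nat = nat_layers(path)
    public_ip = path[-1]
    if hops == 0 and not isp_nat:
        findings.append(f"host {path[0]} is directly exposed; inbound TCP {port} needs only a firewall allow rule")
    elif hops == 1:
        findings.append(f"one PAT rule needed: {public_ip}:{port} -> {path[0]}:{port}")
    elif hops > 1:
        chain = " -> ".join(path[:-1])
        findings.append(f"{hops} cascaded routers: each must forward TCP {port} to the next inside hop ({chain})")
    if isp_nat:
        findings.append("CGNAT in path: inbound is impossible; use a reverse session or a relay/hub instead")
    if ddns_resolves_to != public_ip:
        findings.append(f"DDNS resolves to {ddns_resolves_to} but the outside sees {public_ip}: fix the DDNS client")
    return findings


def tcp_reachable(host, port, timeout=3.0):
    """Live probe. Run it from OUTSIDE the target LAN; success from inside proves nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed scenarios (sample data, not measured anywhere)
HOME = ["192.168.1.50", "203.0.113.7"]                        # one router with a public WAN address
DOUBLE_NAT = ["192.168.1.50", "192.168.0.2", "203.0.113.7"]   # ISP-supplied box in front of your own router
CGNAT_PATH = ["192.168.1.50", "100.70.1.9", "203.0.113.7"]    # the ISP itself does the translation

if __name__ == "__main__":
    for name, path in (("home", HOME), ("double NAT", DOUBLE_NAT), ("CGNAT", CGNAT_PATH)):
        print(f"{name}: own PAT hops / ISP NAT = {nat_layers(path)}")
        for line in inbound_plan(path, "203.0.113.7", 3389):
            print("  -", line)
```

Feed `nat_layers()` the WAN address shown on each router's status page plus the address reported by an external "what is my IP" lookup; if the two outermost entries differ, there is a NAT layer you have not accounted for.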

Types of Locations:  Source PC/Device & Target Host

 #  Location                              Router control  NAT  MAC address filtering  Outbound filter             Upload speed             Rate & quota throttling
 1  Your own home / small business        Yes             Yes  No                     TCP 25 only                 very slow                No
 2  Other's home                          maybe           Yes  maybe                  TCP 25 & possibly others    very slow                unlikely
 3  Restaurant (unmanaged public)         No              Yes  No                     TCP 25                      slow ~ extremely slow    maybe
 4  Hotel (managed public)                No              Yes  No                     mild                        slow                     expected
 5  Campus (IT-controlled public)         No              No   No                     severe                      OK ~ extremely slow      certainly
 6  Corporate (IT-controlled)             No              No   Yes                    100% whitelisted            fast, w/ authentication  certainly
 7  Personal hotspot or phone tethering   minimal         Yes  No                     minimal                     very slow                per plan specs

e.g. from home to your small biz office (#1->#1), or from hotel to your home (#4->#1), or from restaurant to IT-controlled corporate HQ (#3->#6), or work to home (#6->#1)
NOTE: Tethering through a mobile phone, or via a discrete "personal hotspot" device, is basically between #1 and #2 above.

Methods/Paths of Connection

  1. A connects to B directly
  2. B connects to A with a Reverse Session
  3. B connects to C to establish a TCP socket for A. A then connects to C to obtain that info, in order to reach B (partial disclosure & trust)
  4. A connects to B as gateway, which reroutes packets to C as the final destination (partial disclosure & trust)
  5. A connects to B as proxy, which discerns everything, and in turn connects to C on A's behalf (full disclosure & implicit trust)
  6. A and B both connect to C as a data exchange hub (full disclosure & implicit trust)
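Paths 1, 2 and 6 above, and the disclosure point made under Backgrounds & Concepts, can be shown end to end on one machine. The following Python script is an added example and is not part of the original article: A is the controlling client, B the target host, C the intermediary hub, all on the loopback interface, and the message is constructed. The direct path needs B reachable inbound; the reverse session turns that around so only A does; the hub lets both sides stay outbound-only at the price of handing every byte to C, which the `seen_by_c` list makes visible.

```python
"""Paths 1, 2 and 6 from the list above, run on the loopback interface.

Added example, not part of the original article. A = controlling client,
B = target host, C = intermediary hub. The message is constructed sample data.
"""
import socket
import threading

LOOPBACK = "127.0.0.1"


def _listen():
    """Listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(2)
    return srv


def _recv_until_eof(sock):
    chunks = []
    for chunk in iter(lambda: sock.recv(4096), b""):
        chunks.append(chunk)
    return b"".join(chunks)


def path1_direct(message):
    """Path 1: A connects to B. B must be reachable inbound (PAT rule, firewall allow)."""
    b_listener, got = _listen(), {}

    def target_b():
        conn, _ = b_listener.accept()
        with conn:
            got["b"] = _recv_until_eof(conn)

    t = threading.Thread(target=target_b)
    t.start()
    with socket.create_connection(b_listener.getsockname()) as a:
        a.sendall(message)
    t.join()
    b_listener.close()
    return got["b"]


def path2_reverse(message):
    """Path 2: B dials out to A, then A drives B over that socket.
    Only A needs inbound reachability; B gets by with outbound access alone."""
    a_listener, got = _listen(), {}

    def target_b():
        with socket.create_connection(a_listener.getsockname()) as b:
            got["b"] = _recv_until_eof(b)

    t = threading.Thread(target=target_b)
    t.start()
    conn, _ = a_listener.accept()
    with conn:
        conn.sendall(message)  # the controller speaks over a connection the target opened
    t.join()
    a_listener.close()
    return got["b"]


def path6_hub(message):
    """Path 6: A and B both dial out to hub C. Neither needs inbound access, but C
    relays, and can read or alter, every byte. Returns (what B received, what C saw)."""
    hub, got, seen_by_c = _listen(), {}, []

    def pipe(src, dst):
        for chunk in iter(lambda: src.recv(4096), b""):
            seen_by_c.append(chunk)        # full disclosure to the intermediary
            dst.sendall(chunk)
        try:
            dst.shutdown(socket.SHUT_WR)   # pass EOF through to the other peer
        except OSError:
            pass

    def hub_c():
        first, _ = hub.accept()
        second, _ = hub.accept()
        legs = [threading.Thread(target=pipe, args=(first, second)),
                threading.Thread(target=pipe, args=(second, first))]
        for leg in legs:
            leg.start()
        for leg in legs:
            leg.join()
        first.close()
        second.close()

    def target_b():
        with socket.create_connection(hub.getsockname()) as b:
            got["b"] = _recv_until_eof(b)

    tc = threading.Thread(target=hub_c)
    tc.start()
    a = socket.create_connection(hub.getsockname())  # A registers with the hub ...
    tb = threading.Thread(target=target_b)           # ... and so does B
    tb.start()
    a.sendall(message)
    a.shutdown(socket.SHUT_WR)
    _recv_until_eof(a)          # wait until B hangs up and C relays the EOF back
    a.close()
    tb.join()
    tc.join()
    hub.close()
    return got["b"], b"".join(seen_by_c)
```

Paths 3 to 5 sit between these extremes: a rendezvous server (path 3) learns only addresses and ports, while a gateway or proxy (paths 4 and 5) sees as much as the hub does. Whatever the path, anything the intermediary must not read has to be encrypted end to end before it enters the socket.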

Layers & Issues Specific to RDP

  • Network Level Authentication (NLA) - mandatory as of March 12, 2012
  • TS/RDC Service status (services.msc)
  • group policies (gpedit.msc)
  • host side OS edition must be: Professional/Enterprise/Ultimate
  • client side could be "home edition" PC, or Android device with special setup
  • all host-based firewall(s):  Windows Firewall, Symantec End-Point, etc.
  • perimeter firewall (in- and out-bound rules)
  • SLA/QoS settings, end-to-end coordination
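The host-side items in that list can be verified in one pass. The following Python script is an added example and is not part of the original article. `evaluate_rdp_host()` is a pure function over a settings dictionary so it can be exercised with the constructed samples at the bottom; `collect_rdp_settings()` fills that dictionary from the live registry and service state and therefore runs only on Windows. The registry locations and value meanings are the standard Terminal Server ones: `fDenyTSConnections` (1 = remote connections denied), `UserAuthentication` (1 = NLA required), `SecurityLayer` (0 = legacy RDP security, 1 = negotiate, 2 = TLS), `MinEncryptionLevel` (3 = High, 4 = FIPS), with any value under the Group Policy key taking precedence over the local value, exactly as gpedit.msc does. Third-party host firewalls, the perimeter firewall and QoS are outside the script's reach and still need a manual check.

```python
"""Check an RDP host against the layers listed above.

Added example, not part of the original article. evaluate_rdp_host() is pure and
runs anywhere; collect_rdp_settings() reads the real registry/service state on
Windows. Sample dictionaries at the bottom are constructed, not captured.
"""
import subprocess
import sys

TS_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
EDITION_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
VALUES = ["fDenyTSConnections", "UserAuthentication", "SecurityLayer", "MinEncryptionLevel", "PortNumber"]


def effective(settings, name):
    """A value set by Group Policy (gpedit.msc) overrides the local Terminal Server value."""
    value = settings.get("policy", {}).get(name)
    return value if value is not None else settings.get("local", {}).get(name)


def evaluate_rdp_host(settings):
    """Return [(code, message), ...]; an empty list means the host side is ready."""
    findings = []
    edition = settings.get("edition") or ""
    if edition.startswith("Core") or "Home" in edition:
        findings.append(("edition", f"EditionID {edition}: Home editions cannot host RDP "
                                    "(need Professional/Enterprise/Ultimate)"))
    state = settings.get("service_state")
    if state != "RUNNING":
        findings.append(("service", f"TermService is {state}, not RUNNING (services.msc)"))
    if effective(settings, "fDenyTSConnections") != 0:
        findings.append(("rdp-disabled", "fDenyTSConnections != 0: remote connections are denied"))
    if effective(settings, "UserAuthentication") != 1:
        findings.append(("nla-off", "UserAuthentication != 1: Network Level Authentication not enforced"))
    if effective(settings, "SecurityLayer") != 2:
        findings.append(("security-layer", "SecurityLayer != 2: TLS not required (0 = legacy RDP, 1 = negotiate)"))
    if (effective(settings, "MinEncryptionLevel") or 0) < 3:
        findings.append(("encryption-level", "MinEncryptionLevel < 3: encryption level below High"))
    port = settings.get("local", {}).get("PortNumber", 3389)
    if port != 3389:
        findings.append(("port", f"listener is on TCP {port}: the perimeter PAT rule must forward that port"))
    return findings


def _reg(path, name):
    import winreg  # Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def collect_rdp_settings():
    """Gather live settings from a Windows host into the dictionary shape used above."""
    if sys.platform != "win32":
        raise RuntimeError("registry/service collection requires Windows")
    local = {n: _reg(TS_KEY if n == "fDenyTSConnections" else RDP_TCP_KEY, n) for n in VALUES}
    policy = {n: _reg(POLICY_KEY, n) for n in VALUES}
    out = subprocess.run(["sc", "query", "TermService"], capture_output=True, text=True).stdout
    state = next((line.split()[-1] for line in out.splitlines() if "STATE" in line), "UNKNOWN")
    return {"edition": _reg(EDITION_KEY, "EditionID"), "service_state": state,
            "local": local, "policy": policy}


# Constructed samples (not captured from a real machine)
WEAK_HOST = {
    "edition": "Professional", "service_state": "STOPPED",
    "local": {"fDenyTSConnections": 1, "UserAuthentication": 0, "SecurityLayer": 0,
              "MinEncryptionLevel": 2, "PortNumber": 3389},
    "policy": {},
}
HARDENED_HOST = {
    "edition": "Professional", "service_state": "RUNNING",
    "local": {"fDenyTSConnections": 0, "UserAuthentication": 0, "SecurityLayer": 1,
              "MinEncryptionLevel": 3, "PortNumber": 3389},
    "policy": {"UserAuthentication": 1, "SecurityLayer": 2},  # GPO overrides the weak local values
}

if __name__ == "__main__":
    target = collect_rdp_settings() if sys.platform == "win32" else WEAK_HOST
    for code, message in evaluate_rdp_host(target) or [("ok", "host side looks ready")]:
        print(f"[{code}] {message}")
```

The `HARDENED_HOST` sample deliberately leaves the local RDP-Tcp values weak and fixes them through the policy key, which is the situation you meet on domain-joined hosts: reading only `WinStations\RDP-Tcp` would report NLA as off when the effective setting enforces it.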

Layers & Issues Specific to VNC (all variants)

  • numerous items in wide scope & deep depth
  • specific version-/variant-dependent
  • impractical to enumerate here  

Aspects of Remote Control  NOT COVERED here:

  • making Wifi/wired LAN connection per instructions from local establishment (hotel?)
  • remote control session procedural tips, techniques & best practices
    • session handling
      • console screen stale message/status
      • logoff vs disconnect
      • seamless handoff/resumption
      • unattended overnight background processing
      • stray defunct sessions (logoff mishaps)
      • multi-level nested sessions
      • locations without certificates
    • coping with screen size mismatch & changes
      • to emulate & scroll, or to dynamically redefine viewport
      • auto-arrange annoyance & outright harm
      • invisible windows! (X,Y-Pos beyond viewport scope)
      • to full-screen or not?
        • suppress connection bar? auto-hide?
        • toggle/escape full-screen mode
    • special keys issues
      • pass-thru or not? which? when?
      • RDP session-specific command keys
      • RDP-equivalent keys: e.g. Ctrl-Alt-End = Ctrl-Alt-Del
    • double-redirect local printing
      • x86/x64 cross-platform scenarios
      • 3rd-party utilities for remote printing
      • application-level tricks
    • local drive sharing/mapping
    • special considerations for IM clients
    • access Windows Security Menu
      • remote restart
      • custom script
      • mitigate risks of inadvertent remote shutdown
    • POP/IMAP coordination & overlaps
    • target host BIOS "after power loss/resumption" default mode
  • host credentials & authentication process
    • strict enforcement of Network Level Authentication (NLA)
    • non-PC client device compatibility implications
    • concurrent sessions
  • bandwidth optimization
    • hybrid browsing (selective copy of URL for local browsing)
      • implications of asymmetrical up/down speed
      • video codecs, transcoding/recompression
    • color depth, fade effects & animations
    • application-specific optimization
    • QoS considerations & latency strategies
  • encryption & other security-/privacy-related topics pertaining to remote access


Copyright © 2005-2006   Bravo Technology Center