# java-vnc problem

## thecooptoo

I don't think I understand the connections.

I want to access the desktop of a machine behind my FW, using the browser applet.

I've downloaded the java-vnc applets and put them in http:/blah.../vnc/

http://blah../vnc/index.html

loads the Java applet, but I'm stuck after that.

I want to connect to x11vnc running on 192.168.0.200:5900.

i.e.

client FF browser ->www->my router(192.168.0.100)->192.168.0.200:5900

So does the applet connect from x.x.x.100 to x.x.x.200?

i.e.

```
<PARAM NAME="HOST" VALUE="192.168.0.200">
<PARAM NAME="PORT" VALUE="5900">
```

If so, I can't get it to work - I just get a socket error message.

Or

should I connect to the machine the applet is coming from, and use port forwarding to connect to the target?

i.e.

```
<PARAM NAME="HOST" VALUE="192.168.0.100">
<PARAM NAME="PORT" VALUE="5900">
```

and use shorewall to forward x.x.x.100:5900 to x.x.x.200:5900?

Thanks for any help.

----------

## Moriah

I use vnc all the time, and have since 1997, but I do not use the java applet, as it was always too slow in the "good old days", and I have adapted to using vncviewer and vncserver directly.  If I am on my lan, I just connect the vncviewer directly to the vncserver, but if I am roving with a laptop, then I use ssh to build a tunnel between the vncserver and the vncviewer.  Since my laptop can have just about any ip address at all, compliments of dhcp and various wifi connections or sprint wireless broadband, and the workstation back home running vncserver is behind multiple firewalls, here is what I do:

I ssh from the laptop to the gateway firewall, mapping the appropriate vnc port number in the process:

```

ssh -L 590x:localhost:590x me@my.gateway.fw

```

Then I ssh thru the choke firewall:

```

ssh me@choke.fw

```

Then I ssh from the choke to my workstation:

```

ssh me@workstation.lan

```

Once on the workstation where the vncserver is, I project the associated vnc port back to the gateway firewall:

```

ssh -R 590x:localhost:590x me@gateway.fw

```

This completes the port mapping tunnel, and I then start my vncviewer on the laptop:

```

vncviewer localhost:x

```

where "x" is the vnc display port sans the "590".

The advantage of this technique is that it lets you get thru the firewalls without having to keep a port mapped all the time, and you enjoy SSL encryption from the ssh tunnels.  If I am running windoze on the laptop, then I use cygwin and openssh to build the tunnel.

Hope this helps!

----------

## thecooptoo

Thanks - SSH is available to me (PuTTY off a stick) but not really to everyone who would be involved, and IT aren't happy about VNC for all.

Apache shows the web pages being served, but I'm having problems getting the connection to the target machine - I wonder if it's anything to do with the ISA proxy that is in the way.

Any way of debugging that and looking at the Java authentication that's going back and forth?

And - when I try to connect wirelessly to a machine on my LAN it freezes the wireless AP!

----------

## Moriah

Have you tried tcpdump, snort, or wireshark?  That will show you the traffic.  Of course, you have to know how to interpret it...
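
As an added example (not part of the original posts), here is one way to interpret the VNC side of such a capture: a decoder for the RFB 3.8 handshake, fed the two directions of a reassembled TCP stream. The names `Reader`, `decode_handshake`, `S2C` and `C2S` and the sample bytes are constructed for illustration, and only the None and VNC Authentication security types are decoded.

```python
import struct

SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

class Reader:
    """Cursor over one direction of a reassembled TCP stream."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"stream truncated at offset {self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

def decode_handshake(s2c, c2s):
    """Decode an RFB 3.8 handshake from the two directions of one TCP stream."""
    srv, cli, out = Reader(s2c), Reader(c2s), {}
    for side, r in (("server_version", srv), ("client_version", cli)):
        banner = r.take(12)
        if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
            raise ValueError(f"{side}: not an RFB banner: {banner!r}")
        out[side] = banner[4:11].decode("ascii")
    if out["client_version"] != "003.008":
        raise ValueError("only the RFB 3.8 message layout is decoded here")
    count = srv.take(1)[0]
    if count == 0:  # server refused before offering any security type
        out["result"] = "refused: " + srv.take(srv.u32()).decode("latin-1")
        return out
    out["offered"] = [SECURITY_TYPES.get(t, f"type {t}") for t in srv.take(count)]
    chosen = cli.take(1)[0]
    out["chosen"] = SECURITY_TYPES.get(chosen, f"type {chosen}")
    if chosen == 2:  # 16-byte challenge, then the client's 16-byte response
        out["challenge"], out["response"] = srv.take(16).hex(), cli.take(16).hex()
    elif chosen != 1:
        out["result"] = "not decoded past the security type"
        return out
    ok = srv.u32() == 0  # on failure RFB 3.8 appends a length-prefixed reason
    out["result"] = "OK" if ok else "failed: " + srv.take(srv.u32()).decode("latin-1")
    return out

# Constructed sample: client picks VNC Authentication and the server rejects it.
S2C = (b"RFB 003.008\n" + bytes([2, 1, 2]) + bytes(range(16))
       + struct.pack(">II", 1, 21) + b"Authentication failed")
C2S = b"RFB 003.008\n" + bytes([2]) + bytes(range(16, 32))

if __name__ == "__main__":
    print(decode_handshake(S2C, C2S))
```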

----------

## thecooptoo

Having dug into it a bit, I've now created a signed Java applet according to http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html.

The error I get is now

"Network error :could not connect to server 192.......";

Wireshark on the target machine shows nothing coming from my server.

So I think it's something to do with the security policy of the Java that is (currently) restricting access to elsewhere on my LAN.

----------

## Moriah

Do you have an external firewall between the client and the server?

----------

## cach0rr0

ISA will no doubt interfere with this if using a default ruleset 

You would need to create a new firewall rule in ISA, near the top of your firewall rules

From=>Network Group=>External

To=>Network Group=>Internal (unless you've defined another group for VNC systems)

- make sure this applies to 'All Users' and not 'All Authenticated Users'

- ensure it's TCP 5xxx (whatever ports you require)

- do the inverse of this so the connection can be returned outbound

You should also be able to view what's being dropped within the ISA Management snapin, if anything. 

I don't recall, as it's been a good 6 months or so since I've had to touch ISA, but I don't think it has anything for VNC under "publish a server"

Realistically this is NOT the best  method for giving remote users access to internal machines. This is a band-aid approach that will cause you nothing but problems. 

The correct way to do this is to create a proper VPN using OpenVPN or similar, that bypasses ISA completely. That's a free, sane route to go. 

There are other alternatives like gotomypc, gotomeeting, etc, but these cost money. 

If you want something that's  both easy for you to set up, and easy for users, trying to fiddle with ISA to get the connections allowed is NOT the best way to go.

----------

