
ssh, vnc, and firewalls

Aug 31, 2005 8:31AM PDT

Here's a problem that has been bugging me for a while.

I have been trying to use VNC to access my Windows computer. Since VNC is not a secure protocol, I decided to tunnel it over ssh. I installed OpenSSH (via cygwin) and TightVNC, and everything works great... unless I have a firewall running. ZoneAlarm will only allow access to sshd from computers in the "Trusted Zone." This really doesn't work in my case because I need to access my computer from public machines. I also tried Sygate, and it allowed a remote computer to connect to sshd, but for whatever reason blocked sshd from connecting to the VNC server.

I need a solution that:
1) does not need a second PC
2) allows access from public PCs (I don't have the IPs)
3) allows me to have a bi-directional firewall on my computer (so not Windows Firewall)

If anyone knows any firewalls that work with this setup, or any configuration options I may have missed, I would appreciate it.

Thank you in advance.

Since ssh is a secure protocol...
Aug 31, 2005 8:35AM PDT

Why not open up the port number you selected?

I tried that...
Aug 31, 2005 8:58AM PDT

I tried that with Sygate. I opened port 22, had sshd and the vnc server checked off as being able to access the internet (and act as servers), I even added the loopback address to the trusted zone (or whatever Sygate calls it).

The only thing I didn't do was have the client's IP listed as trusted - I can't do that because I access my computer from a different machine every time. I figured I wouldn't need that if the port was open.

Does this make any sense to you? Do you know what could possibly be causing that?

Thanks again.

In reviewing this again...
Aug 31, 2005 9:47AM PDT

You need to talk to the firewall maker's support. I know this does work, but you may have some odd setting I didn't see here.

Keep at it since I've seen this work with ZoneAlarm just super.

Bob

Thank you Bob
Sep 2, 2005 7:21AM PDT

Thanks for the reassurance that this is indeed possible (I almost gave up). After poking around the manufacturer's website, posting to their forums, and generally asking around I finally figured out what the problem was. It turns out that it was in fact a problem with the VNC server. Apparently, if you want to log into a locked Windows NT/2000/XP computer, you need to have the VNC server running as a system service, otherwise it will just close the connection.

I had never heard this before, so I assumed that it was the firewall because I initially had a lot of trouble trying to get it to work with ZoneAlarm. It turns out that in order to open ports, you need ZoneAlarm Pro. With the free version you can always add different IPs to the "Trusted Zone", but if you are not logging in from the same place every time this is not a very good option. The free version of the Sygate firewall works well for this setup, though.

Thanks again.
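
The mix-up described in the post above (a VNC server that accepts and then drops the connection, mistaken for a firewall block) can be told apart with a local probe of the VNC port. This is an added example, not part of the original thread; it assumes the server listens on the default port 5900, does not assume at which point the server hangs up, and `probe_vnc` and `fake_listener` are hypothetical names, with `fake_listener` a constructed stand-in so the block runs offline.

```python
import re
import socket
import threading

RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")  # 12-byte RFB ProtocolVersion greeting

def probe_vnc(host, port, timeout=2.0):
    """Classify what answers on host:port, as sshd's port forwarder would see it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"          # no listener, or a firewall rejecting the connection
    except OSError:
        return "no-response"      # timeout or unreachable: packets are being dropped
    with sock:
        banner = b""
        try:
            while len(banner) < 12:
                chunk = sock.recv(12 - len(banner))
                if not chunk:
                    return "closed-early"  # accepted, then hung up before greeting
                banner += chunk
        except socket.timeout:
            return "silent"       # accepted, but no greeting arrived in time
        except OSError:
            return "closed-early" # connection reset by the peer
    m = RFB_BANNER.match(banner)
    return "rfb %d.%d" % (int(m.group(1)), int(m.group(2))) if m else "not-rfb"

def fake_listener(greeting):
    """Constructed stand-in server: accept once, send greeting (may be empty), close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # On the real machine, run probe_vnc("127.0.0.1", 5900) with the firewall on and off.
    print(probe_vnc("127.0.0.1", fake_listener(b"RFB 003.008\n")))  # healthy server
    print(probe_vnc("127.0.0.1", fake_listener(b"")))               # accepts, then hangs up
```

A result of `refused` or `no-response` on the loopback address points at the firewall or a server that is not running; `closed-early` or a valid `rfb` greeting means the firewall let the connection through and the VNC server's own configuration is the place to look.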

And my oversight at fault...
Sep 2, 2005 11:13AM PDT

I always select the 'as service' install since I want the system to be able to boot up, not be logged in on the console and it to just work. I never tried it any other way. So I never ran into the issue you encountered.

Sorry about that.

Bob