
Re: VNC client/server combo doing VNC over HTTP



On Saturday 11 March 2006 02:02 am, Mark Fletcher wrote:
> Hal Vaughan wrote:
> >On Friday 10 March 2006 09:29, nullman wrote:
> >>2 short infos to clarify :
> >>
> >>1. VNC over http doesn't exist
> >>2. Port-Numbers can be altered with any version
> >>
> >>Solution would be : ssh on Port 443 ... with that you can trick most
> >>proxies with the "connect" method to use any proxy-capable ssh-client
> >>(putty for example)
> >>-> after ssh-connection is ok .. you can do vnc-over-ssh (simple
> >>Port-forwarding)
> >
> >I couldn't get this to work in one of my situations, due to a nasty
> >firewall.  What I have found that seems to work is using stunnel to
> >tunnel the VNC data through port 443 as HTTPS data, close to what is
> >mentioned above.  I'm still working on part of the solution, since I
> >can't easily install stunnel on my clients Linux systems.  When I'm all
> >done, I'll post my results, since there has been very little on this
> >list to directly apply to this -- at least on my case.
> >
> >Here's a link to stunnel: http://www.stunnel.org
> >
> >And here's a link to a tutorial about it, but it follows Windows, so
> >you'll have to make some allowances and when they tell you to use
> >ca.bat, it'll work best to download the file, extract the files that do
> >the work, and convert them to Linux and run just those lines.  You'll
> >get some "directory does not exist" errors, but if you make the
> >directory and re-run the program line, it'll work.  At one point it'll
> >complain about no index file, so do "echo 00 >index" and it'll fix it
> >-- forgot what dir that is needed in, though.
> >
> >I'll have more detailed instructions later, when I've got all my stuff
> >behaving at 100%.
> >
> >Hal
>
> Again thanks a lot for the suggestion, I'll try this too -- but I have a
> possibly stupid question. What protocol will the gateway of my corporate
> WAN think it is being asked to handle in this case? I don't think it
> will allow any connections going out on VNC protocol, regardless of the
> port number in use. HTTP / HTTPS is fine, not a lot else is...

<austin_powers:dr_evil>
	muhahaha... 
</austin_powers:dr_evil>

<simpsons:burns>
	HTTPS, eh? excellent.
</simpsons:burns>

try running ssh on port 443 at home and then try ssh-ing from work. the nice 
thing about HTTPS is that it's not a TLS type thing where you start off 
unencrypted and then do an encryption handshake. therefore, there shouldn't 
be *any* unencrypted data flowing back and forth that the firewall can look 
at. the encrypted exchange is designed to stop man-in-the-middle. that takes 
the firewall out of the picture since it has nothing in the data flow that it 
can look at and go, "yes, it is indeed HTTPS". it's just relying on the port 
being 443. so any protocol should work as long as the port is 443.


anoop.

>
> Am I just totally wrong on this? Or do I need to do something else to
> disguise VNC packets as HTTP / HTTPS / something else a corporate
> firewall can reasonably be expected to allow?
>
> Mark

-- 


anoop
aaryal@foresightint.com
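
What a gateway can check on a port 443 flow, as an added example that is not part of the original message: a TLS session opens with a cleartext handshake record, an SSH session with a cleartext `SSH-` identification string, and VNC with an `RFB ` version line, so the first payload bytes label the protocol independently of the port. The function names, flow tuples and sample payloads are constructed for illustration.

```python
import struct

# Cleartext openers defined by the protocol specs: TLS record header,
# SSH identification string (RFC 4253), RFB ProtocolVersion, HTTP request line.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

def classify_first_bytes(payload: bytes) -> str:
    """Label the first application-layer bytes seen on a TCP flow."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # RFB ProtocolVersion is exactly 12 bytes: b"RFB xxx.yyy\n"
    if payload.startswith(b"RFB ") and payload[11:12] == b"\n":
        return "vnc-rfb"
    if payload.startswith(HTTP_METHODS):
        return "http-cleartext"
    if len(payload) >= 6:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
        # 0x16 = handshake record, version 3.x, handshake type 0x01 = ClientHello
        if (ctype == 0x16 and major == 3 and minor <= 4
                and 0 < rec_len <= 16384 and payload[5] == 0x01):
            return "tls-client-hello"
    return "unknown"

def flag_non_tls_on_443(flows):
    """Return (flow_id, label) for port 443 flows that do not open with TLS.

    flows: iterable of (flow_id, dst_port, first_payload) tuples (assumed shape).
    """
    flagged = []
    for flow_id, dst_port, first_payload in flows:
        if dst_port != 443:
            continue
        label = classify_first_bytes(first_payload)
        if label != "tls-client-hello":
            flagged.append((flow_id, label))
    return flagged

# Constructed sample flows (truncated first payloads, not captured traffic).
SAMPLE_FLOWS = [
    ("flow-a", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
    ("flow-b", 443, b"SSH-2.0-OpenSSH_4.2\r\n"),
    ("flow-c", 443, b"RFB 003.008\n"),
    ("flow-d", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for flow_id, label in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"{flow_id}: port 443 but first bytes look like {label}")
```

This labels only the outermost protocol; anything carried inside a genuine TLS session is labelled as TLS.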