Questions
Why can't my VNC viewer connect to my VNC server?
Can I use VNC to remotely control another computer across the internet?
What about fullscreen sessions?
Is VNC secure?
How do I use VNC through my firewall?
Answers
Why can't my VNC viewer connect to my VNC server?
VNC requires TCP/IP network connectivity between the viewer and server
computers. A simple test is to use the ping utility. If you can't ping
from your viewer to your server, and vice-versa, then VNC will not
work!
Can I use VNC to remotely control another computer across the internet?
Yes. VNC uses the TCP/IP protocol which is the networking standard of
the Internet. You can use VNC over LANs, WANs, broadband ISP, and
modem dialup ISP. The performance will vary with the amount of
networking bandwidth you have, but there are special encodings and
compression to make the most out of the bandwidth available. There is
also an automatic linespeed detector, which will dynamically switch in
the most suitable compression scheme for the connection you have. You
should read the FAQ on security, and about using VNC through firewalls.
What about fullscreen sessions?
PMVNC doesn't support fullscreen sessions. If you have switched to
fullscreen and can't return to the desktop, select "Send Ctrl-Alt-Del" in
your VNC viewer; PMVNC will switch to the desktop on receiving the CAD
sequence (it will not reboot!).
Is VNC secure?
The only really secure computer is one without a network. VNC requires
a password when a viewer tries to connect to a server. This password
is encrypted to deter snooping, but the graphical data that follows, carried
by the VNC protocol, is not. In many ways, VNC is more secure than remote
login programs such as telnet, where both the password and the following
data are sent in the clear as ASCII characters. Many people find it
perfectly acceptable to use VNC like this behind a corporate firewall,
across a VPN, or between computers within the home. However, if the
computer or network is connected to the internet, we strongly advise
the use of additional security. See how to make VNC
secure using SSH. You might want to know how to use VNC
with a firewall.
How do I use VNC through my firewall?
Many organisations operate firewalls to reduce the risk of intrusion by
malicious attackers via the Internet. These firewalls typically operate
by only allowing connections in to machines in that organisation on
specific ports. Which ports are permitted access depends upon the
network protocol that uses the port and the degree of security it
provides.
VNC servers can accept incoming connections through firewalls in two
main ways. Although the first is usually the simplest to arrange, we
recommend using the SSH tunnelling method wherever VNC is to be used
over an untrusted network such as the Internet.
- Opening Ports - The simplest way to allow VNC
connections in through your firewall is to configure your firewalling
software to allow connections to the VNC ports. If N is the
display number of a particular VNC server then it will accept
connections on port 5900+N. Configuring your firewall to allow
connections to this port will allow VNC to work. If you wish to use the
in-built web server and Java VNC Viewer then you will also need to
allow connections to port 5800+N. Unfortunately, because VNC
traffic is not encrypted, this approach weakens the security provided
by your firewall, and so is not advisable.
- Secure Tunnelling - Most organisations that operate
firewalls allow connections to a number of standard ports, that are in
principle used only by secure or harmless protocols. While VNC in its
present incarnation is not suitably secure for this to be advisable, it
can be "tunnelled" through a secure protocol layer to achieve the same
effect. The Secure Shell (SSH) protocol is one example of such a
wrapper, and is one which most firewalls allow access through. The
Secure Shell client is run on the VNC client computer and is made to
forward connections to a particular port on that machine to a port on
the VNC server machine. The forwarded connection is encrypted by the
SSH software, which can provide both encryption and authentication. For
more details on how to do this, see here.
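
The secure tunnelling method above, as an added example that is not part of the PMVNC documentation: a small shell helper that turns a display number N into port 5900+N and prints the matching SSH port-forward command. It assumes an OpenSSH client on the viewer machine and an SSH server running on the VNC server machine; the function names, the host `vnchost.example` and the user `alice` are made up for illustration.

```shell
#!/bin/sh
# Added example; not PMVNC's own code.

# vnc_port BASE DISPLAY -> prints BASE+DISPLAY (5900+N for VNC, 5800+N for the
# web server). Displays are limited to 0..99 here (a choice of this example)
# so that 5800+N can never collide with the 5900+N range.
vnc_port() {
    case "$2" in
        ''|*[!0-9]*|0?*|???*)
            echo "display must be an integer from 0 to 99" >&2
            return 1 ;;
    esac
    echo $(( $1 + $2 ))
}

# vnc_tunnel_cmd DISPLAY SSH_TARGET [LOCAL_DISPLAY]
# Prints the ssh command that forwards a port on the viewer machine to the
# VNC port of display DISPLAY on the server machine.
vnc_tunnel_cmd() {
    rport=$(vnc_port 5900 "$1") || return 1
    lport=$(vnc_port 5900 "${3:-$1}") || return 1
    case "$2" in
        ''|-*) echo "bad ssh target" >&2; return 1 ;;  # refuse option-like input
    esac
    # Left-hand 127.0.0.1: only the viewer machine itself can use the forward.
    # Right-hand 127.0.0.1: the SSH server reaches the VNC server over
    # loopback, so the firewall only has to admit SSH, not port 5900+N.
    # -N: no remote command; ExitOnForwardFailure: fail loudly if the local
    # port is already taken instead of leaving a session with no tunnel.
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${lport}:127.0.0.1:${rport} $2"
}

# Constructed sample: server display 1, reached on the viewer as display 2.
vnc_tunnel_cmd 1 alice@vnchost.example 2
```

With the printed command running, point the VNC viewer at `localhost:2`; the unencrypted VNC traffic then only travels inside the SSH connection.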