
VNC to remote NC clients

Hobnob_
Occasional Contributor

VNC to remote NC clients

I've got two NC policies - one for our IT personnel which is wide open, and another one for standard users that only allows access to certain resources. I want to be able to VNC (port 5900) TO a remote NC client from our LAN. When the remote user is logged in using the IT policy, VNC works just fine. But when I have a standard user logged on to NC, attempts to reach the remote client time out. I've used Wireshark to look at the traffic and it appears that the SA2500 (6.4R1) is blocking the traffic. Among other things on the standard user ACL, I have "tcp://*.5900". Is there something else I need to do here? This setting allows the remote client to connect to a computer on the LAN (as expected), but not the other way around.
5 REPLIES
William_
Occasional Contributor

Re: VNC to remote NC clients

You need to create a rule that permits your LAN network and the ephemeral ports you'll be using in your policy. For example, if your LAN network is 192.168.1.0/24 you will need an NC policy that permits tcp://192.168.1.0/24:* or some range of ephemeral ports which varies based on operating system.
Message Edited by William on 10-16-2009 09:58 AM
Mrkool_
Super Contributor

Re: VNC to remote NC clients

I think the correct format is "tcp://*:5900", where you have a . instead of a :
thobdey_
Not applicable

Re: VNC to remote NC clients

I'm the originator of this thread, but the logins to these forums are so screwed up I'm not sure I'm logged in as me. Anyway... I tried having both tcp://*:5900 and tcp://<lan address range>:1024-65535 in the NC ACL at the same time. This should absolutely take care of the problem, but it didn't.

What's particularly irritating is that when I first put this box in production, it worked. We could VNC to remote clients just fine. No change has been made (at least not by me), but now it doesn't work. I tried updating the software to 6.5 and that didn't make any difference.

As I think I mentioned in my original post, I used Wireshark to monitor both the LAN client and the remote VPN client. During the attempt to connect with VNC, the LAN client showed it was sending packets, but the remote client was receiving nothing.

Mrkool_
Super Contributor

Re: VNC to remote NC clients

How about the local firewall on the PC? We use GPO to modify the local firewall policies all the time.

William_
Occasional Contributor

Re: VNC to remote NC clients

You can also try the tcpdump tool under "Troubleshooting->Tools" to get a packet capture to/from the SSL-VPN appliance.