Using remote control software for support

Bob Peterson - 10:14am Sep 30, 2004 PST

I'd like to know how to use ARD or VNC to provide technical support to my Mac-using family and friends.

<http://db.tidbits.com/getbits.acgi?tbart=07821>

Back when Timbuktu came in a version called Housecall, this was almost as easy as I could wish. (I can imagine some pretty astoundingly easy schemes, but that doesn't make them practical or marketable.)

How can I use VNC for easy support? Mind you, some of these people are behind firewalls and routers. As I recall, Housecall was made possible through the use of a Netopia server that mediated the sessions.

\bob



Curtis Wilcox (apparently) - Oct 1, 2004 7:16 pm (#1 Total: 12)  

Posts: 354
Re: Using remote control software for support

If it weren't for the firewalls & routers performing NAT, it would be fairly easy. The absence of end-to-end communications creates many difficulties. Netopia worked around it by having the remote client initiate communications (with their server) and this is the typical workaround. Many of the VNC clients & servers have a "listening" and "sending" mode which are helpful. What you would do is run the viewer program in "listen" mode and the person whose computer you want to control would run the server and tell it to "send" the connection to your computer (they would have to know your ip or hostname). Unfortunately I have not found this feature in the Mac versions of the VNC software.
If you can get a hole in the firewall or port redirection on a NAT box, I would make it just for the ssh port (22) and for you to tunnel a VNC connection over that. They would need to have SSH enabled, you would have to have a user account on the computer and the VNC server would still need a password set.
The only other option I can think of to get around a firewall/NAT is for you to run a VPN server. The remote person would connect to the VPN server and be assigned an ip from the VPN server's network. You would then be able to connect to their computer via the VPN-assigned ip. Unfortunately some firewalls & NATs interfere with VPN connections so it wouldn't work in all cases.
Your options for creating a VPN server depend on what resources you have available. Windows servers since NT include a VPN service. OS X Server 10.3 includes VPN. Linux has PoPToP (there's a version for FreeBSD but I think it requires kernel modifications so an OS X port would be difficult). There are also simple VPN server boxes you can purchase.
Hmm, I just found something that looks promising, IPSecuritas.
This is a free GUI front-end to the IPSec capabilities that are included in OS X. IPSec is an encryption technology that is often used for VPN services but is also capable of handling host-to-host connections. I knew the capability was there but IPSec is fairly complex and my previous attempts to use it (with other operating systems) were a miserable failure. IPSec is still complex but this GUI simplifies some of the configuration and it looks like the Help file explains how to do various configurations. My guess is you would need to make a host-to-host connection in Tunnel mode rather than Transport mode. With an IPSec host-to-host connection, the remote person would initiate a connection with your computer and then your computer should be able to connect to the remote computer directly to start a VNC session. As with other VPN connections, some firewalls & NATs can interfere with outgoing IPSec connections. Almost all firewalls & NATs will block an incoming IPSec connection so you would have to make sure your end was capable of receiving the connection, possibly by simply having your computer on a public ip address with no firewall or device in the way.

Chris Pepper (apparently) - Oct 1, 2004 7:16 pm (#2 Total: 12)  

Posts: 839
Re: Using remote control software for support

At 10:14 AM -0700 9/30/04, Bob Peterson wrote:
>I'd like to know how to use ARD or VNC to provide technical support
>to my Mac-using family and friends.
>
><http://db.tidbits.com/getbits.acgi?tbart=07821>
>
>Back when Timbuktu came in a version called Housecall, this was
>almost as easy as I could wish. (I can imagine some pretty
>astoundingly easy schemes, but that doesn't make them practical or
>marketable.)
>
>How can I use VNC for easy support? Mind you, some of these people
>are behind firewalls and routers. As I recall, Housecall was made
>possible through the use of a Netopia server that mediated the
>sessions.

        I do something a bit similar, without ARD. I installed DynDNS
on my father's Mac, put OSXvnc in his /Applications folder, turned on
ssh, and enabled it in his firewall. If he was behind a Linksys, I
mapped port 22 (not sure ATM). I also added myself as an admin on his
machine, of course. I also used /Applications/OSXvnc/storepasswd to
create an encrypted password file on his Mac.

http://www.dyndns.org/
http://www.redstonesoftware.com/vnc

        When needing to do graphical troubleshooting, I ssh into his
dyndns address and set up a tunnel (see sample below -- I have
several of these set up as shell aliases), start OSXvnc via command
line (specifying the pre-configured password file), and then point my
VNC client at localhost.

ssh -C -L 5910:localhost:5900 mybox.dyndns.org

        This runs VNC through a tunnel, at which point Dad says
"Neat!" while I drive his mouse, and I immediately cut down the
resolution of his screen to make it faster while I work.

        Note: DynDNS names expire after a few months of non-use, so
just telnet to it if you get an expiration warning.

        If I were doing this with ARD and less paranoid, **on my next
visit**, I'd turn on ARD, open TCP ports 5900 & 3283 in the Mac OS X
firewall, and map the ports in the personal firewall/router, if one
is present. Note: ARD also uses the corresponding UDP ports (5900
& 3283), but Panther Client never blocks these unless you play with
ipfw manually.

        Alternatively, you could use ipfw commands via ssh to open
the ARD ports, but this is no easier than ssh tunneling, and less
secure.

http://docs.info.apple.com/article.html?artnum=106439

--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>
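
An added example, not part of Chris Pepper's post: a check to run over ssh on the Mac being supported, confirming that the tunnel is the only path to the remote-control service. It parses `netstat -an -p tcp` output in the macOS format and reports whether the VNC (5900) or ARD (3283) TCP ports named in this thread listen on a non-loopback address; the function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag remote-control ports that listen beyond loopback.
# Ports are the ones named in the thread: VNC 5900 and ARD 3283 (TCP only;
# the UDP side mentioned in the post is not checked here).
WATCH_PORTS="5900 3283"

# Constructed sample of `netstat -an -p tcp` output in macOS format
# (address and port joined by a dot). Not captured from a real machine.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.20.22        192.168.1.5.49321      ESTABLISHED
tcp6       0      0  ::1.3283               *.*                    LISTEN
EOF
}

# Read netstat output on stdin; print "port address" for every watched port
# in LISTEN state whose local address is not loopback.
exposed_listeners() {
    awk -v ports="$WATCH_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        laddr = $4
        if (!match(laddr, /\.[0-9]+$/)) next        # no trailing .port
        addr = substr(laddr, 1, RSTART - 1)
        port = substr(laddr, RSTART + 1)
        if (!(port in watch)) next                  # ssh (22) etc. are ignored
        if (addr ~ /^127\./ || addr == "::1") next  # loopback only: tunnel-only
        print port, addr
    }'
}

# Exit status 0 when no watched port is exposed, 1 otherwise.
tunnel_only() {
    [ -z "$(exposed_listeners)" ]
}

# On the Mac being supported: netstat -an -p tcp | exposed_listeners
sample_netstat | exposed_listeners
```

A line such as `5900 *` means the VNC server accepts connections on every interface, so the ssh tunnel is not the only way in and the VNC password is the sole barrier for anyone who can reach that port.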

j-beda (apparently) - Oct 1, 2004 7:16 pm (#3 Total: 12)  

Posts: 154
Re: Using remote control software for support

At 10:14 AM -0700 2004/09/30, Bob Peterson wrote:
>How can I use VNC for easy support? Mind you, some of these people are
>behind firewalls and routers. As I recall, Housecall was made possible
>through the use of a Netopia server that mediated the sessions.

        What I want is someone to wrap up a nice package that I can install
remotely from the command line and start it up/turn it off that way. That
way I can just get my folks to turn on the "allow remote login" button and
do all the work myself without having to talk them through things. Ideally
it would also do some sort of "ssh tunneling" so that I only have to figure
out how to get the ssh ports properly configured on their routers, etc.

        dyndns.org and other dynamical dns systems are useful in getting
their IP address, but that isn't too hard to get them to read off of their
screen over the phone.

        Currently I have an issue I want to address on my parent's system
that I just do not want to try to address through talking on the phone. We
installed "myPhoto" to allow them to publish their iPhoto stuff off of
their local machine via broadband. myPhoto creates a php website with all
their iPhoto stuff, very cool. Anyway, when I installed it last summer for
them, I thought it was all working fine, and that I managed to open the
correct holes in their router for web stuff to get out to the world. But I
guess I didn't test it properly, because while it is accessible locally, it
isn't from outside their little network. To change the router settings to
make it work, I need to be on the local network for my browser to access
the router's web interface. Thus if I could do this all via the command
line, I would be good to go, but as it is, I am waiting for them to visit
and bring the router with them and I'll try to set it up here and let them
bring it back there to turn on...

kevinv (apparently) - Oct 4, 2004 6:40 am (#4 Total: 12)  

Posts: 1344
Re: Using remote control software for support

--On Friday, October 1, 2004 7:16 PM -0700 "Wilcox, Curtis"
<cwilcoxesm.rochester.edu> wrote:

> The only other option I can think of to get around a firewall/NAT is for
> you to run a VPN server.

There are a couple of good, cheap options available these days. One option
is to join the two networks together, semi-permanently, with a VPN router.
This sounds expensive but it's only a few bucks more than standard
router/firewall device (which is highly-recommended for any home network
anyway). I use a D-Link DI-804HV. I paid about $80 for it (a non-VPN model
runs about $50.)

<http://www.dlink.com/products/?pid=59>

You can buy two of those and connect them together. The manual is pretty
good on how to do this (note even "pretty good" for VPN can sometimes be
very obtuse.) If you do this, you don't have to worry about computer
software. Additionally you can share all the devices on your network, not
just the devices on the destination computer (note that iTunes music
sharing won't work across a VPN connection because computers on the other
end still appear on a different network).

I'm not trying to join two locations together full-time, I just want to be
able to connect my laptop to my internal server (it has all my mail and
music on it) from anywhere in the world. So I bought one VPN router for
home and use the built-in Mac OS X software to connect to it. Due to the
difficult nature of VPN I don't use the Mac command line tools to do this,
instead I use a front-end to those tools to build the connections.

The software I use is Equinux's VPN Tracker (I use version 2, version 3 is
available now). It's pretty expensive at $90 (for the personal edition)
but has quite a few features and a decent interface. One feature I really
like is the ability to adjust the security model, this allowed me to make
VPN connections with my standard account without having to be an admin
level account or authenticate as an admin first.

<http://www.equinux.com/us/products/vpntracker/index.html>

Other software I tested is free from afp548.com called VaporSec. It's an
AppleScript Studio front-end to Mac OS X's VPN tools. It hasn't been
updated in a year, but when I last tested it worked fine (I had to be an
admin user to run it though.)

<http://www.afp548.com/Software/VaporSec/index.html>

Kevin

Chris Pepper (apparently) - Oct 4, 2004 6:40 am (#5 Total: 12)  

Posts: 839
Re: Using remote control software for support

At 7:16 PM -0700 2004/10/01, Johann Beda wrote:
>At 10:14 AM -0700 2004/09/30, Bob Peterson wrote:
>>How can I use VNC for easy support? Mind you, some of these people are
>>behind firewalls and routers. As I recall, Housecall was made possible
>>through the use of a Netopia server that mediated the sessions.
>
> What I want is someone to wrap up a nice package that I can install
>remotely from the command line and start it up/turn it off that way. That
>way I can just get my folks to turn on the "allow remote login" button and
>do all the work myself without having to talk them through things. Ideally
>it would also do some sort of "ssh tunneling" so that I only have to figure
>out how to get the ssh ports properly configured on their routers, etc.
>
> dyndns.org and other dynamical dns systems are useful in getting
>their IP address, but that isn't too hard to get them to read off of their
>screen over the phone.

        This depends on who you're asking. It's also nice for getting
to home systems when people are at work...

> Currently I have an issue I want to address on my parent's system
>that I just do not want to try to address through talking on the phone. We
>installed "myPhoto" to allow them to publish their iPhoto stuff off of
>their local machine via broadband. myPhoto creates a php website with all
>their iPhoto stuff, very cool. Anyway, when I installed it last summer for
>them, I thought it was all working fine, and that I managed to open the
>correct holes in their router for web stuff to get out to the world. But I
>guess I didn't test it properly, because while it is accessible locally, it
>isn't from outside their little network. To change the router settings to
>make it work, I need to be on the local network for my browser to access
>the router's web interface. Thus if I could do this all via the command
>line, I would be good to go, but as it is, I am waiting for them to visit
>and bring the router with them and I'll try to set it up here and let them
>bring it back there to turn on...

        If you have ssh access, it's really not difficult to install,
configure, and start OSXvnc (via ssh tunnel) -- assuming you are
clear on the individual bits. You can use the "open" command to mount
the .dmg.

        Sounds like a nice third-party opportunity to package it all
up, but I'm not holding my breath. ARD can create customized client
installers, so if you bought it you'd be about halfway there. You can
start & configure ARD 2 via its included kickstart command, with ssh
access.

        The issue of configuring the router for inbound connections
is intractable, though, as there are lots of different brands &
configuration interfaces. This is why peer-to-peer networks,
including VoIP, chat, network games, & Housecall, frequently offer a
central service with external hosts to mediate (outbound, thus
allowed) connections.

                                                Chris
--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>

j-beda (apparently) - Oct 4, 2004 6:40 am (#6 Total: 12)  

Posts: 154
Re: Using remote control software for support

At 10:30 PM -0400 2004/10/02, Chris Pepper wrote:
> If you have ssh access, it's really not difficult to install,
>configure, and start OSXvnc (via ssh tunnel) -- assuming you are
>clear on the individual bits. You can use the "open" command to mount
>the .dmg.

        Your message prompted me to experiment a bit. I managed to sftp the
.dmg file over to the remote machine, and used "hdiutil" to mount the image
(a hint on macosxhints.com mentions that one needs to use both "hdiutil
unmount" and "hdiutil detach" both with the -force options to reliably
unmount an image). I used "ditto" to copy the .app bundle with the
-rsrcFork flag to make the copy, though I think that CpMac might have done
as well.

        I haven't used VNC for a while, so I still have to play around with
some local installations to figure out exactly how to set it up correctly
and get it working.

> The issue of configuring the router for inbound connections
>is intractable, though, as there are lots of different brands &
>configuration interfaces.

        That was why your nice ssh/tunneling command finally got me to
start messing with it again. I have already got the ssh ports properly
forwarded by the routers at each end, so putting the VNC through that seems
like the obvious way to go, and of course it provides nicer security. Maybe
the ssh/tunneling could be put right into the VNC server and/or client? Not
that I have the time or ability to mess around with the source code...

tekelenb (apparently) - Oct 5, 2004 6:48 am (#7 Total: 12)  

Posts: 257
Re: Using remote control software for support

At 06:40 -0700 UTC, on 2004/10/04, Kevin van Haaren wrote:
> One option
> is to join the two networks together, semi-permanently, with a VPN router.
> This sounds expensive but it's only a few bucks more than standard
> router/firewall device (which is highly-recommended for any home network
> anyway). I use a D-Link DI-804HV. I paid about $80 for it (a non-VPN model
> runs about $50.)
>
> <http://www.dlink.com/products/?pid=59>

Any experience how this compares to a Snapgear? See
<http://www.cyberguard.com/snapgear/products.html>. Obviously the Snapgear is
more expensive :) That makes this D-Link very attractive. But what about
capabilities, security, ease of use, quality of documentation, robustness of
the Web-based UI...?

--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>

tekelenb (apparently) - Oct 5, 2004 6:48 am (#8 Total: 12)  

Posts: 257
Re: Using remote control software for support

At 06:40 -0700 UTC, on 2004/10/04, Johann Beda wrote:
> I managed to sftp the
> .dmg file over to the remote machine, and used "hdiutil" to mount the image
> (a hint on macosxhints.com mentions that one needs to use both "hdiutil
> unmount" and "hdiutil detach" both with the -force options to reliably
> unmount an image).

Yes, I ran into that too. If you do just either one, subsequent attempts to
mount the image fail. My solution was to use umount:

$ umount /Volumes/[name of the volume]

(Note that although man umount lists a -f ("force") option, it doesn't seem
necessary here.)

--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>

Chris Pepper (apparently) - Oct 6, 2004 6:52 am (#9 Total: 12)  

Posts: 839
Re: Using remote control software for support

At 6:48 AM -0700 2004/10/05, Sander Tekelenburg wrote:
>At 06:40 -0700 UTC, on 2004/10/04, Johann Beda wrote:
>> I managed to sftp the
>> .dmg file over to the remote machine, and used "hdiutil" to mount the image
>> (a hint on macosxhints.com mentions that one needs to use both "hdiutil
>> unmount" and "hdiutil detach" both with the -force options to reliably
>> unmount an image).
>
>Yes, I ran into that too. If you do just either one, subsequent attempts to
>mount the image fail. My solution was to use umount:
>
>$ umount /Volumes/[name of the volume]
>
>(Note that although man umount lists a -f ("force") option, it doesn't seem
>necessary here.)

        I just use "open myimage.dmg", which lets the Finder figure
out how to handle it. Once that's done, you can a) unmount it via the
Finder once connected via ARD/VNC, b) ignore the left-over volume
entirely, or c) tell the user to drag it to the Trash.

                                                Chris
--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>

tbutler (apparently) - Oct 6, 2004 6:52 am (#10 Total: 12)  

Posts: 145
Re: Using remote control software for support

On 10/5/04 at 6:48 AM, tekelenbeuronet.nl (Sander Tekelenburg) wrote:

> At 06:40 -0700 UTC, on 2004/10/04, Kevin van Haaren wrote:
> > One option is to join the two networks together, semi-permanently,
> > with a VPN router. This sounds expensive but it's only a few bucks
> > more than standard router/firewall device (which is
> > highly-recommended for any home network anyway). I use a D-Link
> > DI-804HV. I paid about $80 for it (a non-VPN model runs about $50.)
> >
> > <http://www.dlink.com/products/?pid=59>
>
> Any experience how this compares to a Snapgear? See
> <http://www.cyberguard.com/snapgear/products.html>. Obviously the
> Snapgear is more expensive :) That makes this D-Link very attractive.
> But what about capabilities, security, ease of use, quality of
> documentation, robustness of the Web-based UI...?

I'd be interested in hearing that as well; our company is looking at the
possibility of setting up a satellite office for the clerical/accounting
people a few blocks away, and something like these is what I was looking
at for tying the two locations together.

Travis Butler
tbutlermac.com

Apta - Oct 7, 2004 7:08 am (#11 Total: 12)  

Posts: 14
Re: Using remote control software for support

As a consultant, I tried various VNC's to remotely control Macs but couldn't get any to work. However, KDX from http://www.haxialsoftware.com/ is fairly easy for my clients to use. They install the KDX Server that I email them, launch it, and then they tell me what their IP address is.

At my end, the KDX Client then logs in to their server and voila, I can take over the remote Mac. It does require one port to be open: 10600. Although I haven't tried it, it has an option for audio transmissions as well. I prefer the phone though.

KDX's GUI is more like an X-Windows application but there are identical-looking versions for non-Mac platforms too. I haven't explored all the features it has but there are plenty. Here's an excerpt from the website:

    KDX is a powerful multi-OS "BBS"-style (Bulletin Board System) encrypted internet communications system that provides voice chat (Internet Telephone), text chat, messaging, news, file and folder transfer, remote access, trackers and more. It uses strong encryption to protect your communications for security and privacy. It is very useful for groups that need to collaborate on a project via the Internet. It is also very useful for remote administration of a computer. KDX uses a client/server architecture (NOT peer-to-peer).

kevinv (apparently) - Oct 11, 2004 2:15 pm (#12 Total: 12)  

Posts: 1344
Re: Using remote control software for support

--On Tuesday, October 5, 2004 6:48 AM -0700 Sander Tekelenburg
<tekelenbeuronet.nl> wrote:

> At 06:40 -0700 UTC, on 2004/10/04, Kevin van Haaren wrote:
>> One option
>> is to join the two networks together, semi-permanently, with a VPN
>> router. This sounds expensive but it's only a few bucks more than
>> standard router/firewall device (which is highly-recommended for any
>> home network anyway). I use a D-Link DI-804HV. I paid about $80 for it
>> (a non-VPN model runs about $50.)
>>
>> <http://www.dlink.com/products/?pid=59>
>
> Any experience how this compares to a Snapgear? See
> <http://www.cyberguard.com/snapgear/products.html>. Obviously the
> Snapgear is more expensive :) That makes this D-Link very attractive. But
> what about capabilities, security, ease of use, quality of documentation,
> robustness of the Web-based UI...?

I have not used a snapgear so I can only do a superficial comparison. On
the surface they look pretty much the same (other than price.) The
snapgear does support 50 IPSec VPN tunnels vs. the D-Link's 40, but if you
need that many tunnels then I'd probably get a higher-end device anyway.
D-Link only supports one tunnel to a dynamic IP address, snapgear appears
to allow all their tunnels to have dynamic IP addresses. Important if you
have multiple laptop users that roam around (I believe D-Link's tunnels
might work with a dynamic dns entry, but haven't tried it.)

Both have com ports for analog modem support, the snapgear can
auto-failover to the analog com port. The D-Link doesn't seem to have this
capability.

Both support L2TP, PPTP and IPSec VPNs.

Snapgear offers several add-ons for extra fees:
   * extended 4 year warranty ($40)
   * annual support ($99)
   * Simple 5 user content filtering ($49/year)
   * enhanced 5 user content filtering/logging ($99/year)

D-Link's manual is pretty thin (you can download it from their web site.)
But the online help on the device itself is fairly decent (as long as you
aren't looking for a lot of information about basic IPSec.)

Snapgear offers an online demo of their interface (which is a great idea!).
Their demo is for a high-end device, so I'm not sure how comparable it is
to the lower end devices. Snapgear's interface is better, I went through
just the IPSec configuration to see how it worked. It's wizard-based,
taking you through the various steps to set up a tunnel.

D-Link's interface is more fragmented and you have to figure out the
various components that need to be set up first. Since D-Link doesn't have
a live demo of their interface up, I posted screenshots of the IPSec setup
for a dynamic IP address IPSec tunnel.

<http://homepage.mac.com/kvanhaaren/PhotoAlbum1.html>

(full-size images available by going into the slide show and clicking the
image. Sorry but I had to take the shots on my XP box, so they have funny
window borders.)

On the whole I'd say you probably get what you're paying for. Snapgear
seems to have more enterprise oriented features, while D-Link looks to be
the bare bones edition. If I were setting up a business for somebody I'd
probably recommend the Snapgear, while for home the D-Link is adequate for
me.

Kevin


