
Microsoft Windows XP Networking Inside Out


Part 5: Advanced Networking

Tip: If you are worried about anonymous access to your remote session, don’t be. Anonymous access only allows Web browsing access. Remote Desktop will still require a valid user name and password to operate the computer remotely.


Configuring the Remote Client for Web Access

Once the remote computer is configured to allow Web access to Remote Desktop, you can use your client computer to connect. Keep these important points in mind:

You might not be able to trust all the clients you want to connect from. If you go to an Internet café, an unscrupulous owner might have installed software that monitors your keystrokes and could capture your remote computer’s name and your user name and password.

You must be using Internet Explorer 4 or later.

If you are connecting over the Internet to the remote computer, use the computer’s public DNS name or IP address to connect. See “Using Remote Desktop over the Internet/Firewall,” page 477, for more information.

If you are connecting through a remote access or VPN server, first make the network connection, and then use the name or IP address of the remote computer to complete the connection.


Chapter 16: Remote Desktop and Remote Assistance

To connect to the remote computer using Internet Explorer, open Internet Explorer and type the default address, which is http://server/tsweb. Again, if you are connecting over the Internet, use the public DNS name or IP address to connect, as in http://ipaddress/tsweb. If you’re able to access both port 80 (HTTP) and port 3389 (RDP) from your remote location, you’ll see a Remote Desktop Web Connection screen, as shown in Figure 16-8.

Figure 16-8. You can connect to the remote computer through IIS.

To connect, enter the remote computer’s name and choose between full screen and a variety of resolutions. Keep in mind that lower resolutions reduce the amount of bandwidth consumed and will help speed up the connection. Also, full screen will take up the entire computer screen. Other options give you a resizable window. When you first connect, you’ll probably see a Security Warning (depending on your Internet Explorer configuration). Remote Desktop installs an ActiveX control on your computer, so just click Yes in response to the Security Warning (if you do not, Remote Desktop will not work). You’ll see the standard Remote Desktop logon dialog box. Enter your user name and password and click OK. The Remote Desktop session opens in Internet Explorer, as shown in Figure 16-9 on the next page, or in full screen mode, depending on your selection.


Figure 16-9. The Remote Desktop session works exactly the same in Internet Explorer as it does when using the Remote Desktop Connection software.


Choosing Remote Desktop Options

Remote Desktop can be used for many purposes and can connect very different computers over networks of varying bandwidth. To address these multiple variables, Remote Desktop offers a rich selection of customization options, which are discussed next.

Optimizing Remote Desktop Performance

If you are accessing a remote computer over a LAN or intranet, the performance of Remote Desktop will be quite responsive. However, if you are running Remote Desktop over a heavily used network connection or via a dial-up connection, you might find its performance to be somewhat slow. There are a few actions you can take to help reduce the amount of bandwidth consumed by Remote Desktop, thereby increasing its performance. Follow these steps:

1. On the client computer, open Remote Desktop Connection.

2. In the Remote Desktop Connection dialog box, click the Options button, and then select the Experience tab.

3. In the Choose Your Connection Speed To Optimize Performance box, select the connection type you’re about to use to contact the remote computer. As shown in Figure 16-10, when Modem is selected as the connection type, only the Themes and Bitmap Caching features are transmitted over the remote connection. These default settings typically provide the best performance for modem users. However, the default settings provided to you are just suggestions. You can change any of these settings by selecting or clearing the check boxes as desired. You might need to experiment with these settings to find the ones that work best for you. You should usually leave Bitmap Caching enabled because it helps speed up your connection by saving images in your local cache so that they can be reused during the session instead of having to be downloaded repeatedly. But if you’re using a very fast connection and want to watch video over the Remote Desktop connection, you should clear this option.

Figure 16-10. You can speed up the performance of Remote Desktop by adjusting the options on the Experience tab.

Note: The remote computer might also have policy settings that enforce certain Experience settings. See “Remote Desktop and Group Policy,” page 494, to learn more.

Managing the Remote Desktop Display

The Display tab, shown in Figure 16-11 on the next page, allows you to modify the display options for the window containing the remote session. The supported resolutions range from 640×480 to Full Screen. You can also specify the color depth to use for the connection as well as decide whether or not to display the connection bar when in full screen mode. The connection bar is displayed at the top of your display. It displays the name or address of the computer hosting the remote session and lets you minimize the remote desktop, maximize it to full screen, place it in a window that you can size on your local computer, or close it entirely (which terminates the session).


Figure 16-11. Use the Display tab to adjust the desktop size and color depth of the remote session.

Configuring Local Resources


The Local Resources tab, shown in Figure 16-12, allows the configuration of some of the newer features available with Remote Desktop. Three categories of options exist: Sound, Keyboard, and Local Devices. The Sound option allows you to specify how sounds emanating from the remote computer will be handled. There are three options:

Leave At Remote Computer. With this setting enabled, any sounds from the remote computer play at the location of the remote computer. (This can be useful when controlling media jukeboxes remotely.)

Figure 16-12. Choose the Local Resources tab to configure sounds, keyboard commands, and devices.


Do Not Play. This option silences sound at the remote computer as well as on your local computer. After all, if no one is at the remote computer (or maybe more importantly if someone is in the vicinity), there is usually no reason to play sounds generated by your remote session.

Bring To This Computer. This option plays the sounds you generate at the remote computer on your local computer, so you have the full experience of running the remote computer. For example, you could use this option to play music or other media stored on the remote computer at your client location. Keep in mind, however, that transmitting sound also consumes more bandwidth.

The Keyboard section lets you decide which computer will respond to certain Windows keys that you press on the client computer. These Windows key combinations include Alt+Tab, the Windows key, and Ctrl+Alt+Del. You can choose to have these keys control the remote computer instead of your local machine when the Remote Desktop window has the focus, or you can have the keys always control your local computer. You can also choose to have the Windows key combinations control the remote computer only if the remote session is running in full screen mode. If you choose not to apply the Windows key combinations to the remote session, Remote Desktop assigns the following alternate set of special keys to control the remote computer:

Alt+Page Up. Switches between currently running applications (equivalent to Alt+Tab on the client computer).

Alt+Page Down. Switches between applications in the reverse order (equivalent to Alt+Shift+Tab).

Alt+Insert. Switches between applications in the order they were started (equivalent to Alt+Esc).

Alt+Home. Displays the Start menu (equivalent to Ctrl+Esc).

Ctrl+Alt+Break. Switches the Remote Desktop client between running as a window and running in full screen mode.

Ctrl+Alt+End. Displays the Windows Security dialog box (equivalent to Ctrl+Alt+Del).

Alt+Del. Displays the current application’s Windows menu.

Ctrl+Alt+Keypad Minus. Places a snapshot of the active window within the client on the remote clipboard (just as if you’d pressed Alt+PrintScrn on the remote computer).

Ctrl+Alt+Keypad Plus. Places a snapshot of the entire remote window on the remote clipboard (just as if you’d pressed Shift+PrintScrn on the remote computer).


The Local Devices section lets you map the client computer’s disk drives, printers, serial ports, and smart card devices to the Remote Desktop host. For example, if you’re connected to your work computer from your home computer and need to print a document located on your work computer at your home, you can select the Printers option, and the document will print on your home printer. You might also want to access information stored on disk drives in your local computer while in the Remote Desktop session. Selecting Disk Drives makes your local disk drives appear in the My Computer window of the remote computer so that you can access them.
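When a connection is saved, the Local Resources choices described above are written to an .rdp file as plain `name:type:value` lines. The following Python script is an added example, not taken from the book: it reads such a file and lists which client devices the connection maps to the host, plus the Sound and Keyboard choices. The sample file content and host name are constructed.

```python
# Added example: report the Local Resources choices stored in a saved .rdp file.
AUDIO = {0: "Bring To This Computer", 1: "Leave At Remote Computer", 2: "Do Not Play"}
KEYBOARD = {0: "On the local computer", 1: "On the remote computer",
            2: "In full screen mode only"}
# Local Devices check boxes and what selecting each one exposes to the host.
REDIRECTS = {
    "redirectdrives": "client disk drives appear in the host's My Computer",
    "redirectprinters": "client printers are usable from the remote session",
    "redirectcomports": "client serial ports are usable from the remote session",
    "redirectsmartcards": "client smart card readers are usable from the remote session",
}
# Constructed sample; office-pc.example.com is a placeholder host name.
SAMPLE = """full address:s:office-pc.example.com
audiomode:i:0
keyboardhook:i:2
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
bitmapcachepersistenable:i:1
"""

def decode_rdp(data):
    """Saved .rdp files are often UTF-16 with a byte-order mark; accept both."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def parse_rdp(text):
    """Parse 'name:type:value' lines, where type i is an integer and s a string."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            continue  # blank or malformed line
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name] = value
    return settings

def mapped_devices(settings):
    """Return (setting, exposure) for every device class explicitly mapped."""
    return [(n, why) for n, why in REDIRECTS.items() if settings.get(n) == 1]

def describe(settings):
    """Translate the Sound and Keyboard values into the dialog's wording."""
    return (AUDIO.get(settings.get("audiomode"), "not set"),
            KEYBOARD.get(settings.get("keyboardhook"), "not set"))

if __name__ == "__main__":
    cfg = parse_rdp(decode_rdp(SAMPLE.encode("utf-16")))
    print("Connecting to:", cfg.get("full address"), describe(cfg))
    for name, why in mapped_devices(cfg):
        print(f"MAPPED {name}: {why}")
```

Settings that are absent from the file are not reported, because the client then falls back to its own defaults.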

Remote Desktop and Group Policy

There are many ways to use Remote Desktop, and Group Policy can be a useful tool in controlling that usage. Imagine that you own a small company with a network of 10 Windows XP Professional computers. One of the computers stores company documents. Because several of your users also have laptop computers, you decide to use Remote Desktop to enable the laptop users to connect to the Windows XP Professional computer so that company files and documents can be edited, read, created, and used in any way necessary. The problem, however, is that you want to control bandwidth, and you want user sessions to be disconnected after they are idle for a certain period of time. You can’t do this directly within Remote Desktop, but you can if you use Local Group Policy.

Local Group Policy gives you a way to enforce certain settings on users who log on to the local computer. This includes everything from desktop settings to Internet Explorer settings. You can also use Local Group Policy to set Remote Desktop policies. This collection of settings includes such items as performance settings, user management settings, and even folder redirection.

To use Local Group Policy to manage Remote Desktop sessions, follow these steps:

1. Log on to the host computer locally using an account with administrative privileges.

2. From the Start menu, choose Run and type gpedit.msc. Click OK.

3. When the Group Policy console appears, expand Computer Configuration, Administrative Templates, Windows Components, and click Terminal Services. The Remote Desktop (Terminal Services) policies you can administer appear in the right pane, as shown in Figure 16-13.

To configure a policy, simply double-click it and choose to enable (or disable) it. Enter any additional information as required by the policy.

If the computer resides in a domain, the policy can be applied at a domain level, to individual organizational units (OUs), or to individual computers, allowing you to control either all computers or subsets of them. If the computer is running in a workgroup, however, Local Group Policy must be configured on each computer.


Figure 16-13. Group Policy provides policy options for Terminal Services.

Making the Most of Remote Desktop

The availability of Remote Desktop with Windows XP Professional facilitates a class of remote working and management options that have not been easy to implement before. By using Windows XP Professional at home and at the office, users can access resources from both the home and business networks. This is a boon to telecommuters because Remote Desktop allows the client computer to access the remote resources. Because the drives and resources of the local computer can be mapped to the remote computer, the client user can access the resources of both computers and move data across the two machines as needed. Applications can be run remotely on more powerful work computers, and the results can be viewed and printed at the same physical location as the client computer. This flexibility opens a new world of easy remote networking and access.


Exploring Remote Assistance

Remote Assistance is a new feature in Windows XP Professional and Windows XP Home Edition that enables users to help each other over the Internet. With this tool, one user who is termed the expert can view the desktop of another user known as the novice. When properly authorized by the novice, the expert user can engage in remote troubleshooting of the novice user’s system. For a Remote Assistance session to succeed, both users must be connected to the same network (typically, the Internet or a corporate network) and be using Windows XP. Remote Assistance is easy to use and configure, and can be helpful in many situations including the following:

It can be used on a company network where help desk personnel connect to remote computers and provide assistance.

It can be used by individuals who need help from other individuals.

It can be used as a tool for collaboration.

Note: Remote Assistance is only available in Windows XP Professional and Windows XP Home Edition, whether you are in the role of expert or novice.

Remote Assistance works by sending Remote Assistance invitations. The novice computer uses Microsoft Windows Messenger or e-mail (or a file that can be saved to removable media, copied via file sharing, or attached to an e-mail message) to send a Remote Assistance invitation to another user. Once the expert user accepts the invitation, a window opens showing the desktop of the novice. The expert can see the novice’s desktop and exchange messages with the novice. If the novice wants the expert to actually fix the computer, the novice can give the expert control of the computer. From this point, the expert can manage the novice’s computer remotely. The invitations that are sent use an RA ticket, which is a text file containing Extensible Markup Language (XML) fields. The RA ticket establishes a terminal session with the novice user’s computer so that the expert can view it. This is established through TCP/IP addresses when the two computers are connected to the Internet. Using the established IP addresses, the two computers communicate with each other directly using TCP port 3389. These details are hidden from the users because Remote Assistance is designed to be an easy to use help application.

Using Remote Assistance Through Firewalls

Firewalls are likely to be the single biggest impediment to making a successful Remote Assistance connection. The firewall packaged with Windows XP, ICF, is designed to allow Remote Assistance connections if either the requestor (novice) or respondent (expert) is using ICF. When a request is made, ICF automatically opens port 3389 to allow the Remote Assistance traffic. Firewalls from other vendors, either hardware- or software-based, must be configured to allow incoming and/or outgoing connections on port 3389 if Remote Assistance requests are to be sent or accepted.

Universal Plug and Play (UPnP)–Compliant Network Address Translation (NAT) Devices

Remote Assistance is designed to work with all UPnP NAT capable devices. UPnP NAT allows a Windows XP client behind the device using UPnP NAT to request that a Remote Assistance client be allowed an incoming connection on port 3389. Although the use of UPnP NAT is not yet widespread, it is particularly useful in that neither user needs to make any manual configuration changes to use Remote Assistance with a NAT firewall.

Tip: If you use Windows XP’s Internet Connection Sharing (ICS) feature to provide NAT functionality, it won’t interfere with Remote Assistance because ICS acts as a UPnP-compliant NAT. You might still have to cope with firewalls along the route, however.

Network Address Translation

Network address translation, a common method for connecting private networks to the Internet, presents a potential roadblock to Remote Assistance. All users accessing the Internet through a NAT device use the single, publicly accessible IP address on the external side of the NAT device. Any Internet host replying to a request from the private network or any user or process attempting entry to the private network must come through this gateway address. Remote Assistance is not the only example of incoming services that have to contend with NAT. Incoming VPN, File Transfer Protocol (FTP), and Web (HTTP) server requests must also come in through the NAT device’s external IP address. Any external viewer sees all outgoing traffic from the NAT device as originating from the external IP address of the NAT device. No information about the internal hosts that are actually initiating the requests is revealed. It is this masking process that has the potential to interfere with Remote Assistance requests.

If only one of the participants in a Remote Assistance session is behind a NAT device, then there is not a problem. However, if both users are situated behind their own NAT devices on different private networks, the Remote Assistance session will not be established. It is this impasse that is overcome by the UPnP NAT devices mentioned earlier.

Proxy Servers

Proxy servers are used for a variety of reasons. They can be used to cache commonly accessed Internet content so that when a user on a private LAN requests a resource, the proxy server can provide the requested materials from its cache of stored materials rather than actually going to the Internet to retrieve the resource. This allows a proxy server to make the most out of limited Internet connections that might otherwise be overutilized and ineffective. Proxy servers can also be used as a security and policy enforcement tool. Proxy servers can be used to track the Internet activity of the users required to use them as gateways to other networks. Because many proxy servers log incoming and outgoing activity, potential security breaches can be analyzed when they are detected.

If a proxy server is in use between the novice and the expert in a Remote Assistance session, and if the expert is behind a proxy server, such as Microsoft Proxy Server 2.0, the expert must have the proxy server client installed. This client allows the expert to pass through the proxy as the client would when Web browsing. If, however, the novice system lies behind the proxy server, packet filtering will have to be configured on the proxy server to allow inbound connections on port 3389 to the novice system.
