Tunnels and Redirectors




TUNNELS AND REDIRECTORS
Overview
Security Details
Permissions
Starting a Tunnel
Starting a Redirector
HTTP Connect
HTTPS Connect
LabVNC
Remote Desktop
Remote Desktop Auto
Secure Shell
Telnet
UltraVNC
Using Dual Monitors with UltraVNC
VNC
Lights-Out Management
Proxies
HTTP Proxies
Socks Proxy Server
Telnet, Mail, News
Selecting a Default Redirector
Adding/Editing Redirectors
Tunnel Configuration
Tunnel Properties
Auditing and Reporting
Audit
Reporting
Troubleshooting Tunnels
Router/Firewall Configuration
Cisco
Untangle
Linksys
SonicWall
Watchguard
Document Revision History

9.50.169.TunnelsRedirectors

Overview

Tunnels allow you to create a direct connection from the Control Center to an agent computer. This is established with a UDP tunnel connection. Once this tunnel connection is running, redirectors can be established across this tunnel. Multiple redirectors can run at the same time on a single tunnel, connecting to different destinations. The tunnel supports redirectors that route TCP and UDP traffic in any direction, and these connections can support SOCKS proxy internally. The tunnel's maximum MTU has been set at 1450 to ensure the ability to cross the various Internet routers.

If a tunnel is created without selecting a specific redirector, it will just sit there and wait for future redirectors. The tunnel connection can be started independently of a redirector or it can be started with a redirector. A redirector will use an existing tunnel if one has been created; otherwise it will create a new one. If the tunnel is started by itself, it will remain running after the redirector has been closed and then close after three minutes if there are no active redirectors. If the tunnel was started because a redirector was used, then when the redirector is closed, the tunnel will remain running for three minutes after the last connection has closed, unless you manually close it.

With upgrades to the 2011.2 release, old custom redirectors would be imported into the new tunnels and listed under Imported. Some may need to be edited via the Redirectors tab in the Dashboard > Config > Configurations. For more information, please refer to the Redirected Applications documentation.

NOTE: If the primary tunnel mode fails, the tunnel start control will pass a separate relay server address to use.

IMPORTANT: Your router must do consistent (predictive) NAT, or all UDP packets with a source port of 40000-41000 must NOT have their source ports altered when NATting them in the firewall.

Security Details

TCP tunnels are TripleDES encrypted. UDP tunnels are AES 256-bit encrypted.

Permissions

Permissions to use tunnels must be granted by client. Access can be limited so technicians do not have access to redirectors; however, access cannot be limited to one or more redirectors. At this time, it's all or nothing.

1. From the Control Center navigation tree, expand Clients > client.
2. Click on the Permissions tab.

Figure 1: Client Permissions

Permissions must be given to the user classes that you want to have access to create tunnels and to use the redirectors.

3. Select the user class from the User Classes list. If the user class that you want to give tunnel permissions to is not listed, right-click and select the appropriate user class or create a new user class.
4. Once selected, select Allow Redirector/Remote Control and Allow Peer-to-Peer Tunnels for unrestricted access to tunnels and all redirectors. Otherwise, select the desired access level based on the following:
   - At this time, all redirectors are accessible if given the Allow Redirector/Remote Control permissions and cannot be limited by one or more redirectors.
   - If the Allow Redirector/Remote Control option is disabled, the button and menus will be removed for that user class. If disabled, the members of that user class will use TCP to VNC.
   - The Allow Peer-to-Peer Tunnel permission allows the technician to create a tunnel to the computer. If disabled, the redirectors will use a TCP channel and advanced redirectors will not be available.
5. Repeat the above steps for each user class that needs access.
6. Click Save.

Starting a Tunnel

You can start a tunnel without selecting a specific redirector. Once the tunnel is created, it will just sit there. However, tunnels will close automatically after three minutes if there are no active redirectors. The default can be changed in the VNC/Ticket Priority tab of the Dashboard > Config.

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then Tunnel Only.

Figure 2: Tunnel Only

You will be prompted to enter a reason for the redirected session.

Figure 3: Explain Remote Control

3. Enter the appropriate reason and click OK. The Tunnel Start command will be issued to the computer. Once the command has been issued, a Tunnel indicator will display below the menu bar as shown by the following example.

Figure 4: Starting Tunnel

NOTE: The number of tunnels you can run at one time is based on the bandwidth between you and the remote agent.

The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected. Once the tunnel is connected, it will just sit there for up to three minutes until you select a redirector. Normal connection time, if the computer is already in FasTalk mode, is less than 15 seconds.

NOTE: If the tunnel fails to connect via UDP, it will automatically connect via TCP (port 70) and use the redirector server. If you are on a machine where you know tunnels do not work, you can bypass the tunnels using the [Control] key when you click on the redirector.

4. To close the tunnel, simply click on the Close box on the Tunnel indicator.

Starting a Redirector

Redirectors can be run from the navigation tree or from the Computer Management screen by selecting an option from the Redirectors menu at the bottom of the screen. Please note that a different list of redirectors will display based on the type of computer. For example, Mac and mobile agents will have the VNC option. The following steps will walk you through running a redirector from the navigation tree.

TIP: Holding down the [Shift] key while selecting a redirector will allow you to connect to a computer that does not have an agent installed on the same network.

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then the desired redirector.

NOTE: Redirectors can also be used for network devices. From the Control Center, expand Clients > client > location > Network. Right-click on the network device, select Network Redirectors and then the desired redirector.

Figure 5: Network Redirectors

You will be prompted to enter a reason for the redirected session.

TIP: The default reason can be changed by entering a new value for the CCVNCReason property. To disable the prompt, set the CCVNCASK property to False. For more information on these properties, refer to the Tunnel Properties section of this document.

Figure 6: Explain Remote Control

3. Enter the appropriate reason and click OK. The Tunnel Start command will be issued to the computer. Once the command has been issued, a tunnel indicator will display below the menu bar as shown by the following example.

Figure 7: Starting Tunnel

TIP: Click on the tunnel indicator to open the Computer Management window for that computer, or [Ctrl-click] on the tunnel indicator to get additional tunnel information (e.g., server, port, remote port, local port, MTU, UPNP, timeout, and tunnel version). This allows you to see what is occurring in the firewall. If the router does not work with tunnels, you will see Using Relay Connection to Remote instead of Using Direct Connection to Remote.

Figure 8: Sample Tunnel Information

The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected. Once the tunnel is connected, the redirected program will run on the Control Center computer and connect to the tunnel. What you see next depends on the chosen redirector. Refer to the following sections in this document for each type of redirector for additional information.

When you close the redirector, the tunnel will remain open for up to three minutes, unless you manually close it.

HTTP Connect

HTTP Connect will run a local web browser that is redirected to the remote agent. All requests will appear as though they originate from the remote agent. The browser's initial web page will be of the remote agent or device's IP address. Navigate to any page by typing a new address. Additionally, this local web browser also supports https.

To use HTTP Connect, follow the instructions below:

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then HTTP Connect.

Figure 9: Network Redirectors HTTP Connect

You will be prompted to enter the reason for the redirected session.

Figure 10: Explain Remote Control

3. Enter the appropriate reason for the redirected session and click OK. The Tunnel Start command will be issued to the target agent computer and a tunnel indicator will appear just below the menu bar as shown by the following example.

NOTE: The system will wait for up to 500 seconds for the command to be received and then it will wait up to 30 seconds for the tunnel to be connected.

Figure 11: Tunnel Control

Once the tunnel is connected, a web browser window will display.

Figure 12: Redirected Web Browser

4. From the computer's web browser, you can diagnose Internet problems, make changes to the router configuration or perform other troubleshooting that requires the Internet.

HTTPS Connect

HTTPS Connect will run a local web browser that is redirected to the remote agent. All requests will appear as though they originate from the remote agent. The browser's initial web page will be of the remote agent or device's IP address accessed via HTTPS. Navigate to any page by entering a new address.

To use HTTPS Connect, follow the instructions below:

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then HTTPS Connect.

Figure 13: Network Redirectors HTTPS Connect

You will be prompted to enter the reason for the redirected session.

Figure 14: Explain Remote Control

3. Enter the appropriate reason for the redirected session and click OK. The Tunnel Start command will be issued to the target agent computer and a tunnel indicator will appear just below the menu bar as shown by the following example.

NOTE: The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected.

Figure 15: Tunnel Control

Once the tunnel is connected, a web browser window will display.

Figure 16: Redirected Web Browser

4. From the computer's web browser, you can diagnose Internet problems, make changes to the router configuration or perform other troubleshooting simply by entering the remote address of a device that can only be accessed from inside the remote network.

LabVNC

LabVNC is LabTech's built-in VNC feature. This allows you to remote control into a target computer and interact with it. LabVNC can be used to VNC into Linux or Windows machines. LabVNC is not compatible with other VNC installations on the target machine and may fail to connect. A remote desktop connection that is left open will be closed and logged off automatically. LabVNC will need to be run again to complete the connection.

To use LabVNC, follow the instructions below:

1. From the Control Center navigation tree, expand Clients > client > location.

2. Right-click on the computer you want to connect to and select Network Redirectors and then LabVNC.

TIP: You can also VNC directly to the user's session without opening up a Computer screen or selecting the LabVNC option by selecting Logged-in Users > specific logged-in user > LabVNC. This option will display each user that is currently logged into the computer.

Figure 17: Network Redirectors LabVNC

TIP: To refresh the list of logged-in users, click Refresh (just above the navigation tree) in the Control Center.

You will be prompted to enter the reason for the redirected session.

Figure 18: Explain Remote Control

3. Enter the appropriate reason for the redirected session and click OK. The Tunnel Start command will be issued to the target agent computer and a tunnel indicator will appear just below the menu bar as shown by the following example.

NOTE: The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected.

Figure 19: Tunnel Control

Once connected, the remote desktop will display and you will have full control over the computer. A chat window will display in the lower right-hand corner to allow you to communicate with the user at the computer.

Figure 20: LabVNC

4. At the end of the session, the remote user or the technician can end the session by clicking on the Disconnect Technician Now button. When the VNC session ends, you will receive a Connection Closed message. Click OK to close.
5. The tunnel will remain open to make another connection or it will automatically close after three minutes.

Remote Desktop

NOTE: The Management Port field located on the Network tab of the Computer Management screen is used for RDP redirectors as the port for Terminal Services. RDP normally uses port 3389. If set to 0, LabTech will use port 3389. Otherwise, enter the port to use.

To use Remote Desktop, follow the instructions below:

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then Remote Desktop.

Figure 21: Network Redirectors Remote Desktop

You will be prompted to enter the reason for the redirected session.

Figure 22: Explain Remote Control

3. Enter the appropriate reason for the redirected session and click OK. The Tunnel Start command will be issued to the target agent computer and a tunnel indicator will appear just below the menu bar as shown by the following example.

NOTE: The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected.

Figure 23: Tunnel Control

Once connected, you will be prompted to enter the credentials to access the target agent computer.

Figure 24: Remote Desktop

4. Enter the password for the target computer and press [Enter]. You will have full control over the computer.
5. At the end of the session, close the window.

Remote Desktop Auto

Remote Desktop Auto is the same as Remote Desktop but attempts to RDP into the machine using the Administrator login for the location.

NOTE: The Management Port field located on the Network tab of the Computer Management screen is used for RDP redirectors as the port for Terminal Services. RDP normally uses port 3389. If set to 0, LabTech will use port 3389. Otherwise, enter the port to use.

Secure Shell

Secure Shell is used with many UNIX computers and network devices. SSH provides a telnet-like connection to control devices via the command line.

NOTE: The target computer must have an SSH server to use this option.

To use Secure Shell, follow the instructions below:

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then Secure Shell.

Figure 25: Network Redirectors Secure Shell

You will be prompted to enter the reason for the redirected session.

Figure 26: Explain Remote Control

3. Enter the appropriate reason for the redirected session and click OK. The Tunnel Start command will be issued to the target agent computer and a tunnel indicator will appear just below the menu bar as shown by the following example.

NOTE: The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected.

4. Once connected, a PuTTY window will open.

Figure 27: PuTTY SSH Command Line

5. At the end of the session, close the PuTTY window.

Telnet

Telnet provides a command-line interface to a remote agent. To use Telnet, follow the instructions below:

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then Telnet.

Figure 28: Network Redirectors Telnet

You will be prompted to enter the reason for the redirected session.

Figure 29: Explain Remote Control

3. Enter the appropriate reason for the redirected session and click OK. The Tunnel Start command will be issued to the target agent computer and a tunnel indicator will appear just below the menu bar as shown by the following example.

NOTE: The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected.

4. Once connected, a PuTTY window will open.

Figure 30: PuTTY Telnet Command Line

5. At the end of the session, close the PuTTY window.

UltraVNC

UltraVNC is another method to remote control into a target computer and interact with it instead of using LabVNC. To use UltraVNC, follow the instructions below:

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Network Redirectors and then UltraVNC.

Figure 31: Network Redirectors UltraVNC

You will be prompted to enter the reason for the redirected session.

Figure 32: Explain Remote Control

3. Enter the appropriate reason for the redirected session and click OK. The Tunnel Start command will be issued to the target agent computer and a tunnel indicator will appear just below the menu bar as shown by the following example.

NOTE: The system will wait for up to 500 seconds for the command to be received and then it will wait up to 70 seconds for the tunnel to be connected.

Figure 33: Tunnel Control

Once connected, the remote desktop will display and you will have full control over the computer.

Figure 34: UltraVNC

4. At the end of the session, the remote user can right-click on the UltraVNC icon on the taskbar and select Close VNC Connections, or the technician can click on the Close Connection icon to end the session.

Figure 35: UltraVNC icon

Figure 36: UltraVNC Close Connection Icon

5. The tunnel will remain open to make another connection or it will automatically close after three minutes.

Using Dual Monitors with UltraVNC

UltraVNC will connect to and display both monitors regardless of the left or right position of the primary monitor. If the computer has dual monitors, click the Switch Monitor button and then scroll over to see the second monitor.

Figure 37: Using Dual Monitors

VNC

The VNC option is used the same way as LabVNC and UltraVNC but is used to VNC into Macs.

Lights-Out Management

All of these redirectors are the same as defined elsewhere except the originating computer is the probe. The tunnel is established to the probe and then the probe creates the connection to the target. The target is the computer or device you selected to send this command.

Generic HTTP: HTTP connect to port 80.
Remote Desktop: RDP connect to port 3389.
Secure Shell: SSH connect to port 22.
vPro HTTP: HTTP connect to port 16992.

NOTE: The Management IP field is used in all Lights Out Management redirectors as the address to connect to (e.g., HP iLO enabled computers typically have another IP address that is used to connect to for Lights Out Management). This IP address would be entered into the Management IP field. If the field is blank, the local IP address is used. This field is located on the Network tab of the Computer Management screen.

Proxies

HTTP Proxies

This starts a web browser using the remote computer as the originator. The default page of this web browser is www.google.com.

Socks Proxy Server

This redirector creates a SOCKS server (standards-based proxy) on the Control Center computer that originates all requests from the remote agent. This server listens on port 1080 and it will appear that it is not doing anything. It is the user's responsibility to run another program and set that program's proxy settings to this SOCKS server's address. This redirector will not automatically close. You must close the tunnel when complete.

Telnet, Mail, News

All of the Telnet, Mail, News options use PuTTY to connect to these services on the remote agent using the following ports:

IMAP: 143
NNTP: 119
POP3: 110
Rlogin: 513
SMTP: 25
Submission: 587

Selecting a Default Redirector

Each computer can have a specific redirector program set as the default. To set the default, open a computer from the navigation tree, right-click on the UltraVNC button and select Default Redirector and then the desired default redirector. If the default redirector has been set, then a check will appear next to the selected default.

NOTE: The global redirector can be set in the Dashboard > Config > Control Center: Default Redirector field. The global setting defaults to UltraVNC.

To run the default redirector:

1. From the Control Center navigation tree, expand Clients > client > location.
2. Right-click on the computer you want to connect to and select Default Redirector, or it can be run from the Computer Management screen as shown by the following.

Figure 38: Computer Management Screen Default Redirector

Adding/Editing Redirectors

In the 2011.2 release, the ability to add/edit redirectors through the Redirected Apps tab had been removed. Redirected Apps had to be edited in the database directly. With the 2012 release, the Redirected Apps tab has been reinstated and you can now add/edit from this tab. Refer to the Redirected Apps documentation for more information.

Tunnel Configuration

In 2012, many of the tunnel properties have been moved to Tunnel Configuration in the Dashboard (Dashboard > Config > VNC/Ticket Priority).

IMPORTANT: These settings should not be changed unless directed to do so by LabTech Support.

Table 1: Tunnel Configuration (Option: Description)

Public Mediator: The mediator to use. Default value is stun.labtechsoftware.com. If you change from the default, click Save Tunnel Config to save any changes. This will default to your redirector address if you are not using port 70, 8000 or 8080 as the redirector port.

Tunnel Start Port: Used to fix the port(s) the tunnels use at both the agent and Control Center sides. For the Control Center, set to x (where x=port) and it will use that port. Default value is 40000. For agents, set SOFTWARE\LabTech\Service\TunnelPort=x (where x=port). Would need to be allowed OUTBOUND/INBOUND at the firewall. Example: You can control the source port LabTech uses for all tunnels. Set Tunnel Start Port to 40000, where 40000 is the starting port to use, and then set Tunnel Port Count to 1000, where 1000 is the number of ports to share. If you change from the default, click Save Tunnel Config to save any changes. Remember to use the source port in the firewall rules and not the destination port, as this will be completely random.

Tunnel Port Count: Used to utilize a random range of ports for the tunnels. Default value is 1000. For the Control Center, set to x (where x=the range of ports). For example, if set to 1000, the system will pick a random port from the value in TunnelStartPort thru (TunnelStartPort+TunnelPortCount). If you change from the default, click Save Tunnel Config to save any changes. For agents, set SOFTWARE\LabTech\Service\TunnelStartPort=x (where x=the range of ports). Would need to be allowed OUTBOUND/INBOUND at the firewall.

Tunnel MTU: Maximum MTU. Ensures the ability to cross the various Internet routers. Default value is 1400. If you change from the default, click Save Tunnel Config to save any changes.

Tunnel Inactivity: Tunnels will close after this amount of inactivity if there are no active redirectors. Default value is 180 seconds. If you change from the default value, click Save Tunnel Config to save any changes.

Tunnel Encryption: Encrypts the data. Disabling will speed up a tunnel but leaves the data vulnerable. This is NOT recommended. Enabled by default. If you change from the default value, click Save Tunnel Config to save any changes.

Tunnel UPNP: Tells the router to open the port they're listening on and close when complete. Disabling is only recommended if you are having issues with bad routers. Enabled by default. If you change from the default value, click Save Tunnel Config to save any changes.

Agent Connect Test: Disabled by default. Can be enabled with no ill effect. It tests the tunnel from the agent to see if data can actually pass through before it says it is connected. This can help get tunnels established when they connect but don't work.

Tunnels Disable: Select this to turn off all tunnels and default to the [Control] click to use TCP redirector. If you change from the default value, click Save Tunnel Config to save any changes. Disabled by default.

Tunnel Threading: Threading turns off threading internally in the tunnel. Disabling may make the tunnel more stable but will be slower. Enabled by default. If you change from the default value, click Save Tunnel Config to save any changes. It is recommended to not change these settings unless directed to do so by LabTech Support.

Fast TCP Mode: Disabled by default. If you are always using the TCP redirector, because your router will not support the tunnels, this option will speed up the connection by 10-15 seconds.

Tunnel Properties

For a complete list of Properties, refer to the Properties documentation.

Table 2: Tunnel Properties

Property: CCVNCAsk
Default: True
Description: Set to 'False' (no quotes) to disable the 'reason for connecting' prompt.

Property: CCVNCReason
Default: Requested by the user
Description: Default remote connection reason. Set to a space to make the user always type something.

Property: DisableTunnels
Default: False
Description: Set this to true to turn off all tunnels and default to the [Control] click to use the TCP redirector.

Property: PublicMediator
Default: Stun.Labtechsoftware.com
Description: The mediator to use. This will default to your redirector address if you are not using port 70, 8000 or 8080 as the redirector port.

Property: TunnelPort
Default: 40000
Description: Used to fix the port(s) the tunnels use at both the agent and Control Center sides. For the Control Center, set to x (where x=port) and it will use that port. For agents, set SOFTWARE\LabTech\Service\TunnelPort=x (where x=port). The port must be allowed OUTBOUND/INBOUND at the firewall.
Example: You can control the source port LabTech uses for all tunnels. Set the property TunnelPort=40000, where 40000 is the starting port to use, and then set TunnelRandom=1000, where 1000 is the number of ports to share. Restart the Control Center to make the setting take effect. Remember to use the source port in the firewall rules and not the destination port, as the destination port will be completely random.

Property: TunnelRandom
Default: 1000
Description: Sets the size of the random range of ports used for the tunnels. For the Control Center, set to x (where x=the range of ports). For example, if set to 100, the system will pick a random port from the value in TunnelPort through (TunnelPort+TunnelRandom). For agents, set SOFTWARE\LabTech\Service\TunnelPort=x (where x=the range of ports). The ports must be allowed OUTBOUND/INBOUND at the firewall.

Auditing and Reporting

Audit

All redirector sessions (not the tunnels, but the individual sessions such as LabVNC or RDP) are logged with the start times, the duration of the connection, the users who initiated the session, the reason for the session and the target IP address. To access the audit, select Dashboard > Management > Auditing from the Control Center.

Figure 39: Auditing

Auditing is performed by checking the user's auditing level and comparing that to the Action Level on the Auditing screen. If the user's auditing level is equal to or lower than the action level that is set, LabTech will audit the action. For example, the action Tunnel Connect has an auditing level of 1 by default. Any user that has an audit level of 1 or greater will have Tunnel Connect audited. The Auditing screen will show you basic audit information, such as the date and time the action was performed and the reason for the action. For more in-depth information, refer to the Remote Control report.

NOTE: Each action's auditing level can be changed by right-clicking on the action and selecting a different number.

Reporting

The Remote Control report can be run based on a variety of criteria. It can be limited to client, location, computer, user, IP address and the reason for the connection. This report will provide you with the start times, duration of the connection, the user who initiated the session, the reason for the session and the target IP address. For more detailed information, refer to the Remote Control Report documentation.

1. From the Control Center, expand Admin > Reports > LabTech Reports.
2. Double-click on Remote Control.

Figure 40: Report Manager

3. Click on the Print Preview button to preview the report. If you wish to print without previewing the report, click on the Print button. To email the report as a PDF attachment, click the Email Report button and complete the email form, as necessary. Otherwise, to schedule the report to run for a later or recurring date and time, click on the Schedule button.

Figure 41: Sample Remote Control Report

NOTE: From the Print Preview screen, you can print, email, or save as a Word, Excel or PDF document by using the icons in the upper left-hand corner.

Troubleshooting Tunnels

Listed below are some troubleshooting tips in the event tunnels are not functioning:

- All tunnels use a standard UDP hole punching technology to get connected to each other. This is the same technology that VOIP phones use. You may need to turn on VOIP functions in the routers.
- The LabTech server needs port 70 TCP open (inbound rules).
- The LabTech server needs ports 70-75 UDP open (or the redirector port +5 on UDP). These are inbound rules.
- Make sure the DLLs are fully initialized. If this is a fresh Control Center or agent installation, restart the agent service or rerun the Control Center installation as administrator.
- If the connection of the tunnel cannot be made, you need to verify which end is at fault. First, test and see if you can connect anywhere. If you can connect to something outside of the network that you are on, then the problem is with the remote router. If you can connect to a computer in the network that your Control Center belongs to, it is a firewall issue. If you can connect to another computer at the remote location, then it's the remote computer's firewall.
- Router configuration is usually the only thing that will fix a tunnel that will not start. Some routers will NEVER allow connection. As a backup connection, relay connections are available (only five at a time) that will route all traffic through the LabTech server. They are a little slower but provide a backup connection to get by when routers need to be configured.
- The tunnels support UPNP, so enabling this on routers will get past many problem situations.
- Routers typically need to use predictable NAT. Almost all lower end units do this by default. Some higher end units use symmetric NAT and this is not compatible; however, most of these routers have a setting to allow VOIP phones and once this is turned on, the tunnel will work.
- Always look at the router configuration and look for Predictive NAT or VOIP settings and turn them on to see if this fixes the issue. Sonicwall has a VOIP setting that must be enabled for the tunnels to work.
- Turn off SIP Transformations, Helpers and Proxies.
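The port requirements above can be checked against a firewall's allow list before a tunnel is tested. The following Python sketch is an added example, not LabTech code: the `Rule` structure is a hypothetical, simplified allow rule that ignores direction and addresses, and the sample rule sets are constructed. It uses the guide's defaults (TunnelPort 40000, TunnelRandom 1000, redirector port 70) and flags the two common mistakes: matching the tunnel range on the destination port, and stopping the range one port short.

```python
from dataclasses import dataclass

# Values from this guide: TunnelPort 40000, TunnelRandom 1000, redirector port 70.
TUNNEL_PORT, TUNNEL_RANDOM, REDIRECTOR_PORT = 40000, 1000, 70
ANY = (1, 65535)  # inclusive (low, high) port range meaning "any port"

@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified allow rule (not any vendor's syntax)."""
    proto: str
    sport: tuple  # inclusive source-port range
    dport: tuple  # inclusive destination-port range

def tunnel_source_range(start=TUNNEL_PORT, count=TUNNEL_RANDOM):
    # The guide picks from TunnelPort thru TunnelPort+TunnelRandom, so the
    # upper bound is inclusive: 40000-41000, not 40000-40999.
    return (start, start + count)

def required_flows(redirector=REDIRECTOR_PORT):
    """(name, proto, source range, destination range) for each flow the guide lists."""
    return [
        ("tunnel UDP by source port", "udp", tunnel_source_range(), ANY),
        ("server TCP redirector port", "tcp", ANY, (redirector, redirector)),
        ("server UDP redirector port +5", "udp", ANY, (redirector, redirector + 5)),
    ]

def covers(outer, inner):
    """True when the inclusive range `outer` contains all of `inner`."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def audit(rules):
    """Names of required flows that no single allow rule fully covers."""
    return [name for name, proto, sport, dport in required_flows()
            if not any(r.proto == proto and covers(r.sport, sport)
                       and covers(r.dport, dport) for r in rules)]

SERVER = [Rule("tcp", ANY, (70, 70)), Rule("udp", ANY, (70, 75))]
# Constructed rule sets. The first matches the tunnel range on the destination
# port (the mistake the guide warns about); the second stops one port short.
BY_DEST = SERVER + [Rule("udp", ANY, (40000, 41000))]
SHORT = SERVER + [Rule("udp", (40000, 40999), ANY)]
GOOD = SERVER + [Rule("udp", tunnel_source_range(), ANY)]

if __name__ == "__main__":
    for label, rules in (("by-dest", BY_DEST), ("short", SHORT), ("good", GOOD)):
        print(label, audit(rules) or "all required flows covered")
```

If TunnelPort or TunnelRandom has been changed from the defaults, pass the configured values to `tunnel_source_range` so the audited range matches what the agents and Control Center actually use.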

Router/Firewall Configuration

Cisco

Figure 42: Cisco

In your Cisco configuration, make two rules to allow ports 40000-41000.

Untangle

NOTE: Version 8.0.2 is needed for Untangle to be considered acceptable.

1. From the Untangle WebGUI console, click on the Config tab.

Figure 43: Untangle WebGUI Console

2. Click Networking from the left navigation pane.
3. Click on Advanced, then General.
4. Deselect the Enable SIP Helper checkbox, if selected.

Linksys

Figure 44: Linksys

If the tunnel is working but data does not flow, select Disable for Firewall in your Linksys configuration.

SonicWall

Figure 45: SonicWall

1. In your SonicWall configuration, go to VoIP > Settings.
2. Select the Enable Consistent NAT checkbox.
3. Click Accept.

Watchguard

Some IDS systems will consider the tunneling mechanism to be an attacker due to its nature of finding a way out of the agent. To avoid this detection, make sure the routers/firewalls allow source ports 40000-41000 UDP. Additionally, you can select Network > Default Threat Protection > Default Packet Handling. From here, you can change the way the Watchguard handles these actions. Increase the Block Port Space Probes to 35 and your tunnels should start working.

Figure 46: Watchguard Default Packet Handling

Document Revision History

Date        Notes
07/28/2011  New - 2011.2
10/10/2011  Added table information for updating custom redirectors.
10/12/2011  Added router configuration information to troubleshooting.
10/13/2011  Added additional router configurations.
10/24/2011  Added Adding New Redirectors section.
11/01/2011  Added information for IDS systems.
12/01/2011  Added security information and UltraVNC, VNC to the list of redirectors.
01/25/2012  Updated for 2012 release. Added tunnel configuration and additional troubleshooting information.