Accessing a PC behind IP VPN

Digdis

Hi,
This might be a bit long but please bear with me:

I have a PC at work on which I need to run some tests from time to time. As some of these tests may fail, or finish ahead of time (when I'm not at work), I would like to be able to connect to my PC from home to check the status of these tests (and maybe run new ones).
Now, the only way to login to my work's network is using IP-VPN; this means that I can connect to the network, but I don't get an IP that enables me to contact my PC (not even with a ping). This of course prevents me from logging into my PC (say via remote desktop).
Now to my question: Is there an application I can run on my work PC, that will enable PCs on the outside world (like my home PC) to connect to me in an authenticated manner? Say using user & password and/or list of allowed IPs?

D.
 
Digdis said:
Hi,
This might be a bit long but please bear with me:

I have a PC at work on which I need to run some tests from time to time. As some of these tests may fail, or finish ahead of time (when I'm not at work), I would like to be able to connect to my PC from home to check the status of these tests (and maybe run new ones).
Now, the only way to login to my work's network is using IP-VPN; this means that I can connect to the network, but I don't get an IP that enables me to contact my PC (not even with a ping). This of course prevents me from logging into my PC (say via remote desktop).
Now to my question: Is there an application I can run on my work PC, that will enable PCs on the outside world (like my home PC) to connect to me in an authenticated manner? Say using user & password and/or list of allowed IPs?

D.

My post is more advice, than a suggestion.

If your network at work is that secure, and you are trying to find ways to exploit it, I would recommend against it. I'm sure that it is setup the way it is supposed to be setup for a reason. If you need access, talk to your Network Administrators, and if they feel you need to have it, they will set it up for you. Otherwise, do something else when you aren't working :)

Even if you were to find a way, someone who is that on top of things will find out, and won't be good for your job security :speechless:
 
kcnychief said:
My post is more advice, than a suggestion.

If your network at work is that secure, and you are trying to find ways to exploit it, I would recommend against it. I'm sure that it is setup the way it is supposed to be setup for a reason. If you need access, talk to your Network Administrators, and if they feel you need to have it, they will set it up for you.

Thanks for the advice. I did talk to my net admin. We are a small company getting our VPN services from our ISP, including this whole "IP-VPN" concept, so there's nothing much he can really do (other than switching ISP or program, which ain't practical). I'm not trying to exploit our network in any way.

kcnychief said:
Otherwise, do something else when you aren't working :)
That's the whole point. Otherwise, I would have to go to work. :)

D.
 
Well, your replies would change my solution a little bit. Is your work PC getting a static address, or is the network running DHCP? If it is static, couldn't you memorize, or write down the IP of the node, then once you have VPN'ed in, connect to it? Just because you can't ping doesn't mean you can't connect. If ICMP is blocked on your network (although it's not common) that would prevent you from pinging. Have you tried to connect through the NETBIOS name of the PC?

That is what makes sense to me, since in essence if you VPN in you are authenticated to the network. Is your PC running Windows XP SP2? If that is the case, you would have to configure the computer to accept incoming RDC requests. Also, do you have a domain controller, would this be affecting any settings at all?

No offense at all, but this is such a loaded question and I think it's a little sad that your own Admin can't figure it out. Reason being he would know how everything is setup whereas I would have to keep asking all these questions. I don't mind, and I like to brainstorm, just my opinion....

Let's start with the focal point, is your workstation Static or Dynamic in regards to IP?
 
kcnychief said:
My post is more advice, than a suggestion.

If your network at work is that secure, and you are trying to find ways to exploit it, I would recommend against it. I'm sure that it is setup the way it is supposed to be setup for a reason. If you need access, talk to your Network Administrators, and if they feel you need to have it, they will set it up for you. Otherwise, do something else when you aren't working :)

Even if you were to find a way, someone who is that on top of things will find out, and won't be good for your job security :speechless:
I seconded that. It is not wise to do that unless you are trying to blow your job off.

"Everything happens for a reason"
 
kcnychief said:
Well, your replies would change my solution a little bit. Is your work PC getting a static address, or is the network running DHCP? If it is static, couldn't you memorize, or write down the IP of the node, then once you have VPN'ed in, connect to it? Just because you can't ping doesn't mean you can't connect. If ICMP is blocked on your network (although it's not common) that would prevent you from pinging. Have you tried to connect through the NETBIOS name of the PC?

That is what makes sense to me, since in essence if you VPN in you are authenticated to the network. Is your PC running Windows XP SP2? If that is the case, you would have to configure the computer to accept incoming RDC requests. Also, do you have a domain controller, would this be affecting any settings at all?

No offense at all, but this is such a loaded question and I think it's a little sad that your own Admin can't figure it out. Reason being he would know how everything is setup whereas I would have to keep asking all these questions. I don't mind, and I like to brainstorm, just my opinion....

Let's start with the focal point, is your workstation Static or Dynamic in regards to IP?

Thanks for the help. Here are some details:
My work PC is getting a dynamic IP address. In order to check this, I memorized it. I don't think this is a problem - I don't intend to do this too often, and even if I do - there are ways to figure it out (like some tools that can send your IP address to an email address). The PC runs Win2K. We're planning to upgrade to XP SP2, but in the meantime it remains Win2K. Win2K hasn't got RDP natively installed, so I currently have a VNC server running. I have an RDP installation CD here (which I generally prefer), but didn't install it yet - just wanted to figure out I'd be able to contact my PC first. I didn't try contacting my NETBIOS name - will try it soon enough. Anyway I don't think ICMP is blocked here. Not sure about the domain controller - is this something I can see from my adapter's TCP properties dialog?

Cheers,
D.
 
Digdis said:
Thanks for the help. Here are some details:
My work PC is getting a dynamic IP address. In order to check this, I memorized it. I don't think this is a problem - I don't intend to do this too often, and even if I do - there are ways to figure it out (like some tools that can send your IP address to an email address). The PC runs Win2K. We're planning to upgrade to XP SP2, but in the meantime it remains Win2K. Win2K hasn't got RDP natively installed, so I currently have a VNC server running. I have an RDP installation CD here (which I generally prefer), but didn't install it yet - just wanted to figure out I'd be able to contact my PC first. I didn't try contacting my NETBIOS name - will try it soon enough. Anyway I don't think ICMP is blocked here. Not sure about the domain controller - is this something I can see from my adapter's TCP properties dialog?

Cheers,
D.

OK, first, if you are having your VPN setup through your ISP and you guys are running WIN2K, we need to discuss budget :) LOL just kidding, sorry I couldn't resist :)

First, DHCP would be a slight problem when trying to remote connect. Reason being if your computer reboots, or the lease on the IP expires, there is a chance, while it may be small, that your IP will not be the same. If anything, the 4th octet would change. For example, if you had 192.168.1.100 you could perhaps get 192.168.1.101 or something similar. You would receive the next available address within the pre-defined IP scope.

Not much else to say about your chatter, except the best way to find out if you are logging into a domain controller is how you login. Do you get a CTRL + ALT + DEL screen, do you login locally or through an authentication process. You can also right-click my computer, go to properties. Select the computer name tab. On this tab it will tell you if it is a member of a Domain or a Workgroup. I would be really shocked at this point if you had a domain controller, based on your other budgeting woes. But, if you do, this could control policies that would not allow remote connections unless you are a member of a certain security group. Like I said, loaded question.
 
kcnychief said:
OK, first, if you are having your VPN setup through your ISP and you guys are running WIN2K, we need to discuss budget :) LOL just kidding, sorry I couldn't resist :)
LOL :laugh: No it's not a budgetary problem. We've been working on Win2K for quite some time, and the move to XP was postponed mainly due to laziness.

kcnychief said:
First, DHCP would be a slight problem when trying to remote connect. Reason being if your computer reboots, or the lease on the IP expires, there is a chance, while it may be small, that your IP will not be the same. If anything, the 4th octet would change. For example, if you had 192.168.1.100 you could perhaps get 192.168.1.101 or something similar. You would receive the next available address within the pre-defined IP scope.
As far as I've noticed, my IP never changed (even between reboots). I think the DHCP policy is based on a per MAC address database (or something similar), so I really don't think this would be a problem.

kcnychief said:
Not much else to say about your chatter, except the best way to find out if you are logging into a domain controller is how you login. Do you get a CTRL + ALT + DEL screen, do you login locally or through an authentication process. You can also right-click my computer, go to properties. Select the computer name tab. On this tab it will tell you if it is a member of a Domain or a Workgroup. I would be really shocked at this point if you had a domain controller, based on your other budgeting woes. But, if you do, this could control policies that would not allow remote connections unless you are a member of a certain security group. Like I said, loaded question.
Surprisingly enough we have a domain controller (now I figured out your question). :nervous: I don't think our company runs such security group policies - how can I check (besides asking our NG IT guy)?

D.
 
Actually after I posted that, I realize it could have been a compatibility issue as well. Some of your apps might not have been stress tested on XP yet.

If your DHCP is tied to a MAC Database, that is actually referred to as an IP Reservation, just to clear that up. That works well, and would make remote connections easier.

As far as whatever policies are in effect, you can go to start -> run -> cmd

When at the CMD prompt, type "gpresult" without the quotes. That will tell you the name of the policy enforced, and in result also confirm there are policies being pushed out. Individual settings are impossible for me to help you with, because there are about 500 or so on WIN2K server, and close to 900 on WIN2K3 server. My numbers might be off, but with all those unique settings, only your Admin would have knowledge of how things are configured.

Have you asked him to help you at all with this? Just out of curiosity?
 
Digdis said:
As far as I've noticed, my IP never changed (even between reboots). I think the DHCP policy is based on a per MAC address database (or something similar), so I really don't think this would be a problem.
D.

Or the network admin set the IP lease to expire at much longer periods than the standard (is it 7 days if I'm not mistaken?). For example, on our network we've set it up to expire in 2028, that way every new PC on the network gets a new IP but they stick with it until they release/renew for whatever reason :) To check this, go to the command prompt and type ipconfig /all and it will tell you when your PC's IP lease expires.

So basically, even though you have a dhcp address, for all intents and purposes it could be considered static.
 
Hi,
At the place where I work I have set up a system where users will connect using the Mobile User VPN software in order to get into the network and then use PC Anywhere to access their local desktops. I realize this is not the case for you, but in the past, we bypassed the firewall and VPN restrictions altogether by using http://www.gotomypc.com, this software does not need to be passed through the VPN because it is a service that periodically sends outbound keepalive packets to a gotomypc server and therefore is not a traditional "inbound" connection.
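
An added example, not part of the original thread: a minimal detector for the periodic outbound keepalive pattern described in the post above, which an admin could run over egress logs to see where relay-based remote-access tools are in use. The log format, hostnames, addresses and thresholds are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress log: timestamp, internal source, destination, port.
# All hosts and addresses are placeholders, not real relay servers.
SAMPLE_LOG = """\
2005-01-10T09:00:00 10.0.0.23 relay.example.net 443
2005-01-10T09:00:30 10.0.0.23 relay.example.net 443
2005-01-10T09:01:01 10.0.0.23 relay.example.net 443
2005-01-10T09:01:30 10.0.0.23 relay.example.net 443
2005-01-10T09:02:00 10.0.0.23 relay.example.net 443
2005-01-10T09:02:31 10.0.0.23 relay.example.net 443
2005-01-10T09:00:05 10.0.0.23 www.example.org 443
2005-01-10T09:00:07 10.0.0.23 www.example.org 443
2005-01-10T09:03:40 10.0.0.23 www.example.org 443
2005-01-10T09:10:12 10.0.0.23 www.example.org 443
2005-01-10T09:10:13 10.0.0.23 www.example.org 443
2005-01-10T09:04:00 10.0.0.40 mail.example.com 25
2005-01-10T09:30:00 10.0.0.40 mail.example.com 25
"""

def find_keepalive_flows(log_text, min_events=5, max_jitter=0.1):
    """Return flows whose outbound connections recur at a near-constant interval."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))

    hits = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_events:
            continue  # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        # Coefficient of variation: human browsing is bursty (high),
        # a timer-driven keepalive is regular (low).
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port,
                         "period_s": round(mean), "events": len(times)})
    return hits

if __name__ == "__main__":
    for hit in find_keepalive_flows(SAMPLE_LOG):
        print(hit)
```
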
 
If and when you upgrade to Windows XP you can use RDP (Remote Desktop Protocol) which you could use the computer name instead (so you wouldn't have to worry about IP addresses). However, you would need VPN access to be able to do this.
 
Thanks guys for all the help. I'll try all your suggestions when I'm back at work on Monday.

Bootsy said:
Hi,
At the place where I work I have set up a system where users will connect using the Mobile User VPN software in order to get into the network and then use PC Anywhere to access their local desktops. I realize this is not the case for you, but in the past, we bypassed the firewall and VPN restrictions altogether by using http://www.gotomypc.com, this software does not need to be passed through the VPN because it is a service that periodically sends outbound keepalive packets to a gotomypc server and therefore is not a traditional "inbound" connection.
Bootsy - this seems exactly like the kind of app I was looking for. How would you describe your experience with it? The only thing that bothers me there, is that I need to rely on their site in order to login into my work's PC. Seems like both a security and a reliability problem to me.
Cheers,
D.
 
OK. Did my research during the weekend, and here are my findings:
First tried the GoToMyPc app. Works well. Only problem is that it's not free - I'm willing to pay, but its charging model is monthly subscription, which is unreasonable for sporadic uses such as mine.
Looked around, and found LogMeIn (logmein.com). Has the same functionality as GoToMyPc, but it's free :). Their reasoning behind it BTW is that they do charge for complementary services like file management and file sharing. I also like their security model - user & password are needed to log into the LogMeIn account, and then you need the standard windows authentication to log into your machine. Good enough for me. The remote control has a VNC style (I like RDP better), but it does the job.
The following link compares between apps of this kind: http://www.pcmag.com/article2/0,1759,1812747,00.asp

Thanx everyone for the help.
D.
 
