It’s clear that over the last few years more and more of our customers have added home computing and networking to their electronic lifestyle. As custom electronic integrators, we have developed increasingly sophisticated solutions that tie the home network into the printing, file sharing, audio/video and control systems of the home. As a result, the need to provide rapid technical assistance when there is a home network issue becomes increasingly important as more and more of the home’s electronic infrastructure relies on the passing of TCP/IP data packets for proper performance.
Rather than send a service technician to your client’s home each time there is a networking problem, you can rely on the remote access tools built into Windows XP (an incoming VPN connection plus Remote Desktop) to solve your clients’ problems from your office. An added benefit of these tools is that your client can also reach their home network remotely to transfer files, check e-mail, even turn the home’s thermostat on or off if it is connected to the home network.
Let’s review how to best use a Virtual Private Network (VPN) connection together with Remote Desktop to accomplish these remote access tasks.
First, it’s important to understand the local and wide area network considerations of what we are trying to accomplish. A request from outside the home network to enter it must be authenticated, so that only a person who is allowed in actually gets in, as opposed to an attacker on the Internet probing for an unguarded way into the home network. The remote user must also know the public IP address at which the host home computer can be reached in order to establish a connection. The challenge is that most home networks have a router installed between the home’s networked computers and the cable or DSL modem that provides broadband connectivity to the Internet.
These routers have built-in firewalls that block unsolicited connections from the Internet into the home network. Secondarily, they “hide” the private addresses of the home computers behind the single public address of the router by using network address translation (NAT), so an outside computer cannot address a home computer directly. The last challenge the remote user faces is that the router’s public IP address will often change, since most broadband service providers only assign dynamic public addresses to their customers. So how do we pass through these “roadblocks” in a secure and reliable manner to provide remote desktop access and support?
We start by establishing a Virtual Private Network (VPN) connection between the remote client and the host computer at home. This is an encrypted tunnel that allows the remote client to behave as a virtual node on the home network. To establish it, one of the computers on the home network must be set up to accept an incoming VPN connection (you can do this with the Windows XP connection wizard; XP’s incoming connection uses the PPTP protocol) and the remote computer has to be set up to make a VPN connection (also done with a Windows XP wizard). On the home computer that will accept the incoming connection you specify which user accounts are allowed to connect and what their login and password must be to be allowed on the home network. Give these accounts long, unguessable passwords: PPTP’s MS-CHAP authentication offers little protection against password guessing, so the password is the real lock on the door.
The next step is to open the router’s firewall so that the VPN connection can take place. PPTP needs two things to reach the host computer: TCP port 1723, over which the control connection is set up, and GRE (IP protocol 47), which carries the tunnelled data. Opening TCP 1723 alone is not enough; a router that forwards 1723 but drops GRE will accept the connection and then fail when the tunnel comes up. So forward TCP port 1723 to the private IP address of the home computer hosting the incoming connection, and enable the router’s “PPTP pass-through” (sometimes “VPN pass-through”) option, which takes care of GRE; some routers bundle both under a single PPTP server setting. Because the forward points at a fixed private address, give the host computer a static LAN address or a DHCP reservation so the forward does not break the next time the router hands out addresses. While this sounds complicated, it is only a matter of a few mouse clicks and keystroke entries in your router’s configuration page.
The last step of setting up the VPN can be the most challenging. The public address of the router at the client’s home can change without any notification to the remote user, and connecting becomes a hit-or-miss game of aiming at a constantly moving target. One solution is to lock the router down to a public, static IP address (this can be done, but usually requires the homeowner to pay the Internet Service Provider an additional monthly fee for this luxury). Without a static IP address, the homeowner can instead subscribe to a dynamic DNS (DDNS) service: a small update client on the home network reports the router’s current public address, and the service keeps a fixed, registered host name pointing at it, which the remote user can then reliably use to establish the VPN connection. (More information on DDNS services can be found in my August 2003 article on DDNS services.)
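Before handing the setup over to the client, it pays to confirm from outside the home that the router really delivers the VPN control channel to the XP host. The Python script below is an added example, not part of the original article: it sends the first PPTP control message (a Start-Control-Connection-Request on TCP 1723) to the router’s DDNS name and decodes the reply using the message layout from RFC 2637. The host name “home-router.example” is a placeholder, and the sample reply built into the script is constructed for offline use, not captured from a real Windows host.

```python
"""Probe the home router for a PPTP (Windows XP incoming connection) host.
Sends an SCCRQ to TCP 1723 and decodes the SCCRP (RFC 2637 layout).  A valid
SCCRP proves the router forwards TCP 1723 to the XP host; it does NOT prove
that GRE (IP protocol 47), which carries the tunnelled data, gets through."""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D      # fixed value in every PPTP control message
CTRL_MESSAGE = 1               # PPTP Message Type 1 = control message
SCCRQ, SCCRP = 1, 2            # Control Message Types used here
PROTOCOL_VERSION = 0x0100      # PPTP version 1.0

# Header: length, message type, magic cookie, control message type, reserved
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved, framing caps, bearer caps, max channels,
#             firmware revision, host name (64 bytes), vendor (64 bytes)
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: version, result code, error code, framing caps, bearer caps,
#             max channels, firmware revision, host name (64), vendor (64)
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")
MESSAGE_LEN = HEADER.size + SCCRQ_BODY.size   # 156 bytes for both messages

RESULT_CODES = {1: "OK", 2: "general error", 3: "control channel already exists",
                4: "requester not authorized", 5: "protocol version not supported"}


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Build the SCCRQ a client sends first (async+sync framing, both bearers)."""
    body = SCCRQ_BODY.pack(PROTOCOL_VERSION, 0, 0x3, 0x3, 1, 0, hostname, vendor)
    return HEADER.pack(MESSAGE_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body


def build_sccrp(result_code=1, error_code=0, hostname=b"xp-host", vendor=b"Microsoft"):
    """Build an SCCRP the way a server would; used only to construct the offline
    sample below (the host and vendor strings are made up, not captured)."""
    body = SCCRP_BODY.pack(PROTOCOL_VERSION, result_code, error_code, 0x3, 0x3, 1, 0, hostname, vendor)
    return HEADER.pack(MESSAGE_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + body


# Constructed sample reply from a hypothetical XP host named "xp-host"
SAMPLE_SCCRP = build_sccrp()


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError for anything that is not one (e.g. a
    router admin page answering because the port forward was mistyped)."""
    if len(data) < HEADER.size:
        raise ValueError("short read: %d bytes" % len(data))
    length, msg_type, cookie, ctrl_type, _ = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("not PPTP: bad magic cookie 0x%08x" % cookie)
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("unexpected message type %d/%d" % (msg_type, ctrl_type))
    if length != MESSAGE_LEN or len(data) < MESSAGE_LEN:
        raise ValueError("bad SCCRP length %d (got %d bytes)" % (length, len(data)))
    version, result, error, _fr, _br, _chan, _fw, host, vendor = SCCRP_BODY.unpack_from(data, HEADER.size)
    return {
        "version": version,
        "result_code": result,
        "result": RESULT_CODES.get(result, "unknown"),
        "error_code": error,
        "hostname": host.rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace"),
    }


def is_sccrp(data):
    """True if data is a well-formed SCCRP, whatever its result code."""
    try:
        parse_sccrp(data)
        return True
    except ValueError:
        return False


def probe_pptp(host, port=PPTP_PORT, timeout=5.0, connect=socket.create_connection):
    """Connect through the router, send an SCCRQ and return the decoded SCCRP.
    Raises OSError if nothing answers on the port, ValueError if it is not PPTP."""
    with connect((host, port), timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < MESSAGE_LEN:
            chunk = sock.recv(MESSAGE_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


if __name__ == "__main__":
    import sys
    # Pass the router's DDNS name or current public address; the default is a placeholder
    target = sys.argv[1] if len(sys.argv) > 1 else "home-router.example"
    try:
        reply = probe_pptp(target)
    except (OSError, ValueError) as exc:
        print("no PPTP answer from %s:%d (%s); check the TCP 1723 forward" % (target, PPTP_PORT, exc))
    else:
        print("PPTP server %r answered: %s" % (reply["hostname"], reply["result"]))
        print("TCP 1723 is forwarded; if the XP client then stalls at 'Verifying user name"
              " and password', GRE (IP protocol 47) is most likely being blocked")
```

Run it from outside the home (a laptop on a hotspot or a dial-up line) with the router’s DDNS name as the argument. A decoded reply means the name resolves and the TCP 1723 forward lands on the XP host; a connection refused or timeout points at the forward or the DDNS record, and a “bad magic cookie” error means something other than the PPTP server answered. GRE cannot be checked this way, which is why the last line reminds you of the symptom to look for on the XP client.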
Once the VPN connection is set up and we have connected as an authorized node on the home network, we can invoke Windows XP Remote Desktop to control any computer in the home that is configured to accept a Remote Desktop request. Because the Remote Desktop traffic travels inside the VPN, no additional port (Remote Desktop listens on TCP 3389) needs to be opened on the router; leave it closed to the Internet. Note that the home computer has to give permission for this connection to occur. This is accomplished by enabling remote access on that computer and specifying an authorized user list (with the appropriate login and password; XP by default refuses remote logons to accounts that have a blank password). Remote Desktop hosting is only available on Windows XP Professional (not XP Home). Therefore, if you as the integrator or your client want to reach a given home computer remotely, make sure that computer is running (or has been upgraded to) Windows XP Pro.
At this point you will have successfully entered the private home network, either to provide remote troubleshooting or to use the home network’s content and services. Remember that to get this far you had to know the exact login and password for both the VPN and the Remote Desktop connection. This gives the homeowner a level of safety and security: only persons with this information can enter their network. These logins and passwords must be safeguarded just as one safeguards the keys to the house. Just as a door lock should be changed when a house key is lost, login and password information should be changed if it is lost or stolen, and an account that is no longer needed (a technician’s account once the job is done, for example) should be removed rather than left enabled.
A properly set up remote desktop connection can dramatically increase the value and functionality of the home network for the homeowner. For example, anywhere a laptop can connect to the Internet (at one of the ever-increasing wireless hot spots around the country) one can be a node on the home network and gain access to all of its content and services. Remote access services are a great way for your client to enhance the value of their home network, and an opportunity for the savvy integrator to add valuable remote troubleshooting services at a fraction of the cost of sending an engineer onsite.
Gordon van Zuiden (gordon@cybermanor.com) is president of cyberManor, in Los Gatos, California.