I’d like to use Windows XP Remote Desktop to view my work computer from home, but our IT guy says that it’s not possible because they don’t assign unique IP addresses to individual computers in our office.
But I thought my computer had to have some kind of unique identifier in order to connect and interact with the Internet? If so, could I use that same configuration (whatever form it might take) to use Remote Desktop anyway?
Your computer does have a unique IP address, for your network. What the IT guy meant was that your computer is not assigned a permanent address. You most likely get an address assigned from a pool, which could change every time you turn your system on (which is also not entirely accurate, but will work for our purposes.)
There are other problems. Your company’s network uses private IP addresses, which are not accessible from the internet at large. This is mediated through some firewall system. Probably the guy was trying to just give you a quick answer without going into details.
BUT, does your company have a VPN solution? Remote desktop is certainly doable with that.
I use a VPN to remote into my network, then I remote into my computer at work using the IP address. My IP is dynamically assigned, but I’ve never had the address change in over two years.
I am not sure about your company’s policies on alternative solutions but LogMeIn (https://secure.logmein.com/home.asp?lang=en) is a perfectly legitimate solution for this with a free version for what you want to do. It works at least as well as remote desktop and allows you to access your work computer from any web connected computer. I work in IT and have used it off and on for a couple of years. The security and company are well respected but some IT departments may get snippy from such a thing so YMMV.
LogMeIn seems to use NAT traversal with a central host to bypass firewalls - it will probably work, but check with your IT department. Don’t just do it - they will get upset and cut you off pretty quickly if you do, and you may find yourself in deep trouble.
The second option is a VPN solution, if the IT department supports it.
The final option is port forwarding, if the IT department is willing to pinhole the firewall. This is probably the least likely option they will consider.
It’s always possible. It’s just a matter of how much know-how you need in order to actually do it. Even if you don’t have a predictable IP address, you can set up an SSH tunnel to an outside computer with port forwarding that lets you get back in via the forwarded port. The question is how much you want to piss off the IT guys by doing something they say you can’t do.
This would be a major security hole. Ask your IT guy about setting up a specific terminal server in the DMZ for you and others who may have the same requirement. He may have one already set up so he can do remote support. But you need to be very careful and security-conscious here.
But really, what is it you wish to do? Are there alternative solutions? For example, if it’s email / PIM there’s web access for both Outlook / Exchange and Lotus Notes.
No, YOU can’t, unless you have both the skillset and the authority to configure the network. I’m guessing you don’t.
The network admin boys CAN do it for you. But they would need to have a good reason to permit you to do so.
It might be that such access is against the company security policy, so they won’t allow it.
Says Peter, who just today completed his Cisco network management course. Configuring this sort of thing is one of the last and most difficult things I studied.
Thanks for the suggestions, guys. Shagnasty, ntucker those seem like good suggestions, I’ll experiment with those and a couple of other things. As for what I want to do, I’m tired of sitting in my cube 14 hours a day, and would like to access the entirety of my work computer while sitting beside the pool at the club.
Peter, congratulations! You must feel so special! Good luck in doggedly protecting your authority and guardedly dispensing your run-of-the-mill knowledge, always!
This doesn’t require any special powers. I certainly never had permission to reconfigure Microsoft’s NAT when I worked there, and I definitely proved that I could establish a tunnel into my firewalled home network such that machines on my home network could establish an RDP connection to my desktop machine at Microsoft. Of course, this is a blatant violation of their corporate security policies (if my home machines were ever compromised, for example, this turns into a massive hole), so I didn’t leave it this way for fear of being fired…those Microsoft network security cops are on the ball like nobody’s business.
[True story: I installed BitTorrent on my office machine once in order to just fiddle with the technology and see how it worked. Within minutes, my office’s network ports were automatically turned off (as in, no link light) and I soon got a call from the network guys explaining that they detected BitTorrent traffic and I was required to completely wipe the machine it had been on. I uninstalled it and did a System Restore on the machine to roll it back to the previous day’s state, and they called me back and said “Uh-uh. You didn’t wipe it. We can tell.” They’re not messing around.]
NAT Networks 101
An internal PC (intIP) connects to the internet via a NAT firewall. It attempts to connect to a remote service (say, https on port 443) via the gateway, and uses a locally defined random port (say 2123). The NAT device takes note of the connection attempt, and reattempts the connection from its external (valid) internet address with a new port id (65531), and remembers the translation from extIP:65531 to intIP:2123. The destination server replies to extIP:65531 and the NAT device passes the packets to intIP:2123. Thus, communication occurs. If no data is passed via a particular port, the NAT device eventually closes it and the translation table is dropped.
Applications like Skype and LogMeIn use NAT traversal, and rely on an external mediator. The flow is thus. Client1 with int1IP connects via NAT to the mediator medIP, thus setting up int1IP+port—medIP+port translation via NAT1+port. Another client does the same with its NAT (NAT2+port). When client1 and client2 want to talk directly, they handshake via the mediator, and exchange NATIP+port information. Then they tweak the existing connection information without changing the NAT1+port/NAT2+port settings, and start to communicate directly with each other. Since services like Skype and p2p that use NAT traversal are usually high bandwidth, IT departments (who pay for the internet connection) dislike them intensely, and many places restrict or block connections to the mediators of such services (if they are well known).
So, creating a tunnel out from inside the network is easy, if the destination IP or service is not blocked, because that is how NAT is supposed to work. Without this established outgoing connection, creating a connection in is impossible without a forwarding rule on the NAT/firewall that says that a connection to a specific port should be passed to intIP-port. Changing these rules is a job for the network people.
And for the OP - something is very wrong if you are expected to be working 14 hours a day. There are labour laws to prevent that sort of abuse of employees (at least in civilized countries). That’s all I can say.
You might manage other employees, but you are an employee of the corporation too. The corporation should not get a pass on employee abuse because they tagged Manager to your job description and gave you responsibility over other people.
Stop drinking the kool-aid.
I’ll stop ranting now.
Anyhow, if you are management, you can tell the IT guys to solve your problem of needing to access your PC remotely.
That’s how managers do their job, isn’t it - shifting the problem on to the person who didn’t get out of the way fast enough?
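The NAT behaviour the "NAT Networks 101" post walks through (outgoing connection creates a translation, replies are mapped back, unsolicited inbound traffic is dropped unless an admin adds a forwarding rule, idle translations expire) as a small simulation. This is an added example, not code from the thread; the `Nat` class, the addresses and the 60-second idle timeout are constructed, and the model is address-restricted (a reply is only accepted from the peer the inside host contacted), which is an assumption about the device.

```python
# Toy model of the NAT translation table described above (constructed example;
# addresses are from the documentation ranges, the idle timeout is arbitrary).
EXT_IP = "203.0.113.5"   # the NAT device's public address

class Nat:
    def __init__(self, ext_ip, idle_timeout=60.0, first_port=65531):
        self.ext_ip, self.idle_timeout, self.next_port = ext_ip, idle_timeout, first_port
        self.table = {}     # ext_port -> {"inside": (ip, port), "remote": (ip, port), "seen": t}
        self.forwards = {}  # static pinholes the admins configure: ext_port -> (int_ip, int_port)

    def add_forward(self, ext_port, int_ip, int_port):
        self.forwards[ext_port] = (int_ip, int_port)

    def expire(self, now):
        # Translations that carried no traffic within idle_timeout are dropped.
        for p in [p for p, e in self.table.items() if now - e["seen"] > self.idle_timeout]:
            del self.table[p]

    def outbound(self, int_ip, int_port, remote_ip, remote_port, now):
        """Inside host opens a connection: allocate (or refresh) an external port and record it."""
        self.expire(now)
        for ext_port, e in self.table.items():
            if e["inside"] == (int_ip, int_port) and e["remote"] == (remote_ip, remote_port):
                e["seen"] = now
                return ext_port
        ext_port, self.next_port = self.next_port, self.next_port - 1
        self.table[ext_port] = {"inside": (int_ip, int_port),
                                "remote": (remote_ip, remote_port), "seen": now}
        return ext_port

    def inbound(self, remote_ip, remote_port, ext_port, now):
        """Packet arrives at extIP:ext_port; return the inside destination, or None if dropped."""
        self.expire(now)
        e = self.table.get(ext_port)
        if e and e["remote"] == (remote_ip, remote_port):
            e["seen"] = now
            return e["inside"]
        return self.forwards.get(ext_port)  # only a static rule lets unsolicited traffic in

def scenario():
    nat = Nat(EXT_IP)
    ext = nat.outbound("192.168.1.10", 2123, "198.51.100.7", 443, now=0)  # PC -> https server
    reply = nat.inbound("198.51.100.7", 443, ext, now=1)                   # server reply mapped back
    stray = nat.inbound("198.51.100.7", 443, 3389, now=1)                  # unsolicited RDP: dropped
    spoof = nat.inbound("192.0.2.99", 443, ext, now=1)                     # other peer on a live port: dropped
    expired = nat.inbound("198.51.100.7", 443, ext, now=500)               # idle translation aged out
    nat.add_forward(3389, "192.168.1.10", 3389)                            # admin pinholes RDP
    pinhole = nat.inbound("192.0.2.99", 50000, 3389, now=600)              # now it reaches the PC
    return {"ext": ext, "reply": reply, "stray": stray, "spoof": spoof,
            "expired": expired, "pinhole": pinhole}
```

Running `scenario()` shows why the remote-desktop request in the original question fails: nothing reaches 192.168.1.10:3389 until the admins add the forwarding rule, and the only alternative the post describes is a mediator-assisted traversal.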
:rolleyes: Um, thanks for the lesson, but I’m well aware of how NAT works. Is there some reason you think what I propose (using an outgoing connection to host a tunnel with a listener on the outside) won’t work? Because it will.
Not everyone does understand NAT. I had to explain some NAT/firewall concepts to my father-in-law, who taught my 3rd year uni Comms course and who writes programming languages for personal interest. I just wanted to provide some background for those not familiar with NAT concepts.
I didn’t say it wouldn’t work - indeed, it does (assuming that the firewall allows the connections). But if you don’t have a static listener on the outside, you need to use a NAT traversal system as described, or get some firewall rules set up.