If you’ve ever tried to help a novice user troubleshoot a Windows problem over the phone, you know how frustrating the entire process can be. It’s usually difficult for an inexperienced user to accurately communicate detailed configuration information, especially if the problem involves technically challenging areas such as hardware drivers or network protocols. Because you’re not looking over the user’s shoulder, you can’t see error messages or informational dialog boxes, so you have to rely on the user to read this crucial information back to you. Even when you successfully pin down the problem and find a solution, you have to walk the user through a repair process that can be daunting.
With Windows XP, on the other hand, you can eliminate most of those headaches using a new support tool called Remote Assistance. This feature, available in both Windows XP Professional and Home Edition and on Windows Server 2003, lets you open a direct connection between two machines over the Internet or over a local area network. Even if you’re hundreds or thousands of miles away, you can watch as the user demonstrates the problem and take control of the screen to make repairs quickly and accurately. You can investigate Control Panel settings, run diagnostic tools, install updates, and even edit the registry of the problem-plagued PC. Repairs that might have taken hours the old-fashioned way can be accomplished in a few minutes using this tool.
What's the difference between Remote Assistance and Remote Desktop?
Behind the scenes, Remote Assistance uses Windows XP/2003 Terminal Services to share a desktop and other resources between two PCs. Although this is the same underlying code used in the Remote Desktop feature, Remote Assistance is fundamentally different in two ways. First, in a Remote Assistance session, both users must be present at their respective PCs and must agree to establish the connection. Second, you can use Remote Assistance to connect to a PC running Windows XP Home Edition, whereas incoming Remote Desktop connections can only be enabled on Windows XP Professional or Windows Server 2003.
Remote Assistance is designed for informal, peer-to-peer use by Windows users without an extensive technical background. Although the user interface hides most of its complexities, a basic understanding of how Remote Assistance connections work can help you make reliable connections without compromising the security of either computer.
How Remote Assistance Works
The two parties in a Remote Assistance session are called the novice and the expert. To use Remote Assistance, both parties must be using Windows XP Professional or Windows Server 2003, both must have active Internet connections or be on the same local area network, and neither can be blocked by firewalls.
Creating a complete Remote Assistance session is a three-step process:
- The novice sends a Remote Assistance invitation, typically using Windows Messenger or e-mail.
- The expert accepts the invitation, opening a terminal window that displays the desktop of the novice’s machine.
- The expert can view the desktop in a read-only window and exchange messages with the novice using text or voice chat. Before the expert can work with objects on the remote PC, the novice must enable the Allow Expert Interaction option.
At the heart of each Remote Assistance connection is a small text file called an RA ticket. (More formally, its type is Microsoft Remote Assistance Incident and its extension is .msrcincident.) This file uses XML fields to define the parameters of a Remote Assistance connection. When you use Windows Messenger to manage the connection, the RA ticket is never visible. When a novice sends a Remote Assistance request via e-mail, however, the RA ticket rides along as an attachment to the message. The expert has to double-click this file to launch the Remote Assistance session.
Remote Assistance works by creating a direct connection between two computers using the TCP/IP protocol. For this connection to be successful, both computers involved must be able to communicate using their respective IP addresses.
Sending a Remote Assistance Invitation
By default, Windows XP requires that a user request assistance before a Remote Assistance connection is made. From the Help And Support Center home page, click Invite A Friend To Connect To Your Computer With Remote Assistance. (You can also reach this page from the Remote Assistance shortcut on the All Programs menu.)
Click Invite Someone To Help You. The Remote Assistance pane offers three methods to send an invitation for assistance.
- Windows Messenger - If you’re currently signed on to Windows Messenger, a list of available contacts appears in the Remote Assistance pane. Choose a name and click Invite This Person. Because each user is authenticated through a .NET Passport, there’s no need to provide a separate password for this request. The expert sees the request directly in the Messenger window and can click a link to launch the connection.
If you need to send a Remote Assistance invitation (or help someone else send an invitation to you), Windows Messenger is by far the quickest and easiest option. You get immediate confirmation that the invitation has been received and accepted, and the Messenger window handles the connection details without requiring any file attachments. Skip the extra steps in the Help And Support Center, and send the invitation directly from Messenger by choosing Tools, Ask For Remote Assistance.
- E-mail - To send an invitation via e-mail, enter an e-mail address or click the Address Book icon to select a name from the Windows Address Book; then click Invite This Person. You can enter the text you want to appear in the body of the message, as shown here, and then click Continue to set an expiration time and password. Click the Send Invitation button when you’ve filled in all the details.
- Save Invitation as a File (Advanced) - This option is for use when another connection type is impossible or impractical. As with the e-mail option, you can define an expiration time and password. After saving the file locally, you’re responsible for transferring it to the remote assistant, typically by attaching it to an e-mail message or saving it on a floppy disk or a shared network location.
Sending a Remote Assistance Invitation
- Open Help and Support Center by clicking Start, and then clicking Help and Support. Under Ask for Assistance click Invite a friend to connect to your computer with Remote Assistance.
- The Remote Assistance page is displayed. Click Invite someone to help you.
- There are three available options for sending the Remote Assistance invitation: Windows Messenger, e-mail, or saving the invitation as a file. Choose one of the three options, and then follow the directions. With the e-mail or Save Invitation as a File methods, the Novice is given the opportunity to protect the session with a password. The Novice must also select a time period after which the invitation automatically expires. The Novice can expire any invitation at any time by clicking the View invitation status link on the Remote Assistance page that is referred to in Step 3.
- When the Expert receives the invitation, the Expert is prompted for the password which the Novice set. After supplying this password, the Expert can initiate the Remote Assistance session.
- After the Expert initiates the session, the Novice's computer verifies the password that the Expert entered.
- The Novice's computer also checks to make sure that the invitation that the Expert used is a valid invitation and that the invitation is still open.
- If the invitation is open and the password is correct, the Novice receives a notification stating that the Expert wants to start the session now and the Novice is prompted to start the Remote Assistance session.
- If the Novice chooses to start the session, the Remote Assistance Novice chat dialog box will open on the Novice's computer and the Remote Assistance Expert console opens on the Expert's computer. At this point, the Expert can see everything on the Novice computer, in real time.
- The Expert can request to take control of the Novice's computer at this point by clicking the Take Control button on the Expert console. This sends a message to the Novice's computer notifying the Novice that the Expert is requesting to take control of the computer. The message provides the following three methods by which the Novice can stop the Expert's control of their computer:
  - Press the ESC key.
  - Hold down the CTRL key, and then press the C key.
  - Click the Stop Control button next to the Novice's chat window.
- If the Novice chooses to give control of the computer to the Expert, the Novice and the Expert share control of the keyboard and the mouse. It is best if the Novice does not move the mouse or type while the Expert has control, because the session responds to both users' inputs, which causes the mouse to behave erratically. If the Novice stops control, the Remote Assistance session continues and the Expert can still see the Novice's desktop.
Working in a Remote Assistance Session
After the expert launches the connection request and the novice grants permission, a two-pane Remote Assistance window opens on the expert’s machine. The left pane is used for text chat; the pane on the right displays the novice’s desktop. As the expert, you’ll use the toolbar at the top of the Remote Assistance window. (The novice has similar options available on a toolbar whose format is slightly different.)
For obvious security reasons, clicking the Take Control button sends a request to the novice, who has to grant permission before you can actually begin working with the remote desktop. At any time, the novice can cut off your ability to control the session by tapping the Esc key, or you can click the Release Control button on the Remote Assistance toolbar.
Regardless of your expert credentials, your actions in a Remote Assistance session are governed by the privileges assigned to the novice user’s account. When connecting to a machine belonging to a user with a limited account, for instance, you might be unable to edit the registry or make necessary configuration changes unless you can supply an administrator’s password (using the Run As dialog box).
Remote Assistance is a powerful tool. In the wrong hands, it’s also potentially dangerous, because it allows a remote user to install software and tamper with a system configuration. In a worst-case scenario, someone could trick an unsuspecting novice into allowing access to his or her machine, and then plant a Trojan application or gain access to sensitive files.
- Set a short expiration time on Remote Assistance invitations sent via e-mail. A time of 1 hour should be sufficient for most requests. (Note that the invitation must be accepted within the specified time; you don’t need to specify enough time to complete the Remote Assistance session.) An expired RA ticket file is worthless to a potential hacker.
- Assign a strong password to Remote Assistance invitations. Because e-mail is fundamentally insecure, never send a Remote Assistance invitation without password-protecting it first. This option is selected by default when you create an invitation. Communicate the password by telephone or in a separate e-mail message; don’t include it with the RA ticket.
- Manually expire invitations when they’re no longer needed. To do so, open the Remote Assistance page in the Help And Support Center and then choose the View Invitation Status link. The resulting window shows all recently issued invitations and allows you to resend, delete, or change the expiration date of an invitation.
- Disable Remote Assistance on any machine where its possible benefits are outweighed by potential security risks. To completely disable Remote Assistance on a given machine, open System in Control Panel, click the Remote tab, and then clear the Allow Remote Assistance Invitations To Be Sent From This Computer check box. If that step is too drastic, you can limit Remote Assistance capabilities so that an expert cannot take control of the remote machine. Click the Advanced button on the Remote tab and then clear the Allow This Computer To Be Controlled Remotely check box.
In some cases, you may want to create a long-term Remote Assistance invitation. If you’re the expert for a friend or family member, for instance, there’s no need to create a new invitation each time the novice gets stuck. Instead, have that person create an invitation and save it as a file. From the novice’s machine, open the Help And Support Center, select the Save Invitation As A File option, and specify the maximum expiration time of 99 days. Store the invitation in a convenient place on your system, and use it each time you get a call for help. Note that this option will not work if the novice has a dial-up Internet account whose IP address changes with each new connection; it’s most effective when the novice has a cable modem or other always-on connection with a fixed IP address.
Improving Remote Assistance Performance
You might shudder at the thought of accessing another desktop over a dial-up connection. Surprisingly, the performance can be quite usable. You wouldn’t want to use this sort of connection for everyday work, but for troubleshooting, it’s good enough. You can maximize Remote Assistance performance over a dial-up link by observing these precautions.
- Try to connect at 56 Kbps, if possible.
- Reduce the visual complexity of the novice machine as much as possible: Reduce the display resolution to 800x600 and use only as many colors as is absolutely necessary. (Remote Assistance automatically disables wallpaper and other nonessential graphics.)
- Turn off desktop animations and other sophisticated visual effects, and avoid opening windows that contain complex graphics unless absolutely necessary.
- Close any unnecessary applications on the novice machine. Don’t move the mouse on the novice machine, if possible, when the expert is in control of the screen.
Remote Assistance Problems
Double-clicking an RA ticket results in an error message - If you’re experiencing problems with a Remote Assistance connection and you’re using an RA ticket file (not Windows Messenger), make sure the ticket file is pointing to the correct IP address. If you received the invitation via e-mail, save the rcBuddy.MsRcIncident file and open it using Notepad or another text editor.
Look at the RCTICKET field, which follows this format:
Check the IP address value to be certain it points to the current IP address of the novice’s machine and, if necessary, edit it. But don’t tamper with the encrypted connection info data.
Public IP addresses
A Remote Assistance connection is relatively easy when both parties have public IP addresses provided by an Internet service provider (ISP). In that scenario, the computers connect directly, sending and receiving data on TCP port 3389. Routers along the Internet connection between the two computers are able to recognize the addresses of the two computers and send the respective packets to their correct destination.
Note: Internet Connection Firewall in Windows XP automatically opens this port when you request a Remote Assistance connection.
Remote Assistance connections are also straightforward and typically trouble-free on a private network such as a workgroup in a home or small office. In that case, each machine can communicate directly with the other without having to pass through any routers.
Use a VPN if possible
On a corporate network, the preferred way to work around firewalls is to establish a virtual private network (VPN) connection. This allows all traffic to pass through the firewall and eliminates the need to create possible security holes by opening specific ports.
Private IP addresses
What happens if one or both sides of the connection are using private IP addresses assigned through Network Address Translation (NAT)? That’s when Remote Assistance gets complicated. Because these addresses are reserved for exclusive use on private networks, they cannot be routed over the Internet. Instead, a software or hardware-based NAT device handles the grunt work of passing data between the single public IP address it uses to communicate with the Internet and the private IP addresses on the local network. How it performs that job determines whether the Remote Assistance connection will succeed or fail. The exact outcome depends on how the computer acquired the private IP address:
- Internet Connection Sharing - When you use Internet Connection Sharing (ICS) from Windows XP or Windows Me, the ICS server hands out private IP addresses to all other computers on the network. The ICS server listens for Remote Assistance traffic on TCP port 5001 and forwards it to port 3389, allowing the connection to succeed on its end, regardless of whether the computer in question is playing the role of novice or expert. If computers on both ends of the connection are using any combination of public IP addresses and private addresses supplied by ICS, the Remote Assistance session should work perfectly.
- UPnP-compatible hardware router or residential gateway - If the source of the private IP address is a hardware router or residential gateway, the connection will be successful if the router supports the Universal Plug and Play (UPnP) standard. Most routers manufactured in 2001 or earlier do not support UPnP, although a firmware upgrade may add this capability.
- Non-UPnP-compatible hardware router or residential gateway - If both computers are behind NAT devices that are not UPnP compatible, it is not possible to complete a Remote Assistance connection. If only one computer is using a private IP address whose source is a hardware router or residential gateway that is not UPnP compatible, making a successful connection is often possible, although it requires jumping through some hoops. In this configuration, your best bet is to use Windows Messenger to create the Remote Assistance connection. The novice initiates the connection to the expert on a random port; the expert then uses this port to initiate a connection back to the novice.
Configuring Remote Assistance with NAT connections
The trickiest connection of all involves a novice who is behind a non-UPnP NAT device, such as a router or residential gateway on a cable or DSL connection, and who is unable or unwilling to use Windows Messenger. In that case, you may be able to make a Remote Assistance connection work by editing the RA ticket file. Find the address of the NAT device (the public IP address it uses to connect to the Internet) and the private address of the novice’s computer; then follow these steps:
- On the NAT device attached to the novice’s network, open port 3389. Traffic on this port must be able to reach the novice machine before it can complete the Remote Assistance connection.
- Open the Help And Support Center and create a Remote Assistance invitation, saving it as a file on your desktop or another convenient location. This ticket file includes a pointer to your private IP address; if you send this ticket to an expert who is not on the same private network as you, it will fail because his computer will not be able to find a route to your IP address.
- Open Notepad or another text editor and edit the RCTICKET field, adding the external IP address of the NAT device before the internal IP address. For instance, if your NAT device uses an external IP address of 188.8.131.52 and your private address is 192.168.1.105 and your machine name is Groucho, this field should read as follows:
RCTICKET="65538,1,188.8.131.52:3389;192.168.1.105:3389;groucho:3389,encrypted connection info"
- Send the RA ticket file to the expert. When he or she double-clicks this file, the information you added will allow it to work its way over the Internet to your NAT device and then into your computer on port 3389.
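As an added example, not part of the original article, here is a small Python tool that performs the ticket checks described above (the "points to the correct IP address" check in the Remote Assistance Problems section, and the NAT edit in step 3): it parses the RCTICKET field, flags endpoints an expert on the public Internet cannot route to, prepends the NAT device's public address while leaving the encrypted connection info untouched, and tells you whether the invitation is still open. The RCTICKET value format and port 3389 come from the article; the surrounding XML element and attribute names (UPLOADINFO, UPLOADDATA, DtStart, DtLength) and the sample ticket are constructed assumptions, so a real .msrcincident file may differ.

```python
import ipaddress
import re

# Constructed sample ticket, not a real capture. The RCTICKET value follows the
# format quoted in the article; the element and attribute names around it are assumed.
SAMPLE_TICKET = (
    '<?xml version="1.0"?>\n'
    '<UPLOADINFO TYPE="Escalated">\n'
    '<UPLOADDATA RCTICKET="65538,1,192.168.1.105:3389;groucho:3389,ENCRYPTEDINFO"'
    ' DtStart="1032457683" DtLength="60"/>\n'
    '</UPLOADINFO>\n'
)
_RCTICKET_RE = re.compile(r'RCTICKET="([^"]*)"')


def parse_rcticket(value):
    """Split 'ver,flag,ep1;ep2;...,blob' into its four fields; the blob stays opaque."""
    version, flag, endpoints, blob = value.split(",", 3)
    return version, flag, endpoints.split(";"), blob


def unroutable_endpoints(endpoints):
    """Endpoints an Internet-side expert cannot reach: RFC 1918 addresses and bare names."""
    bad = []
    for ep in endpoints:
        host = ep.rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_private:
                bad.append(ep)
        except ValueError:  # not an IP literal, so a machine name such as "groucho"
            bad.append(ep)
    return bad


def prepend_public_address(value, public_ip, port=3389):
    """Put the NAT device's public address first (step 3); the encrypted info is untouched."""
    if ipaddress.ip_address(public_ip).is_private:
        raise ValueError(f"{public_ip} is private and will not route over the Internet")
    version, flag, endpoints, blob = parse_rcticket(value)
    public_ep = f"{public_ip}:{port}"
    if endpoints[0] != public_ep:  # idempotent on an already edited ticket
        endpoints.insert(0, public_ep)
    return ",".join([version, flag, ";".join(endpoints), blob])


def rewrite_ticket(xml_text, public_ip):
    """Rewrite only the RCTICKET attribute; every other byte of the file is preserved."""
    m = _RCTICKET_RE.search(xml_text)
    if m is None:
        raise ValueError("no RCTICKET field found in ticket")
    new_value = prepend_public_address(m.group(1), public_ip)
    return xml_text[:m.start(1)] + new_value + xml_text[m.end(1):]


def invitation_open(xml_text, now):
    """True while 'now' (Unix seconds) lies inside the invitation's lifetime.
    Assumed fields: DtStart = creation time in Unix seconds, DtLength = minutes."""
    start = int(re.search(r'DtStart="(\d+)"', xml_text).group(1))
    minutes = int(re.search(r'DtLength="(\d+)"', xml_text).group(1))
    return start <= now <= start + minutes * 60
```

Run `unroutable_endpoints` on a received ticket before double-clicking it: if every endpoint is flagged, the novice is behind NAT and the ticket needs the step 3 edit (or Windows Messenger) before it can work.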