Remote Assistance Through Firewalls

Windows® Remote Assistance is a neat little way to share your desktop with another user, or allow them to fix something on your computer, while you watch. However, Remote Assistance does have problems when you and the person you wish to connect to are on different sides of a firewall, or multiple firewalls. (Aside: personally, I think there are other products like NetMeeting or VNC that are easier to use, but that's another story.)

The problems you encounter will depend on your network configuration, and which hardware or software firewalls exist. However, if you're reading this page, I assume you are having some problem with Remote Assistance, so it would probably be worth reading more to see if this article can fix your problems. Basically, if you have to use Remote Assistance across a firewall that does Network Address Translation (NAT), and does not support Universal Plug and Play (UPnP), then you'll probably have problems. Check your router/firewall documentation to see if your product supports NAT and/or UPnP.

First of all, let's make sure you've properly enabled Remote Assistance on your machine. Right-click on My Computer, select the Remote tab, and select the checkbox labeled "Remote Assistance".

You can also go to the Start Menu and drill down into the Administrative Tools submenu. Open up the Services viewer. Within Services, make sure that the Universal Plug and Play Device Host and Remote Desktop Help Session Manager services are started. Did that fix the problem? OK, stop reading and go home!

If you had already done that, see if you can fix the problem by loosening up some of your security features. Remote Assistance requires computers to communicate using TCP port 3389. If you have a firewall, you may have port 3389 blocked. This port needs to be opened (a.k.a. forwarded) on the side where the Remote Assistance invitation is sent from; in other words, on the computer whose desktop both users want to see. If you use the Windows® built-in software firewall, you can open port 3389 by opening the Network Connections viewer (Start Menu -> Settings -> Network Connections -> Local Area Connection). You may be using a network card, or network interface, with a name other than "Local Area Connection"; adjust the instructions accordingly. Select the Advanced properties, Windows Firewall Settings, and then the Exceptions tab. There you should be able to enable the Remote Assistance and UPnP Framework services (check both).

If you are not using the built-in software firewall, but instead a hardware firewall, then you likely have a web configuration page on your firewall where you can configure port forwarding. You need to forward port 3389 on your firewall to the machine on your home network that you want to invite a friend to connect to. Instructions differ per firewall product, so I'll leave this exercise to the reader. I will, however, add that many antivirus products have script or worm blocking features that will prevent Remote Assistance from working. You may have to disable those features while attempting to set up Remote Assistance (you can always turn them back on later).

If you performed the above steps, and still can't get Remote Assistance to work, then try my solution. First of all, don't use Live Messenger to hook up your Remote Assistance session. I'm not even sure it's possible, if you have the same problem I had, and it's certainly not worth the trouble. Unless you use Live Messenger for instant messaging, don't pollute your computer with its presence! To start the meeting, go to the Start Menu and select Help and Support. From here, you can select "Invite a friend to connect to your computer with Remote Assistance". Then, select "Invite someone to help you". At this point, I'm recommending using email to send the invitation. Type in the email address of the person you wish to invite, and follow the directions. Note that you may need to have your email client open while doing this. If you use Outlook, for example, go to Outlook and make sure the message gets sent by the Help and Support wizard. You may have to accept a security warning or two, depending on your security configuration and/or antivirus software.

Once your recipient receives the invitation, they would normally open the email, and double-click on the attachment to accept the invitation. Instead, have them save the attachment (called RcBuddy.MsRcIncident, or something) to their desktop. Then, have them right-click on the attachment, and choose "Open with ...". They should choose to open the file with Wordpad, Notepad, or a similar bare-bones text editor. They will see a file something like:

<?xml version="1.0" encoding="Unicode" ?>
<UPLOADINFO TYPE="Escalated">
<UPLOADDATA USERNAME="Nathan Scandella"
RCTICKET="65538,1,172.16.38.48:3389;192.168.1.101:3389;mycomputername:3389,
*,E0+y+fxsZoQUp8OoV7f8Jeu9SEf4p3LPkXLmsZ3xDkU=,*,*,JLTAA7TZgHr1vRyrtJlMgG2oE+g="
RCTICKETENCRYPTED="1"
DtStart="1178172557" DtLength="60" PassStub="ez=8XgRXkw0fIr" L="0" />
</UPLOADINFO>

Where mycomputername would be the hostname of your computer, and 192.168.1.101 might be the IP address of that computer on your home's internal network. The problem is the other IP address that precedes that one (172.16.38.48 in this example). This IP address is the likely culprit if your environment isn't properly handling UPnP and NAT. You should have your friend edit that IP address, and change it to whatever the actual IP address of the Internet (WAN) side of your firewall is. This would be either a static or dynamic IP address assigned by your Internet Service Provider. If you have a dynamic IP address, you need to make sure it doesn't change between the time you look it up (usually your router has a web page that shows such information), and the time your friend tries to connect. Usually, your ISP won't actually change your dynamic IP more than once every few days, at most. If you have a static IP address for your home network, even better!

Now, your friend should be able to attempt to open the Remote Assistance invitation (RcBuddy.MsRcIncident) again. If it works now, great! If not, you have some other problem that I'm not smart enough to anticipate. Here's to hoping it's the former :)
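
The manual edit described above can also be scripted. The following Python is an added example, not part of the original article or of Windows; it assumes, from the sample shown here only, that the endpoint list is the third comma-separated field of RCTICKET, and it uses constructed placeholder values plus the documentation address 203.0.113.10 as a stand-in WAN IP.

```python
import ipaddress
import re

# Constructed sample in the layout shown above; opaque fields are placeholders.
SAMPLE = '''<?xml version="1.0" encoding="Unicode" ?>
<UPLOADINFO TYPE="Escalated">
<UPLOADDATA USERNAME="Example User"
RCTICKET="65538,1,172.16.38.48:3389;192.168.1.101:3389;mycomputername:3389,
*,KEY_PLACEHOLDER=,*,*,HASH_PLACEHOLDER="
RCTICKETENCRYPTED="1"
DtStart="1178172557" DtLength="60" PassStub="STUB_PLACEHOLDER" L="0" />
</UPLOADINFO>
'''

TICKET_RE = re.compile(r'(RCTICKET=")([^"]*)(")')
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(host):
    """Return 'private', 'public' or 'hostname' for one endpoint host."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "private" if any(ip in net for net in RFC1918) else "public"

def endpoints(invitation):
    """List (host, port, kind) for every endpoint in the ticket."""
    # Assumption from the sample: field 3 of RCTICKET is the endpoint list.
    fields = [f.strip() for f in TICKET_RE.search(invitation).group(2).split(",")]
    out = []
    for ep in fields[2].split(";"):
        host, _, port = ep.rpartition(":")
        out.append((host, int(port), classify(host)))
    return out

def set_wan_address(invitation, wan_ip):
    """Replace the first endpoint's host with wan_ip; leave all else untouched."""
    if classify(wan_ip) != "public":
        raise ValueError(f"{wan_ip!r} is not a routable IP address")
    def patch(m):
        fields = m.group(2).split(",")
        eps = fields[2].split(";")
        eps[0] = f"{wan_ip}:{eps[0].rpartition(':')[2]}"
        fields[2] = ";".join(eps)
        return m.group(1) + ",".join(fields) + m.group(3)
    return TICKET_RE.sub(patch, invitation, count=1)

if __name__ == "__main__":
    print(endpoints(SAMPLE))
    print(endpoints(set_wan_address(SAMPLE, "203.0.113.10")))
```

Listing the endpoints first shows which addresses in the invitation are unreachable from outside the NAT; the rewrite refuses a replacement that is itself an RFC 1918 address or a hostname.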


Copyright ©2003-2007 Enscand, Inc.
All Rights Reserved

Modified May 03, 2007