SHARING Vanda, Fotolia

COVER STORY Remote Access with VNC

Remote GUI access with VNC SHARING vanda, Fotolia

Once you only needed a command line to access remote computers, but today’s networks sometimes require a graphical connection. The VNC protocol provides a practical cross-platform screen sharing solution. We’ll

take a close look at VNC and show you some leading no-cost VNC applications. BY JAMES MOHR

work in a data center with hundreds With the X protocol, the local machine of updates. Therefore, a number of dif- of machines spread over two build- is responsible for managing the display ferent compression techniques have I ings. Usually we can perform the and windows. VNC uses the Remote been developed to further reduce the necessary management functions for the Frame Buffer (RFB) protocol, transmit- amount of information being transferred. Linux and Unix systems using ssh; how- ting mouse and keyboard events from Because it interacts directly with the ever, in a number of cases, a tool we the client to the server, then sending frame buffer, the RFB protocol – and need may not have a command-line in- screen updates back to the client. thus VNC – is platform independent. A terface, or the remote system may be The simplest method for updating the Windows machine can connect to Linux running some version of Windows that screen is to send the raw pixel data in just as well as it can connect to another requires access to the GUI. scanline order (left to right, top to bot- Windows machine. VNC can essentially Virtual Network Computing (VNC) is tom). Once the initial screen is drawn, work with any windowing system and is a popular alternative for sharing screens rather than refreshing the entire screen therefore ideal for both Windows and on heterogeneous networks. VNC beha- when something has changed, the VNC X11, as well as Macintosh systems. vior is slightly different from the X Win- protocol uses a simple primitive to place dowing system. One difference is that a rectangle of data at a particular loca- Getting Connected VNC shares the entire desktop. A user on tion. This way, only the areas that Like the Windows remote desktop client, one machine can see the current desktop change need updating. the VNC server stores all of the connec- of a user on another and control the Because more information is sent tion and session information. Therefore, mouse and keyboard of the remote sys- across the network than with X11, VNC you can disconnect a client while at one tem. This feature is useful for a range of is obviously slower; however, in the tests location, then reconnect later at a differ- activities, such as accessing a work com- I conducted, VNC did not cause any sig- ent location and start from where you puter from home, working with students nificant performance problems. left off. An X11 client typically cannot in a training environment, providing Even with limiting the data sent in this detach itself from the server and then re- tech support, or annoying your son fashion, it can still cause bandwidth connect itself (although there are some while he’s playing video games. problems on slow connections with a lot X11 apps that allow this).

22 ISSUE 85 DECEMBER 2007 Remote Access with VNC COVER STORY

The controlling application or client is sure that both the server and client A couple of the VNC products I re- often called the “viewer” since it is used know which port to use. viewed also include the vncconfig to “view” the remote machine. This program, which provides two different name has a farther-reaching implication, What Goes Into VNC functions. The first function is to display as you can actually configure the server Packages typically come with five pro- or set Xvnc parameters for a running to be “read only” or “view only.” That grams, but the VNC server and viewer server. The second function is to help is, you can see the display, but you can- sometimes come in separate packages. with clipboard transfer to and from the not make any changes. We have used Although the behavior is generally the VNC viewer. this at work for remote monitoring of ap- same, you will find slight differences in Many Linux distributions provide a plications where we were not allowed to the various VNC alternatives. VNC server by default and it is usually change anything, just report when some- Packages typically appear as RPM and configured as “Remote Administration,” thing happened. tgz-files for Linux, or as self-extracting or something similar, although you can In a support environment, the techni- .exe or .zip files on Windows. Source use it for other things as well. In many cian can see the steps the user takes code is available for the open source ver- cases, all you can do within the respec- without being able to make changes. In sions, including Windows. tive administration GUI is to activate/ other cases, you can configure VNC to The vncserver script is what is typi- de-activate it and perhaps change the show a single display on multiple ma- cally run to start the VNC server. This firewall settings. chines, such as a training environment file can be in various directories such as Although the same programs exist on when the instructor is demonstrating /usr/bin, /usr/X11/bin, or /usr/local/bin, Windows, I found that the name for the something to a large number of students. depending on the product and how it server application differed from product Keep in mind that VNC needs to up- was installed (RPM or compiled). The to product. For example, TightVNC date the local display every time you script is simply a wrapper script to start named the server program WinVNC.exe. make a change such as moving or resiz- the Xvnc program, which is the actual Provided the necessary DLLs are accessi- ing a window. Not only does the win- server. This script accepts far few op- ble, you can start the server without dow itself need to get redrawn, the back- tions than Xvnc supports, but for the having to actually install it. ground behind the window needs to get most part, the options vncserver accepts Like Linux, the Windows VNC server updated as well. are sufficient. The client or viewer is can also be configured as a service that If you have a complex background, it provided by the vncviewer program. is started automatically when the system naturally takes longer to update. Also, Two support programs are also deliv- boots, but this usually means having to the higher the resolution, the more data ered. The vncpasswd program allows actually install the product. The prod- needs to be transmitted, which thus ef- you to set the password for the current ucts I looked at allow you to either dump fects the performance. user. Passwords must be six characters the respective programs into a directory long; the program will fail if the pass- and start them from there, or you can Xvnc word is shorter. If the read-only pass- actually install the programs, which cre- Some VNC versions provide not only word is too short, the primary password ates menus and desktop icons. VNC services, but X11 as well. Xvnc, the will be saved. Note also that, in most I ran into firewall problems with a actual server application on Linux, offers cases, only the first eight characters are couple of the Linux distributions I X11 and VNC, supporting multiple con- significant and the rest are ignored. tested. The ports used by VNC are typi- current X11 sessions on the same remote By default, the file $HOME/.vnc/ cally not open by default, so check out machine and includes connecting to ex- passwd is used, but you could specify a the firewall configuration if you are hav- isting X11 sessions as well as creating different file. For example, a system ad- ing trouble connecting. new, independent sessions. This means ministrator who wants to create a pass- I also ran into another problem with that what Xvnc is displaying on the cli- word file for a specific user (i.e., to reset Fedora 6, which offers a copy of ent is not necessarily the same as what a password) can specify the password RealVNC 4.1.2 that is well integrated is running on the server’s display. on the command-line, like this: into the system. The VNC server is set Like X11, VNC creates virtual displays or “screens” to each connection, but this vncpasswd filename is not the same as the virtual desktops you get with KDE. By default, VNC uses If, for example, the user’s home direc- ports 5900 through 5906, with each port tory is on a shared filesystem (i.e., corresponding to one of these screens, SAMBA or NFS) and you would like so you end up with screens :0 to :6. Note to make sure the VNC password file is the colon in front of the screen number, local, you can specify the -t option to which is the same way displays are num- vncpasswd, which will cause the appli- bered with X11. Depending on the prod- cation to write passwords into /tmp/ uct, there is a built-in HTTP server to $USER-vnc/passwd. which you can connect using ports 5800- The vncconnect program is used to 5806. In either case, you can use other connect a VNC server to a VNC viewer Figure 1: The Linux Viewer configuration ports, but you naturally need to make on a specific machine. options.

DECEMBER 2007 ISSUE 85 23 COVER STORY Remote Access with VNC

On Linux, by default, the xstartup code and many current products are script simply sets up the basic environ- open source, some are not. ment then starts an xterm (console) and the TWM windows manager. TWM is Documentation fairly simple by today’s standards. Al- Documentation is sparse and typically though I don’t necessarily recommend limited to man pages, which are about TWM as a day-to-day desktop, it suffices the same across the various products. for remote administration. Although products typically provide the As you can see in Figures 1 and 2, the same programs, their behavior may dif- Windows client GUI provides many fer. Sometimes the difference is minor, more options than the Linux GUI, even but there can be a few more significant with the same product. However, as you differences. would expect from Linux, the equivalent I installed the products on both Win- options are available as command-line dows and different Linux distributions, arguments. and I tried a number of different combi- Figure 2: The Windows Viewer configuration The Linux client can simply be started nations of servers and viewers. Although options. by running vncviewer from the com- the behavior differed slightly between mand line. Depending on your distribu- products, I did not run into any prob- up by default as a service that you can tion, you might have a graphical starter lems connecting the client of one prod- configure and start using the service program for the viewer, such as KDE’s uct to the server of another. configuration application. Also, the de- KRDC (Figure 3). I have a 100MB local network and I fault configuration file is stored as /etc/ If you run the viewer without any op- noticed no delays when doing something sysconfig/vncservers. tions, you are prompted to input a host- that updated a large area of the screen, When I tried to start from the admin name or IP address. However, the host- such as opening up the Windows Start GUI, nothing appeared to happen. From name or IP address and display number menu or starting a new file browser. It the command-line, I got the typical can also be given as arguments. didn’t matter whether the change was “Failed” message, but it wasn’t until I Each of the servers I looked at come initiated on the real Windows XP ma- poked around the init-script that I found with a built-in HTTP server, which al- chine or through the VNC viewer – there that a couple of changes were necessary lows you to connect using a Java-com- was no noticeable delay. However, when in the vncservers file to actually start patible web browser. Although this web I tried World of Warcraft running on my VNC. The tool was also configured with option is useful in principle, the speed of son’s Windows machine, the delays the -localhost option, which meant that the screen updates was noticeably made it impossible to play. it would only allow “loopback” connec- slower with all of the combinations I tions, such as when using SSH tunnel- tried, and the quality of the graphics was TightVNC ing. After addressing these issues, I not very good. Plus, I could actually TightVNC [1] calls itself an “enhanced �� could connect from my local machine to watch the windows being redrawn in the version of VNC” and claims to include “a the server. web browser, whereas with the stand- lot of new features, improvements, opti- alone viewer, the same application ap- mizations, and bug fixes,” most of which Running VNC peared immediately. Still, the web option require you to dig through the various The first step is getting the server run- allows access from places that otherwise change logs. �� ning, which you can run as any user by would not support VNC. Initially, I tried to install the RPM- simply starting the vncserver script. The package for version 1.3.9. Unfortunately, first time you start the server, you’ll be Free VNC Products I couldn’t install it because the RPM- prompted to input a password for the I decided to examine a few of VNC prod- package required a newer version of the �� connection. ucts that were available for free. Note glibc (although the required version was The vncserver script then creates the that, in this case, “free” does not mean not listed on the TightVNC download �� necessary configuration files, including just open source any applications that should start auto- products. RealVNC, �� matically, are contained in the respective for example, provides �� $HOME/.vnc directory. a free version along �� After prompting for the password, or if with two commercial �� one already exists, the VNC server dis- versions. Keep in �� plays the basic information about the mind that VNC is the connection and which file it is using to protocol by which start any applications. By default, appli- the client and server �� cations are started by $HOME/.vnc/ communicate, and �� xstartup. The first time you start the not the program it- �� browser, the viewer will typically create self. Although the �� an xstartup file for you. original VNC source Figure 3: The KDE Remote Desktop Client. ��

24 ISSUE 85 DECEMBER 2007 Remote Access with VNC COVER STORY

page). Then I tried to compile it myself, after installing the driver, at least one is the heir to the original VNC legacy. but unfortunately, the documentation program froze completely even without RealVNC is currently available in three was missing a couple of steps. connecting any VNC client. variants: free, personal, and enterprise. After jumping through a few hoops, I Once I removed the driver, the pro- For my tests, I used the 4.1.2 free ver- got it compiled; however, I still could not gram worked fine, so there are some ob- sion, which seems to be a watered-down start the server correctly and my posts to vious issues with how some applications version of the available open source the TightVNC mailing list remained un- react to this driver. products. For example, the vncserver answered. One nice thing was that the server can script does not support a password file Because the TightVNC project is change the desktop to a solid color anywhere other than the default location hosted by SourceForge, previous ver- rather than transmitting the wallpaper $HOME/.vnc/passwd. sions can be downloaded from there. or background. You can also disable any Additionally, in contrast to other prod- The next most-recent version on Source- cute XP user-interface effects. These ucts, RealVNC’s vncpasswd does not ask Forge is 1.2.9, but this was installed by features increase the efficiency of screen you for a view-only password. In fact, default on my SUSE 10 system, so I did updates by reducing the information that the RealVNC version does not appear to not go through the trouble of download- needs to be sent. support any of the options the other ing it. This version worked fine. Note Further increases are achieved by so- products do. that the Windows version of 1.3.9 in- called “tight” encoding with optional Another annoyance is that RealVNC stalled with no problems. JPEG compression. Per the TightVNC does not prompt you for a password if documentation, this encoding is opti- the password has not yet been set. DFMirage mized for “slow and medium-speed con- RealVNC does, however, give you a hint TightVNC provides the DFMirage mirror nections,” but it was unclear what con- to use the vncpasswd program, which display driver, which runs on Windows nection speeds these really are. will prompt your for a view-only pass- 2000, Windows XP, and above. Like word. The annoyance gets worse be- TightVNC, the driver is free and provides RealVNC cause it displays a usage message that an even more efficient way of updating Because the RealVNC company was es- indicates you can specify a password file the screen information. Even without the tablished by developers of the original or the -t option; however, neither is sup- driver, I had noticed no delays; however, VNC, one could argue that RealVNC [2] ported by the vncserver script. If you run ��

�� COVER STORY Remote Access with VNC

tation there is One feature is the Mirror Video Driver, specifically talks which connects the frame buffer mem- about Fedora Core ory directly to the VNC server, which in- and not much creases the video performance of VNC else. However, I and also reduces CPU usage. was eventually Another feature of UltraVNC is sup- able to coax the port for three different types of authenti- packages into let- cation. The first type is standard VNC ting themselves authentication, where the passwords are be installed. stored on the VNC server. MS-Logon I Overall, authentication can take advantage of MetaVNC also users, domains, and groups from the seemed to be the Windows machine running the VNC slowest, regardless server. MS-Logon II allows the user ac- of whether it was count to be in a different domain than the client or the computer account (cross-domain viewer (or both). authentication). Figure 4: The TightVNC Viewer connected to Windows XP. Although UltraVNC also includes an embedded MetaVNC to Text Chat client and file transfer. vncpasswd with the -t option and then MetaVNC was still acceptable, when try to start the server, it fails again, tell- connecting a RealVNC or TightVNC Conclusions ing you to set the password. viewer to a MetaVNC server, screen re- Despite some initial frustrations, I found In addition to the features supported draws were noticeably slower. This that TightVNC provided the best pack- by the free version, the personal version seemed somewhat odd since MetaVNC age and most accessible information. also supports 2048-bit RSA Server Au- is “based” on TightVNC, unless The free version of RealVNC left too thentication, 128-bit AES Session En- MetaVNC adds features that actually much out, and I have little or no need cryption, and File Transfer, among other slow things down. for any of the extras in the commercial things, but it does not support Linux or Although the project was registered on versions (with perhaps the exception of other UNIX variants. SourceForge, there was almost no activ- the file transfer). The enterprise version of RealVNC re- ity in the SourceForge forums and I Although MetaVNC does have a few quires a separate license for Windows found no mailing list to which I could more features than TightVNC, the lack and Linux servers, and it also supports subscribe. There is a wiki on the of useful documentation makes me shy Mac OS X. One addition is the “Direct MetaVNC website, but it seems to be away from it, particularly in a business platform native authentication,” which primarily of interest to developers. environment. Without Linux support, means you do not need to create an MetaVNC has almost all the same fea- UltraVNC died in the starting gate. Busi- extra password file for each user in order tures and behavior as TightVNC. There ness environments vary, so you may to connect to the server. Instead, the tool were several new options in the Win- need to make some different choices. ■ uses the operating system’s own authen- dows client, but I didn’t find much at all tication methods, thus requiring only a in the documentation about what these INFO single password. On Windows servers, options did. [1] TightVNC: http:// www. tightvnc. com/ this means you can authenticate using Not to be deterred by a lack of docu- [2] RealVNC: http:// www. realvnc. com/ either NT-Domain or Active Directory mentation, I googled a little and found a credentials. nifty little feature called the Meta Win- [3] MetaVNC: http:// metavnc. sourceforge. net/ On Linux/ UNIX, authentication is dow Manager. The Meta Window Man- done via NIS/ NIS+. Since the system ager merges your local Windows Start [4] UltraVNC (Windows Server): http:// www. uvnc. com/ index. html can now differentiate between users, this menu with the Start menu of the remote mechanisms also means that you can machine, and you can even configure ex- create separate environments for differ- actly how the menus are displayed. The James Mohr is re- ent users. local and remote task bars can also be sponsible for the mixed, plus applications on either side monitoring of several datacenters for MetaVNC are interspersed when you switch be- a business solu- In terms of both the scope of the product tween them using Alt+Tab. tions provider in and the available information, MetaVNC Coburg, Germany. [3] seemed to be the thinnest. I installed UltraVNC In addition to run- MetaVNC viewer 0.6.5, which is based The UltraVNC [4] is currently only avail- ning the Linux Tutorial web site http:// www. linux-tutorial. info,

on TightVNC Viewer version 1.3.9. In- able for Windows, but it may still be THEAUTHOR stalling the server on Windows went worth taking a brief look at because it James is the author of several books fine, but I had problems with the Linux provides several features that other VNC and dozens of articles on a wide version and what little online documen- products do not have. range of topics.

26 ISSUE 85 DECEMBER 2007