Packaging Zebedee and VNC with Delphi Zebedee Secure Tunnel VNC Remote Screen Viewer

Post on 18-Dec-2015


Page 1: Packaging Zebedee and VNC with Delphi Zebedee Secure Tunnel VNC Remote Screen Viewer

Packaging Zebedee and VNC with Delphi

Zebedee Secure Tunnel

VNC Remote Screen Viewer


Plan

• Aim
• VNC
• Zebedee
• Delphi Wrap Application
• Hardware Firewalls
• Software Firewalls
• Database Access Via Zebedee
• Look at some Code


Primary Aim

• To run “PC support” over the internet safely.
• Two free products
  – Real VNC (Free Version)
    • Allows remote screen control over TCP/IP
    • http://www.realvnc.com/products/enterprise/4.1/
  – Zebedee
    • Secure TCP Tunnel software
    • http://www.winton.org.uk/zebedee/
• Delphi application used as a coordinator.
• Starts and confirms servers
• Provides simple tools


Free VNC

• Used alone
  – No Encryption
  – Could be Picked up by anyone on the Internet with a VNC Viewer by calling port 5900
    • Password Authentication Only
• Suggested configuration with Zebedee
  – Encrypted.
  – Accepts only local (127.0.0.1) calls.
  – Port 5900 should be blocked at firewalls
  – Only activated when required
  – Remove service mode
• Possible improvements
  – Warn when service mode is present
  – Change port used from 5900
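One way a wrapper could confirm the "accepts only local (127.0.0.1) calls" setting is to capture `netstat -an` output and check which addresses the VNC port is bound to. The following is an added example, not code from the presentation; the function names, the sample output and the tunnel port 11965 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the slides).
# 5900 is the VNC port named on the slide; 11965 is an assumed Zebedee port.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:11965          0.0.0.0:0              LISTENING
  TCP    192.168.0.23:49731     203.0.113.5:11965      ESTABLISHED
  TCP    [::1]:5900             [::]:0                 LISTENING
"""


def split_endpoint(endpoint):
    """Split '127.0.0.1:5900' or '[::1]:5900' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def tcp_listeners(netstat_text):
    """Yield (address, port) for every TCP row in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        try:
            yield split_endpoint(fields[1])
        except ValueError:
            continue  # row that does not carry a parsable address:port


def exposed_bindings(netstat_text, port=5900):
    """Non-loopback addresses listening on `port`; empty means loopback only."""
    return [str(addr) for addr, p in tcp_listeners(netstat_text)
            if p == port and not addr.is_loopback]


def vnc_status(netstat_text, port=5900):
    """Classify the VNC listener: 'not running', 'loopback only' or 'exposed'."""
    if not any(p == port for _, p in tcp_listeners(netstat_text)):
        return "not running"
    return "exposed" if exposed_bindings(netstat_text, port) else "loopback only"


if __name__ == "__main__":
    print("VNC 5900:", vnc_status(SAMPLE_NETSTAT))
    print("Tunnel 11965 bound to:", exposed_bindings(SAMPLE_NETSTAT, 11965))
```

A wildcard binding (0.0.0.0 or [::]) counts as exposed, so a VNC server left in its default listen-on-all-interfaces state is flagged even when the firewall currently blocks port 5900.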


Zebedee

• An encrypted tunnel with compression
• Can provide authentication
• Can enable reverse call
• Only Zebedee port need be exposed through firewall

[Diagram labels: Internet; zbd, zbd; VNC alone; Zebedee Tunnel]


Zebedee

• Out of the box
  – Sample Configuration files including one for VNC
    • Typically “Execute” client or server configuration file
    • No Filtering of permitted calls
    • No Authentication
  – Establish call by redirecting calling application to local Zebedee client port.
• Suggested Configuration
  – Coded in the server and client configuration files.
  – Can be extended in the command line.
  – Make use of Zebedee public private key Authentication
  – Carefully manage server filters to limit permitted calls
  – Change port numbers
  – Use Reverse mode


Putting it all Together

• Wrapper programs attempt to ease the installation of the remote service and troubleshoot both before and after connection is established.
  – Confirms connection to net and discovers network side IP address of machine
  – Confirms VNC and Zebedee executables are installed
    • If not install them from delivery files
  – Starts programs and confirms servers are operating
    • Basic status diagnostics
  – Facilitates viewing of configuration and log files
  – Anything else we think might be useful
• Single Inno Setup Install of all required files from URL
  – http://www.innovasolutions.com.au/test/RmtSprt.html
  – I think we need to deliver 3rd party installs as is
    • including undesirable configuration files


Hardware Firewall

Best form of Firewall

• PCs are connected to safe local area network. They can share files etc., contact LAN servers and do not need firewall software
• Controls access from Internet with clear rules
• Corporate Fws, typically running on dedicated boxes, will also control outgoing calls

[Diagram labels: Protected LAN; Internet; 192.168.0.23-26, 192.168.0.1, 34.23.26.2, 168.3.23.88]


Hardware Firewalls

• The simple router based firewall generally requires no rules for a customer call home implementation.
• At the Support Center the incoming ports have to be forwarded to the specific server
  – Could use broadcast I think
  – Should use specific server
• Generally requires fixed IP address on the LAN


Software Firewall

• A software program which intercepts calls to the IP stack to impose its rules.
• Essential when connected to a public LAN or dial up.
  – Otherwise I am not a fan of these firewalls
    • They are a major cause of network problems
    • They are generally configured via an uninformed click
• They can manage installed software trying to initiate calls.


Software Firewalls

• Firewall rules must be configured on a per connection basis

[Diagram labels: Internet: Deny incoming, Call anywhere (If Authorised). Intranet: Share Directories, Share Printers, Share Databases. Connections: Ethernet, Hotel Ethernet, Dial Up, Café, Wireless, Wireless]


Database Via Zebedee

• Configuration file at server needs to allow access to the Db Server Port Number
  – target MyDbServer:3050
• Configuration file at client end needs to forward a specified port to the Db Server
  – tunnel 1020:192.168.0.76:3050
    • MyDbServer fails here on version 2.4.1 as resolved locally
• The database client needs to be directed to that client port
  – Firebird can be specified by port no
    • Localhost/1020
  – Interbase needs an entry in services
    • Localhost/gds_zebedee
    • Add gds_zebedee to C:\WINDOWS\system32\drivers\etc\Services


Look at Delphi Code
Process Control

Starting Process

    FZebedeeProc := LaunchProcessAndReturnHandle(Cmd, FZebedeeTmpFile);

    { >>>>>>> inside the launch routine }
    { SI.dwFlags must include STARTF_USESTDHANDLES for the redirected handles to take effect }
    if StdOut > 0 then {where StdOut = FZebedeeTmpFile.Handle - Inheritable}
    begin
      SI.hStdOutput := StdOut;
      SI.hStdError := StdOut;
    end;
    { lpApplicationName is nil, so an executable path containing spaces must be quoted inside Cmd }
    if not CreateProcess(nil, PChar(Cmd), nil, nil, True, CreateFlag, nil, nil, SI, PI) then
      raise ………..
    CloseHandle(PI.hThread);
    Proc := PI.hProcess;

Terminating Process

    TerminateProcess(FZebedeeProc, 8); { >>>>>> ExitProcess????? }
    CloseHandle(FZebedeeProc);
    FZebedeeProc := 0;
    FreeAndNil(FZebedeeTmpFile);


Look at Delphi Code
Viewing Config and Log Files

    function ViewFileInNotePad(const ALogFileName: string): Boolean;
    var
      SystemRootDir: string;
      NotePad: string;
    begin
      Result := false;
      if FileExists(ALogFileName) then
      begin
        SystemRootDir := GetEnvironmentVariable('SystemRoot');
        NotePad := ConcatToFullFileName(SystemRootDir, '\system32\notepad.exe');
        Result := CreateProcessAndWait(NotePad + ' "' + ALogFileName + '"', 0, SW_Normal, '', '') > 0;
      end;
    end;


Look at Delphi Code
Dos Commands

Example Do IPConfig

    ACmd := 'IPConfig';

    TmpFile := TTemporyFile.Create;
    try
      { Run the command with its output redirected to the temporary file }
      Return := CreateProcessAndWait(ACmd, 30000, SW_SHOW, '', '', true, 0, TmpFile.Handle);
      if Return = 0 then
        ViewFileInNotePad(TmpFile.Filename)
      else
        raise Exception.Create('Command <' + ACmd + '> Failed::' + WindowsErrorString(0));
      Sleep(1000);
    finally
      TmpFile.Free;
    end;


Look at Delphi Code
Query or Probe A Port

In A Thread

    // >>>>
    FSocket.Open; {Where FSocket is a TClientSocket}
    if FSocket.Active {Connected} then
    begin
      if not (FSocket.Socket.SendText(FQuery) = Length(FQuery)) then
        FError := 'Could not Send All Data';
      if FSocket.Active {Connected} and not FProbe then
        FResponse := FSocket.Socket.ReceiveText
    end
    else
      FError := 'Failed to Connect to ' + FHost + '::' + IntToStr(FSocket.Port);
    FIpWait.SetEvent;
    Suspend;
    // <<<<
    FSocket.Close;


Thank You