FAQ entry - How to access a linux server's window manager through CPF?

@Comodo Moderators: This entry prepares a FAQ entry. kail has asked me to make a help entry which he’ll then edit and move to the FAQ section. No need to reply to this topic. The original problem is already being discussed in https://forums.comodo.com/help/configure_comodo_firewall_for_x11_access-t13646.0.html

kail is still trying to reproduce and resolve the original issue. In the meantime, however, we discovered a secure and performant solution to access a linux desktop through CPF that we want to make available to all users through a FAQ entry.


How to access a remote graphical linux desktop from a windows computer running CPF?

The window manager (e.g. GNOME/gdm, KDE/kdm, …) of a linux server may be connected to the Windows XP/2000/NT/Vista implementation of an X-Server (e.g. Cygwin, Xming, Exceed, …) running on a remote PC. This allows remote graphical access to a linux server from a PC running MS Windows derivatives.

The MS Windows client logs into the linux server using the XDMCP authentication protocol (usually sending a UDP broadcast on port 177). The window manager running on the linux server then initiates a connection to the client’s X-Windows system over the X11 protocol (TCP connect to port 6000 on the client machine).

XDMCP and X11 are however protocols that may only be used in a trusted network as passwords and responses are all sent unencrypted over the network. As the X11 protocol is quite verbose the connection will also require quite some network bandwidth.

See X Window System core protocol - Wikipedia for an in-depth explanation of X11 and XDMCP…

We therefore recommend another more secure and performant solution to graphically access remote linux servers in combination with your Comodo firewall.

You’ll have to meet the following requirements:

  • An SSH Server running on your linux machine
  • Access to the server’s and the client’s firewall
  • Administration/root access to both computers
  • A working network configuration where the client may access the server on a static IP

We’ll use FreeNX to establish the connection between the server and the client.

The following detailed installation instructions are for Ubuntu/Debian distributions but may be easily adapted to other linux distributions:

  1. SSH server installation
  • Install a standard ssh server on your linux machine. For Ubuntu/Debian this simply means installing the “openssh-server” package through Synaptic Package Manager or typing “apt-get install openssh-server” on a root prompt.
  1. Linux firewall configuration
  • Configure your linux firewall to allow incoming TCP connections to the port your SSH server listens on (usually port 22). You may limit access to the client’s IP or the local network.

Example: Shorewall configuration

  • On Ubuntu/Debian you may use shorewall to configure your firewall.
  • We assume that you have set up a shorewall standard standalone server configuration. Consult shorewall documentation for details.
  • You may then edit /etc/shorewall/rules and enter the following line:
    SSH/ACCEPT net:X.X.X.X $FW
  • Enter your Windows PC’s static IP-address in place of “X.X.X.X”. If your PC receives a dynamic IP over DHCP rather than a static one, you may simply allow incoming SSH traffic from your DHCP address range.
  • Type “shorewall restart” from a root prompt.

If you do not use shorewall then consult your own firewall configuration tool’s manual to open up the SSH server port for incoming connections.

  1. Install FreeNx on your server:
  • Get Nx free edition server, node and client for Linux from “no machine”'s website: http://www.nomachine.com/select-package.php?os=linux&id=1
  • Install all three of them on your linux machine as described in the installation manual. If you use Ubuntu/Debian you probably just have to get the .deb packages and execute:

sudo dpkg -i nxclient_3.0.0-84_i386.deb
sudo dpkg -i nxnode_3.0.0-88_i386.deb
sudo dpkg -i nxserver_3.0.0-74_i386.deb
Normally this should also start the server.

  • Type “sudo /usr/NX/bin/nxserver --status” to check that
    your Nx server is started. You should get something like:

NX> 900 Connecting to server …
NX> 110 NX Server is running.
NX> 999 Bye.

If your server is not running, type “sudo /usr/NX/bin/nxserver --start”.

  1. Install FreeNx on your PC
  1. Launch your first Nx connection:
  • Once Nx is installed on your PC, you should start the newly created “NX-Connection-Wizard” entry in your start menu.
  • Read the introductory text … Next
  • Enter a name for your Session. The session configuration will be saved under that name later.
  • Enter the linux server’s IP. Leave the port to 22 (if you have not
    changed your SSH server’s standard port).
  • Select your connection speed… Next
  • Set the connection type to “Unix” and select your favourite desktop manager. Choose the size of your desktop window. Do NOT check “Disable encryption of all traffic” … Next
  • Decide whether you want to have a shortcut to the new configuration on your desktop and select “Show the Advanced Configuration dialog” …Finish…Ok
  • In the advanced configuration dialog you might enable forwarding multimedia (=sound) to your PC. In this case you have to select the “Services” tab and check “Enable multimedia support”. Maybe you also want to enable disk shares as an alternative to installing a Samba server on your linux machine. And if your linux server is configured as a font server you can configure it in the “Environment” tab. …Ok
  • Now the Nx client’s login window should appear. Enter a valid linux user’s credentials and select the newly created session… Login.
  • Several Comodo pop-up messages will inform you that the Nx client wants to access the server. Enable these connections.
  • Also a window may pop up in which you have to confirm the server’s SSH signature.

If everything works out then you should see your linux desktop start up on your PC within a few seconds.
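
An added check, not part of the original post: once the desktop is reached over SSH, the linux server should no longer expose the unencrypted XDMCP (UDP 177) or X11 (TCP 6000 plus display number) listeners described above. The script below classifies `ss -tuln` output; the function names, the sample listing and the 6000-6063 display range are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify listeners from `ss -tuln` output read on stdin.
# Flags XDMCP (udp/177) and X11 (tcp/6000-6063, an assumed display range)
# bound to non-loopback addresses, and reports whether SSH is listening.
# Optional first argument: the SSH port (default 22, as in the guide).
audit_listeners() {
    awk -v ssh_port="${1:-22}" '
    $1 != "tcp" && $1 != "udp" { next }   # skip the header and other socket types
    {
        proto = $1; addr = $5             # column 5 is Local Address:Port
        n = split(addr, parts, ":")
        port = parts[n]                   # the port follows the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        loopback = (host ~ /^127\./ || host == "[::1]")
        if (proto == "tcp" && port == ssh_port) ssh_seen = 1
        if (loopback) next                # e.g. sshd X11 forwarding on 127.0.0.1:6010
        if (proto == "udp" && port == 177)
            print "EXPOSED xdmcp " addr
        else if (proto == "tcp" && port >= 6000 && port <= 6063)
            print "EXPOSED x11 " addr
    }
    END {
        status = ssh_seen ? "OK" : "MISSING"
        print status " ssh tcp/" ssh_port
    }'
}

# Constructed sample listing (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:177        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:6000       0.0.0.0:*
EOF
}

# Demo on the constructed sample; on the server run: ss -tuln | audit_listeners
sample_ss_output | audit_listeners
```

Any EXPOSED line means the display manager or X server is still reachable from the network and can be switched off or firewalled now that only the SSH port is needed.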

Thanks Florian, excellent job. :slight_smile:

I’m locking this topic & shifting it to the FAQ section. If you need access to it, then just email me or PM any active Mod.

Fellow Mods: Comments/Edits/Input/Verification/Etc? (they can post even though the topic is locked)

Justin (aka. Mr Ubuntu): I think this is right up your street. I’m having… “technical” problems with Ubuntu at the mo.

Great job Florian, I’m sure this will be very useful to many users :slight_smile:

Kail, I have PM’d you about your issue, this way we don’t clutter this topic :wink:

edit: Yep, thanks Justin. I got the PM & replied. Very small text to save even more space than Justin. ;-)

Didn’t know it was locked and solicited comments. ;D
From RogerP:

IMHO, this is a brilliant write up. Any user with medium experience should be able to get it running in short order. Only comment is that he should add a paragraph to the effect that once it becomes functional, the user should use the certificate feature of OSSH.