Administering Remote Assistance

Abstract

This article explains how to manage Remote Assistance for users in a corporate environment. It is intended for administrators familiar with the Windows 2000 Active Directory™ service and Group Policy.

Acknowledgements

Mike Seamans, Technical Writer, Microsoft Corporation

Alvin Loh, Program Manager, Microsoft Corporation
John Kaiser, Technical Editor, Microsoft Corporation

Introduction

Remote Assistance enables a trusted person (a friend, support person, or IT administrator) to remotely and actively assist someone with a computer problem. The helper (also called an expert) can view the screen of the user requesting assistance and offer advice. With the permission of the user, the helper can take control of the user's computer and perform tasks remotely.

Remote Assistance requires that both computers are running Windows XP.

Types of Remote Assistance connections

Remote Assistance can be used in the following situations:

  • Within a local area network (LAN).

  • Over the Internet.

  • Between an individual on the Internet and an individual behind a firewall on a LAN. Connections through a firewall require that TCP port 3389 be open.

Securing Remote Assistance

If a user permits it, and it is allowed by Group Policy, a helper can control the user's computer and perform any task that the user can perform, including accessing the network. To address security concerns within your organization, the following settings are available:

  • At the firewall. You can determine whether a person within your organization can request help outside of the organization by prohibiting or permitting inbound and outbound traffic through port 3389 at the firewall. For more information, see the section in this article, Using Remote Assistance Through a Firewall.

  • Group Policy. You can set Group Policy to permit or prohibit users from requesting help using Remote Assistance. You can also determine whether users can allow someone to remotely control their computer, or just view it.

    In addition, you can set Group Policy to permit or prohibit a helper from offering Remote Assistance without a specific request from the user.

    For more information, see the section in this article, Using Group Policy for Remote Assistance.

  • Individual computer. The administrator of an individual computer can turn off Remote Assistance requests on that computer; this prevents anyone using the computer from sending a Remote Assistance invitation. For more information, see the section in this article, Blocking Remote Assistance on an Individual Computer.

Offering Remote Assistance

Remote Assistance normally begins with a user requesting help, either through e-mail or Windows Messenger. However, a helper can also offer help without first receiving a request from a novice. For more information, see the section in this article, Offering Help via Remote Assistance.

Using Remote Assistance Through a Firewall

Remote Assistance uses the Remote Desktop Protocol (RDP) to establish a connection between a user requesting help and a helper providing it. The RDP uses TCP port 3389 for this connection. To allow users within an organization to request help outside your organization using Remote Assistance, port 3389 must be open at the firewall. To prohibit users from requesting help outside the organization, this port should be closed at the firewall.

Refer to the instructions for administering the firewall for information about opening or closing port 3389.

Notes:

  • If you close port 3389, you will block all Remote Desktop and Terminal Services through this port. If you want to allow these services but want to limit Remote Assistance requests, use Group Policy.

  • Microsoft's Internet Connection Firewall, which is designed to be used only with stand-alone computers or computers in a workgroup, does not block Remote Assistance traffic.
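To check that the port 3389 decision described above is actually enforced at the perimeter, the following added example (not part of the original article) scans a firewall log for TCP 3389 flows that cross between the LAN and the Internet. The log format, the sample records, and the internal address ranges are constructed assumptions; adapt them to your firewall.

```python
import ipaddress

RA_PORT = "3389"  # TCP port the article gives for Remote Assistance (RDP)

# Assumption: the organization's internal address space; adjust to your LAN.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (hypothetical W3C-style format, not a real product's).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2002-03-01 09:12:44 ALLOW TCP 10.0.4.17 203.0.113.25 1042 3389
2002-03-01 09:13:02 DROP TCP 198.51.100.9 10.0.4.17 2210 3389
2002-03-01 09:15:30 ALLOW TCP 10.0.4.17 10.0.9.50 1077 3389
2002-03-01 09:16:11 ALLOW TCP 10.0.4.22 203.0.113.80 1090 80
2002-03-01 09:17:45 ALLOW UDP 10.0.4.22 203.0.113.53 1091 3389
2002-03-01 09:18:20 ALLOW TCP 198.51.100.9 10.0.4.30 2215 3389
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#Fields:"):
            fields = parts[1:]
        elif parts and not line.startswith("#") and len(parts) == len(fields):
            yield dict(zip(fields, parts))

def perimeter_3389_flows(log_text):
    """TCP/3389 flows with exactly one endpoint inside the organization."""
    flows = []
    for rec in parse(log_text):
        if rec["protocol"].upper() != "TCP" or rec["dst-port"] != RA_PORT:
            continue
        src_in, dst_in = is_internal(rec["src-ip"]), is_internal(rec["dst-ip"])
        if src_in == dst_in:
            continue  # both endpoints on the same side: not a perimeter crossing
        direction = "outbound" if src_in else "inbound"
        flows.append((direction, rec["action"].upper(), rec["src-ip"], rec["dst-ip"]))
    return flows

def allowed_despite_block(log_text):
    """Flows the firewall passed; any hit means port 3389 is not closed."""
    return [f for f in perimeter_3389_flows(log_text) if f[1] == "ALLOW"]

if __name__ == "__main__":
    for flow in allowed_despite_block(SAMPLE_LOG):
        print(*flow)
```

A hit is not necessarily Remote Assistance: as the note above says, Remote Desktop and Terminal Services share port 3389, so each allowed flow still needs to be attributed to a service.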

Using Remote Assistance with NAT Devices

What is NAT?

Network Address Translation (NAT) is an Internet Engineering Task Force (IETF) standard used to allow multiple PCs or devices on a private network (using private address ranges such as 10.0.x.x, 192.168.x.x, 172.x.x.x) to share a single, globally routable IPv4 address. A main reason NAT is often deployed is that addresses for IPv4, the current generation of the Internet, are getting scarce.

NAT is used in gateway devices that form the boundary between the public Internet and the private LAN. As IP packets from the private LAN traverse the gateway, NAT translates a private IP address and port number to a public IP address and port number, tracking those translations to keep individual sessions intact. Internet Connection Sharing in the Windows XP and Windows Me operating systems, along with many Internet gateway devices, uses NAT, particularly to connect to broadband networks via DSL or cable modems. The use of NAT is increasing dramatically as more homes and small businesses network their PCs and share a connection to the Internet.

Remote Assistance and NAT

Remote Assistance supports UPnP to traverse NAT devices, allowing connections through NAT devices unless both the Novice and Expert are behind a non-UPnP NAT device. At this time, Windows XP Internet Connection Sharing supports UPnP.

Here's how Remote Assistance works with UPnP:

  1. Remote Assistance will detect the Public Internet IP address and TCP Port number on the UPnP NAT device and insert the address into the Remote Assistance ticket.

  2. The Public Internet Address and TCP Port number will be used to connect through the NAT device by the Expert or Novice workstation to establish a Remote Assistance session.

  3. The Remote Assistance connection request will then be forwarded to the client by the NAT device.

Note: Remote Assistance will not connect when the Novice is behind a non-UPnP NAT device and e-mail is used to send the invitation file. When sending an invitation using Windows Messenger, a non-UPnP NAT device will work if one client is behind a NAT device. If both expert and novice computers are behind non-UPnP NAT devices, the Remote Assistance connection will fail.

Several NAT networking companies are looking into supporting UPnP by the end of this year. Table 1 below shows Remote Assistance connections that work through NAT devices. Note: Windows 2000 ICS does not support UPnP.

Table 1. Remote Assistance connections and NAT devices

                                   Windows XP ICS   Non-UPnP NAT Device   UPnP NAT Device

Connecting via Windows Messenger
  Novice                           Yes              Yes                   Yes
  Expert                           Yes              Yes                   Yes
  Both Novice and Expert           Yes              No                    Yes

Connecting via e-mail
  Novice                           Yes              No                    Yes
  Expert                           Yes              Yes                   Yes
  Both Novice and Expert           Yes              No                    Yes

Using Group Policy for Remote Assistance

In an Active Directory Windows 2000 Server environment, you can use Group Policy to manage Remote Assistance—setting levels of permissions or blocking its use entirely.

Use the policy Solicited Remote Assistance located in the Group Policy Snap-in (Computer Configuration\Administrative Templates\System\Remote Assistance), as shown in Figure 1 below.

Figure 1. Managing Remote Assistance via Group Policy

Solicited remote assistance is where the user of a computer explicitly requests help from another party, known as a helper.

Preventing Remote Assistance

The policy setting Solicited Remote Assistance is not configured by default, which means individual users will be able to configure solicited remote assistance via the control panel. The default settings via the control panel are: solicited remote assistance is enabled, buddy support is enabled, remote control is enabled, and the maximum ticket time is 30 days.

Therefore, in order to prohibit users from accessing Remote Assistance, you need to disable the policy Solicited Remote Assistance. This will prohibit Remote Assistance for any computer or user subject to the Group Policy Object (GPO) affected by the setting. For example, you may wish to prevent certain groups of users from accessing Remote Assistance. A user who is a member of a given Organizational Unit (OU) subject to this policy setting will not be able to use Remote Assistance.

Managing Remote Assistance

Enabling Solicited Remote Assistance allows you to set permissions that differ from the default settings that are enabled when this policy is not configured. As in the case explained earlier, you may wish to manage how certain groups of users can use Remote Assistance. A user who is a member of a given Organizational Unit (OU) subject to this policy setting will be able to use Remote Assistance, according to the permissions you set.

Note: Sending a help request does not explicitly give the expert permission to connect to the computer and/or control it. When the expert tries to connect, the user will still be given a chance to accept or deny the connection (giving the helper view-only privileges to the user's desktop) and will afterward have to explicitly click a button to give the expert the ability to remotely control the desktop if remote control is enabled.

If the setting is enabled, you can set the following configuration options:

  • Allow buddy support. Checking this checkbox means that a user can request help from other individual users (such as friends or coworkers, via e-mail or instant messaging) as well as via an official channel set up by a software or hardware vendor, corporate helpdesk, and so on. Unchecking this box means that a user can only request help through an official channel.

  • Permit remote control of this computer. This selection allows you to choose whether an expert will be able to remotely control the computer or whether the expert is only allowed to remotely view the user's desktop.

  • Maximum ticket time. These two settings control the maximum time a user can have a help request remain valid. When the ticket (help request) expires, the user must send another request before an expert can connect to the computer.

Blocking Remote Assistance on an Individual Computer

Users can block Remote Assistance on their own computers by adjusting settings in the control panel.

To block Remote Assistance requests on an individual computer

  1. Open Control Panel, click Performance and Maintenance, and then click System.

  2. On the Remote tab, under Remote Assistance, clear the Allow Remote Assistance invitations to be sent from this computer check box, as shown in Figure 2 below.

    Figure 2. Blocking Remote Assistance

To prevent someone from using Remote Assistance to take control of this computer

  1. Open System in Control Panel.

  2. On the Remote tab, under Remote Assistance, click Advanced.

  3. Clear the Allow this computer to be controlled remotely check box, as shown in Figure 3 below.

Figure 3. Preventing access to your computer via Remote Assistance

Offering Help via Remote Assistance

Sometimes the best way to help someone fix a problem is to demonstrate a solution. If you are an expert or Helpdesk support professional, you can initiate a Remote Assistance request without an invitation. For example, you may be communicating with a friend about a computer issue and elect to resolve it via Remote Assistance.

After you are connected, you will be able to view the user's computer screen and chat together about what you both see. With that person's permission, you can use your mouse and keyboard to control his or her computer.

Notes:

  • Firewalls can prevent a Remote Assistance connection. Try using Windows Messenger instead of e-mail to start the connection. If that doesn't work, ask the network administrator to add port 3389 for you.

  • If Offer Remote Assistance is enabled in the Group Policy editor on a user's computer, a helper can offer Remote Assistance to that user without an explicit invitation. The helper must have been added as a helper on that person's computer in the Group Policy editor, or be a member of the Administrators group on that computer.

  • You can improve performance during a Remote Assistance session by reducing the color quality on the user's computer. Use the Color Quality setting on the Settings tab in Display (in Control Panel) to reduce the number of colors his or her screen displays.

To offer Remote Assistance without an invitation

  1. Click Start, and then click Help and Support.

  2. Under Pick a task, click Tools.

  3. Under Tools in the left pane, click Offer Remote Assistance.

  4. Type the name or the IP address of the computer you want to connect to, and then click Connect, as shown in Figure 4 below.

Figure 4. Offering Remote Assistance

To offer Remote Assistance to a user who has not sent an explicit invitation, the Offer Remote Assistance setting in Group Policy must be enabled on the user's computer, as shown in Figure 5 below.

Figure 5. Enabling Group Policy to Offer Remote Assistance

In addition, you must be either a member of the Administrators group on that computer or listed as a helper under Offer Remote Assistance on that computer, as shown in Figure 6 below.

Figure 6. Adjusting the Offering Remote Assistance policy setting

To enable Offer Remote Assistance on a computer

  1. Click Start, click Run, type gpedit.msc, and then click OK.

  2. In the left pane of the Group Policy editor, under Computer Configuration, double-click Administrative Templates, double-click System, and then double-click Remote Assistance.

  3. In the right pane, double-click Offer Remote Assistance, and then click Enabled. Once enabled, you can determine whether the helper can view the computer or control it.

Although a helper can offer Remote Assistance without being asked, the user must give permission before the helper can see the user's computer. In addition, the user must give explicit permission before the helper can control the user's computer (if that feature is enabled).

Summary

Managing Remote Assistance may require adjusting settings for port 3389, configuring Group Policy Objects, and other administration tasks.

Administrators can manage Remote Assistance through the following:

  • Firewall. Administrators can determine whether a person within your organization can request help outside of the organization by prohibiting or permitting inbound and outbound traffic through port 3389 at the firewall.

  • Group Policy. You can set Group Policy to permit or prohibit users from requesting help using Remote Assistance. You can also determine whether users can allow someone to remotely control their computer, or just view it. In addition, you can set Group Policy to permit or prohibit a helper from offering Remote Assistance without a specific request from the user.

  • Individual computer. The administrator of an individual computer can turn off Remote Assistance requests on that computer; this prevents anyone using the computer from sending a Remote Assistance invitation.

See the following resources for further information:

For the latest information about Windows XP, see the Windows XP Web site at https://www.microsoft.com/windowsxp/default.asp.