If you’ve ever tried to help a novice user troubleshoot a Windows problem over the phone, you know how frustrating the entire process can be. It’s usually difficult for an inexperienced user to accurately communicate detailed configuration information, especially if the problem involves technically challenging areas such as hardware drivers or network protocols. Because you’re not looking over the user’s shoulder, you can’t see error messages or informational dialog boxes, so you have to rely on the user to read this crucial information back to you. Even when you successfully pin down the problem and find a solution, you have to walk the user through a repair process that can be daunting.
With Windows XP, on the other hand, you can eliminate most of those headaches using a new support tool called Remote Assistance. This feature, available in both Windows XP Professional and Home Edition and on Windows Server 2003, lets you open a direct connection between two machines over the Internet or over a local area network. Even if you’re hundreds or thousands of miles away, you can watch as the user demonstrates the problem and take control of the screen to make repairs quickly and accurately. You can investigate Control Panel settings, run diagnostic tools, install updates, and even edit the registry of the problem-plagued PC. Repairs that might have taken hours the old-fashioned way can be accomplished in a few minutes using this tool.
Behind the scenes, Remote Assistance uses Windows XP/2003 Terminal Services to share a desktop and other resources between two PCs. Although this is the same underlying code used in the Remote Desktop feature, Remote Assistance is fundamentally different in two ways. First, in a Remote Assistance session, both users must be present at their respective PCs and must agree to establish the connection. Second, you can use Remote Assistance to connect to a PC running Windows XP Home Edition, whereas incoming Remote Desktop connections can only be enabled on Windows XP Professional or Windows Server 2003.
Remote Assistance is designed for informal, peer-to-peer use by Windows users without an extensive technical background. Although the user interface hides most of its complexities, a basic understanding of how Remote Assistance connections work can help you make reliable connections without compromising the security of either computer.
The two parties in a Remote Assistance session are called the novice and the expert. To use Remote Assistance, both parties must be using Windows XP Professional or Windows Server 2003, both must have active Internet connections or be on the same local area network, and neither can be blocked by firewalls.
Creating a complete Remote Assistance session is a three-step process:
At the heart of each Remote Assistance connection is a small text file called an RA ticket. (More formally, its type is Microsoft Remote Assistance Incident and its extension is .msrcincident.) This file uses XML fields to define the parameters of a Remote Assistance connection. When you use Windows Messenger to manage the connection, the RA ticket is never visible. When a novice sends a Remote Assistance request via e-mail, however, the RA ticket rides along as an attachment to the message. The expert has to double-click this file to launch the Remote Assistance session.
Remote Assistance works by creating a direct connection between two computers using the TCP/IP protocol. For this connection to be successful, both computers involved must be able to communicate using their respective IP addresses.
By default, Windows XP requires that a user request assistance before a Remote Assistance connection is made. From the Help And Support Center home page, click Invite A Friend To Connect To Your Computer With Remote Assistance. (You can also reach this page from the Remote Assistance shortcut on the All Programs menu.)
Click Invite Someone To Help You. The Remote Assistance pane offers three methods to send an invitation for assistance.
If you need to send a Remote Assistance invitation (or help someone else send an invitation to you), Windows Messenger is by far the quickest and easiest option. You get immediate confirmation that the invitation has been received and accepted, and the Messenger window handles the connection details without requiring any file attachments. Skip the extra steps in the Help And Support Center, and send the invitation directly from Messenger by choosing Tools, Ask For Remote Assistance.
After the expert launches the connection request and the novice grants permission, a two-pane Remote Assistance window opens on the expert’s machine. The left pane is used for text chat; the pane on the right displays the novice’s desktop. As the expert, you’ll use the toolbar at the top of the Remote Assistance window. (The novice has similar options available on a toolbar whose format is slightly different.)
For obvious security reasons, clicking the Take Control button sends a request to the novice, who has to grant permission before you can actually begin working with the remote desktop. At any time, the novice can cut off your ability to control the session by tapping the Esc key, or you can click the Release Control button on the Remote Assistance toolbar.
Regardless of your expert credentials, your actions in a Remote Assistance session are governed by the privileges assigned to the novice user’s account. When connecting to a machine belonging to a user with a limited account, for instance, you might be unable to edit the registry or make necessary configuration changes unless you can supply an administrator’s password (using the Run As dialog box).
Remote Assistance is a powerful tool. In the wrong hands, it’s also potentially dangerous, because it allows a remote user to install software and tamper with a system configuration. In a worst-case scenario, someone could trick an unsuspecting novice into allowing access to his or her machine, and then plant a Trojan application or gain access to sensitive files.
Four essential security precautions can slam the door on security breaches:
Set a short expiration time on Remote Assistance invitations sent via e-mail. A time of 1 hour should be sufficient for most requests. (Note that the invitation must be accepted within the specified time; you don’t need to specify enough time to complete the Remote Assistance session.) An expired RA ticket file is worthless to a potential hacker.
In some cases, you may want to create a long-term Remote Assistance invitation. If you’re the expert for a friend or family member, for instance, there’s no need to create a new invitation each time the novice gets stuck. Instead, have that person create an invitation and save it as a file. From the novice’s machine, open the Help And Support Center, select the Save Invitation As A File option, and specify the maximum expiration time of 99 days. Store the invitation in a convenient place on your system, and use it each time you get a call for help. Note that this option will not work if the novice has a dial-up Internet account whose IP address changes with each new connection; it’s most effective when the novice has a cable modem or other always-on connection with a fixed IP address.
You might shudder at the thought of accessing another desktop over a dial-up connection. Surprisingly, the performance can be quite usable. You wouldn’t want to use this sort of connection for everyday work, but for troubleshooting, it’s good enough. You can maximize Remote Assistance performance over a dial-up link by observing these precautions.
Double-clicking an RA ticket results in an error message – If you’re experiencing problems with a Remote Assistance connection and you’re using an RA ticket file (not Windows Messenger), make sure the ticket file is pointing to the correct IP address. If you received the invitation via e-mail, save the rcBuddy.MsRcIncident file and open it using Notepad or another text editor.
Look at the RCTICKET field, which follows this format:
Check the IP address value to be certain it points to the current IP address of the novice’s machine and, if necessary, edit it. But don’t tamper with the encrypted connection info data.
A Remote Assistance connection is relatively easy when both parties have public IP addresses provided by an Internet service provider (ISP). In that scenario, the computers connect directly, sending and receiving data on TCP port 3389. Routers along the Internet connection between the two computers are able to recognize the addresses of the two computers and send the respective packets to their correct destination.
Note: Internet Connection Firewall in Windows XP automatically opens this port when you request a Remote Assistance connection.
Remote Assistance connections are also straightforward and typically trouble-free on a private network such as a workgroup in a home or small office. In that case, each machine can communicate directly with the other without having to pass through any routers.
On a corporate network, the preferred way to work around firewalls is to establish a virtual private network (VPN) connection. This allows all traffic to pass through the firewall and eliminates the need to create possible security holes by opening specific ports.
What happens if one or both sides of the connection are using private IP addresses assigned through Network Address Translation (NAT)? That’s when Remote Assistance gets complicated. Because these addresses are reserved for exclusive use on private networks, they cannot be routed over the Internet. Instead, a software or hardware-based NAT device handles the grunt work of passing data between the single public IP address it uses to communicate with the Internet and the private IP addresses on the local network. How it performs that job determines whether the Remote Assistance connection will succeed or fail. The exact outcome depends on how the computer acquired the private IP address:
The trickiest connection of all involves a novice who is behind a non-UPnP NAT device, such as a router or residential gateway on a cable or DSL connection, and who is unable or unwilling to use Windows Messenger. In that case, you may be able to make a Remote Assistance connection work by editing the RA ticket file. Find the address of the NAT device (the public IP address it uses to connect to the Internet) and the private address of the novice’s computer; then follow these steps:
RCTICKET="65538,1,184.108.40.206:3389;192.168.1.105:3389;groucho:3389,encrypted connection info"
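The two ticket checks described above (confirming which address the RCTICKET field points to, and leaving the encrypted connection info alone when editing) can be scripted. The following is an added example, not code from the original text or from Microsoft. It assumes the comma and semicolon layout of the ticket line printed on this page, and the function names are hypothetical.

```python
import ipaddress
import re

# Ticket line as printed on this page; "encrypted connection info" is the page's
# stand-in for the opaque encrypted data, not a real value.
SAMPLE = ('RCTICKET="65538,1,184.108.40.206:3389;192.168.1.105:3389;'
          'groucho:3389,encrypted connection info"')

# RFC 1918 private ranges plus link-local: none are routable over the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_rcticket(text):
    """Split an RCTICKET value into header fields, endpoints and opaque tail."""
    m = re.search(r'RCTICKET="([^"]*)"', text)
    if not m:
        raise ValueError("no RCTICKET field found")
    parts = m.group(1).split(",", 3)
    if len(parts) != 4:
        raise ValueError("unexpected RCTICKET layout")
    endpoints = []
    for entry in parts[2].split(";"):
        host, sep, port = entry.strip().rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("bad endpoint: %r" % entry)
        endpoints.append((host, int(port)))
    return {"header": parts[:2], "endpoints": endpoints, "opaque": parts[3]}

def classify(host):
    """Return 'public', 'private' or 'name' for one endpoint host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"  # machine name: resolvable only on the novice's own network
    return "private" if any(addr in net for net in PRIVATE_NETS) else "public"

def reachable_endpoints(text):
    """Endpoints an expert outside the novice's network could connect to."""
    return [ep for ep in parse_rcticket(text)["endpoints"] if classify(ep[0]) == "public"]

def edit_is_safe(original, edited):
    """True if only the address list differs; header and encrypted data untouched."""
    a, b = parse_rcticket(original), parse_rcticket(edited)
    return a["header"] == b["header"] and a["opaque"] == b["opaque"]

if __name__ == "__main__":
    for host, port in parse_rcticket(SAMPLE)["endpoints"]:
        print(host, port, classify(host))
```

An empty result from `reachable_endpoints` means the ticket lists only private addresses or machine names, which is the NAT case described above. Run `edit_is_safe` on the saved original and the edited copy before sending the file on.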