In Windows Server 2003 Help, there is a wizard-driven section for Remote Assistance, the first page of which is shown in Figure 2-6.
Figure 2-6 The Remote Assitance invitation screen in the Help and Support Center
The wizard-driven connection allows for a request to be sent either through a Microsoft .NET Passport account, through sending a saved file, or through a non-Passport e-mail account, along with allowing you to make a request using Windows Messenger. For a successful request through e-mail, both computers must be using a Messaging Appli cation Programming Interface (MAPI)-compliant e-mail client.
To use the Windows Messenger service for your Remote Assistance connection, you must have the assistant’s Windows Messenger user name in your contact list, and make
the request from a Windows Messenger client. Windows Messenger will display their status as online or offline. Remote Assistance can only be requested directly when your assistant is online. Remote Assistant requires that both computers are running Windows XP or a product in the Windows Server 2003 family.
Note The indicator of online status in the Remote Assistance help window is not dynamic; you must therefore refresh the screen to see an accurate status update.
After receiving a request for Remote Assistance, the helper (expert) can remotely connect to the computer and view the screen directly to fix the problem. When you initiate a request for help, the Remote Assistance client sends an encrypted ticket based on Extensible Markup Language (XML) to the helper, who is prompted to accept the invitation.
Security Alert Remote Assistance, if enabled, allows for connection to a computer under relaxed security conditions. Make certain that you provide access only to trusted authorities for Remote Assistance sessions.
Using Remote Assistance
A user can request assistance from another Windows Messenger user by placing the request through the Help and Support Center application or directly through Windows Messenger. Both applications use the same mechanisms for determining if the expert is online, and then making a request for assistance. Figure 2-7 illustrates making a request for Remote Assistance using Windows Messenger.
Lesson 4 Using Remote Assistance 2-21
The Windows Messenger window opens, and the user selects the expert’s Windows Messenger account. The expert receives the invitation as an Instant Message. When the expert clicks Accept, the Remote Assistance session is initiated. The requesting user confirms the session by clicking Yes.
When the remote connection is established, the Remote Assistance session begins on the expert’s computer. The expert and user can share desktop control, file transfer capabilities, and a chat window through which they work together to solve the user’s problem.
Security Alert If the user chooses to send an e-mail or file request for Remote Assis tance, a password will be required as a shared secret for the Remote Assistance session. The user should set a strong password, and let the expert know what the password is in a separate communication such as a telephone call or secure e-mail.
Offering Remote Assistance to a User
Remote Assistance is especially useful if you want to initiate troubleshooting on a user’s computer. To do this, you must enable the Offer Remote Assistance Local Group Policy setting on the target (user’s) local computer:
1. On the user’s computer, click Start, Run, and then type gpedit.msc. The local Group Policy editor appears, enabling you to adjust policies that affect the local machine.
Note A Domain Group Policy may prevent you from adjusting this policy.
2. Under the Computer Configuration node, expand Administrative Templates, then System, and then click Remote Assistance.
3. Double-click Offer Remote Assistance and then select Enabled.
4. Next, click Show, then specify the individual users that will be allowed to offer assistance by assigning helpers within the context of this policy. These “helper” additions to the list should be in the form of domain\username, and must be a member of the local administrators group on the local computer.
Initializing Remote Assistance
You can now initiate Remote Assistance from your computer, to a users computer, pro viding that the credentials that you supply match those of a helper defined in the target computer’s local Group Policy:
1. Open the Help And Support Center, click Tools, and then click Help And Support Center Tools. Next click Offer Remote Assistance. Figure 2-8 illustrates the Help And Support Center Tools interface.
Figure 2-8 The Help And Support Center Tools
2. In the dialog box, type the name or IP address of the target computer, and then click Connect. (If prompted that several users are logged on, choose a user ses sion.) Then click Start Remote Assistance.
The user receives a pop-up box showing that the help-desk person is initiating a Remote Assistance session.
3. The user accepts, and Remote Assistance can proceed.
Security Alert There are several issues to consider when managing and administering Remote Assistance in the corporate environment or large organization. You can specify an open environment in which employees can receive Remote Assistance from outside the cor porate firewall, or you can restrict Remote Assistance by means of Group Policy and specify various levels of permissions such as only allowing Remote Assistance from within the corpo rate firewall. Connections from outside the firewall require port 3389 to be open.
!
Lesson 4 Using Remote Assistance 2-23
Firewall Constraints to Remote Assistance
Remote Assistance runs on top of Terminal Services technology, which means it must use the same port used by Terminal Services: port 3389. Remote Assistance will not work when outbound traffic from port 3389 is blocked. In addition, there are several other firewall-related concerns, particularly in relation to Network Address Trans lation (NAT).
■ Remote Assistance supports Universal Plug and Play (UPnP) to Traverse Network Address Translation devices. This is helpful on smaller, home office networks, as Windows XP Internet Connection Sharing (ICS) supports UPnP. However, Windows 2000 ICS does not support UPnP.
Exam Tip Watch for questions that use Windows 2000 ICS for remote assistance from a big, corporate help desk to a small satellite office. Because Windows 2000 ICS does not sup- port UPnP, Remote Assistance problems will abound.
■ Remote Assistance will detect the Internet IP address and TCP port number on the UPnP NAT device and insert the address into the Remote Assistance encrypted ticket. The Internet IP address and TCP port number will be used to connect through the NAT device by the helper or requester workstation to establish a Remote Assistance session. The Remote Assistance connection request will then be forwarded to the client by the NAT device.
■ Remote Assistance will not connect when the requester is behind a non-UPnP NAT device when e-mail is used to send the invitation file. When sending an invitation using Windows Messenger, a non-UPnP NAT device will work if one client is behind a NAT device. If both the helper and requester computers are behind non- UPnP NAT devices, the Remote Assistance connection will fail.
If you are using a software-based personal firewall or NAT in a home environment, you can use Remote Assistance with no special configurations. However, if you are using a hardware-based firewall in a home environment, the same restrictions apply: you must open port 3389 to use Remote Assistance.