If you've ever tried to help a novice user
troubleshoot a Windows problem over the phone, you know how frustrating
the entire process can be. It's usually difficult for an inexperienced
user to accurately communicate detailed configuration information,
especially if the problem involves technically challenging areas, such
as hardware drivers or network protocols. Because you're not looking
over the user's shoulder, you can't see error messages or informational
dialog boxes, so you have to rely on the user to read this crucial
information back to you. Even when you successfully pin down the problem
and find a solution, you have to walk the user through a potentially
daunting repair process. And if the registry needs editing—well, good
luck.
With Windows 7, on the
other hand, you can eliminate most of those headaches using a cool
support tool called Windows Remote Assistance. This feature, available
in all versions of Windows 7 (as well as Windows Vista, Windows XP,
Windows Server 2003, and Windows Server 2008), lets you open a direct
connection between two machines over the internet or over a local area
network. Even if you're hundreds or thousands of miles away, you can
watch as the user demonstrates the problem and take control of the
screen to make repairs quickly and accurately. You can investigate
Control Panel settings, run diagnostic tools, install updates, and even
edit the registry of the problem-plagued PC. Repairs that might have
taken hours the old-fashioned way can be accomplished in a few minutes
using this tool.
Remote Assistance is
designed for informal, peer-to-peer use by Windows users without an
extensive technical background. Although the user interface hides most of its
complexities, a basic understanding of how Remote Assistance connections work
can help you make reliable connections without compromising the security
of either computer.
1. How Remote Assistance Works
The two parties in a
Remote Assistance session are called the novice
and the expert.
(On some screens and in some documentation, the expert is referred to
as the helper.)
To use Remote Assistance, both parties must be using a Windows version
that includes Remote Assistance (Windows 7, Windows Vista, Windows XP,
Windows Server 2003, or Windows Server 2008), both must have an active
internet connection or be on the same local area network, and neither
can be blocked by a firewall.
The connection
between novice and expert can be established in a variety of ways. If
both parties are using Windows 7, a new Easy Connect feature is the
simplest approach; a simple password exchange is all that's required.
Alternatively, the novice can send a Remote Assistance invitation, using
an instant messenger program or e-mail. The expert then accepts the
invitation and enters an agreed-upon password. Finally, the novice
approves the expert's acceptance.
After the connection has
been established, a terminal window on the expert's computer displays
the desktop of the
novice's machine. The expert views the desktop in a read-only window
and exchanges messages with the novice using text chat. If the expert
wants to work with objects on the novice's computer, he or she can
request control.
In a slight variation
of this process, the expert can initiate the Remote Assistance session,
perhaps in response to a telephone plea for help from the novice. We
describe both connection processes in detail in the sections that
follow.
At the heart of each
Remote Assistance connection is a small text file called an RA ticket.
(More formally, its type is Windows Remote Assistance Invitation and its
extension is .msrcincident.) This file uses encrypted data in XML
fields to define the parameters of a Remote Assistance connection. When
you use Windows Live Messenger to manage the connection, the RA ticket
is never visible. (In fact, Messenger uses a connection string that
includes only part of the RA ticket information—just enough to establish
the connection.) When a novice sends a Remote Assistance request via
e-mail, however, the RA ticket rides along as an attachment to the
message. The expert has to double-click this file to launch the Remote
Assistance session.
Remote Assistance in Windows 7 uses some of the same
underlying technology as Remote Desktop Connection, a program that
allows you to connect to your computer from a remote location and use it
as if you were sitting right in front of it. Here are some of the key
differences that set these programs apart:
- In a Remote Assistance session, both users must be present at their
  respective computers and must agree to establish the connection.
  Remote Desktop Connection can be initiated from one computer without
  the assent of someone at the remote target computer.
- With Remote Assistance, you can connect to a computer running any
  edition of Windows 7. The target (host) computer for a Remote Desktop
  Connection session must be running the Professional, Enterprise, or
  Ultimate edition. (You can initiate the connection from any Windows 7
  edition. You can even initiate the connection from a web browser,
  which is not possible with Remote Assistance.)
- Remote Assistance provides a shared view into an existing session
  (that is, the users at each end see the same screen and can share
  control), whereas Remote Desktop Connection starts a new session on
  the remote computer. The remote session takes over completely, and the
  local user loses interactive access, seeing instead a logon screen
  with a label indicating the user account that is logged on from a
  remote location.
- In a Remote Assistance session, the remote user has the same rights
  and privileges as the local user. With Remote Desktop Connection,
  remote users can do whatever their account credentials allow them to
  do.
- Remote Assistance connections can be established over the internet,
  even when each computer is behind a different router that uses NAT.
  With Remote Desktop Connection, the target computer must be on the
  same network (including a virtual private network, or VPN) and it
  cannot be behind a NAT router.
These two programs,
of course, are intended to serve very different needs. But their
similarities sometimes make it possible to use one in place of the
other.
Without the use of a relay
server, Remote Assistance is able to reach computers behind nearly any
NAT router. It simultaneously attempts several types of connections
until it finds one that works:
- IPv4 address: This type of connection is used when both computers can
  be directly addressed using IPv4, such as on a local area network or
  when both computers have public IP addresses.
- IPv6 address: This type of connection is used when both computers are
  on an IPv6 network.
- UPnP NAT address: This type of connection is used to connect through a
  UPnP router, which provides NAT traversal.
- NAT traversal via Teredo: This type of connection is used when all the
  other methods fail. After using a public Teredo server to determine
  NAT port mapping and to initiate communication, this connection then
  encapsulates IPv6 data in IPv4 packets, enabling it to tunnel through
  an IPv4 network.
Teredo can't make a connection
If you can't make a
connection and you're certain that a firewall isn't blocking the connection, be sure
that UPnP is enabled on your router. (See the instructions for your
router for details. If you no longer have the manual, check the
manufacturer's website.) Teredo doesn't work with routers that use
symmetric NAT. To find out if you have an incompatible router, at a
command prompt type netsh interface teredo show state. (This can be
abbreviated as netsh int ter sho st.) If the Type line shows Symmetric or
Port Restricted, your best bet is UPnP.
With the Windows XP version of Remote Assistance,
connecting two systems behind NAT routers was difficult at best. Trying
to explain to an inexperienced user who's already flustered because of
computer problems all the complex configuration steps needed to bypass
NAT made Remote
Assistance impractical for most such setups. NAT is a great system for
extending the limited number of available IP addresses and for securing
computers on a small network. But it is the bane of users trying to make
peer-to-peer connections,
whether for voice, video, gaming—or Remote Assistance. Now, the only
obstacle to end-to-end connections for Remote Assistance on computers
running Windows Vista or Windows 7 is a firewall.
Windows Firewall
has an exception defined for Remote Assistance. (An exception is a
group of rules that enable an application to communicate through the
firewall.) By default, the exception is enabled only for private
networks, such as a workgroup in a home or small office. The exception
is disabled for public networks (such as an internet cafe or public
Wi-Fi hotspot) and for domain networks. If you try to make a Remote
Assistance connection when the exception is disabled, you'll see a
message like the one shown in Figure 1.
To correct the problem,
click Repair. The troubleshooter will figure out what's wrong and then
present a Try These Repairs As An Administrator link. Click that link,
give the troubleshooter a moment or two to carry out the necessary
repair, and you should be good to go. If the troubleshooter for any
reason doesn't perform as expected, open Windows Firewall. In the left
pane, click Allow A Program Or Feature Through Windows Firewall. Then
click Change Settings (requires administrator privileges), select Remote
Assistance, and click OK.
The specific rules that
make up the Remote Assistance exception vary depending on the profile
type. For example, UPnP connections are enabled only in the private and
domain profiles—not in the profile for public networks. Teredo
connections are enabled only in the private and public profiles to
prevent its use on corporate domains. The domain profile contains
additional rules that enable help-desk personnel to offer assistance
using Distributed Component Object Model (DCOM). You might want to
examine the rules that define the Remote Assistance exception, whether
it's to satisfy your innate curiosity or to configure comparable rules
for a third-party firewall. To do so, follow these steps:
1. Open Windows Firewall With Advanced Security.
2. In the console tree, select Inbound Rules or Outbound Rules.
3. In the actions pane, click Filter By Group, Filter By Remote Assistance.
4. In the details pane, double-click a rule to review its specifics.
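The same review can be scripted when you need the whole exception in one table, for instance to mirror it in a third-party firewall or to confirm which profiles actually expose it. The following PowerShell is an added example, not part of the original text: it reads the rules through the Windows Firewall COM object HNetCfg.FwPolicy2 and assumes English display names, so that the rule names begin with "Remote Assistance".

```powershell
# List the Windows Firewall rules that make up the Remote Assistance
# exception, with the profiles each rule applies to.
# Assumption: English display names, so rule names begin "Remote Assistance".
$policy = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2 bit flags carried in each rule's Profiles property.
$profileBits = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

function Get-ProfileNames([int]$Mask) {
    $names = @()
    foreach ($bit in 1, 2, 4) {
        if ($Mask -band $bit) { $names += $profileBits[$bit] }
    }
    $names -join ', '
}

function Get-ProtocolName([int]$Number) {
    switch ($Number) {
        6       { 'TCP' }
        17      { 'UDP' }
        256     { 'Any' }
        default { "$Number" }
    }
}

$policy.Rules |
    Where-Object { $_.Name -like 'Remote Assistance*' } |
    ForEach-Object {
        # One row per rule; Direction 1 is inbound, 2 is outbound.
        New-Object PSObject -Property @{
            Name      = $_.Name
            Direction = $(if ($_.Direction -eq 1) { 'In' } else { 'Out' })
            Enabled   = $_.Enabled
            Profiles  = Get-ProfileNames $_.Profiles
            Protocol  = Get-ProtocolName $_.Protocol
            Ports     = $_.LocalPorts
            Program   = $_.ApplicationName
        }
    } |
    Sort-Object Direction, Name |
    Format-Table Name, Direction, Enabled, Profiles, Protocol, Ports, Program -AutoSize
```

Read the Profiles column against the description above: the UPnP rules should not list Public, the Teredo rules should not list Domain, and the DCOM rules should appear for Domain only. An enabled rule on a profile where you never accept help is a candidate for disabling.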