Windows Vista Resource Kit Chapter 23: Supporting Users Using Remote Assistance (Part 3)

by Mitch Tulloch [Published on 5 July 2007 / Last Updated on 5 July 2007]

A WindowsNetworking.com exclusive! The three articles in this series represent an entire chapter of the Windows Vista Resource Kit, excerpted with permission from Microsoft Press.

If you would like to read the first two parts in this article series please go to:

Windows Vista Resource Kit Chapter 23: Supporting Users Using Remote Assistance (Part 1)
Windows Vista Resource Kit Chapter 23: Supporting Users Using Remote Assistance (Part 2)

Managing Remote Assistance Using Group Policy

In an enterprise environment, Remote Assistance can be managed using Group Policy. The policy settings for Remote Assistance are all machine settings and are found in the following policy location:

Computer Configuration\Administrative Templates\System\Remote Assistance

When these policy settings are written to the registry on targeted computers, they are stored under the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services



Remote Assistance policy settings are summarized in Table 23-4.

Policy

Description

Solicited Remote Assistance

Enabling this policy allows users of targeted computers to use Solicited RA to request assistance using e-mail, file transfer, or instant messaging. Disabling this policy prevents users from using Solicited RA. The default setting is Not Configured, which allows users to change their Remote Assistance settings using the Remote tab of the System CPL in Control Panel.

If the policy is Enabled, you can further configure whether Helpers can be prevented from sharing control of the User's computer, the maximum ticket lifetime, and the method used for sending invitations by e-mail. (Windows Vista does not support the MAILTO method; select SMAPI instead if the targeted computers are running Windows Vista.) Ticket lifetime applies only to RA invitations sent by e-mail or file transfer. The default ticket lifetime when Group Policy is not being used is 6 hours.

If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Solicited RA to work.

In an unmanaged environment, this setting can also be configured using the Remote tab of the System CPL in Control Panel.

This policy is also supported on Windows XP Professional and Windows Server 2003.

Offer Remote Assistance

Enabling this policy allows designated Helpers to use Offer RA to offer assistance to users of targeted computers. Disabling this policy or leaving it Not Configured prevents Offer RA from being used to offer assistance to users of targeted computers. 

If the policy is Enabled, you can further configure whether Helpers can view or control the Users' computers, and you must specify a list of Helpers who are allowed to Offer RA to the users of the targeted computers. Helpers can be either users or groups and must be specified in the form domain_name\username or domain_name\groupname.

If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Offer RA to work.

This policy is also supported on Windows XP Professional and Windows Server 2003. See the Explain tab of this policy setting for more details.

Allow Only Vista Or Later Connections

The default Vista invitation file includes an XP-specific node for backward compatibility. This node is not encrypted and allows XP machines to connect to the Vista machine that created the ticket. Enabling this policy causes all RA invitations generated by users of targeted computers to omit the XP node, thereby providing an additional level of security and privacy. Disabling this policy or leaving it Not Configured leaves information such as the IP address and port number unencrypted in RA invitations. This policy setting applies only to RA invitations sent using e-mail or file transfer; it has no effect on using instant messaging to solicit assistance or on using Offer RA to offer assistance.

In an unmanaged environment, this setting can also be configured by clicking Advanced from the Remote tab of the System Properties dialog.

This policy is supported only on Windows Vista and later platforms.

Customize Warning Messages

Enabling this policy causes a specified warning to be displayed on targeted computers when a Helper wants to enter Screen Sharing State or Control Sharing State during an RA session. Disabling this policy or leaving it Not Configured causes the default warning to be displayed in each instance.

If the policy is Enabled, you can further specify the warning message to be displayed in each instance. 

This policy is supported only on Windows Vista and later platforms.

Turn On Session Logging

Enabling this policy causes RA session activity to be logged on the targeted computers. For more information, see the section titled "Remote Assistance Logging" earlier in this chapter. Disabling this policy causes RA auditing to be disabled on the targeted computers. The default setting is Not Configured, in which case RA auditing is automatically turned on.

This policy is supported only on Windows Vista and later platforms.

Turn On Bandwidth Optimization

Enabling this policy causes the specified level of bandwidth optimization to be used to enhance the RA experience over low-bandwidth network connections. Disabling this policy or leaving it Not Configured allows the system defaults to be used.

If the policy is Enabled, you must specify the level of bandwidth optimization you want to use from the following options:

  • No Optimization

  • No Full Window Drag

  • Turn Off Background

  • Full Optimization (Use 8-Bit Color)

If No Optimization is selected, the User's computer will use the Windows Basic theme with full background, and during a shared control session the Helper will be able to drag full windows across the User's screen. Additional optimization turns off effects to allow a more responsive experience for the Helper.

This policy is supported only on Windows Vista and later platforms.

Table 23-4 Group Policy Settings for Remote Assistance

NOTE: In Windows XP, members of the Domain Admins group were implicitly granted Helper privileges even if they were not added to the Helpers list of the Offer Remote Assistance policy setting. This is no longer the case in Vista, where the Domain Admins group must now be explicitly added to the Helpers list to grant them Helper privileges for Offer RA. 

Configuring Remote Assistance in Unmanaged Environments

Users of unmanaged computers can enable and configure Remote Assistance using the Remote tab of the System CPL in Control Panel (Figure 23-4). Enabling or disabling Remote Assistance and configuring its settings this way requires local administrator credentials on the computer, so a UAC prompt will appear when the user tries to do this.

Figure 23-4: Configuring RA from the Remote tab of the System CPL in Control Panel.

Note that settings changes made this way will affect all users on the system. The per-machine registry settings for Remote Assistance are found under the following key:

HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance

In managed environments, when the following Group Policy setting is Enabled, the Control Panel settings for configuring Remote Assistance become unavailable (are grayed out).

Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance

NOTE: Group Policy settings always prevail over locally configured settings when they overlap.
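The following Windows PowerShell script is an added example and is not part of the Resource Kit chapter. It reads the policy key that the Table 23-4 settings are written to and the per-machine key used in unmanaged environments, reports where each effective setting comes from (policy prevails when both exist), and flags two misconfigurations the text warns about: Offer RA enabled with an empty Helpers list, and Solicited RA tickets that still carry the unencrypted XP node. The registry value names (fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry, MaxTicketExpiryUnits, fUseMailto, fAllowUnsolicited, fAllowUnsolicitedFullControl, CreateEncryptedOnlyTickets, LoggingEnabled, and the RAUnsolicit subkey) are the ones the Remote Assistance templates are known to write; treat them as assumptions to be confirmed against the Explain tab of each setting on your own build.

```powershell
# Added example, not from the Resource Kit: audit the effective Remote
# Assistance configuration of the local computer. Policy-delivered values
# live under the Terminal Services policy key, locally configured values
# under the Remote Assistance control key; policy prevails when both exist.
# Run from an elevated prompt so that both keys are readable.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Get-EffectiveRaSetting {
    param([string]$Name)
    # Group Policy always prevails over the locally configured setting.
    foreach ($source in @(@{ Label = 'GroupPolicy'; Path = $PolicyKey },
                          @{ Label = 'Local';       Path = $LocalKey })) {
        $value = Get-RegValue -Path $source.Path -Name $Name
        if ($value -ne $null) {
            return New-Object PSObject -Property @{ Name = $Name; Value = $value; Source = $source.Label }
        }
    }
    return New-Object PSObject -Property @{ Name = $Name; Value = $null; Source = 'NotConfigured' }
}

function Get-RaHelpers {
    # Offer RA helpers are stored one value per helper under RAUnsolicit,
    # in the form DOMAIN\user or DOMAIN\group (assumption: confirm on your build).
    $key = Join-Path $PolicyKey 'RAUnsolicit'
    if (-not (Test-Path $key)) { return @() }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    return @((Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $meta -notcontains $_.Name } |
        ForEach-Object { $_.Value })
}

# Value names as written by the Remote Assistance templates (assumption:
# confirm against the Explain tab of each setting).
$names = @(
    'fAllowToGetHelp',               # Solicited RA: 1 = allowed
    'fAllowFullControl',             # Solicited RA: 1 = Helper may take control
    'MaxTicketExpiry',               # ticket lifetime (number)
    'MaxTicketExpiryUnits',          # 0 = minutes, 1 = hours, 2 = days (assumption)
    'fUseMailto',                    # 1 = MAILTO, 0 = SMAPI (Vista needs SMAPI)
    'fAllowUnsolicited',             # Offer RA: 1 = allowed
    'fAllowUnsolicitedFullControl',  # Offer RA: 1 = Helpers may take control
    'CreateEncryptedOnlyTickets',    # 1 = omit the unencrypted XP node
    'LoggingEnabled'                 # 1 = session logging on
)
$settings = $names | ForEach-Object { Get-EffectiveRaSetting -Name $_ }
$settings | Format-Table Name, Value, Source -AutoSize

# Findings a security reviewer would want flagged.
$byName = @{}
$settings | ForEach-Object { $byName[$_.Name] = $_ }
if ($byName['fAllowUnsolicited'].Value -eq 1) {
    $helpers = Get-RaHelpers
    if ($helpers.Count -eq 0) {
        Write-Warning 'Offer RA is enabled but the Helpers list is empty; nobody can use it (Domain Admins are not implicit on Vista).'
    } else {
        'Offer RA helpers: ' + ($helpers -join ', ')
    }
}
if ($byName['fAllowToGetHelp'].Value -eq 1 -and $byName['CreateEncryptedOnlyTickets'].Value -ne 1) {
    Write-Warning 'Solicited RA tickets will carry an unencrypted XP node (IP address and port in clear).'
}
```

A Value of $null with Source NotConfigured means the setting falls back to the built-in default described in Table 23-4 (for example the 6-hour ticket lifetime); the second warning is deliberately raised in that case too, because Not Configured still produces tickets with the XP node.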

Additional Registry Settings for Configuring Remote Assistance

Additional behavior for Remote Assistance can be configured by modifying certain registry settings. Specifically, per-user registry settings for Remote Assistance are found under the following key:

HKCU\Software\Microsoft\Remote Assistance

These settings can also be changed from the Settings button in the Remote Assistance window, either while in the Waiting To Connect state or during a connected session.

CAUTION: If Group Policy is used to manage Remote Assistance settings and any configured policy settings overlap these registry settings, the policy settings prevail.

Direct From The Source: Troubleshooting Remote Assistance

by John Thekkethala, Program Manager for Remote Assistance and the Remote Assistance team at Microsoft

The following are some tips for troubleshooting Remote Assistance in Windows Vista:

  1. When I attempt to create an invitation with email or save-to-file, I see a warning message that says that the Windows Firewall is currently blocking Remote Assistance.

    The Remote Assistance Firewall exception will change depending upon your network location (private, public or domain). If you are at home, your network location type should be set to "private" since this enables the Remote Assistance firewall exception automatically. If your network location is set to "public", then the Remote Assistance firewall exception is not enabled automatically for security purposes. It will need to be enabled by an Administrator.

    If you are connected to a managed network (for example, when you are within a corporate domain), the network location is categorized as "domain" and the Remote Assistance exception is not enabled automatically. It is expected to be configured by Group Policy by your System Administrator.
  2. I cannot use RA to connect from my home computer to a work computer.

    RA uses Teredo (IPv6) to traverse NATs. However Teredo cannot be used to traverse a corporate edge firewall. Since you do not have a globally reachable IPv4 address within the corpnet, RA cannot make a connection to you from outside the corpnet.
  3. If I disable the Windows Firewall I cannot make an RA connection in certain cases. This is counter-intuitive since I expect connectivity to be less restrictive with the firewall disabled. 

    In Vista the Windows firewall is IPv6 aware. The RA exception in the Windows Firewall enables Teredo for edge traversal. If the Windows Firewall is disabled, the ability to use Teredo for NAT traversal is also disabled. The Windows Firewall must be running with the RA exception enabled for RA to be able to traverse NATs using Teredo.
  4. I cannot use RA to connect from my work to my home computer.

    Your corporate firewall may be configured to block outbound peer-to-peer connections. In a managed environment (domain-joined computers), which is typically found in a corporate network, the RA exception does not enable Teredo (edge traversal) since corporate firewalls typically block outbound UDP traffic. NAT traversal using Teredo is disabled by default in this scenario. If the person you are trying to help is behind a UPnP NAT or directly connected to the Internet then you should be able to make a connection. Check with your network administrator to see if outbound peer-to-peer connections through the corporate firewall can be enabled.
  5. When I move my laptop (or change my home network location) from a "private" to "public" location I am not able to connect to certain computers.

    If you have a laptop that moves between work and home, the properties of the RA firewall exception in the Windows Firewall will change depending on whether your network location is classified as "private", "public" or "domain". In a private location, the RA exception is enabled by default and if you are using a UPnP NAT the RA exception will allow communications with the UPnP NAT to enable RA connections that make use of UPnP. In a public network the RA exception is not enabled by default and will need to be enabled using Administrator credentials. In addition the default "public" profile does not permit UPnP communication for security purposes, thereby restricting RA connectivity in certain cases.
  6. I am on a low bandwidth connection and the person helping me is experiencing slow screen refreshes.

    Set the Bandwidth usage under Settings to "Low" to reduce the bandwidth used during a Remote Assistance connection. Keep in mind that display quality decreases as bandwidth usage is limited.
  7. Why can't I connect to XP machines that are behind a NAT as easily as I can connect to Vista machines?

    RA in XP does not support Teredo for NAT traversal. Consequently a Vista-to-XP RA connection attempt may fail in cases where both computers are behind non-UPnP NATs.
  8. How does RA make a connection?

    When the RA invitation is created, the User's computer will set itself as a listener on all of its IP addresses (IPv4 and IPv6) including its Teredo address. All these listeners are waiting for a connection from the Helper's computer. The address and port information associated with these different listeners is relayed to the Helper's computer using the RA invitation (which gets transported by Messenger when Messenger is used to launch RA). The Helper's computer then tries to connect concurrently on all the address/port pairs in the invitation. The first successful connection that is made is used for the RA session and the rest of the connection attempts are terminated.
  9. How do I troubleshoot a connection failure between two home-based Vista machines that are behind NATs?

    Refer to the RA Connectivity information in Tables 23-5 and 23-6 to verify that the network configuration you have is supported for RA connectivity. Then do the following:
    • Confirm that the Windows firewall on the computer of the person that is being helped is running and configured for RA.
      • The Windows firewall is IPv6 compatible and must be running to enable NAT traversal using Teredo.
      • The network location of the computer must be set to "private" or "public" since Teredo is not enabled in "domain" or "managed" settings.
      • The Remote Assistance exception in the firewall must be enabled to allow RA connections.
    • Check that there is no edge firewall (e.g. NAT with a firewall that blocks dynamic ports or outbound UDP traffic) between User and Helper since it may block peer-to-peer apps like RA.
    • Confirm that the User and Helper are not behind a symmetric NAT and that Teredo is able to get to the "qualified" state on both machines. To determine this, do the following:

      1. First, initiate Teredo by forcing RA into the "waiting to connect" state. You can do this by typing msra.exe /saveasfile myinvitation mypassword at a command prompt.

      2. Then, check to see if Teredo can be activated on both machines and goes into the "qualified" state. Open an elevated command prompt window and type netsh interface show teredo state at the command prompt. The output should show Teredo in the "qualified" state. If Teredo does not go to the "qualified" state on both machines, then an RA connection may not be possible between these two computers. Teredo will not go into the qualified state if one of these 2 conditions exists:

      • A global Teredo server could not be reached at teredo.ipv6.microsoft.com.
      • The computer is behind a symmetric NAT. To verify this, look at the output of netsh interface show teredo state and check the output on the "NAT :" line which specifies NAT type.

  10. When I am helping someone who is a Standard user, I cannot run a program that needs Administrator privileges even though I have Administrator privileges to the user's computer.

    RA allows a User to share control of their computer with a remote Helper. If the User is a Standard user, the remote Helper is given the same privileges as the Standard user. If the Helper attempts to launch a program that requires Administrator credentials, these credentials must be entered locally (on the Secure Desktop) by the User and cannot be entered remotely by Helper. This is required in order to prevent a security loophole where Admin programs launched by a remote helper could be hijacked by the local User by simply terminating the RA session.
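The script below is an added example, not part of John Thekkethala's sidebar, that automates the checks in item 9 on the computer of the person being helped: firewall service state, the active firewall profile, the inbound Remote Assistance rules, and the Teredo state and NAT type. It parses the English output of netsh advfirewall and of netsh interface teredo show state (the Teredo command in the form used here; localized builds print different labels, so the field names are an assumption to verify on your build). Put RA into the "waiting to connect" state first, as in step 1 of item 9, so that Teredo has been asked to come up.

```powershell
# Added example, not part of the sidebar: automate the item 9 checks on the
# computer being helped, using only netsh commands present on Windows Vista
# and later. Run elevated after "msra.exe /saveasfile ..." has put RA into
# the Waiting To Connect state.

function Get-FirewallServiceStatus {
    # Windows Firewall is the MpsSvc service; Teredo edge traversal needs it.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'Missing' }
    return $svc.Status.ToString()
}

function Get-ActiveFirewallProfiles {
    # "netsh advfirewall show currentprofile" prints one "<Name> Profile
    # Settings:" block per active profile, each with a "State ON|OFF" line.
    $profiles = @()
    $current = $null
    foreach ($line in (netsh advfirewall show currentprofile)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $current = $matches[1]
        } elseif ($current -ne $null -and $line -match '^State\s+(ON|OFF)') {
            $profiles += New-Object PSObject -Property @{ Profile = $current; State = $matches[1] }
            $current = $null
        }
    }
    return $profiles
}

function Get-RemoteAssistanceRules {
    # Walks "netsh advfirewall firewall show rule name=all" and keeps the
    # inbound rules whose name contains "Remote Assistance".
    $rules = @()
    $rule = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.+?)\s*$') {
            $rule = New-Object PSObject -Property @{ Name = $matches[1]; Enabled = $null; Direction = $null; Profiles = $null }
            $rules += $rule
        } elseif ($rule -ne $null -and $line -match '^Enabled:\s*(\S+)')   { $rule.Enabled   = $matches[1] }
          elseif ($rule -ne $null -and $line -match '^Direction:\s*(\S+)') { $rule.Direction = $matches[1] }
          elseif ($rule -ne $null -and $line -match '^Profiles:\s*(.+?)\s*$') { $rule.Profiles = $matches[1] }
    }
    return @($rules | Where-Object { $_.Name -like '*Remote Assistance*' -and $_.Direction -eq 'In' })
}

function Get-TeredoState {
    # Parses "netsh interface teredo show state"; State and NAT are the
    # lines the sidebar tells you to read.
    $info = @{ State = $null; Nat = $null; Server = $null }
    foreach ($line in (netsh interface teredo show state)) {
        if     ($line -match '^\s*State\s*:\s*(.+?)\s*$')       { $info.State  = $matches[1] }
        elseif ($line -match '^\s*NAT\s*:\s*(.+?)\s*$')         { $info.Nat    = $matches[1] }
        elseif ($line -match '^\s*Server Name\s*:\s*(.+?)\s*$') { $info.Server = $matches[1] }
    }
    return $info
}

function Test-RaConnectivity {
    # Returns a list of findings; an empty list means every check passed.
    $findings = @()
    if ((Get-FirewallServiceStatus) -ne 'Running') {
        $findings += 'Windows Firewall (MpsSvc) is not running, so Teredo NAT traversal is unavailable.'
    }
    foreach ($p in Get-ActiveFirewallProfiles) {
        if ($p.State -ne 'ON')       { $findings += "Firewall is OFF in the active $($p.Profile) profile." }
        if ($p.Profile -eq 'Domain') { $findings += 'Active profile is Domain; the RA exception does not enable Teredo on managed networks.' }
    }
    $raRules = @(Get-RemoteAssistanceRules)
    if ($raRules.Count -eq 0) {
        $findings += 'No inbound Remote Assistance firewall rules were found.'
    } elseif (@($raRules | Where-Object { $_.Enabled -eq 'Yes' }).Count -eq 0) {
        $findings += 'The Remote Assistance exception exists but none of its rules is enabled.'
    }
    $t = Get-TeredoState
    if ($t.State -ne 'qualified') { $findings += "Teredo state is '$($t.State)', not 'qualified' (server: $($t.Server))." }
    if ($t.Nat -match 'symmetric')  { $findings += 'This computer is behind a symmetric NAT; Teredo cannot traverse it.' }
    return $findings
}

$result = @(Test-RaConnectivity)
if ($result.Count -eq 0) { 'All RA connectivity checks passed.' } else { $result }
```

Run it on both the User's and the Helper's computer; as item 9 says, Teredo must reach "qualified" on both sides, and a "symmetric" NAT type on either side rules Teredo out regardless of the firewall checks.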

Expert on XP

Novice location                    | Expert Directly Connected | Expert Behind UPnP NAT | Expert Behind non-UPnP NAT | Expert Behind corporate Edge Firewall**
-----------------------------------+---------------------------+------------------------+----------------------------+----------------------------------------
Novice on XP                       |                           |                        |                            |
  Directly Connected               | Yes                       | Yes                    | Yes                        | Yes
  Behind UPnP NAT                  | Yes                       | Yes                    | Yes                        | Yes
  Behind non-UPnP NAT              | Yes, using Msgr only      | Yes, using Msgr only   | No                         | No
  Behind corporate Edge Firewall** | Yes, using Msgr only      | Yes, using Msgr only   | No                         | Yes if both are behind the same firewall; No if behind different firewalls
Novice on Vista                    |                           |                        |                            |
  Directly Connected               | Yes                       | Yes                    | Yes                        | Yes
  Behind UPnP NAT                  | Yes                       | Yes                    | Yes                        | Yes
  Behind non-UPnP NAT              | Yes, using Msgr only      | Yes, using Msgr only   | No                         | No
  Behind corporate Edge Firewall** | Yes, using Msgr only      | Yes, using Msgr only   | No                         | Yes if both are behind the same firewall; No if behind different firewalls

Table 23-5 RA connectivity for Expert on Windows XP

* Teredo connectivity is not available if either computer is behind a "symmetric NAT"

** Edge Firewall must permit outbound connection (e.g. using the Microsoft ISA Firewall Client)

Expert on Vista

Novice location                    | Expert Directly Connected | Expert Behind UPnP NAT | Expert Behind non-UPnP NAT | Expert Behind corporate Edge Firewall**
-----------------------------------+---------------------------+------------------------+----------------------------+----------------------------------------
Novice on XP                       |                           |                        |                            |
  Directly Connected               | Yes                       | Yes                    | Yes                        | Yes
  Behind UPnP NAT                  | Yes                       | Yes                    | Yes                        | Yes
  Behind non-UPnP NAT              | Yes, using Msgr only      | Yes, using Msgr only   | No                         | No
  Behind corporate Edge Firewall** | Yes, using Msgr only      | Yes, using Msgr only   | No                         | Yes if both are behind the same firewall; No if behind different firewalls
Novice on Vista                    |                           |                        |                            |
  Directly Connected               | Yes                       | Yes                    | Yes                        | Yes
  Behind UPnP NAT                  | Yes                       | Yes                    | Yes                        | Yes
  Behind non-UPnP NAT              | Yes, using Teredo*        | Yes, using Teredo*     | Yes, using Teredo*         | No
  Behind corporate Edge Firewall** | No                        | No                     | No                         | Yes if both are behind the same firewall; No if behind different firewalls

Table 23-6: RA connectivity for Expert on Windows Vista

* Teredo connectivity is not available if either computer is behind a "symmetric NAT"

** Edge Firewall must permit outbound connection (e.g. using the Microsoft ISA Firewall Client)

Summary

Remote Assistance has been enhanced in Windows Vista to provide better performance, improved usability, NAT-traversal flexibility, and increased security. Best practices for implementing Remote Assistance in an enterprise environment include:

  • Use Group Policy to enable users of targeted computers in a domain or OU to receive offers of RA from Help Desk personnel.
  • Use Group Policy to enable the RA exception in the Windows Firewall.
  • Use Group Policy to deploy scripts that run the msra.exe executable if you want to customize how users launch RA sessions, for example to upload an invitation to a network share monitored by support personnel.
  • If all of your support computers are running Vista, use Group Policy to encrypt RA tickets to hide sensitive information such as users' IP addresses and computer names.
  • If corporate policy requires RA records for auditing purposes, use Group Policy to enable RA logging on your company's desktop computers and run scripts to periodically move both Helper and User RA logs to a safe storage.
  • To meet corporate privacy and security requirements, use Group Policy to customize the text message that users see before they allow the Helper to view their screens or share control.
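As an added example of the scripted launch workflow recommended above (not code from the Resource Kit), the following script creates a Solicited RA invitation with msra.exe /saveasfile and places it on a help-desk share. The share name \\helpdesk\ratickets$, its intended permissions, and the assumption that msra appends the .msrcincident extension to the name passed to /saveasfile are mine. The password is deliberately kept off the share, so that reading the ticket alone is not enough to connect, and the script warns when the Allow Only Vista Or Later Connections policy is not in force, since the ticket then exposes the user's IP address and port to anyone who can open the file.

```powershell
# Added example, not from the Resource Kit: a launcher for the
# "invitation on a monitored share" workflow. The share should be writable
# by users and readable by help-desk staff only; the password never goes
# to the share and is passed to the help desk out of band (phone or IM).

param(
    [string]$DropShare = '\\helpdesk\ratickets$'   # assumed share name
)

function New-RaPassword {
    # 64-symbol alphabet so that (byte % 64) is unbiased; msra needs >= 6 chars.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $bytes = New-Object byte[] 12
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Test-TicketEncryptionPolicy {
    # True when the Allow Only Vista Or Later Connections policy is enabled
    # (value name CreateEncryptedOnlyTickets is an assumption; confirm it
    # against the Explain tab of the setting).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CreateEncryptedOnlyTickets
    return ($v -eq 1)
}

function New-RaInvitation {
    param([string]$Share, [string]$Password)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    # Name without extension; msra appends .msrcincident (assumption).
    $ticket = Join-Path $Share ('{0}_{1}_{2}' -f $env:COMPUTERNAME, $env:USERNAME, $stamp)
    # /saveasfile writes the ticket and leaves RA in Waiting To Connect.
    # Caveat: while msra.exe runs, the password is visible in its command
    # line to other local users (for example via tasklist or WMI).
    Start-Process -FilePath "$env:SystemRoot\System32\msra.exe" `
                  -ArgumentList @('/saveasfile', "`"$ticket`"", $Password)
    return $ticket
}

if (-not (Test-Path $DropShare)) { throw "Ticket share $DropShare is not reachable." }
if (-not (Test-TicketEncryptionPolicy)) {
    Write-Warning 'Tickets include the unencrypted XP node; your IP address and port are readable by anyone who can open the file.'
}
$password = New-RaPassword
$ticket   = New-RaInvitation -Share $DropShare -Password $password
Write-Host "Invitation saved to $ticket"
Write-Host "Give this password to the help desk by phone or IM (it is not stored on the share): $password"
```

On the Helper side, support staff open the ticket from the share with msra.exe and are prompted for the password; because the ticket lifetime set by the Solicited Remote Assistance policy still applies, stale files on the share stop working on their own, but a cleanup job that deletes tickets older than that lifetime keeps the IP and port information from lingering.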

Additional Resources

The following resources contain additional information and tools related to this chapter.

Related Information

If you would like to read the first two parts in this article series please go to:

Windows Vista Resource Kit Chapter 23: Supporting Users Using Remote Assistance (Part 1)
Windows Vista Resource Kit Chapter 23: Supporting Users Using Remote Assistance (Part 2)

The Author — Mitch Tulloch


Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions.
