LinuxPlanet
Using VNC Tunneling over SSH
Temporary Access

Rob Reilly
Monday, January 30, 2006 11:42:24 AM

While working on a project to create tutorials, I needed a way to watch how a user stepped through the process of using an application without being on-site.

VNC turned out to be a viable solution. I could remotely connect and view all the steps, while conversing about the process over the phone.

The trouble was that there were firewalls at both ends. It would have been easy to just open the port normally used for VNC connectivity (5900) in the firewall, but doing so is definitely not secure.

Using VNC while tunneling over SSH was a quick and more secure way to accomplish the process/application watching goal.

Several steps are required to make it work.

Ideally, all inbound ports are closed on an Internet-facing firewall. That will go a long way toward keeping out the bad guys. Of course, any other remote access is then limited as well.

Opening up port 22 on the distant IPCop firewall works well for the purpose of tutorial generation and is easily accomplished using the IPCop Web-based GUI. A similar process is used if the user machine is behind a dedicated firewall appliance. The idea is to port forward the SSH traffic from the Internet to the VNC-equipped user desktop machine.

Port 22 on the user's Linux desktop also needs to be available for logging in via SSH. When the session is finished, the firewall's SSH port can then again be closed to inbound traffic.

When a more permanent or bulletproof connection is needed, specialized remote access techniques, such as port knocking or hardened firewall devices, should be considered.
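
The temporary access described above, sketched as an added example (not code from the original article): a small script that carries VNC port 5900 over the SSH port forwarded by the firewall, and tears the tunnel down when the session ends. The host name, user name and control-socket path are placeholder assumptions.

```shell
#!/bin/sh
# Added example: temporary VNC-over-SSH tunnel with explicit teardown.
# FIREWALL_HOST, REMOTE_USER and CTL_SOCK are assumed placeholders.
FIREWALL_HOST="${FIREWALL_HOST:-firewall.example.org}"  # public address of the distant firewall
REMOTE_USER="${REMOTE_USER:-tutor}"                     # account on the user's desktop
VNC_PORT=5900                                           # VNC port named in the article
CTL_SOCK="${CTL_SOCK:-${HOME:-.}/.ssh/vnc-tunnel.sock}" # control socket used to stop the tunnel

# -L spec: bind the local end to loopback only, so the forwarded VNC port
# is not re-exposed to other machines on the viewer's own network.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s' "$VNC_PORT" "$VNC_PORT"
}

# Run a command, or only print it when DRY_RUN=1 (for review before use).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Open the tunnel in the background. Port 22 on the firewall is forwarded
# to the desktop, so 127.0.0.1:5900 is resolved on the desktop itself.
# ExitOnForwardFailure makes ssh fail instead of staying up without the forward.
open_tunnel() {
    run ssh -f -N -M -S "$CTL_SOCK" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec)" -p 22 "${REMOTE_USER}@${FIREWALL_HOST}"
}

# Ask the background ssh (via its control socket) whether it is still alive.
tunnel_status() {
    run ssh -S "$CTL_SOCK" -O check "${REMOTE_USER}@${FIREWALL_HOST}"
}

# Stop the tunnel; after this the firewall's SSH port can be closed again.
close_tunnel() {
    run ssh -S "$CTL_SOCK" -O exit "${REMOTE_USER}@${FIREWALL_HOST}"
}

case "${1:-}" in
    open)   open_tunnel ;;
    status) tunnel_status ;;
    close)  close_tunnel ;;
esac
```

With the tunnel open, the VNC viewer connects to 127.0.0.1 on port 5900 rather than to the remote address, and port 5900 stays closed on both firewalls.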
