Proxies allow one to reach servers that are otherwise unreachable. In SSVNC, the proxy acts as a relay of the encrypted VNC packets.
SSVNC supports Web proxies, SOCKS proxies, and the UltraVNC repeater proxy. In SSH mode, a similar thing can be achieved by going through a Gateway machine.
SSVNC can chain together up to 3 Proxies to reach VNC servers that would otherwise be very hard to get to. A typical example with 2 Proxies is to use a company's Web proxy to get out of the company's firewall, and then use the UltraVNC repeater or an Apache SSL portal to get inside another firewall (another company's, or your home) to reach VNC server(s) running on machines there. In SSVNC one specifies chained proxies by separating them with commas:
Proxy/Gateway: http://webproxy.west:8080,repeater://23.45.67.89+ID:1234
Here is the text about Proxies from the SSVNC Help panel:
Proxies/Gateways:
If an intermediate proxy is needed to make the SSL connection
(e.g. web gateway out of a firewall) enter it in the "Proxy/Gateway"
entry box:
VNC Host-Display: host:number
Proxy/Gateway: proxy-host:port
e.g.:
VNC Host-Display: far-away.east:0
Proxy/Gateway: myproxy.west:8080
If the "double proxy" case is required (e.g. coming out of a web
proxied firewall environment and then INTO a 2nd proxy to ultimately
reach the VNC server), separate them via a comma, e.g.:
VNC Host-Display: far-away:0
Proxy/Gateway: myproxy.west:8080,myhome.net:443
So it goes: viewer -> myproxy.west -> myhome.net -> far-away (VNC)
The proxies are assumed to be Web proxies. To use SOCKS proxies:
VNC Host-Display: far-away.east:0
Proxy/Gateway: socks://mysocks.west:1080
Use socks5:// to force the SOCKS5 proxy protocol (e.g. for ssh -D).
You can prefix web proxies with http:// but it doesn't matter since
that is the default.
Note that Web proxies are often configured to ONLY allow outgoing
connections to ports 443 (HTTPS) and 563 (SNEWS), so you might
have to run the VNC server (or router port redirector) on those ports.
SOCKS proxies usually have no restrictions on port number.
You can chain up to 3 proxies (any combination of http:// and
socks://) by separating them with commas (i.e. first,second,third).
See the ss_vncviewer description and x11vnc FAQ for info on proxies:
http://www.karlrunge.com/x11vnc/#ss_vncviewer
http://www.karlrunge.com/x11vnc/#faq-ssl-java-viewer-proxy
SSH Proxies/Gateways:
Proxy/Gateway also applies to SSH mode, where it is usually a gateway SSH
machine to log into via ssh that is not the workstation running the
VNC server. However, Web and SOCKS proxies can also be used (see below).
For example if a company had a central login server: "ssh.company.com"
(accessible from the internet) and the internal workstation name was
"joes-pc", one could put in for the
VNC Host:Display: joes-pc:0
Proxy/Gateway: ssh.company.com
It is OK if the hostname "joes-pc" only resolves inside the firewall.
The 2nd leg, from ssh.company.com -> joes-pc, is done by an ssh -L
redirection and is not encrypted (but viewer -> ssh.company.com is encrypted).
To SSH encrypt BOTH legs, try the "double SSH gateway" method using
the "comma" notation:
VNC Host:Display: localhost:0
Proxy/Gateway: ssh.company.com,joes-pc
this requires an SSH server running on joes-pc. So an initial SSH
login is done to ssh.company.com, then a 2nd SSH is performed (through
a port redirection of the first) to login straight to joes-pc where
the VNC server is running.
Use username@host (e.g. joe@joes-pc jsmith@ssh.company.com) if the
user names differ between the various machines. On Windows you MUST
supply the usernames.
To use a non-standard ssh port (i.e. a port other than 22) you need to
use the Proxy/Gateway entry as well. E.g. something like this for port 2222:
VNC Host:Display: localhost:0
Proxy/Gateway: joe@far-away.east:2222
The username@ is not needed if it is the same as on the client. This
will also work going to a different internal machine, e.g. "joes-pc:0"
instead of "localhost:0", as in the first example.
A Web or SOCKS proxy can also be used with SSH. Use this if you are
inside a firewall that prohibits direct connections to remote SSH servers.
VNC Host:Display: joe@far-away.east:0
Proxy/Gateway: http://myproxy.west:8080
or for SOCKS:
VNC Host:Display: joe@far-away.east:0
Proxy/Gateway: socks://mysocks.west:1080
use socks5://... to force the SOCKS5 version.
You can chain up to 3 proxies (any combination of http:// and
socks://) by separating them with commas (i.e. first,second,third).
For a non-standard SSH port and a Web or SOCKS proxy try:
VNC Host:Display: localhost:0
Proxy/Gateway: http://myproxy.west:8080,joe@far-away.east:2222
Even the "double SSH gateway" method (2 SSH encrypted legs) described
above works with an initial Web or SOCKS proxy, e.g.:
VNC Host:Display: localhost:0
Proxy/Gateway: socks://mysocks.west:1080,ssh.company.com,joes-pc
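The single-gateway and "double SSH gateway" forms above differ in what is encrypted on the second leg. As an added example (not SSVNC's own code), the following maps both notations onto the ssh(1) port-forward commands that produce the same tunnels, so the two cases can be compared leg by leg. The local listening ports 5900 and 5910, the -N/ExitOnForwardFailure flags and the HostKeyAlias handling are choices made here, not SSVNC behaviour.

```python
"""OpenSSH command lines for SSVNC's SSH "Proxy/Gateway" notation.

Added example, not SSVNC code.  Hostnames and usernames in the tests
are taken from the help text (ssh.company.com, joes-pc, joe, jsmith).
"""
from __future__ import annotations

# Forward only (no remote shell) and abort if the -L port cannot be bound.
BASE = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]


def parse_ssh_hop(spec: str, default_port: int = 22) -> tuple[str | None, str, int]:
    """'[user@]host[:port]' -> (user or None, host, port)."""
    user, _, hostport = spec.rpartition("@")
    host, _, port = hostport.partition(":")
    return (user or None), host, (int(port) if port else default_port)


def dest(user: str | None, host: str) -> str:
    return f"{user}@{host}" if user else host


def single_gateway(gateway: str, vnc_host: str, display: int,
                   local_port: int = 5900) -> list[str]:
    """viewer -> gateway is SSH-encrypted; the gateway then opens a plain
    TCP connection to vnc_host:5900+display, so that 2nd leg is NOT
    encrypted.  Point the viewer at localhost:(local_port-5900)."""
    user, host, port = parse_ssh_hop(gateway)
    return BASE + ["-p", str(port),
                   "-L", f"{local_port}:{vnc_host}:{5900 + display}",
                   dest(user, host)]


def double_gateway(chain: str, display: int, local_port: int = 5900,
                   hop_port: int = 5910) -> tuple[list[str], list[str]]:
    """Two SSH-encrypted legs for 'gateway,final-host'.  Leg 1 forwards a
    local port (hop_port, chosen here) to the SSH port of the final host;
    leg 2 is a full SSH login through that forward, with the VNC server
    being 'localhost' from the final host's point of view."""
    parts = [s.strip() for s in chain.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly two hops: gateway,final-host")
    u1, h1, p1 = parse_ssh_hop(parts[0])
    u2, h2, p2 = parse_ssh_hop(parts[1])
    leg1 = BASE + ["-p", str(p1), "-L", f"{hop_port}:{h2}:{p2}", dest(u1, h1)]
    # Leg 2 dials localhost:hop_port.  Without HostKeyAlias, ssh would file
    # the final host's key under "localhost" and later conflate it with any
    # other machine reached through the same local port (known_hosts mix-up
    # and a missed host-key change warning).  Pin it under the real name.
    leg2 = BASE + ["-p", str(hop_port), "-o", f"HostKeyAlias={h2}",
                   "-L", f"{local_port}:localhost:{5900 + display}",
                   dest(u2, "localhost")]
    return leg1, leg2


if __name__ == "__main__":
    import shlex
    print(shlex.join(single_gateway("ssh.company.com", "joes-pc", 0)))
    for leg in double_gateway("jsmith@ssh.company.com,joe@joes-pc", 0):
        print(shlex.join(leg))
```

Run leg 1, then leg 2 in a second terminal, then connect the viewer to localhost:0; both legs stay up only as forwards because of -N.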
UltraVNC Proxies/Gateways:
UltraVNC has a "repeater" tool (http://www.uvnc.com/addons/repeater.html
and http://koti.mbnet.fi/jtko/) that acts as a VNC proxy. SSVNC can
work with both mode I and mode II schemes of this repeater.
Note: only SSL (or unencrypted) SSVNC connections make sense with
the UltraVNC repeater. SSH connections (previous section) do not
seem to work with it (let us know if you find a way to use it).
For mode I repeater the viewer initiates the connection and passes
a string that is the internal VNC server's IP address (or hostname)
and port or display:
VNC Host:Display: :0
Proxy/Gateway: repeater://myproxy.west:5900+joes-pc:1
Note here that the VNC Host:Display can be anything; we use :0.
The Proxy/Gateway format is repeater://proxy:port+vncserver:display.
The string after the "+" sign is passed to the repeater server for
it to interpret. For this example, instead of joes-pc:1 it could
be joes-pc:5901 or 192.168.1.4:1, 192.168.1.4:5901, etc.
If you do not supply a proxy port, then the default 5900 is assumed,
e.g. repeater://myproxy.west+joes-pc:1
For mode II repeater both the VNC viewer and VNC server initiate
connections to the repeater proxy. In this case they pass a string
that identifies their mutual connection via "ID:NNNN":
VNC Host:Display: :0
Proxy/Gateway: repeater://myproxy.west:5900+ID:1234
again, the default proxy port is 5900 if not supplied.
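The Web/SOCKS chaining rules earlier in this help text and the repeater://proxy:port+string notation just described share one mechanism: each hop is handed the address of the next hop, and the last hop is handed the VNC server. As an added example (not SSVNC's code), the following parses a Proxy/Gateway string and produces the bytes the viewer must send to each hop: an HTTP CONNECT request, the two SOCKS5 messages, or the repeater's fixed 250-byte NUL-padded buffer. Treating socks:// as SOCKS5, the 100 threshold separating display numbers from port numbers, and requiring an explicit port for Web/SOCKS hops are assumptions made here.

```python
"""Per-hop handshakes implied by an SSVNC-style "Proxy/Gateway" chain.

Added example, not SSVNC code.  Hosts and IDs in the tests are the ones
used in the help text (webproxy.west, myhome.net, mysocks.west, ID:1234).
"""
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass
class Hop:
    scheme: str        # "http", "socks5" or "repeater"
    host: str
    port: int
    payload: str = ""  # repeater only: the text after "+", passed on verbatim


def vnc_endpoint(spec: str) -> tuple[str, int]:
    """'host:N' -> (host, tcp_port).  N below 100 is a display (5900+N),
    anything larger is a port, so joes-pc:1 == joes-pc:5901.  The 100
    threshold is an assumption borrowed from common vncviewer behaviour."""
    host, _, num = spec.rpartition(":")
    n = int(num)
    return host, (5900 + n if n < 100 else n)


def parse_chain(chain: str) -> list[Hop]:
    hops: list[Hop] = []
    for item in chain.split(","):
        scheme, _, rest = item.partition("://")
        if not rest:                       # no scheme: a web proxy (the default)
            scheme, rest = "http", item
        if scheme == "socks":              # assumption: treat socks:// as SOCKS5
            scheme = "socks5"
        payload = ""
        if scheme == "repeater":
            rest, _, payload = rest.partition("+")
        host, _, port = rest.partition(":")
        if not port:
            if scheme != "repeater":
                raise ValueError(f"{item}: web/SOCKS proxies need an explicit port")
            port = "5900"                  # repeater default, as in the help text
        hops.append(Hop(scheme, host, int(port), payload))
    if len(hops) > 3:
        raise ValueError("SSVNC chains at most 3 proxies")
    return hops


def http_connect(host: str, port: int) -> list[bytes]:
    """One CONNECT request; the proxy must answer 2xx before SSL bytes flow.
    Web proxies often permit only 443/563 here (see the note above)."""
    req = f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n"
    return [req.encode()]


def socks5_connect(host: str, port: int) -> list[bytes]:
    """SOCKS5 (RFC 1928): greeting offering 'no authentication', then a
    CONNECT using DOMAINNAME addressing so the proxy resolves the next hop
    (it may be a name that only resolves inside the firewall).  A reply
    is read after each message."""
    name = host.encode()
    if len(name) > 255:
        raise ValueError("SOCKS5 domain name too long")
    greeting = b"\x05\x01\x00"
    request = b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)
    return [greeting, request]


def repeater_string(payload: str) -> list[bytes]:
    """UltraVNC repeater: one fixed 250-byte, NUL-padded buffer holding
    'host:display' (mode I) or 'ID:NNNN' (mode II)."""
    data = payload.encode()
    if len(data) >= 250:
        raise ValueError("repeater string too long")
    return [data.ljust(250, b"\x00")]


def chain_handshakes(chain: str, target: str) -> list[tuple[str, list[bytes]]]:
    """[(hop addressed, messages sent to it)].  Hop i is asked to connect to
    hop i+1; the last hop is asked for the VNC server (a repeater gets its
    own '+' string instead and must therefore be last)."""
    hops = parse_chain(chain)
    vhost, vport = vnc_endpoint(target)
    out = []
    for i, hop in enumerate(hops):
        if hop.scheme == "repeater":
            if i != len(hops) - 1:
                raise ValueError("the repeater must be the last hop")
            msgs = repeater_string(hop.payload)
        else:
            nxt = hops[i + 1] if i + 1 < len(hops) else None
            nh, np_ = (nxt.host, nxt.port) if nxt else (vhost, vport)
            msgs = http_connect(nh, np_) if hop.scheme == "http" else socks5_connect(nh, np_)
        out.append((f"{hop.host}:{hop.port}", msgs))
    return out


def http_connect_ok(reply: bytes) -> bool:
    """Accept only a 2xx status line.  407 (auth needed) or 403 (port
    blocked) means there is no tunnel, so the SSL handshake must not start."""
    status = reply.split(b"\r\n", 1)[0].split()
    return len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1].startswith(b"2")
```

The check in http_connect_ok matters because a proxy that refuses the CONNECT still returns an HTTP body on the same socket; feeding that to the SSL layer produces a confusing handshake failure rather than a clear "proxy refused port 5900" message.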
In this case, mode II, you MUST set Options -> Reverse VNC Connection.
That is to say a "Listening Connection". The reason for this is that
the VNC server acts as a SSL *client* and so requires the Viewer end
to have an SSL cert, etc.
Set REPEATER_FORCE=1 in the Host:Display (hit Enter, and then clear
it) to force SSVNC to try a forward connection in this situation.
We have also found that usually the Listening viewer must be started
BEFORE the VNC Server connects to the proxy. This is likely a bug
in the repeater tool.
For mode II, you probably should also disable "Verify All Certs"
unless you have taken the steps beforehand to save the VNC server's
certificate, or have previously accepted it using another method.
Also, after the connection you MUST terminate the listening VNC Viewer
(Ctrl-C) and connect again (the proxy only runs once.) In Windows,
go to the System Tray and terminate the Listening VNC Viewer.
BTW, the x11vnc VNC server command for the mode II case would be
something like:
x11vnc -ssl SAVE -connect repeater=ID:1234+myproxy.west:5500 ...
It also supports -connect repeater://myproxy.west:5500+ID:1234
notation.
For mode I operation x11vnc simply runs as a normal SSL/VNC server
x11vnc -ssl SAVE