UltraVNC MultiViewer settings not working, Admin Properties

[jtech]

Hello!

I've been fighting with Ultravnc a bit to get it to honor the MultiViewer settings but can't seem to figure it out. I have a Windows 7 pro in place where more than one person can RDP into the Terminal Services and afterwards they can use VNC to localhost/127.0.0.1 to initiate a connection to the graphics "console" of the PC so they can open software that otherwise won't run over RDP/terminal-services. The problem is that I have tried to set UltraVNC MUltiViewer properties to either refuse new connections or even to disconnect existing connections in Admin properties but it doesn't seem to want to work, it always just lets a new connection happen and so if one user connects and another connects after they will both share the session. I do not want users to be able to spy on another user so I would like for either the current connected VNC user to be disconnected or to disallow new connection.

Actually there is an additional feature which would be nice and I will post it in Feature Request forum, and that is when using a "Super/Admin" password to be able to connect and share/view/control current sessions even if Admin properties denies that right to the other regular users/regular-password. That way only I as Admin can connect to existing VNC connections.

But getting back to current problem, actually making MultiView settings to take effect, perhaps the problem is that UltraVNC only identifies new connection based on IP address of connecting client? And in this case since connections all originate from the same server they all have the same IP address? Could that be the reason the settings aren't working for me? If so is there any way to fix it so it works for connections all coming from the same IP address/client? thanks!

[Rudi De Vos]

There are 2 viewer modes ( shared/non shared), you set the mode on the viewer site. ( viewer option)

If you start the viewer is shared mode, you allow multiple connection.
overwritten by server option (*) Refuse all(no sahred/shared) new connection

If you start the viewer in non shared mode, you only want to have one viewer connected.
The multiviewer server option tell how "non shared" viewers need to be handled when another viewer connect.

[jtech]

Hi,
Thanks it seems that the setting on uvnc server MultiViewer settings in admin properties of "Refuse all new connection" does work as you say. Previously I had used the setting right above that called "Refuse the new connection" which didn't seem to prevent connection sharing. (Although first time I tried it had some glitch whereby after I disconnected I couldn't connect anymore (kept saying connection rejected) even though I wasn't connected anywhere anymore, strangely during this it did let me connect again from a different machine/IP on internal network. Second time testing seemed to work as expected even from same machine via different MS-RDP sessions, new connection possible after 1st connection disconnects.)
But now I have the problem that even I can not shadow a regular user and I wanted the "other" users not to be able to do this but I myself would like a way to override that "Refuse all new connection" setting so I can shadow/share an existing user's connection even when the others can't. Is this possible somehow?

[Rudi De Vos]

There is not some superuser or ip in vnc, settings are for all.
Not possbile to exclude someone.

Perhaps....
There is an option the request access to the user when vnc connect.
-this option can be disabled when no user is logged on
-this option is ip based
If you set, ask access when someone is logged ( logged == logged on via windows) and exclude your own ip...
-then new connections need to be accepted by the current user
-and you can excluse your own ip, so you never need to be accepted

Only problem seems to be
-pc1 connect with vnc, but doesn't do anything
-pc2 connect, because no user is logged, he get access
If someone connect, but doesn't logon, he is not protected.

I was thinking on following options

AuthHosts=
+ =allow
- = deny
? = query
syntax:
-:+10.0.60.141:?10.0.31.169:-10.0.20.240:
instead of 10.0.60.141 you can use 10.0.60, then it is valid for the full range of ip addresses.

QuerySetting=2
Define on how to react on the (-,?,+) from the Authhosts.
0="+:Accept, ?:Accept, -:Query"
1="+:Accept, ?:Accept, -:Reject"
2="+:Accept, ?:Query, -:Reject [Default]"
3="+:Query, ?:Query, -:Reject"
4="+:Query, ?:Reject, -:Reject"
It is used to specify a set of IP address templates which incoming connections must match in order to be accepted. By default, the template is empty and connections from all AuthHosts_Tip5="hosts are accepted. The template is of the form:
+[ip-address-template]
?[ip-address-template]
-[ip-address-template]
In the above, [ip-address-template] represents the leftmost bytes of the desired stringified IP-address.
For example, +158.97 would match both 158.97.12.10 and 158.97.14.2. Multiple match terms may be specified, delimited by the ":" character. Terms appearing later in the template take precedence over earlier ones. e.g. -:+158.97: would filter out all incoming connections except those beginning with 158.97. Terms beginning with the "?" character are treated by default as indicating hosts from whom connections must be accepted at the server side via a dialog box. The QuerySetting option determines the precise behaviour of the three AuthHosts options.

QueryTimeout=10
QueryTimeout is the time the messagebox is shown.

QueryAccept=0 ( 0=refuse 1=accept 2=refuse)
This popup a timed messagebox to allow the user (server site) to allow/reject an incoming connect.

QueryIfNoLogon=0
Disable/enable query settings when no user is logged.

If the user is logged on, but has his screensaver on you normal can't get access as "QueryIfNoLogon" find a logged user.
to overwrite this set QueryAccept=2 and QueryIfNoLogon=0 -> no messagebox when screen is locked.

[jtech]

Thanks for all the details, its very late now and I'm a bit brain-dead so I'll have to reread later, I thought might be a problem If its IP based since all the users/VNC clients will be from same IP due to going from an RDP session, but I think basically I can maybe connect from a different IP on the local network of the vnc server and whitelist that one. I'll have to test and try out. (What file do I need to edit, some Authhosts? where is it etc...)

Also your recommendation makes me think of a way to do this from RDP side, ie taskmanager in windows, user tab and right click on logged in user and select "remote control".

As a sidenote, I hear all this buzz about splashtop that its the greatest thing ever or something, anyone here tried it?
I myself am using TurboVNC client usually with UltraVNC server due to the UltraVNC server performance optimizations that TurboVNC can tap into etc. My next step was to try it using VirtualGL. Also Xen HDX seems interesting and cheaper than PCOIP etc.