How do I... Provide remote assistance on computers behind a NAT device?

Learn to use port forwarding to get around a NAT firewall when using Microsoft Windows XP's remote assistance feature.

This article is also available as a TechRepublic download. This article was originally published on May 13, 2004.

Several years ago I gave up computer support because once I touched someone’s PC for the first time, I usually got blamed for anything else that goes wrong after that, even if it isn’t related to what I did. Even so, I have always been one to help out a friend in need. Several months ago, a friend called me because his son had crashed his computer. A closer examination revealed that the machine was infested with viruses and Trojans. The damage was so extensive that I had no choice but to reformat the machine and load Windows XP and all of his applications from scratch.

To make a long story short, in the months since this repair, my friend has called me over a dozen times to fix all sorts of minor problems. Although I really don’t mind helping friends, this particular person lives over an hour away from me so it’s kind of a pain to have to make that long drive every time that my friend needs help. To save myself some time and wear and tear on my car, I introduced my friend to Windows XP’s remote assistance feature.

Remote assistance and NAT

Remote assistance is a handy feature, and I have used it on more than one occasion to help out other friends. However, this particular friend was using a Network Address Translation (NAT) firewall. Since your typical ISP only assigns you a single IP address, if you have more than one computer, then you will need multiple IP addresses. NAT allows you to create an entire network of bogus IP addresses. When someone needs to access the Internet, the request is sent to the NAT firewall, and it makes the request to the Web site on behalf of the user. In doing so, the request appears to have come from the network’s one legitimate IP address. When the Web site replies to the request, the reply is sent to the NAT firewall. The NAT firewall receives the request and then forwards it to the appropriate bogus IP address on the private network.

So why is using NAT such a big problem for someone who is trying to provide or receive remote assistance? Well, there are a couple of reasons. First, think about the name NAT Firewall. While a NAT Firewall box does provide NAT services, it is first and foremost a firewall. Firewalls are designed to block any unauthorized types of packets. This includes packets used for remote assistance.

Secondly, even if the person’s NAT firewall were configured to allow remote assistance related traffic, the entire concept of NAT causes some problems. For instance, let’s say that the computer that a home-based user needs help with has an IP address of If the user were to send you a remote assistance invitation, it would attempt to connect your computer to Unfortunately, this is a bogus IP address that exists only on the user’s private network. The address is not accessible from the Internet, which means that you can’t attach to the machine through a remote assistance session.

Tweaking NAT

Although Windows doesn’t natively support NAT traversal for remote assistance sessions, there is a way that you can provide remote assistance to someone who is behind a NAT firewall. However, doing so requires a little bit of tweaking by your user. If the user isn’t very knowledgeable about computers, the necessary tweaking might be over their heads and you might find yourself having to provide remote assistance in person after all.

The process begins in the usual way. The user who needs remote assistance would click the Start button, select the Help and Support Option, and would then click the Invite A Friend To Connect To Your Computer With Remote Assistance. The user who needs help would then follow the prompts and send you a request for remote assistance, either through e-mail or through an instant message.

Although the invitation usually arrives in the form of an e-Mail or instant message, the invitation itself consists of an XML file. Figure A shows what the file looks like. If you look closely at Figure A, you’ll notice that there is an IP address embedded in the XML file. In this particular case, the IP address is This is a bogus address that exists only on my private network. If this invitation had been sent to me by a friend, the invitation would not work because it addresses a machine that is behind a NAT firewall.

Figure A
You must change the IP address found in the invitation.

If I want to help the user who sent the invitation, the first thing that I would have to do is to modify the invitation. I would need to change the bogus IP address to the user’s one legitimate IP address. If the user doesn’t know what his legitimate IP address is, he should be able to get it by looking at the configuration section of the NAT firewall. Unfortunately, I can’t give you exact instructions because every firewall’s user interface is a little bit different.

Adjust port forwarding

Changing the address found in the remote assistance invitation is only half of the tweak. Remember that using this address will only get you as far as the NAT box, as it won’t forward remote assistance traffic on to the user's computer. Furthermore, the NAT box is still set to block remote assistance traffic.

These problems can be addressed through port forwarding. If you look at Figure A, you will notice that the highlighted IP address is immediately followed by a colon and by the number 3389. This number is the port that remote assistance traffic is set to use. Therefore, to get remote assistance traffic to the PC that users need help with, they must enable port forwarding on the NAT firewall and must forward any traffic destined for port number 3389 to the bogus address on their private network.

Again, the configuration procedure will be a little bit different depending on what brand of NAT firewall is being used. However, you can see an example of remote assistance port forwarding in Figure B. The settings shown in Figure B tell the NAT firewall that if any traffic comes in on the legitimate IP address through port 3389, the traffic should be redirected to on the private network.

Figure B
Use port forwarding to send remote assistance traffic to the appropriate PC.

One PC limit

The only problem with this configuration is that it only allows one PC on the entire private network to receive remote assistance. If another user were to require remote assistance with a different PC, the NAT firewall’s port forwarding option would need to be reconfigured. Nonetheless, you still won't have to drive to the user's location to help troubleshoot a PC when using port forwarding.


Editor's Picks