Virtual Network Computing (VNC) relies on a specific set of network ports to establish remote graphical sessions between machines. Understanding which ports are in use, and how they interact with firewalls and network address translation, is essential for reliable deployment. This guide details the standard port allocation for VNC server implementations and explores the nuances of real-world configurations.
Default VNC Port Range
The foundational rule for VNC server ports is based on the display number. The default port is calculated by adding 5900 to the display number, resulting in a common range of 5900 to 5906. A display number of :1, for instance, listens on port 5901. This convention ensures that multiple sessions can coexist on a single server without port conflicts.
Port 5900 and Display Numbers
Port 5900 specifically corresponds to display number 0. While technically valid, display 0 is rarely used for standard remote desktop sessions, as it typically represents the physical console. Most administrators begin their configurations at display 1, translating to port 5901, to avoid interfering with direct local access. The linear relationship between display numbers and ports makes it easy to predict where a new session will listen.
The Role of the VNC HTTP Port
Modern VNC server ports configuration usually includes an HTTP port alongside the primary RFb protocol port. This auxiliary port, calculated by adding 6000 to the display number, serves a specific purpose in the connection process. For display :1, this results in port 6001, which primarily handles the initial HTML5 browser connection or provides the Java Web Start file for legacy client access.
Connecting Through Firewalls and NAT
Network Address Translation and enterprise firewalls often block the high-numbered ports used by VNC server ports, requiring careful planning. IT departments frequently allow outbound connections to common web ports but restrict direct access to the 5900 series. Consequently, tunneling VNC traffic through standard HTTPS port 443 is a frequent strategy to bypass restrictive network policies without creating complex firewall exceptions.
Security Considerations and Non-Standard Setups
Relying on the default VNC server ports exposes the service to automated scanning and brute-force attacks. Security best practices dictate changing the listening port to a non-standard number to reduce noise. However, this adjustment requires updating the client connection string to specify the new port number, ensuring the client attempts to reach the service on the correct interface.
Tunneling and SSH Integration
An effective way to secure VNC traffic without altering default application settings is to use SSH tunneling. This method encrypts the connection between the client and the server, effectively creating a secure tunnel through which the VNC protocol travels. Even if the traffic is intercepted on the network, the encryption prevents sensitive screen data and credentials from being exposed.
