Shadowing End-User Devices using NoTouch

NoTouch has multiple options for HelpDesk administrators to shadow endpoint devices.

Shadowing in our terminology means that you see the screen of one machine on another machine. Other terms for this are screen sharing, mirroring, and remote assistance. Two people at two different workplaces see the same contents (although a second person does not need to be present) and can both work with keyboard and mouse. Check out the Stratodesk HTML5 Shadowing video!

The shadowing method described herein works via HTML5 and the free VNC software; it works seamlessly with clients behind firewalls and on private IP addresses.


Shadowing via NoTouch Center

To start a shadowing session, simply

  1. Select a client, and
  2. Click the Shadowing icon in the toolbar to the right

A new browser window will open - most likely it will wait until somebody on the endpoint accepts the incoming shadowing request! After that has been done, you will be able to see and control the endpoint.

This uses the VNC protocol, with the noVNC HTML-5 module - both are open source, free software and work really well!


  • When you shadow a device through NoTouch Center you will always get a certificate warning. Even if there is a valid SSL certificate on the device you will still get a warning because the connection is being tunneled through NoTouch Center.
  • A client that was just booted up may not yet be connected to the WebSocket - allow at least 60-90 seconds after boot-up for this to happen.
  • If an empty browser window appears, most likely the WebSocket is not up (yet) and NTC falls back to the old behavior of starting a Java applet.

How to find the client to shadow

Most likely the Identify feature will help you in a shadowing situation, especially when a user is asking for help.

Requirements / Required TCP ports

These things are required:

  • Either use Stratodesk Virtual Appliance of the newest 18.04-based generation or NoTouch Cloud. Older 14.04-based appliances are not supported.
  • Clients must be able to use the WebSocket communication mechanism with NoTouch Center. It defaults to on, but please double-check that you didn't turn it off at some point.
  • The Front-End service parameter should be on "NoTouch Center" in the VA Configuration section of the VA Console of Stratodesk Virtual Appliance
  • The NoTouch OS endpoints must be able to open an SSH (Secure Shell/TCP port 22) tunnel to NoTouch Center
    • SSH is widely regarded as very secure and unbroken and the system is using strong public/private key authentication (no guessable passwords)
  • Administrators must be able to open connections to random TCP ports in the range 49152 - 65535 to NoTouch Center
    • These ports are IANA-assigned for private use. No well-known services use these ports, so you are not risking opening access to some service that might be running. The range is used strictly for on-demand shadowing, and ports are assigned randomly. If you are thinking about making that range smaller, think twice: that actually makes it less secure!
    • Stratodesk Virtual Appliance uses a host Firewall - it will add access entry rules dynamically. Just make sure your own external firewall doesn't block access.
  • If using the Stratodesk Cloud Xtension then port 6667 also needs to be open, as this is the incoming SSH tunnel for client devices.
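
The check below is an added example, not Stratodesk code: it tests a list of external-firewall allow rules against the flows listed above and reports any port ranges that are still blocked, including a narrowed administrator range. The addresses, the rule format, default-deny behaviour and the Cloud Xtension destination are assumptions made for the example.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
NTC_IP = "10.0.0.10"
NETS = {"endpoints": "10.20.0.0/16", "admins": "10.30.5.0/24"}

# Required inbound flows to NoTouch Center, taken from the requirements list.
REQUIRED = [
    ("endpoint SSH tunnel", "endpoints", 22, 22),
    ("admin shadowing ports", "admins", 49152, 65535),
]
# Destination assumed to be the same address for this example.
CLOUD_XTENSION = ("Cloud Xtension SSH tunnel", "endpoints", 6667, 6667)


def uncovered_ports(rules, src_net, dst_ip, lo, hi):
    """Return the sub-ranges of [lo, hi] not allowed from src_net to dst_ip."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_address(dst_ip)
    # Keep rules that cover the whole source network and the destination,
    # clipped to the port range of interest.
    spans = sorted(
        (max(a, lo), min(b, hi))
        for r in rules for a, b in [r["ports"]]
        if src.subnet_of(ipaddress.ip_network(r["src"]))
        and dst in ipaddress.ip_network(r["dst"]) and a <= hi and b >= lo
    )
    gaps, cursor = [], lo
    for a, b in spans:
        if a > cursor:
            gaps.append((cursor, a - 1))
        cursor = max(cursor, b + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def check_policy(rules, cloud_xtension=False):
    """Map each required flow that is not fully allowed to its blocked ranges."""
    flows = REQUIRED + ([CLOUD_XTENSION] if cloud_xtension else [])
    found = {n: uncovered_ports(rules, NETS[s], NTC_IP, lo, hi) for n, s, lo, hi in flows}
    return {n: g for n, g in found.items() if g}


# Constructed allow rules (default deny assumed); the admin range was narrowed.
RULES = [
    {"src": "10.20.0.0/16", "dst": "10.0.0.10/32", "ports": (22, 22)},
    {"src": "10.30.0.0/16", "dst": "10.0.0.0/24", "ports": (49152, 50000)},
    {"src": "10.30.5.0/24", "dst": "10.0.0.10/32", "ports": (60000, 65535)},
]
```

With these sample rules, `check_policy(RULES)` reports the administrator range as blocked on 50001-59999, which is the kind of gap that makes a randomly assigned shadowing port fail intermittently.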

No listening service is used on the client. In fact, even during an open session, you will not see an open, listening port on the client.

Note: If you think something like "but XYZ doesn't need all these ports" - yes but it sends all your traffic over proprietary ports through their cloud gateways that you have zero control over. In our case, everything goes only through your Stratodesk Virtual Appliance instance. Doesn't that sound much better?

Shadowing by logging into the client web front-end

You can log in to the client via Configuration web access, provided it has not been disabled. Simply select the "Shadowing" menu entry in the left sidebar. Again, keep in mind that you may have to wait for the end user to confirm your shadowing request.

Allow unattended shadowing

By default, the user on the endpoint machine is asked if the incoming screen-sharing is allowed or not. Normally the user will click "Yes" to approve the request.

There are some cases when a machine needs to be shadowed, but no user is working on this machine or no keyboard/mouse is attached. Examples are display terminals in bus or train stations or airports, or displays in industry halls or construction machines behind glass walls. To enable shadowing on these machines, set the parameter "Ask user at new connection" to "off". You will find this parameter in the "Screen shadowing" section of the "Services" parameters.

Please note that shadowing users without their consent is illegal in most jurisdictions in the world.


You will find all configuration parameters in the "Services" section; look for "Screen Shadowing" there. You do not need to configure anything here for the basic Shadowing to work as described herein. In fact, it works with the "Mode" parameter set to its default "off", because NTC doesn't use the background daemon; it starts the session on demand.

  • Mode. If you intend to use a standalone VNC viewer, this governs the operation mode (see below)
  • Ask user at new connection. If set to on (default), the user will be prompted to accept or deny the incoming request. For example in remote control rooms, dashboards, airport information screens or similar with no keyboard/mouse attached, you should disable this because nobody can accept the connection otherwise.
  • Remind user of running remote shadowing. If set to on (default), a red text will flash every few seconds to remind the user that a remote shadowing session is ongoing.
  • Password. If you intend to use a standalone VNC viewer, this will be the session password.
  • TCP port. If you intend to use a standalone VNC viewer, this will be the TCP port that we are listening on for incoming VNC requests (default: 5900)

Advanced configuration

The NoTouch Center Configuration properties allow you to edit these advanced configuration values:

  • Set the range of used TCP ports for the administrator side (note - as stated above, a smaller range does not mean more secure):

Other methods

Shadow endpoints from a standalone VNC client

Most people find the methods above (from NoTouch Center) and below (user-initiated) very comfortable. In some situations you may want to use a standalone VNC client to connect to the endpoint systems. The clients can actually launch a VNC server, not just on request by NoTouch Center, but as a background service. In that situation you must also set a shadowing password.

The following modes are available:

  • off. The VNC server is not started by default (only when NoTouch Center issues a shadowing request).
  • on/once. The VNC server will start at boot time, allow exactly one connection, and then terminate.
  • on/only one. The VNC server will start at boot time and allow exactly one simultaneous connection.
  • on/replace. The VNC server will start at boot time, and any subsequent new connection from a VNC client will terminate the existing connection.
  • on/shared. The VNC server will start at boot time, and multiple VNC clients can connect and all see and work on the same screen.

The parameters offering these modes are:

  • In NoTouch Center, "Services" -> "Screen Shadowing|Mode"
  • On the endpoint, "Services" -> "Screen shadowing", the parameter is called "Mode".

The parameter "Shadowing password" allows you to set the password that will be used specifically for standalone VNC. It must be set, otherwise the standalone VNC server will not start. Older NoTouch versions that do not have this parameter use the normal admin password instead.
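
The audit below is an added example, not part of NoTouch: it reviews per-device "Screen Shadowing" settings and flags devices where the consent prompt or reminder is off, or where a standalone VNC mode is set. The dictionary export format, the device names and the `unattended_ok` allow-list are assumptions; the parameter names and defaults follow this page.

```python
VALID_MODES = {"off", "on/once", "on/only one", "on/replace", "on/shared"}


def audit_device(name, cfg, unattended_ok=()):
    """Return findings for one endpoint's Screen Shadowing settings."""
    findings = []
    mode = cfg.get("Mode", "off")                       # default: off
    ask = cfg.get("Ask user at new connection", "on")   # default: on
    remind = cfg.get("Remind user of running remote shadowing", "on")
    password = cfg.get("Shadowing password", "")
    port = cfg.get("TCP port", 5900)                    # default: 5900

    if mode not in VALID_MODES:
        findings.append(f"unknown Mode {mode!r}")
    elif mode != "off":
        if not password:
            # Older versions without this parameter use the admin password
            # instead; that case is not modelled here.
            findings.append("standalone mode set but no shadowing password: "
                            "VNC server will not start")
        else:
            findings.append(f"standalone VNC server starts at boot on TCP port {port} ({mode})")
    if ask == "off" and name not in unattended_ok:
        findings.append("user is not asked before shadowing starts")
    if remind == "off":
        findings.append("no on-screen reminder during a shadowing session")
    return findings


def audit_fleet(fleet, unattended_ok=()):
    """Return only the devices that have at least one finding."""
    return {n: f for n, c in fleet.items() if (f := audit_device(n, c, unattended_ok))}


# Constructed sample data; device names and values are placeholders.
FLEET = {
    "helpdesk-pc-01": {},
    "airport-display-07": {"Ask user at new connection": "off"},
    "office-pc-12": {"Ask user at new connection": "off",
                     "Remind user of running remote shadowing": "off"},
    "lab-pc-03": {"Mode": "on/shared", "Shadowing password": "example-only"},
    "lab-pc-04": {"Mode": "on/replace"},
}
APPROVED_UNATTENDED = {"airport-display-07"}
```

Calling `audit_fleet(FLEET, APPROVED_UNATTENDED)` returns findings for `office-pc-12`, `lab-pc-03` and `lab-pc-04` only; the approved display and the device on defaults are not reported.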

Windows users may find a freeware VNC viewer here: TightVNC download page

Older OS images and older NoTouch Center

NoTouch OS before 2.40.5197 and Center before 4.20.943 did not have the HTML5-based Shadowing. NTC had a Java applet that could connect to NoTouch clients if it could establish a direct TCP connection to the client. This method was deprecated because it was unencrypted, because it required the ability to connect directly to a client, and because browsers dropped support for Java applets.