
Use Apple Remote Desktop with Macs behind firewalls
This hint describes how to use Apple Remote Desktop (ARD) to connect to a Mac that is behind a residential gateway, or more generally, behind any device that is performing NAT or dropping the necessary TCP ports. The short version of this hint is this:
  1. Have the target user ssh to you, with a remote port forward that connects an arbitrary TCP port (e.g. 5800) on your machine to port 5900 on their machine. Email them the command line entry to the user, since they probably aren't ssh-savvy if you're trying to ARD to them in the first place.
  2. Use ipfw to rewrite packets for 127.0.0.1:5900 to go to 127.0.0.1:5800.
  3. In ARD, create a machine manually by address, and specify 127.0.0.1
  4. (Optional) I actually created a secondary address on my lo0 (127.0.0.2), and had ipfw look for 127.0.0.2:5900 to rewrite to 127.0.0.1:5800. This means that I can be set up to reach more than one remote client at a time, without having to reconfigure anything.
Read on for a more detailed walkthrough...

Here's the longer version: I recently bought a 10-client copy of ARD for, among other things, helping my little brother and my mother with their Macs (VNC lacks some key features, discussed below). ARD has no direct support for connecting or listening on non-standard TCP ports, so there is no straightforward way to connect to a machine that is behind a residential gateway (NAT) or a firewall.

You are probably already familiar with SSH port forwarding; if not, you'll have to read up on that elsewhere. Normally you pick an arbitrary port on your local computer, and configure ssh to create a proxy connection to the normal port on the destination computer. Then you configure your application to connect to localhost on the arbitrary port.

In this case, ARD will not let you specify a non-standard port. So, if you try to ARD to 127.0.0.1, you'll just end up connecting to yourself. Also, the ARD client seems to *always* be running, even if you disable it in the Sharing System Preferences panel. As such, I was unable to simply forward port 5900 directly; ssh always fails to bind to that port because it's in use.

The solution:
  1. Configure ipfw to rewrite packets destined to 127.0.0.1 port 5900 (the standard ARD TCP port) to 127.0.0.1 port 5800 (the arbitrary port your destination user will be forwarding to himself). In Terminal, run this command:
    sudo ipfw add 00099 fwd 127.0.0.1,5800 tcp from me to 127.0.0.1 dst-port 5900
  2. Tell the remote machine to ssh to you, and forward the remote arbitrary port to themselves on port 5900. They presumably have no idea how to do this, so you should just email them an entire ssh command line, and ask them to paste it into Terminal, like this:
    ssh ip_num -l username -R 5800:127.0.0.1:5900
    Note that ip_num is your IP address or domain name, and username is an account on your machine. I have a non-administrator account on my machine that I use when I need someone else to connect to me. Don't use localhost, as Mac OS X likes to resolve that to an IPv6 address, and SSH will end up proxying an IPv4 port forward into an IPv6 session, which probably won't work.
  3. Configure a new machine in ARD with address 127.0.0.1, and your remote user's username and password.
Now ipfw will intercept these packets before your local ARD client captures them, and send them to the arbitrary port, and thus into the ssh tunnel, which will proxy the TCP session to one at the remote user's end going to the correct ARD port.

There are two optional spins that I'm actually using with this:
  1. As described, this trick will only let you connect to one host -- ARD will not let you configure multiple machines with the same address. You can trick it into doing so, but even so, you'd only be able to have one connection at a time. So, I actually add secondary addresses to my loopback interface, like 127.0.0.2, 127.0.0.3, etc., and I configure ipfw to look for those, and rewrite them to different TCP ports. Then I have the remote users use different TCP ports. Since I connect to them regularly, I actually set up .ssh/config files for them, so they only need to type ssh me.mydomain.com. The command to add the secondary IP address is:
    ifconfig lo0 alias 127.0.0.2/32
    And the modified ipfw command to make use of it is (note that this syntax looks backwards, but it's not; ipfw is just weird):
    add 00099 fwd 127.0.0.1,5800 tcp from me to 127.0.0.2 dst-port 5900
  2. The secondary addresses and ipfw stuff is certainly tedious to set up, so I have scripts in /System -> Library -> StartupItems which make it all happen automagically at boot time. Between that and having set up their .ssh/config files to use the right port forward and username, all I have to do when they want my help is tell them to type ssh domain in Terminal, and then I fire up ARD.
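As an added example (not the hint's own StartupItems scripts), here is a POSIX shell sketch of the multi-client scheme from item 1: client N gets loopback alias 127.0.0.(N+1) and remote port 5800+N, so client 0 reproduces the single-host rule above. The host name, account name and ipfw rule numbers 100+N are assumptions, not values from the hint.

```shell
#!/bin/sh
# Added example: per-client loopback alias, ipfw forwarding rule, the ssh -R
# command the remote user pastes, and a .ssh/config stanza for them.
# Assumed scheme: client N -> 127.0.0.(N+1) locally, remote port 5800+N,
# ipfw rule number 100+N (the hint itself uses 00099 for every rule).
ARD_PORT=5900              # fixed port ARD insists on connecting to
BASE_PORT=5800             # first arbitrary port the remote forwards to itself
MY_HOST="me.mydomain.com"  # placeholder for your own address
TUNNEL_USER="helper"       # placeholder non-admin account the remote logs into

client_loopback() { echo "127.0.0.$(( $1 + 1 ))"; }
client_port()     { echo "$(( BASE_PORT + $1 ))"; }

# Rule text: packets from us to 127.0.0.(N+1):5900 go to 127.0.0.1:(5800+N),
# i.e. into the remote user's tunnel instead of to our own ARD client.
ipfw_rule() {
  echo "add $(( 100 + $1 )) fwd 127.0.0.1,$(client_port "$1") tcp from me to $(client_loopback "$1") dst-port $ARD_PORT"
}

# One-line command for the remote user (same shape as step 2 of the hint).
remote_ssh_cmd() {
  echo "ssh $MY_HOST -l $TUNNEL_USER -R $(client_port "$1"):127.0.0.1:$ARD_PORT"
}

# .ssh/config stanza for the remote user so they only have to type 'ssh ardhelp'.
remote_ssh_config() {
  printf 'Host ardhelp\n  HostName %s\n  User %s\n  RemoteForward %s 127.0.0.1:%s\n' \
    "$MY_HOST" "$TUNNEL_USER" "$(client_port "$1")" "$ARD_PORT"
}

# Apply aliases and rules for clients 1..$1 (needs root; meant for a StartupItem).
apply_clients() {
  n=1
  while [ "$n" -le "$1" ]; do
    ifconfig lo0 alias "$(client_loopback "$n")/32"
    ipfw $(ipfw_rule "$n")   # unquoted on purpose: the rule is split into words
    n=$(( n + 1 ))
  done
}
```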
Why not VNC? Is anybody even still reading? You probably already know that this is all much easier using VNC, which is built into OS X. No tricky packet rewriting necessary; the clients all let you specify the port. Well, ARD version 3 has some key features that I can't seem to find in any VNC clients:
  1. I can't find any VNC clients that can connect to the built-in OS X VNC server using 8-bit color. 16-bit is the minimum, so it makes for a slower connection. If your remote user has Dock magnification and/or hiding turned on, you're looking at minutes just to click on a Dock icon. ARD allows 8-bit greyscale, and even 1-bit black & white. Yes you can turn off their Dock effects, but that takes time, and is a little rude, and this is faster for everything else too, not just that.
  2. ARD will scale the remote screen to your screen or window if it is smaller. It will also auto-scroll if you need to turn off scaling because things are too small.
  3. ARD has excellent support for the remote machine having two monitors. It will actually show you both displays at once (scaled or scrolled), or you can pick which one you want to see.
Note that ARD 3 is very expensive; it retails for $250, I think. If you're eligible for academic pricing, I think you can get it for $150. I found a factory-sealed 10-client version on eBay for under $130, which is fairly common.

12 comments
Use Apple Remote Desktop with Macs behind firewalls
Authored by: msilverman on Jul 07, '06 09:10:18AM

If you need to control the screen of a few machines behind various routers, assuming you (a) have money to spend and (b) don't already own ARD, you should really consider using Timbuktu.

It is specifically designed to allow for easy remote control of machines behind routers, both using automated SSH-tunnelling or non-SSH connections (if you choose). The screen-sharing speed is also better than ARD and it is a lot more stable.

ARD is great for administering machines on your local LAN, but using it to go across routers is like using a hammer to pound in a screw, as this (very clever, but incredibly convoluted) hint shows.



Use Apple Remote Desktop with Macs behind firewalls
Authored by: artful38 on Jul 07, '06 09:24:57AM

I'll second the comment about using Timbuktu. I bought it to support my sister and mother-in-law across the country and it is very slick. Easy to configure for routers (they both have DSL). Timbuktu works really well across the internet, you can reduce the colors and shrink the screen if you have to, and also do things like swap files and clipboards. The other nice thing is that Timbuktu works with PCs, if you have any unfortunate family members stuck on that platform and you get drafted (i.e. forced by the wife) into helping them since you are "the computer geek" for the family!



Use Apple Remote Desktop with Macs behind firewalls
Authored by: kray on Jul 07, '06 07:42:36PM

And on that note -- why not just have the remote user set up a reverse (-R) tunnel and just use that?

ssh -R 5901:127.0.0.1:5900 user@yourmac.com

Then you could simply point your ARD at localhost:5901 using the remote username/password on their Mac.

For some reason -- trying to substitute localhost for 127.0.0.1 above does not work ... and for that I'm not sure why (yet :). Any hints?

Also -- as previously stated, ARD works best on a local network as it also uses UDP traffic for full functionality, whereas ssh is only TCP based (today). The remote desktop functionality will work as-is for TCP port 5900 -- though you'll lose other capabilities such as remote shutdown/restart, locking the screen, etc...



Use Apple Remote Desktop with Macs behind firewalls
Authored by: foilpan on Jul 07, '06 09:15:04AM

from what i've found, the issue with forwarding ARD connections over ssh is that ARD needs to pass both TCP and UDP packets, and ssh port forwarding only handles TCP.

would it be easier to configure the appropriate ports on the remote routers ?

see this article for details.

or, you could set up VPN access to each site, negating the need to do any of the configuration you mentioned here.

i'm curious to see how others have dealt with using ARD with port forwarding or ssh tunnels, etc.



Use Apple Remote Desktop with Macs behind firewalls
Authored by: atverd on Jul 07, '06 11:13:32AM

ARD has support for non-standard ports. You may specify them in IP:Port format and it will work in its limited VNC-compatible mode. But there is another problem - it doesn't allow you to have multiple VNC ports on the same IP. If you want to forward port 127.0.0.1:5910 to one machine and 127.0.0.1:5920 to another machine this is not going to work. I hate this and even have a bug opened with Apple for that.



Security
Authored by: EddEdmondson on Jul 10, '06 06:40:39AM

Pretty obvious, but probably also bears repeating - I'd be wary of emailing too much info about how to ssh in. You probably want to substitute a dummy user@machine argument, and then phone them to pass on the real username, machine name and password.

Even if you're only giving them a non-admin account you don't want to risk your email being read by naughty people.



Error in hint
Authored by: avramd on Jul 10, '06 10:51:52AM

For the benefit of anyone reading this hint between now and when my correction is implemented by the editors, step 2 in the "quick version" at the top has the port numbers reversed; you rewrite packets for 127.0.0.1:5900 so they will go to 127.0.0.1:5800.



An AppleScript for the remote user
Authored by: waboom on Jul 12, '06 11:21:49PM
I do the same support for my family; to make it easier on them, I wrote this AppleScript for them to run. Since I may be traveling when they call for help, it prompts the user for an IP address or domain name to connect to before running the ssh command in terminal. It also does some quick sanity checking on the IP address to make sure it's a valid IPv4 address. Just change "ARDHero" at the top to your name, and "ARDHeroAccount" to whatever the account name is on your end that they should log into. Save as an application in Script Editor and you should be set.

set ARDHero to "Steve" -- change to your name
set ARDHeroAccount to "ard_acct" -- change to the account on your machine they log into

set isValidIP to false
repeat while isValidIP is false
	set remoteIP to text returned of (display dialog "what is " & ARDHero & "'s IP address or Domain Name?" default answer "192.17.210.65")
	
	set savedTextItemDelimiters to AppleScript's text item delimiters
	try
		set isValidIP to true
		set AppleScript's text item delimiters to {"."}
		set IPList to every text item of remoteIP
		-- restore the delimiters as soon as the split is done
		set AppleScript's text item delimiters to savedTextItemDelimiters
		set countOfIP to count of IPList
		if countOfIP is not equal to 4 then set isValidIP to false
		repeat with index from 1 to countOfIP
			-- IPList is a list, so use "item" (not "text item"); a non-numeric octet throws and is caught below
			set currentValue to (item index of IPList) as integer
			if currentValue < 0 or currentValue > 255 then set isValidIP to false
		end repeat
	on error -- In case something bogus happens, make sure the delimiter is set back
		set AppleScript's text item delimiters to savedTextItemDelimiters
		set isValidIP to false
	end try
	-- Check if they entered a domain name
	try
		last character of remoteIP as integer
	on error -- if the last character isn't a number, it's a domain name
		set isValidIP to true
	end try
	if isValidIP is false then
		display dialog ("This is not a valid IP address:" & return & remoteIP) buttons "Try Again" default button "Try Again"
	else
		set x to button returned of (display dialog ("Is this the correct address?" & return & remoteIP) buttons {"No", "Yes"} default button "Yes")
		if x is "No" then set isValidIP to false
	end if
end repeat

-- Open Terminal and start the reverse tunnel: remote port 5800 on the helper's
-- machine is forwarded back to this machine's ARD port 5900
tell application "Terminal"
	activate
	do script ("ssh " & ARDHeroAccount & "@" & remoteIP & " -R 5800:127.0.0.1:5900")
end tell


Use Apple Remote Desktop with Macs behind firewalls
Authored by: k0t1k968 on Jul 14, '06 01:02:53PM

Excellent hint.

Using ipfw I was able to connect to the Apple Remote Desktop (ARD) client via an SSH tunnel. One problem still remains. ARD refuses to recognize the tunneled ARD client as an "ARD Client". It thinks that it is just a generic VNC server on the other end of the tunnel (Current Status = VNC On). As a result, none of the ARD "extras" work (Copy, Install, Unix, ...).

Is it possible, to "convince" ARD that there is a "ARD Client" on other end of the tunnel?

---
Andrei Tchijov
Leaping Bytes, LLC



Use Apple Remote Desktop with Macs behind firewalls
Authored by: Zeitkind on Jul 15, '06 05:08:59AM
No, because ARD is based on TCP and UDP connections. ssh can only tunnel TCP as stated above, so you will only get the "VNC part" of ARD. If you want a fully working ARD, you should try VPN (either with roadwarriors or net2net). Any Linux based firewall with FreeSwan/OpenSwan or OpenVPN will be fine for that. Another possibility is to tunnel UDP over TCP; some solutions for unix are around. I tried to build udptunnel (http://www1.cs.columbia.edu/~lennox/udptunnel/) and it seems to start. Not tested though because I use VPNs for that.

Use Apple Remote Desktop with Macs behind firewalls
Authored by: smkolins on Jul 30, '06 06:54:30AM
An older hint http://www.macosxhints.com/article.php?story=20050429153115383 here covers much of the same ground and suggests using an ssh key as part of the security.

The whole management of ssh tunnels has a gui in development - http://www.leapingbytes.com/almostvpn/ and it seems almost aimed at the same kind of application (apple users helping out other apple users, even switchers) but is still in beta - and appears to not use reverse tunnels? At least there is a note on the 1.0 beta that reverse tunnels don't work...

---
Possess a pure, kindly, and radiant heart!


Use Apple Remote Desktop with Macs behind firewalls
Authored by: fmwap on Mar 24, '08 09:29:57AM

Some useful information I discovered while trying to get ARD working:

If you enable the VNC service, you can then connect to the VNC port using ARD (not just VNC) -- this also makes ARD use TCP instead of UDP for transport. You just need to specify the new port number when making the client connection.

Worked great; we don't have any issues with remote ARD sessions any more.

I think this should be a tip in itself, I couldn't find it documented anywhere else.


