- Have the target user ssh to you, with a remote port forward that connects an arbitrary TCP port (e.g. 5800) on your machine to port 5900 on their machine. Email the command line entry to the user, since they probably aren't ssh-savvy if you're trying to ARD to them in the first place.
- Use ipfw to rewrite packets for 127.0.0.1:5900 to go to 127.0.0.1:5800.
- In ARD, create a machine manually by address, and specify 127.0.0.1
- (Optional) I actually created a secondary address on my lo0 (127.0.0.2), and had ipfw look for 127.0.0.2:5900 to rewrite to 127.0.0.1:5800. This means that I can be set up to reach more than one remote client at a time, without having to reconfigure anything.
Here's the longer version: I recently bought a 10-client copy of ARD for, among other things, helping my little brother and my mother with their Macs (VNC lacks some key features, discussed below). ARD has no direct support for connecting or listening on non-standard TCP ports, so there is no straightforward way to connect to a machine that is behind a residential gateway (NAT) or a firewall.
You are probably already familiar with SSH port forwarding; if not, you'll have to read up on that elsewhere. Normally you pick an arbitrary port on your local computer, and configure ssh to create a proxy connection to the normal port on the destination computer. Then you configure your application to connect to localhost on the arbitrary port.
In this case, ARD will not let you specify a non-standard port. So, if you try to ARD to 127.0.0.1, you'll just end up connecting to yourself. Also, ARD client seems to *always* be running, even if you disable it in the Sharing System Preferences panel. As such, I was unable to simply forward port 5900 directly; ssh always fails to bind to that port because it's in use.
The solution:
- Configure ipfw to rewrite packets destined to 127.0.0.1 port 5900 (the standard ARD TCP port) to 127.0.0.1 port 5800 (the arbitrary port your destination user will be forwarding to himself). In Terminal, run this command:
    sudo ipfw add 00099 fwd 127.0.0.1,5800 tcp from me to 127.0.0.1 dst-port 5900
- Tell the remote machine to ssh to you, and forward the remote arbitrary port to themselves on port 5900. They presumably have no idea how to do this, so you should just email them an entire ssh command line, and ask them to paste it into Terminal, like this:
    ssh ip_num -l username -R 5800:127.0.0.1:5900
Note that ip_num is your IP address or domain name, and username is an account on your machine. I have a non-administrator account on my machine that I use when I need someone else to connect to me. Don't use localhost, as Mac OS X likes to resolve that to an IPv6 address, and SSH will end up proxying an IPv4 port forward into an IPv6 session, which probably won't work.
- Configure a new machine in ARD with address 127.0.0.1, and your remote user's username and password.
There are two optional spins that I'm actually using with this:
- As described, this trick will only let you connect to one host -- ARD will not let you configure multiple machines with the same address. You can trick it into doing so, but even so, you'd only be able to have one connection at a time. So, I actually add secondary addresses to my loopback interface, like 127.0.0.2, 127.0.0.3, etc., and I configure ipfw to look for those, and re-write them to different TCP ports. Then I have the remote users use different TCP ports. Since I connect to them regularly, I actually set up .ssh/config files for them, so they only need to type ssh me.mydomain.com. The command to add the secondary IP address is:
    ifconfig lo0 alias 127.0.0.2/32
And the modified ipfw command to make use of it is (note that this syntax looks backwards, but it's not; ipfw is just weird):
    add 00099 fwd 127.0.0.1,5800 tcp from me to 127.0.0.2 dst-port 5900
- The secondary addresses and ipfw stuff are certainly tedious to set up, so I have scripts in /System -> Library -> StartupItems which make it all happen automagically at boot time. Between that and having set up their .ssh/config files to use the right port forward and username, all I have to do when they want my help is tell them to type ssh domain in Terminal, and then I fire up ARD.
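As an added example (not the hint's own startup scripts), the shell below generates, for the Nth remote client, the loopback alias, the matching ipfw forward rule and the ~/.ssh/config stanza the remote user pastes so they only need to type one ssh command. The host name me.example.com, the account ardhelper and the rule numbers 101, 102, ... are placeholders.

```shell
#!/bin/sh
# Added example: per-client setup for the ARD-over-ssh trick described above.
# Client 1 gets alias 127.0.0.2 and local port 5800, client 2 gets 127.0.0.3
# and 5801, and so on; ARD is pointed at the alias, never at a port.

ARD_PORT=5900       # the fixed port ARD insists on
BASE_PORT=5800      # first arbitrary local port, as in the hint
RULE_BASE=100       # ipfw rule numbers 101, 102, ... (placeholder choice)

# alias_for N -> loopback alias that ARD connects to for client N
alias_for() { echo "127.0.0.$(( $1 + 1 ))"; }

# port_for N -> local port that client N's "ssh -R" forward binds
port_for() { echo $(( BASE_PORT + $1 - 1 )); }

# Commands to run as root on the helper's Mac for client N (e.g. from a
# StartupItem). "from me" restricts the rule to locally originated packets,
# so only ARD on this machine is steered into the forwarded port.
local_setup_cmds() {
  n=$1
  echo "ifconfig lo0 alias $(alias_for "$n")/32"
  echo "ipfw add $(( RULE_BASE + n )) fwd 127.0.0.1,$(port_for "$n") tcp from me to $(alias_for "$n") dst-port $ARD_PORT"
}

# ~/.ssh/config stanza for the remote user: equivalent of
# "ssh HOST -l USER -R PORT:127.0.0.1:5900", reachable as "ssh help".
# USER should be the non-administrator helper account on your machine.
remote_ssh_config() {
  n=$1; host=$2; user=$3
  printf 'Host help\n    HostName %s\n    User %s\n    RemoteForward %s 127.0.0.1:%s\n' \
    "$host" "$user" "$(port_for "$n")" "$ARD_PORT"
}

# Print the configuration for two clients so it can be reviewed before use.
for i in 1 2; do
  local_setup_cmds "$i"
  remote_ssh_config "$i" me.example.com ardhelper
done
```

Piping the local_setup_cmds output into `sudo sh` applies it; the remote_ssh_config text is what each remote user appends to their own ~/.ssh/config.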
- I can't find any VNC clients that can connect to the built-in OS X VNC server using 8-bit color. 16-bit is the minimum, so it makes for a slower connection. If your remote user has Dock magnification and/or hiding turned on, you're looking at minutes just to click on a Dock icon. ARD allows 8-bit greyscale, and even 1-bit black & white. Yes, you can turn off their Dock effects, but that takes time, and is a little rude, and this is faster for everything else too, not just that.
- ARD will scale the remote screen to your screen or window if it is smaller. It will also auto-scroll if you need to turn off scaling because things are too small.
- ARD has excellent support for the remote machine having two monitors. It will actually show you both displays at once (scaled or scrolled), or you can pick which one you want to see.

