Apple Remote Desktop Administration from a PC with NAT

Oct 30, '07 07:30:01AM

Contributed by: amhest

Last weekend I had to connect via VNC/Apple Remote Desktop to the MacBook that manages my mother's business from a PC. This was complicated by the fact that we were both behind NAT routers in different regions of the country.

This hint provided a good start. Unfortunately, I did not have the luxury of an advanced setup, and all of my machines run Windows XP. These instructions require a slight short-term reduction in the security of your PC; use at your own risk. These steps are quick-and-dirty; some refinements are certainly possible.

Read on for the detailed how-to...

  1. Buy the three-seat Apple Remote Desktop Server 3.x and install it (on the Mac). Supposedly there is a way around this using the free client version, but I did not discover that until it was too late, so I did not bother to investigate it.
  2. Update the Mac to the latest version (3.2+). This is important.
  3. On the Mac, run this one-line command in a terminal window to enable all Remote Desktop access (it should copy and paste as one line):
    sudo /System/Library/CoreServices/RemoteManagement/\
    ARDAgent.app/Contents/Resources/kickstart -activate \
    -configure -access -on -restart -agent -privs -all
    You can choose to be more precise later if you like. See this article for more info.
  4. I'm not sure if this command is also needed, but run it anyway (it should copy and paste as one line; note the slash between RemoteManagement and ARDAgent.app):
    sudo /System/Library/CoreServices/RemoteManagement/\
    ARDAgent.app/Contents/Resources/kickstart -configure \
    -allowAccessFor -allUsers -privs -all
  5. On the Mac, open the sharing control in the main user preferences area. Choose Apple Remote Desktop, choose to enable VNC access, enter a VNC password, and then save.
  6. Restart the Mac. This is the simplest way over the phone to be sure all the daemons are restarted.
  7. On the PC, either turn off Windows' firewall, or figure out how to make sure it stays out of the way. It may be enough to open ports 22 and 5900, but I am not sure.
  8. On the PC, create an account for the user of the Mac. Very few privileges are needed, but you will need to give the password to the Mac user later.
  9. On the PC, follow these instructions to install Cygwin and sshd and start sshd as a service.
  10. On the PC, verify that you can connect via ssh to localhost as the user created in the earlier step:
      ssh -l evan localhost
  11. On the PC, download and install TightVNC for Windows.
  12. No changes from defaults are required for the router or firewall on the Mac.
  13. Determine the LAN IP number of your PC. It probably begins with 192.168; run ipconfig in a Command window to see the details.
  14. From the PC, connect to the PC's gateway router. I connect to a Linksys WRT54G, which is directly connected to my cable modem. By default, Linksys offers a web-based administration tool; I will reference this in examples. Other routers should behave similarly. Presumably a more complicated forwarding scheme could be created in a more complex network. This configuration will need to be corrected if internal or external DHCP leases expire.
    1. Locate the external IP of the router. This is typically the IP number assigned by your ISP. It may be dynamic, but it will probably be valid long enough to complete the task at hand. Make sure it does NOT begin with 192.168. Linksys shows this on the router's status page.
    2. Allow anonymous connections to your router. Linksys has this on the security tab. Not sure if this is mandatory. Be sure to save changes.
    3. Enable forwarding of port 22: set up a rule so that port 22 of the gateway router is forwarded to port 22 of the PC, using the PC's LAN IP number from the prior step. Linksys does this on the "Applications and Gaming" tab. Be sure to save changes.
  15. On the Mac, open a Terminal window and execute the following command. Replace evan with the username you created earlier, and replace 123.123.123.123 with your router's externally-reachable IP number that you found above.
      ssh evan@123.123.123.123 -R 5900:127.0.0.1:5900
    This creates a reverse SSH tunnel, such that all traffic sent to port 5900 on the PC at 123.123.123.123 is forwarded to port 5900 on the local machine (the Mac).
  16. On the Mac, enter yes when prompted to accept a key.
  17. On the Mac, enter the Windows password for the user created earlier. NOTE: If you do this routinely, it is much better to authenticate with an SSH key rather than use a password. (See this hint.)
  18. On the Mac, the prompt in the Terminal window should change to reflect the name of the Windows user. This is a full-blown Cygwin terminal session on the PC. If this works, we should be all set to fire up VNC on the PC.
  19. On the PC, open TightVNC (vncviewer.exe) and connect to 127.0.0.1. This tells VNC to connect to port 5900 on the PC which, because of the SSH tunnel created above, forwards all traffic over the internet to port 5900 on the Mac.
  20. Enter the VNC password that you created earlier. Voila! You should see the Mac desktop on the PC in a VNC Window.
  21. When you are finished, you should crank up security again:
[robg adds: I haven't tested this one, and I'm not sure all the steps as shown are required (or even recommended). I'm hoping the readers can fill in and/or correct any inaccuracies.]
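The tunnel from step 15 and the "did it work" check behind step 19, as an added example that is not part of the original hint: a POSIX shell script with a hardened form of the Mac-side ssh command (key authentication as the NOTE in step 17 recommends, no remote shell, an explicit loopback bind for the PC-side listener) and a function that reads `netstat -an` output from the PC and confirms that port 5900 is listening on 127.0.0.1 only, so that nobody on the PC's LAN can reach the Mac through the tunnel. The key path `~/.ssh/ard_tunnel`, the user `evan`, the address 123.123.123.123 and the netstat lines are placeholders and constructed samples, not values from the hint.

```shell
#!/bin/sh
# Added example, not from the original hint. User, host, key path and the
# netstat sample below are placeholders / constructed data.

# Build the Mac-side ssh command. Compared with the hint's one-liner:
#   -N                         no remote shell; the session exists only for the tunnel
#   -o ExitOnForwardFailure    fail loudly if sshd refuses to open the -R listener
#   -o ServerAliveInterval     tear down a dead tunnel instead of leaving a stale listener
#   -i <key>                   key authentication instead of the Windows password
#   127.0.0.1: bind prefix     keep the PC-side listener on loopback even if the
#                              Cygwin sshd_config has GatewayPorts set to yes
tunnel_cmd() {
    user="$1"; host="$2"; key="${3:-$HOME/.ssh/ard_tunnel}"   # key name is hypothetical
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -i %s -R 127.0.0.1:5900:127.0.0.1:5900 %s@%s\n' \
        "$key" "$user" "$host"
}

# Scan netstat-style listener lines (Windows `netstat -an` prints
# "Proto  Local Address  Foreign Address  State") and return 0 only if every
# listener on $1 is bound to 127.0.0.1. Returns 1 if the port is bound to
# 0.0.0.0, [::] or a LAN address, i.e. exposed beyond the PC itself.
loopback_only() {
    port="$1"
    printf '%s\n' "$2" | awk -v p=":$port" '
        $NF == "LISTENING" || $NF == "LISTEN" {
            n = split($2, a, ":")          # "127.0.0.1:5900" -> addr and port
            addr = a[1]; lp = ":" a[n]
            if (lp == p && addr != "127.0.0.1") bad++
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# Constructed sample of what `netstat -an` on the PC shows while the tunnel is up
SAMPLE_NETSTAT='Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING'

tunnel_cmd evan 123.123.123.123
if loopback_only 5900 "$SAMPLE_NETSTAT"; then
    echo "OK: port 5900 on the PC accepts connections from the PC itself only"
else
    echo "WARNING: port 5900 is exposed beyond loopback; check GatewayPorts in sshd_config"
fi
```

Run the `netstat -an` check from a Cygwin shell on the PC after step 18 succeeds; the only line with `:5900` in the Local Address column should show `127.0.0.1`. If it shows `0.0.0.0`, the tunnel endpoint is reachable from the PC's whole LAN, which is the reason the `-R` form above pins the bind address explicitly.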

Mac OS X Hints
http://hints.macworld.com/article.php?story=20071024123234595