
Manage multiple NATted Macs with Apple Remote Desktop
I manage my parents' Macs, thousands of miles away, with Apple Remote Desktop (ARD). Since they have a router with NAT, it is a challenge to manage more than one machine because I can only forward incoming connections to one of them. Here is how I do it:
  1. Set up each machine to use DHCP and call the location "No ARD."
  2. Duplicate the configuration, select static IP addressing, and use the same IP address for all the Macs. Call that location "ARD."
  3. Set up the router to forward TCP and UDP packets to the static IP address above for ports 3283 and 5900.
  4. Turn on ARD in sharing (Remote Management in Leopard) for each machine and set up an account, permissions etc.
  5. Set all machines to the "No ARD" location.
To manage any one machine, I just request that my parents select the "ARD" location from the Apple menu. After I am done, I make the change back to the "No ARD" location myself. While there are other ways to do this, this method is simple enough for them to remember, doesn't involve any changes to the router, entering passwords or changing System Preference panes, and can be easily checked for errors.

Manage multiple NATted Macs with Apple Remote Desktop
Authored by: macavenger on Feb 19, '08 08:36:56AM

I would think it would be easier to simply put all the machines on static IP, and change the port-forwarding statement in the router, as you can do that yourself easily and remotely with no interaction from your parents. Usually just log in and change one number. At least with most routers, if you have them configured for it. Of course, if you don't, or if your router doesn't have a remote access option at all, then yeah, this solution would be an easy and good option. Just my 2¢

---
Aluminum iMac 20" 2.4 GHz/3GB/300GB HD



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: ashevin on Feb 19, '08 08:52:12AM

Generally speaking, it's a very bad idea to allow remote administration of the router from the WAN (Internet) side. Usually, home routers are configured to only allow access via its LAN address (commonly 192.168.0.1).



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: club60.org on Feb 19, '08 10:25:32AM

Most routers allow you to set a whitelist (or one IP address) for remote administration.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: jiclark on Feb 19, '08 01:55:36PM

Yes, but how hard would it be to spoof that one IP address?



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: tji on Feb 19, '08 03:28:17PM

> Yes, but how hard would it be to spoof that one IP address?

Quite hard. Setting your IP to whatever you want is not hard. But, getting the return packets to route back to you is the difficulty. That, and getting by the spoofing filters most ISPs employ (i.e. a source address should always fall within the ISP's range of valid IPs. A spoofed packet outside that range is dropped).

Also, determining the IP to spoof in the first place is difficult. Unless you happen to be in the routed path of the packets, where you can sniff it, you can't tell what the configured address is.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: Lutin on Feb 20, '08 01:29:53AM

Some routers need to be rebooted to apply a change in port forwarding settings.
And some others don't allow you to reboot them remotely (the only way is to pull the power plug).

So, in certain situations, this hint is quite useful.
Of course, none of these hacks would be needed if there were a way to change the connection port within Remote Desktop 3.2.
Apple, are you listening?



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: madamov on Feb 19, '08 08:50:34AM

Timbuktu used to allow you (and probably still allows you) to remote-control one machine within a network and start Timbuktu on that machine to control computers within the local network, so you have a session inside a session. I last tried that with ARD version 2 and it didn't allow it; I don't know if they changed it with version 3.

You can combine ARD and Timbuktu: have your parents install Timbuktu on all local machines, use ARD to get inside the local network, then use Timbuktu to control machines on the local network.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: RickoKid on Feb 20, '08 08:02:47AM

You can control ARD Admin using a remote Mac using ARD (piggybacking). You just need to enable the "Allow control of this computer when this application is running" option.



[ Reply to This | # ]
Manage multiple NATted Macs....CAREFUL!!
Authored by: rbenezra on Feb 20, '08 09:26:44AM

I have been doing this type of thing for years but warn that you should never open the ARD ports for security reasons. I would only open port 22 for SSH on my home network since the encryption with public and private keys is quite secure (Note I did have port 22 opened for me at work to do the reverse commute and one day there were 6000 hits per second (!!) on my machine from an IP address in China as someone tried unsuccessfully to get into our network; if there are open ports protected with just a user id and password, they can get in at this rate with NO PROBLEM, and they will, probably just for fun).

So the setup is with Timbuktu, which allows you to direct all traffic through a secure tunnel. You need to set up SSH on the home computers, know the IP address of the home server (if dynamic, you need a domain name, free these days through DynDNS), different static IP addresses on the home computers and a means to direct the traffic to a particular machine (SSH Tunnel Manager, also free, with a fairly simple setup, allows you to direct traffic to any machine on the home network through the secure shell). I know it sounds like a lot but it really is quite easy and once set up, just works seamlessly. Post back if you need more help.



[ Reply to This | # ]
Use different ports for each machine
Authored by: rdguthrie on Feb 19, '08 09:03:51AM

It would be far simpler to do the following:

1. Assign static IPs for each machine.

2. Configure the router to forward one port from the outside to a specific machine's ARD port on the inside.

So for multiple machines with static IPs, you just forward port 9990 to machine 192.168.1.90:ARD. Do the same for the other machines: 9991 to 192.168.1.91:ARD, 9992 to 192.168.1.92:ARD, etc... I had to do something similar to allow bittorrent to work for multiple machines on my network.

No action required by your users, except to turn on the machines.

The one advantage your setup has is that there's no access from the outside without an action taken on the inside, so it's somewhat more secure.



[ Reply to This | # ]
Use different ports for each machine
Authored by: zebrum on Feb 19, '08 10:22:35AM

Unfortunately this obvious solution won't work here. The poster of this hint should have pointed out there is no way to change the connection port within Remote Desktop 3.2. I believe this is the limitation he is trying to overcome.



[ Reply to This | # ]
Use different ports for each machine
Authored by: makip on Feb 21, '08 12:53:43PM
Apple Remote Desktop's port limitation is not a show stopper. Mapping different fixed router ports to our home machines is how I manage our remote access - you can get around the fixed port limitation by either..
1- forwarding your own localhost:ARD to yourRouterIP:PORT and then just connecting Remote Desktop to "localhost"
2- using other VNC software! try Vine Viewer, JollysFastVNC, or Chicken of the VNC

Note this method alone (and that specified in the original hint) is NOT a secure connection. See rbenezra's comment above and search this site for "VNC SSH" or something similar to find pointers on secure VNC access to home.

My router lets me reserve specific DHCP allocated IPs to machines with specific MAC addresses. It's a convenience, otherwise I would have to use a fixed IP setup ("DHCP with manual address" option on each machine).

Also, using a free service like DynDns.org means I don't need to remember my home IP.

Useful links on secure access:
http://howto.diveintomark.org/remote-mac/
http://www.macosxhints.com/article.php?story=20050429153115383

[ Reply to This | # ]
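The SSH-tunnel approach that rbenezra and makip describe above, as an added example (not posted by any commenter): only port 22 is forwarded at the router, and each Mac's TCP port 5900 is reached through a loopback-bound local port. The host name, account, machine names and local port numbers are constructed placeholders; the LAN addresses reuse the sample ones from rdguthrie's comment.

```shell
#!/bin/sh
# Added example: build the ssh local-forward command for one Mac behind the NAT.
# Every name and address here is a constructed placeholder.

GATEWAY="home.example.org"   # dynamic-DNS name of the home router (assumption)
SSH_USER="admin"             # account on the Mac that receives forwarded port 22

# name:LAN address:local port on the administrator's machine (constructed)
MACHINES="
imac:192.168.1.90:5901
mini:192.168.1.91:5902
book:192.168.1.92:5903
"

# Print the ssh command that tunnels 127.0.0.1:<local port> to <LAN ip>:5900.
# Returns 1 when the machine name is not in the table.
tunnel_cmd() {
    want=$1
    for entry in $MACHINES; do
        name=${entry%%:*}      # text before the first colon
        rest=${entry#*:}       # LAN address and local port
        ip=${rest%%:*}
        lport=${rest#*:}
        if [ "$name" = "$want" ]; then
            # -N: no remote shell. Binding to 127.0.0.1 keeps the tunnel
            # unreachable from other hosts on the administrator's network.
            # ssh -L carries TCP only, so this covers the 5900 screen-control
            # connection, not UDP traffic on 3283.
            printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:5900 %s@%s\n' \
                "$lport" "$ip" "$SSH_USER" "$GATEWAY"
            return 0
        fi
    done
    echo "unknown machine: $want" >&2
    return 1
}

# Print the command for one machine; while that ssh session is running,
# point the VNC or Screen Sharing client at localhost:5901.
tunnel_cmd imac
```

With this layout the router needs a single forwarding rule for port 22, and ports 3283 and 5900 stay closed on the WAN side.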
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: Grant Symon on Feb 19, '08 09:09:48AM

I've been running ARD to manage remote Macs (via the internet) for a number of years and although it's harder to configure for internet use than Timbuktu, it has other advantages. However ... all this seems to be somewhat redundant since Leopard has ARD capability built-in. It seems that a lot of that capability is switched off, but that it can be activated, if you care to fiddle with plists and so on.

Simply using iChat with the built-in screen-sharing, is a far better solution. It's safer too, since there are no holes poked in the firewall.

There is another solution that I have used with great success too ... not particularly safe and requires that the remote router has UPnP support, but Lighthouse.app is very easy to configure and can map any port on the fly. Dead easy.

Grant



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: ghay on Feb 19, '08 02:20:23PM

I find logmein.com is extremely good, and works with dynamic IP addresses.

I had major problems keeping track of a remote computer on a dynamic IP until using logmein.
I also pretty much use Skype, as iChat really struggles with most public wifi zones.

ymmv



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: da2357 on Feb 19, '08 10:22:32AM

I agree that the solution several have mentioned of assigning static IPs is a better long-term solution. As was pointed out, though, the disadvantage is that it leaves ARD potentially open for all (at least anyone capable of figuring out account names and passwords). However, this can be resolved by teaching the end-user to leave ARD ("Remote Management" in 10.5) off except for when you've coordinated a time that you'll connect to resolve their computer woes. Giving the end-user the ability to toggle on-off ARD in System Preferences > Sharing gives them the security of knowing that their computers are not open to the world's prying eyes. I've done this with a number of clients and it works fine.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: charlesbouldin on Feb 19, '08 10:42:32AM

If the Macs are running Leopard, you can use iChat and screen sharing to do this with no worries about routers. I do maintenance and setup work on my parents' machine this way.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: jiclark on Feb 19, '08 02:02:41PM

Okay, since Screen Sharing using iChat has been recommended a couple of times, what do you recommend as the easiest/best way for someone who's never used iChat to get up and running? (Assuming they don't have a .Mac account either, since that's obviously the easiest solution!)

I personally cringe at the thought of telling a friend or family member that they need to go to AOL to sign up for a free username. I know it's not that big a deal, but a lot of people I know would be put off by that process. Is there any other option?



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: jiclark on Feb 19, '08 02:04:25PM

Answering my own question, it occurs to me that signing up for a free .Mac trial account would be the best option, eh? Or are there others?



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: jiclark on Feb 19, '08 02:11:06PM

One more question about this: how far back, OS-version-wise, does this work? In other words, from my Leopard-version of iChat, can I use Screen Sharing on computers running Panther? I know it works with Tiger, but I doubt it does with earlier versions... That would be a bummer, as I know a fair number of people still running 10.3.x, and I've yet to see any cheap Tiger upgrade discs popping up for sale anywhere. I suppose eBay is an option, but again, a lot of people I work with would never buy from an eBay auction...



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: dcoyle on Feb 20, '08 04:59:03PM

I second critcol. This is amazingly easy and the performance is really, really good even over my Mom's 768 kB/S DSL line. As a side benefit, when people she knows ask if she has an AIM account for whatever seniors chat about, she can now say yes.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: critcol on Feb 19, '08 02:04:40PM

You set up the AOL account for them and then tell them to turn on iChat when they need help. Works wonders with my parents.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: blueatria on Feb 19, '08 02:45:28PM
I have been using hamachi (https://secure.logmein.com/products/hamachi/list.asp) for a long time to let me access my macs at home while I am away from home and manage my parents' windoze machine from anywhere. It provides a secure VPN style private network that you can do any sort of IP connection over. I use 10.5 screen sharing and ssh to talk to my macs and a vnc client to manage the windoze box. It works great. There are free versions of hamachi for windoze, OSX and others. LogMeIn also have paid-for products which I have tried but they don't really do what I want simply.
Hamachi install is a little bit of a pain and is only command line. The gui version still has some problems with Leopard but the command line version works great. There is a forum that is useful for setup queries.
You could continue to use ARD if you want but there would be no need for any port forwarding nonsense and hamachi is very secure. Just my 2cents.

On a side note I have tried to get Back to my Mac working and that has been a complete waste of time. I have all Apple hardware and I am a paying subscriber to .mac and have had no luck at all.

[ Reply to This | # ]
ARD for non-local machines??
Authored by: tji on Feb 19, '08 03:02:27PM

I have a VPN connection back to my parents' house, but I don't know how to initiate an ARD connection while not local.

When I'm at their house, I see their iMac in the Finder, and can select 'share desktop'. But, to do it remotely, I can't find how to initiate Apple's client.

I can use "Chicken of the VNC", and it works okay. I just think the Apple client is more network efficient.

How do you initiate your connections?



[ Reply to This | # ]
ARD for non-local machines??
Authored by: bagelturf on Feb 19, '08 07:10:36PM

I saw this hint:

Just use SSH for this, it's really simple:

Starting under Leopard:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
(yes, I know, but really, restart is the way)

Stopping under Leopard:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -stop

The command is the same under Mac OS X 10.4, but the path may be a little different inside of CoreServices, IIRC.



[ Reply to This | # ]
ARD for non-local machines??
Authored by: blgrace on Feb 20, '08 05:04:56AM

In Leopard I've been manually opening up the Screen Sharing app and just typing in the Hamachi IP of the machine I want to control.

/System/Library/CoreServices/Screen Sharing



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: morespace54 on Feb 20, '08 02:14:21PM

On a side note, I had a hard time (!) getting "Screen Sharing" connecting from my 10.5 machine (on iChat, Safari or whatever) to different machines (10.4 and 10.5). All I could get was a message saying "0.0.0.0.0 computer is unavailable".

Then I discovered that because I used ARD on my main computer before I upgraded my system, the "Screen Sharing" option was greyed out by default in system preferences...

So if you were using ARD prior to upgrading and plan to use Screen Sharing instead, you might want to uncheck the ARD option before trying to connect to another computer with Screen Sharing.



[ Reply to This | # ]
Manage multiple NATted Macs with Apple Remote Desktop
Authored by: khalatian on Feb 21, '08 07:47:49AM
use http://www.LiveLOOK.net - no firewall/NAT headaches. works not only on Mac but Windows and Linux as well

[ Reply to This | # ]