Skip navigation

Port Forwarding to 2 computers using Apple Remote Desktop ?

7430 Views 23 Replies Latest reply: Dec 14, 2013 5:05 AM by 747-8driver RSS
1 2 Previous Next
troy728 Calculating status...
Currently Being Moderated
Sep 25, 2012 10:57 PM

Hi Guys,

 

I'm hoping someone can at least help me understand the problem I'm having with ARD and 2 computers on my home network. I'm not a total newbie, but acronyms like PPoE, and such will confuse me.

 

Scenario:

For months I've been port forwarding to ARD at home while working away, and it's been working fine. Now the wife wants me to troubleshoot her machine while I'm away too (argh).

 

So I'm looking for a way to connect to both my own home machine, AND (now) her's too using Apple Remote Desktop 3.5

 

I have a D-Link G604-T which is working fine with just the one machine, but I don't seem to be able to get it working with the other machine. Ive read about setting up 5901 ports etc, but don't really understand the principle of what needs to be done.

 

Guidance or advice for a relative non-technophobe most gratefully received please.

Mac OS X (10.6.8)
  • drtidmore Level 1 Level 1 (10 points)

    I do this all the time and it is really straightforward.  Several steps are necessary.

     

    1) Change the port address (Remote Management Port & Screen Sharing Port) information in ARD for each machine to ports other than the default 5900, 3283, (I just add one to each for each machine physically behind a single WAN IP address (such as 5901, 3284 for first machine, 5902, 3285 for second machine and so forth)

     

    2) You also have to setup DHCP IP reservations in the home network router such that each target machine will ALWAYS get the same local IP address as port forwarding requires you enter a local static IP address.

     

    3) THEN, you have to make the appropriate offsetting changes in the router port forwarding supporting the end machines (ie have it route say 5901 to 5900 and 3284 to 3283 to the DHCP reserved SPECIFIC local IP address of the machine such as 192.168.0.100).

     

    As you likely also have a ISP that only gives you a one dynamic WAN IP address, you will need to add dyndns.org to your bag of tricks.  This service supplies you with a URL (you only need ONE for all machines that reside on the same WAN IP address (ie behind the router).  This URL will resolve to the actual current IP address that your ISP is providing. It does this via a process that you install on your Macs (software on thier website). Then in ARD you enter the assigned URL in the DSN Name Field and leave the IP address blank (ARD will automatically fill in the actual IP address when you press DONE.  This way you never have to worry about what the actual WAN IP address your machines are using.

     

    FYI, the forward TO info is always 5900, 3283 and don't forget to make forwarding entries for BOTH TCP/IP and UDP using the same forwarding info.

     

    Hopes this helps.

  • drtidmore Level 1 Level 1 (10 points)

    As you already have local static IP addresses that part is done. As long as you have any viable domain name service (www.no-ip.org)in place that will work as well.  As to where and how to make the port address changes, I assumed you were using Apple Remote Desktop, ARD.  If you are using some other VNC software, then you will need to someone change the default control port.

     

    Here is the screen shot of the data entry screen in ARD.  Enter the DNS name in the Address field, your login info, and then override the default values for the ports to the values you have chosen for each specific machine. You can also override these settings in existing ARD entries by double clicking on the machine entry and then choosing edit.

    Screen Shot 2012-09-26 at 4.43.54 PM.png

  • drtidmore Level 1 Level 1 (10 points)

    Yes, when you override the default 5900 and 3283 port settings in ARD you are changing the ports that the ARD uses to address that particular remote computer located at a specific WAN IP address.  You can use any port so long as you don't use any of the "well established" ports that the IP community as well as Apple have chosen.   The ARD client is hard coded to ONLY respond to 5900 and 3283 so that is why we use port forwarding when there are multiple machines on a local network.

     

    Here is a list of the well established ports. 

    support.apple.com/kb/TS1629?viewlocale=en_US&locale=en_US

     

    I prefer to stay in the same range as the default port addresses as those are clear of well established ports.

     

    As for the ssh port, you have two options.  If your support tech ONLY gets to your work computer, then add a port forward entry into the router to send port 22 to the specific local IP address of your work computer.  That way whenever port 22 arrives at the router, it will send it to ONLY your work computer.  The second is to have him use another port entirely for ssh and then have the router forward that other port to port 22 on the computer desired. The first way has the advantage of not requiring your support tech remembering that your work computer ssh is NOT on port 22, but it has the disadvantage that ssh will only be available to the ONE work computer. FYI, having your tech use some port other than port 22 is actually a good idea as port 22 is one that you typically don't want left open since a hacker due to hackers.  Well secured networks, DON'T allow port 22 originating traffic. You can also turn off ssh within OSX security settings.  Even on those computers where I have ARD priviledges I leave ssh turned off since if I need to ssh into the machine, I can use ARD to turn on ssh remotely, the ssh into the machine.

     

    You CAN'T have the same incoming port assigned to more than one computer in the router.  Of course you CAN have the same outgoing ports assigned to the same ports as that is what port forwarding is all about.  Understand that when a port connection originates from the local computer, the router sets up route so that it can automatically funnel traffic, but that ONLY works with the initial connection originates with the the local computer (thing web browsing as an example).  Unless ARD happens to sit on the local network, it can't reach machines sitting on the local network without port forwarding and same applies to any inbound originating traffic, so for any of those other originating incoming ports to work, specific port forwarding entries must be created in the router.

  • drtidmore Level 1 Level 1 (10 points)

    Yes, by entering 3284,5901 into ARD, you are instructing ARD to use those ports for communicating to the specific machine.  The remote machine that you are controlling still uses 3283,5900 and the router port forwarding settings handle the switching between the ports, coming and going.

     

    Yes, you HAVE to make the port forwarding entries into the router.  As you will have more than a single machine that you wish to control via ARD on your local network, you MUST NOT use 3283 or 5900 as the incoming port settings for ANY machine, so you will have to change the settings for that existing machine.

     

    You make the port settings changes to your MBP in the above scenario.  I think you are confusing the two sides of ARD.  The client code is part of OSX and while you do have to turn it on in preference sharing settings, there is NOTHING to install of configure other than an occasion code update (such as the recent ARD client update).  The server code is what you MUST install and configure. Typically this is installed on ONE machine that will be the CONTROLLING machine.  You DON'T install the server code on the client machines!

     

    David

  • Mark Blake Level 1 Level 1 (0 points)

    David

    I understand we can change the default ports 3283 and 5900 for a specific client.  I also need to change 22 to something else.

    I am connecting to a Mac on a third party network to a computer behind a Nat, and they wont forward 22 for me, as they already use that for another device. Their care factor to resolve this is much less than mine - understandably.

     

    I think I am out of luck.

  • drtidmore Level 1 Level 1 (10 points)

    Port 22 is the default for SSH and has nothing to do with ARD.  As I have stated previously, while SSH is a good thing to have, it is NOT something that well secured machines typically leave open to incoming traffic.  I always turn it off on client machines once I have ARD up and running.

     

    You can still use port forwarding to solve the issue.  You will have to choose an unused port that you will use FROM the external machine when you desire SSH on the client machine and add an entry into the port forwarding table in the router that is responsible for NAT for that particular client (ex forward port chosen port # to static local address of client machine to port 22). 

     

    This is exactly the same thing we do to allow ARD on multiple macs running on the same local area network behind NAT, just different ports involved.  The idea is to leave the client machines using default, well known ports and to use port forwarding to allow an external machine to reach those individual machines by send incoming requests to a otherwise UNUSED port that will trigger a port forwarding activity to the desired machine and to the well known port for that particular capability.

  • Mark Blake Level 1 Level 1 (0 points)

    Port 22 is the default for SSH and has nothing to do with ARD.

    Thank you so much. Your comment completely befuddled me so I turned off SSH in one of my client machines and everything still works, like shell commands, file copy.     I have always thought the required ports were 22, 3283 and 5900,  and that 22 was needed for *all* file transferring.

     

    I just read the Apple Remote Desktop Administrator's Guide again, and I understand it much better now, the file transfers et al are still done via 3283,   port 22 is only required if I want to encrypt all communications.  Some people might want that but I dont.  The required reading is on pages 75-76,  and 164.

     

    I am connecting to my 40+ machines colocated inside university networks.  Now that I dont have to get them to allow access via SSH, I will get much less hassle when setting up new sites from the security admins.  I dont think you will ever ealise how much that will make my life easier :-)

  • 747freightdog Calculating status...

    Now what happens if you take your home computer to your workplace and start using ARD?

    In my case the remote address I use to access a computer quickly changes into the local address of that same computer!

    When I get home again I have to change the address and ports back to the correct remote addresses/ports.

    Very annoying although I only have 2 computers to manage.

     

    Mark, how do you cope with that?

    MBP
  • st3v1e Level 1 Level 1 (60 points)

    Hi again guys,

     

    Not being a true tecchie - I'm still struggling with a problem I had a year ago. ANd I guess a little bit of knowledge is dangerous - and that's me!

     

    So I'm revisiting this same issue, and am having problems as before - I didn't actually manage to get it working, and found another solution), so I thought I'd continue the problem in the same post - hope that's OK?

     

    Situation is:

    • I have 2 computers at home, and need to access them when I'm away.
    • Mac 1 is an i7 iMac running 10.6.8
    • Mac 2 is an older 17" MBP (circa 2003 - still going strong) with 10.5.8
    • Both have ARD client installed.
    • I'm using www.no-ip.com as my dynamic DNS hosting company, as a static IP isn't going to be an option at this time - and both had No-iP's DUC daemon running which accesse their individual hostname (though they still seem to have the same external IP ? Is that correct?)

     

    Problem:

    I've been able to connect to one of the two (usually the one with the lowest numerical internal IP address - ie: 10.1.1.27 as opposed to 10.1.1.28), but not to each one individually when forwarding ports 3283 and 5900

     

    So after a bit of reading around, I've setup my Router, to forward to 2 computers in the same home office with slightly different port numbers:

     

    I set the Macs up as follows:

     

    iMac (Computer #1)

    Internal IP address set manually to: 10.1.1.27

     

    MBP17" (Computer #2):

    Internal IP address set manually to: 10.1.1.28

     

    Next I went to my router (D-Link DSL G-604T), and set port forwarding to:

     

    10.1.1.27 - TCP/UDP to 3284 and also 5901

    10.1.1.28 - TCP/UDP to 3285 and also 5902

     

    Screen shot 2013-12-11 at 11.30.47 AM.png

     

    Screen shot 2013-12-11 at 11.31.45 AM.png

     

    So hopefully that's all correct?

     

    Both machines have ARD client installed on them, and I have remote accessed them individually previously, so I'm pretty sure ARD is OK on them.

     

    Next, I saved and rebooted the G-604T and ensured the config had saved - it had.

    Now I went to my "Work_MBP" - this is the machine I'll use when I'm away, to access the Mac's at home & opened ARD (from inside the same network), and tried to view either of the machines via my internal network, to see if I could get access - nothing.

     

    In ARD, I tried both the local IP address:  10.1.1.27:3284 and the No-iP address - myusername.no-ip.org:3284

     

    So possibly I'm only able to access this from outside of my local network, but I'm suspecting that I need to tell each of the "home" macs, that they now need to use a different port for screen sharing, for this to work.

     

    I'm thinking that each is set to screen share on 3283 (as the default port), but now I'm saying - forget that, we'll use 3284 - so neither is seeing the router forwarding to it? So I'm guessing I may need to be re-assigning the screen sharing port on each home machine? But if that's the case, I've no idea how to do that!

     

    How close am I?

    Maybe I'm totally off base with this, but some help or guidance would be GREATLY appreciated as I'm away again next week, and this is becoming a pain!

     

    Thanks for any input guys.

  • drtidmore Level 1 Level 1 (10 points)

    You are on the correct path, but does not appear that you have it setup correctly.  FYI, I support multiple OSX platforms running behind routers all the time, so it DOES work.

     

    I use dyndns.org to setup free external (WAN) IP addresses resolution (you have to physically log into the website monthly to keep it active, but it is FREE.  There is a for fee option as well.  This will give you a named address that will automatically be resolved to the most current ISP WAN address assigned to your home enviroment. You do have to load a client on one or both of the local machines that automatically tracks the actual WAN address and reports it to dyndns.org.  I have used this for several years with absolutely NO issues as long as the local machine is running the daemon that tracks the WAN address.  I tend to run it on ALL machines so that if one craps out, the others will keep reporting.

     

    It does NOT appear that you have the port redirection setup correctly.  You should be setting up TCP/UDP port 5901 to redirect to port 5900 and 3484 to redirect to port 3483 AT the specific STATIC local IP address.  Each additional machine would use sequentially higher ports so that each can be reached specifically.  Again, each offset pair of ports is used for a SINGLE machine and the IP addresses on those machines MUST be STATIC.

     

    The ARD client does NOT allow the changing of the ports 5900/3283 so you have to ensure that the external redirection ports (5901/3284...) redirect to not only 5900/3283... but each pair redirects to ONLY one specific local machine address 

     

    Using your example, Mac #1, local IP 10.1.1.27 would have an entry in the router such that wheneven ports 5901 & 3284 hit the router, it redirects those ports to 5900 & 3283 TO IP address 10.1.1.27

     

    Mac#2, local IP 10.1.1.28 would have an entry in the router to redirect 5902/3285 to 5900/3283 TO IP address 10.1.1.28

     

    Then from your remote ARD machine, you make an entry for each machine using the same named WAN IP address BUT you change the ports to reflect which machine you want to ARD into.

     

    ARD then attempts to connect to the WAN IP address at the offset ports, which are redirected to the proper default ports at the SPECIFIC local IP address which you setup.

     

    Hope this makes some sense. 

     

    David T

  • st3v1e Level 1 Level 1 (60 points)

    Hi David,

     

    Thanks for your reply, I'm sure I'll get this eventually, but I'm going to need a "hold-my-hand" approach until I'm fully sure of whats going on here I'm afraid.

     

    The dyndns.org setup you have looks very similar to my No-iP.org setup, so I'm familiar with that thanks.

     

    You should be setting up TCP/UDP port 5901 to redirect to port 5900 and 3484 to redirect to port 3483 AT the specific STATIC local IP address.  Each additional machine would use sequentially higher ports so that each can be reached specifically.  Again, each offset pair of ports is used for a SINGLE machine and the IP addresses on those machines MUST be STATIC.

     

    I have definitely setup each machine (internally) with static IP's - again that's something I'm familiar with. Both the 10.1.1.27 & 10.1.1.28 are set to use DHCP with manual address in the network settings.

     

     

    The ARD client does NOT allow the changing of the ports 5900/3283 so you have to ensure that the external redirection ports (5901/3284...) redirect to not only 5900/3283... but each pair redirects to ONLY one specific local machine address 

     

     

    Yes I kind of understand what's happening here, and it makes more sense than my current train of thought. But I'm struggling to understand what I need to do in the router - presumably it's the router config I need to change, and not the ports in the Macs?

     

     

    Using your example, Mac #1, local IP 10.1.1.27 would have an entry in the router such that wheneven ports 5901 & 3284 hit the router, it redirects those ports to 5900 & 3283 TO IP address 10.1.1.27

     

    Mac#2, local IP 10.1.1.28 would have an entry in the router to redirect 5902/3285 to 5900/3283 TO IP address 10.1.1.28

     

     

    I'm almost there with your explanation (apologies) but if I'm understanding you correctly, I'll need to Filter the ports in the router. But is the 5900 an incoming or outgoing port - and ditto for the 3283 port?

     

    Screen shot 2013-12-11 at 6.56.37 PM.png

     

    I've made a couple of attempts to do this using the Filters section in the router, but from inside my local IP (obviously) I can't test it, as the only IP I see is the local one.

     

    Here's a screenshot of the config page I use to setup the basic Port Forwarding on the router:

    http://portforward.com/english/routers/port_forwarding/Dlink/DSL-G604Tv2/default guide.htm

     

    And here's a whole bunch of screenshots for the same router - maybe you can advise where and what I need to configure?

    http://screenshots.portforward.com/routers/Dlink/DSL-G604T/default.htm

     

    Thanks for your patience, once I've done it, I'll be able to work through and reverse engineer (understand) whats going on.

     

    Steve

1 2 Previous Next

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.