Remote access to airport disk from Windows

Very helpful, thanks Tesserax. I also read your more recent article on the 3 methods for connection a Mac to an Airport share remotely: AirPort Disk - Remote Access (3 Methods)

I tried setting up the haring per you article to work with Windows, but I can't seem to get it to work. I have VNC ports mapped and that is working just fine from Windows. After reading more of this thread, I realize it's because my ISP Comcast, blocks the necessary ports required for SMB file sharing (same ISP on both sides of the attempted connection).

I was wondering if you knew any alternative methods in sharing out my airport disk over WAN to a Windows computer with this limitation. I read that Comcast will not lift these blocked ports if requested. I know VPN is an option but is there any non-VPN solutions? Is there anyway to change the file sharing port for SMB in macOS?

I'm presuming Comcast blocks this stuff because it probably is not the most secure solution anyway, even with a very good password. Maybe I am better off not doing this in the first place?

I was wondering if you knew any alternative methods in sharing out my airport disk over WAN to a Windows computer with this limitation.

One caveat. You do know that SMB over the Internet is inherently not secure ... correct? Doing so without using VPN would not be recommended, especially with sensitive data.

Ok, with that said, have you tried mapping a different port instead of the well-known TCP port 445 ... which Comcast is blocking? That is, when setting up port mapping, use a TCP port for the "Public TCP Ports" option that is not 445, like 45000.

I'm presuming Comcast blocks this stuff because it probably is not the most secure solution anyway, even with a very good password.

That would be a good assumption.

Thanks for the help.

Yes, I did try changing the public TCP port to a different unused port, but I could still not make the connection. If I'm correct in assuming the private TCP port needs to remain 445, I'm guessing Comcast has a way of blocking that privately used port, and so changing the public one isn't going to matter, right? I don't know how they can block a private port, but my testing has led me to believe that is the case. I'm new to this stuff, so that may be false.

It is interesting though, I am able to access the drive using AFP over the Internet, because I confirmed Comcast does not block the use of that protocol's port (548). I wonder if that means AFP is any more (or less) secure than SMB over the Internet? If Comcast is allowing traffic through on those ports, I might be apt to think it's less of a security concern then SMB, but I really have no clue about all of this. Should I be concerned about using AFP over the Internet too, just as much as SMB?

Security concerns aside, the issue being because Windows doesn't support AFP, I can only access the drive over the Internet with another Mac right now (using Connect to Server). I can still access the drive in Windows using SMB if the Windows PC is on the local network, so at least I know I have it mostly setup right.

In the meantime, I'll have to look into a VPN solution since that would be a lot more secure.

If I'm correct in assuming the private TCP port needs to remain 445, I'm guessing Comcast has a way of blocking that privately used port, and so changing the public one isn't going to matter, right? I don't know how they can block a private port, but my testing has led me to believe that is the case. I'm new to this stuff, so that may be false.

Yes, the private port must remain at 445 as that is what the "SMB server," in the AirPort Extreme, is listening on for SMB requests from a client ... whether that client is on the local network or from a remote location. Comcast shouldn't be able to block private IP addresses or associated ports on your local network that are behind a NAT router. (That being the Extreme again.) Most likely, Comcast is blocking "business level services" for their consumer-grade Internet service (at the WAN-side of your Extreme) and will want you to upgrade to the same level at an additional cost ... and by business level services, I am referring to running an email, ftp, web, or file server, etc. on your local network for remote access.

It is interesting though, I am able to access the drive using AFP over the Internet, because I confirmed Comcast does not block the use of that protocol's port (548). I wonder if that means AFP is any more (or less) secure than SMB over the Internet?

Unfortunately, it is no more secure than SMB. Again, using a VPN tunnel would be what typically be used to secure any file sharing protocol. SMB just happens to be more "popular" and possibly why Comcast elected to block it. One option: switch ISPs.

Security concerns aside, the issue being because Windows doesn't support AFP

That's true as far as natively, but there a number of third-party Windows apps that do support AFP that might be worth a try. I currently don't use any myself so I can't make any recommendations, but it may be worth your time to do a little research to find those that do support AFP for remote access.

I started thinking more about this.

If I could get around the Comcast port blocks, or switch to an ISP that doesn't block those ports, and I decided to setup SMB sharing over the Internet, could I limit the connection to only allow traffic from 1 specific IP address?

That way, it may be a more secure setup, in that only 1 IP address that I specify can access the SMB port, and any other requests outside of that IP would be rejected. That sounds more secure to me, I'm just not sure if you can do that. I vaguely remember reading someone that setup a connection over the Internet, and limited the traffic to specific IPs. Sort of like blocking all phone numbers, except allowing a few numbers to come through. Anyone have any experience doing something like this?

Ok, here are the basic steps to configure the 802.11n AirPort Extreme Base Station (AEBSn) to share an attached USB HDD to the Internet from a Windows 7 PC.

1. Start the AirPort Utility > Select the AEBSn, and then, note the IP address shown.
2. Select Manual Setup.
3. Verify that Connection Sharing = Share a public IP address is selected on the Internet > Internet Connection tab.
4. Select Disks, and then, select File Sharing.
5. Verify that both the "Enable file sharing" and "Share disks over the Internet using Bonjour" options are enabled.
6. Verify that Secure Shared Disks = With a disk password. (Recommended)
7. Verify that AirPort Disks Guest Access = Not allowed. (Recommended)
8. Select Advanced, and then, select the Port Mapping tab.
9. Click the plus sign to add a new port mapping.
10. For Service, select the "Windows Sharing" option. The will open the appropriate UDP/TCP ports for the SMB file sharing protocol. (Note: This option would only allow PC or Linux clients to access the AirPort Disks. If you want both Macs and PCs to connect, you would need to also select the "Personal File Sharing" option as well.)
11. In the Public UDP Port(s) and Public TCP Port(s) boxes, type in a 4-digit port number (e.g., 8888) that you choose. In the Private IP Address box, type the internal IP address of your AEBSn that you wrote down in step 1. In the Private UDP Port(s) and Private TCP Port(s) boxes, type 548. Click Continue.
12. In the Description box, type a descriptive name like "AirPort Disk File Sharing," and then, click Done.
13. Click on Update.

To connect to the shared AirPort Disk from a remote location using a PC running Windows 7:

1. From Start > Computer > Map network drive
2. In the Folder window, enter the DynDNS-provided Domain Name or Pubic (WAN-side) IP address of the AEBSn, followed by a colon and the Public port number that you choose in step 11 of the previous procedure. For example: \\www.mydyndnsdomain.com:8888\<AirPort Disk Volume Name> or \\123.456.789.123:8888\<AirPort Disk Volume Name>
3. Click Finish.
4. You should be prompted for your user name and password. The user name can be anything you like; the password should be the Disk password for the AEBSn that you created in step 6 previously.

I have a dynamic ip address so maybe it would be easier to go through dyndns.com or no-ip.com and use a dynamic global hostname in the AEBS.

The AirPorts do not have a means to configure for DDNS, so you would need to download a simple client that runs on a Mac or PC to keep the DynDNS server updated everytime your dynamic IP address changes.

Basically, all you need to do is go to the DynDNS site (or whichever DDNS supplier you prefer) and sign up for their service. They will then provide you with both the DDNS client and the URL that will be assigned to you. Once you have these, you would install the client on your computer and run it. You would then use the URL when attempting to access your router from the Internet.

In this case, you would enter the URL into the Map Network Drive's folder window as I described earlier.

Regardless of, whether your ISP provides you with a Dynamic or Static IP address, they need to provide one that is accessable from the Public network. Some ISPs only provide Private IP addresses that are restricted to their own network. The latter types of addresses may not work with DynDNS. You may want to check with your ISP on this.

In the AirPort Utility on the File Sharing tab, double-check to see if you have "Share disks WAN" enabled.

Unfortunately, from what I have read and experienced (been trying to setup something similar as yourself) the vast majority of ISP's actively block any remote SMB connections. Essentially, regardless of what you have done on your end to open up the SMB ports, the ISP has them blocked. I'm not entirely sure why this is, something to do with security. The only way around this is to either find a Windows program that can do AFP or set up a VPN - which is a bit easier said than done.

I would second noraa's comments, especially about ISPs that actively block SMB traffic. You may want to double-check with yours to find out if not only SMB is being blocked, but what else is as well.

Have you considered other alternatives that might be much simpler, such as Drobox or SugarSync? These services copy your designated folders (which can be anywhere on your computer or networked disk) to a cloud storage, which is then available anywhere in the world.

I have tried all the settings suggested in this discussion, however I am still unable to connect to my hard drives connected to my Air Port Extreme from a PC that is at a remote location. I am able to map PCs that are connected to this Air Port Extreme but from a remote location I can't. Is there something I am missing? I have contacted my ISP and they say that SMB file sharing is not blocked. Any suggestions?