ARD Ports -- direction matters.

After some testing, it appears as if some of the problems people are having w.r.t. ARD functions may be due to confusion about what ports need to be open to pass through your firewall and/or NAT router.

Here is my understanding, please correct if wrong.

If port 5900 outbound is open on the Client, they can be controlled, but you can't do advanced features such as software updates. This appears to work even if the Client machine and Server machines are on different networks and port 5900 inbound is blocked by a NAT box.

If port 3282 outbound is open on the Client, then you can also do software updates and other advanced features, but only if port 3282 inbound is not blocked by your NAT box or firewall.


This setup will let you control the client, but not do software updates:
Client 5900 <---- NAT/Router <---- ARD Admin 5900
Client 5900 ----> NAT/Router BLOCKED
Client 3283 <---- NAT/Router <---- ARD Admin 3283
Client 3283 ----> NAT/Router BLOCKED

This setup will let you control the client, and do software updates:
Client 5900 <---- NAT/Router <---- ARD Admin 5900
Client 5900 ----> NAT/Router BLOCKED
Client 3283 <---- NAT/Router <---- ARD Admin 3283
Client 3283 ----> NAT/Router ----> ARD Admin 3283

Understanding this may help with some of the confusion, as it's easy to have your network in a state where you can control the client, but not do software updates, because the return 3283 port is blocked.

Mac OS X (10.4.6)

Posted on Aug 18, 2006 10:16 AM

16 replies

Aug 18, 2006 11:19 AM in response to xmddmx

> If port 3282 outbound is open on the Client, then you can also do software updates and other advanced features, but only if port 3282 inbound is not blocked by your NAT box or firewall.

Just to avoid potential confusion for anyone reading, this appears to be a typo. The correct port is 3283, as you correctly state later in your post.

I'm also dubious that observe and control will work if 5900 is blocked in either direction (since traffic has to flow both ways), but I've not tested it so I can't say it's not correct.

Sep 3, 2006 8:41 AM in response to varjak paw

Here's what's confusing me.

I have six Macs behind my firewall. ARD is working fine while inside on the LAN.

I opened ports 5900 and 3283 on the router for the first computer at local IP 192.168.1.2

Since I can't assign those same ports to more than one local IP, my Netgear router instructs me to add ONE to the ports. So I then opened ports 5901 and 3284 to 192.168.1.3, and ports 5902 and 3284 to 192.168.1.4

This seems very wrong to me. If you need ports 5900 and 3283, then how can these others work?

Anyway, I disconnected the laptop Airport and dialed into my ISP to test.

ARD only shows ONE computer in the Scanner under Network Address and I can't connect to it. Shouldn't all three show up?

I also can't tell which one it is. It only lists the external IP from the DSL account and under both computer name and DNS name, it lists the domain from my DynDNS service. Even if I get all the computers to show up, how to tell them apart doesn't seem to be apparent.

Thank-you.

Oct 12, 2006 5:11 AM in response to sparky67

Hi,

I'm having exactly the same problem. I'm connected to an unrestricted ADSL connection, and I'm trying to connect to another network via the internet. It has ADSL modem ---> AirPort Extreme ---> 3x Mac OS X clients

On the AirPort you can set up port forwarding, even of the same port to several IP addresses! I tried this but to no avail - in ARD 3.0 it comes up with just one IP address, so I can only control one computer.

How do I control more than one???

Ta

Oct 12, 2006 7:37 AM in response to astro666

> How do I control more than one???


I can NOT believe that if you are an IT person for a small company using ARD, you are not allowed to ARD into more than one Mac from outside the network. Since you can only use ONE set of ports for ARD, this seems to be the case.

I've started and participated in several other Apple threads about this issue. Not one good answer. Not even to tell me whether Apple intended this or not.

Someone said to control the other machines via ARD on the network remotely from ARD outside the network. LOL. I have a 13" MacBook and the other Macs have much larger resolutions. Can you imagine how slow controlling ARD via ARD would be? Not to mention that you'd need an electron microscope to see and click the icons.

Someone else said to use VPN to tunnel into the network remotely and then you can use ARD on all the machines. I had some trouble with VPN and again could not get any answers about how this is supposed to be set up. When I investigate VPN, it seems to take me to places where I don't need to go, involving Windows machines and such. How does VPN get set up to work with ARD?? What are the considerations regarding routers and VPN?

And yet someone else said to use Chicken of the VNC or another open source third party solution. Just great. Why do I have ARD, then?

Questions remain open after several threads:

1. How to use ARD to control more than one Mac from outside the network with the step by step solution.

2. If not, then why? Workarounds? If possible, workarounds involving only ARD and things built into OS X, please.

Thank-you.

Oct 30, 2006 11:31 PM in response to astro666

The problem with controlling more than one computer lies not with Apple or necessarily even the net. The problem is logic.

NAT is a system of letting multiple computers on a private network share one global IP address. Port forwarding is the technique of taking traffic from the net, which has the global IP address as the destination, and redirecting it to a specified internal computer.

The problem then lies with how are you going to select which internal machine to control when they are all pretending to have the same external IP address?

One solution is to use different port numbers to direct to different machines. But I don't think ARD is designed to handle that.

The only out-of-the-box solution I am aware of is to set up VPN, which gives the controlling machine one of the available internal IP addresses, and (theoretically) it can communicate with the other machines as if it were on the network.

However, I have not actually tried this myself (but am soon to be required to) so may have more details for you if desired.

Ray.

Oct 31, 2006 8:06 AM in response to Ray A

> The problem with controlling more than one computer lies not with Apple or necessarily even the net. The problem is logic.
>
> NAT is a system of letting multiple computers on a private network share one global IP address. Port forwarding is the technique of taking traffic from the net, which has the global IP address as the destination, and redirecting it to a specified internal computer.
>
> The problem then lies with how are you going to select which internal machine to control when they are all pretending to have the same external IP address?
>
> One solution is to use different port numbers to direct to different machines. But I don't think ARD is designed to handle that.


I don't fully agree with you. Yes you can direct certain ports to certain machines. The problem is that ARD only uses one specific port rather than a range of ports. Therefore, you are unable to assign other ports to other machines in your router.

Generic VNC programs do allow a range of ports and therefore do allow you to control multiple machines from outside the local network.

So anyone thinking of purchasing ARD to control your network from outside of your network should think hard about this. Maybe a generic and free VNC solution would actually work better than ARD for you.

Myself, I'm very disappointed in Apple for not providing either an ARD solution or an ARD workaround for such a common way network admins would want to use their product.

> The only out-of-the-box solution I am aware of is to set up VPN, which gives the controlling machine one of the available internal IP addresses, and (theoretically) it can communicate with the other machines as if it were on the network.
>
> However, I have not actually tried this myself (but am soon to be required to) so may have more details for you if desired.
>
> Ray.


Yes, you are the second person to suggest VPN as the way to make this work. I've wasted countless hours trying to figure this out. It seems that all the VPN information I could find just dealt with how to inter-connect Windows & Mac.

If you figure this out, please provide the details as you suggest. Thank-you.



(2) Mini 1.66 Ghz Duo Core • MacBook 1.83 Ghz Duo Core Mac OS X (10.4.8) (2) B & W G3/500 • Gigabit G4/1.6 Ghz Dual

Nov 13, 2006 6:31 AM in response to sparky67

You need to run VPN on your server in order to use ARD for your Macs in the same subnet. I assume there is a router running NAT and a private LAN is connected to this router, and this private LAN is where your server and other Macs sit.

Let me put some example IP addresses: server is 192.168.1.1, your private LAN subnet is then 192.168.1.0/24, and your WAN IP address is 10.1.1.1 (assuming this is a public network IP address).

In your router, you need to set Port Forwarding for UDP ports 500,1701,4500 from WAN to 192.168.1.1's UDP ports 500,1701,4500. You also need passthrough of L2TP & IPSec on the router.

On the server, configure VPN service as L2TP over IPSec and use MS-CHAPv2 for the PPP Authentication (I have some problem with Kerberos setting). You need to enter the Shared Secret passphrase as well. Remember to choose a range of IP address that does not clash with your addresses from your DHCP server. On the VPN Client Information tab, you need to fill the DNS and Search domains, and I designate 192.168.1.0/24 as Private Network Type.

Now, run Internet Connect from a Mac on a public network (assuming the ISP doesn't block ports 500,1701,4500). Select New VPN Configuration and choose L2TP over IPSec. Enter 10.1.1.1 (from above) as the Server IP address together with a valid username and password from the server plus the Shared Secret. Click on Connect and hopefully you should be able to see your private LAN...it works for me. Now run ARD as per normal.

Nov 13, 2006 9:49 AM in response to xmddmx

Hi!

I have started another thread ("connecting to DIFFERENT PCs/Macs behind the same router?") for exactly the same question.

Dave Sawyer suggested following this method:
http://docs.info.apple.com/article.html?artnum=300838

To put it short, this indicates that you can tell ARD to use a specific port (instead of 5900) to connect to a remote PC.

I'm going to give it a try.

regards

W

Nov 13, 2006 10:13 AM in response to Wolfgang Ty

Hi!

> I have started another thread ("connecting to DIFFERENT PCs/Macs behind the same router?") for exactly the same question.
>
> Dave Sawyer suggested following this method:
> http://docs.info.apple.com/article.html?artnum=300838
>
> To put it short, this indicates that you can tell ARD to use a specific port (instead of 5900) to connect to a remote PC.
>
> I'm going to give it a try.
>
> regards
>
> W


I'm not sure how that applies.

The generic VNC clients allow other ports to be specified for access. Therefore you can map any number of various sets of ports for each unique IP addresses through the router.

Apple Remote Desktop only allows ONE set of ports to be used. Therefore you can only map those ports to ONE unique IP address behind the router.

If you don't have ARD... Just install VNC clients on the PCs and Macs with different ports for each and you're all set.

However, if you have ARD and expect to be able to access different Macs from outside your local network, then you must come up with a different solution. Earlier today somebody described setting up VPN on a network server to grant outside ARD access to the various machines on the LAN. This is the only real solution anyone has suggested for using ARD outside the network with multiple Macs behind the firewall.

Nov 13, 2006 10:34 AM in response to Wolfgang Ty

> Well, the Apple Doc I provided the link for clearly states the opposite. It is for ARD 2.2, however I don't see any reason why it shouldn't work for ARD 3.
>
> It seems that you can force ARD 3 to use specific ports.
> Did you ever try that?
>
> W


That would be great if it worked with ARD as well as VNC but it doesn't.

This only applies to VNC clients, NOT other ARD clients.

The Apple Doc you linked states only the following:

> Remote Desktop 2: How to specify a port number for a VNC client
>
> Remote Desktop administration software, by default, uses port 5900 to communicate with a VNC server. Occasionally, it's necessary to add a VNC server that listens on another port. Here's how to use Remote Desktop to change the port number for a VNC client:
>
> 1. Add the VNC client to your list.
> 2. Select the VNC client, and Get Info for it.
> 3. Click the Edit button.
> 4. Edit the IP Address field to include the port number. For example, to change the number to port 5902, add it like this: 10.0.0.5:5902
> 5. Click Done to apply the changes.
>
> Note: This only works for the IP address. If you edit the DNS name, it will not have the same effect.
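The two situations discussed in this thread (the "add ONE to the ports" router setup that leaves only one Mac reachable, and the Apple doc's ip:port form for VNC clients) can be modelled in a few lines. This is an added example, not code from the thread or from Apple; the forwarding table, LAN addresses and the external address 203.0.113.10 are constructed for illustration.

```python
# Added example, not from the thread: a small model of the NAT situation above.
# It shows why forwarding 5901 -> 192.168.1.3:5901 reaches nothing (the agent
# listens on 5900), why ARD Admin, which always dials 5900, can reach only one
# NATed client, and how a VNC viewer given "external_ip:5902" (the ip:port
# form from the Apple doc) reaches a second Mac. All addresses are constructed.
from typing import Dict, Optional, Set, Tuple

ARD_CONTROL_PORT = 5900  # observe/control, VNC-compatible
ARD_REPORT_PORT = 3283   # reporting, software updates, other ARD features

# Router forwarding table: external port -> (LAN ip, LAN port).
# Mirrors the "add ONE to the ports" setup from the thread; entry 5901 is
# the mistake (the LAN port is bumped too), entry 5902 is the working form.
FORWARDS: Dict[int, Tuple[str, int]] = {
    5900: ("192.168.1.2", 5900),
    3283: ("192.168.1.2", 3283),
    5901: ("192.168.1.3", 5901),  # nothing listens on 5901 inside
    5902: ("192.168.1.4", 5900),  # external 5902 translated to LAN 5900
}
# Ports each LAN Mac with Remote Management enabled actually listens on.
LISTENING: Dict[str, Set[int]] = {
    "192.168.1.2": {5900, 3283},
    "192.168.1.3": {5900, 3283},
    "192.168.1.4": {5900, 3283},
}

def parse_target(target: str, default_port: int = ARD_CONTROL_PORT) -> Tuple[str, int]:
    """Parse the "ip" or "ip:port" form the Apple doc allows for VNC clients."""
    host, sep, port = target.rpartition(":")
    if not sep:
        return target, default_port
    return host, int(port)

def reach_through_nat(target: str) -> Optional[str]:
    """Return the LAN host that answers when a viewer dials target, else None."""
    _external_ip, ext_port = parse_target(target)
    if ext_port not in FORWARDS:
        return None  # no forward: the router drops the connection
    lan_ip, lan_port = FORWARDS[ext_port]
    if lan_port not in LISTENING.get(lan_ip, set()):
        return None  # forwarded, but nothing listens on that LAN port
    return lan_ip

def ard_reachable(external_ip: str) -> Optional[str]:
    """ARD Admin dials 5900 and needs 3283 forwarded to the same Mac; at most
    one LAN host can satisfy both, which is the one-client limit in the thread."""
    control_host = reach_through_nat(external_ip)  # always port 5900
    report_host = reach_through_nat(f"{external_ip}:{ARD_REPORT_PORT}")
    return control_host if control_host == report_host else None
```

With this table, `reach_through_nat("203.0.113.10:5902")` finds 192.168.1.4 for a VNC viewer, while `ard_reachable("203.0.113.10")` can only ever name 192.168.1.2.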

Nov 13, 2006 10:38 AM in response to Wolfgang Ty

> Well, the Apple Doc I provided the link for clearly states the opposite. It is for ARD 2.2, however I don't see any reason why it shouldn't work for ARD 3.
>
> It seems that you can force ARD 3 to use specific ports.
> Did you ever try that?
>
> W


Try this article:

http://docs.info.apple.com/article.html?artnum=106847

Noting the paragraph:

"When making any type of connection through NAT, it is usually only possible to direct (port map) a particular type of traffic to a single IP address on your private network. This means you may only be able to control a single NAT client when using Remote Desktop from a public IP address."

Nov 13, 2006 10:43 AM in response to sparky67

Hmmmmm

I think the doc itself is not entirely clear:

> "Occasionally, it's necessary to add a VNC server that listens on another port."


That's exactly what I'm trying to do. However I'm trying to connect to a PC (WinXP), not a Mac. This PC runs a VNC server, and I could set it up to listen on another port (e.g. 5901).

Maybe this solves my problem, but not yours...

regards

W
