How to remotely access a Mac behind a corporate firewall

Accessing your Mac remotely isn’t really that difficult, if it weren’t for your resident IT-Department. You could simply open System Preferences / Sharing, enable ARD (Apple Remote Desktop) and check the VNC viewer checkbox. By doing so, your Mac starts listing on port 5900 and you could access it via any VNC viewer, like Chicken of the VNC (for the Mac), or RealVnc, or TightVnc (on Windows).

VNC is one of the very few – if not the only – cross platform solutions, allowing to access a Mac from a Windows box or vice versa. However, opening a server port is usually unacceptable and not tolerated by your IT folks – for a good reason, I might add.

OSXvnc to the rescue

Fortunately, there is the OSXvnc open source project, while providing only a subset of Apple’s ARD, it has the nice feature, allowing the server to make the initial communication request.
Usually, you open port 5900 on the machine you would like to remotely control. That machine starts to listen for request from a vncviewer, on the predefined port. In this case, like with almost all clients, the viewer initiates the communication.
OSXvnc allows you to enter an IP address and by clicking the Add button, let the vnc server call the client (the vncviewer). Obviously, to make this work, the vncviewer would have been started in listening mode on the machine with the given IP.

 

Now, there is a little problem that still needs to be resolved: OSXvnc needs user interaction (clicking the add button), to make it initiate the connection. A really short shell script installed as a daemon however helps us to work around this issue.
To make it clear how this all works, lets create a common scenario:
A PowerMac G5 that we want to remotely control is located in the office, behind a tight corporate firewall.
A laptop we want to use as the controlling machine, runs OS X with Chicken of the VNC installed, or Windows with a VNC Viewer.

Lets start on the server-side by installing OSXvnc on the G5.
The next things we need to do is find a port that is open for outbound traffic. Some companies have all ports above 1024 open for outbound, outhers are more restrictive. However, usually there are some ports left open. E.g., if you can browse the Internet, port 80 is open for outbound traffic. To continue with our common scenario, let’s assume port 8200 would be open for outbound traffic.

The remaining part of the information-gathering phase is to find out about your IP address at home. This IP and the outbound port will have to be configured in this shell script:

The script simply checks if there is currently an established connection on the predefined port, in which case it would do nothing. If there isn’t a connection going, it first kills any previously started OSXvnc processes and then trys to initiate a connection on the predefined port to the predefined IP address.

We install the script in a place like /Library/SysScripts on the G5 and don’t want to forget to give it execute rights.
The last thing that remains to be done on the server, is to deploy this script as a daemon and make it execute frequently. Tools like lingon are great for doing this. Here is the descriptor I ended up with in /Library/LaunchDaemons, which polls for a client every 15 seconds.

Find out more about launchd, what it does and where to deploy the descriptors here: http://developer.apple.com/macosx/launchd.html

After this is done, OSXvnc trys to call your home IP address on the defined port every couple of seconds. All what is left to do now is forward the request from your Router at home to your laptop and start your vncviewer in listing mode.

How to forward a port (8200 in our example) to your Laptop, depends pretty much on your router. In any case, since OSXvnc sends the connection request, we need to make sure the calls arrive at machine running the vncviewer. Last thing left is starting the vncviewer. Windows folks do this via the command line, like
vncviewer -listen 8200

Mac users using Chicken for the VNC, use the GUI.

No later than 15 seconds after starting the viewer in listening mode, you will look at your office-computer’s screen …

 

 

Leave a Reply