The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Remote Management caveats? (http://hintsforums.macworld.com/showthread.php?t=146894)

acme 03-31-2012 07:42 PM

Remote Management caveats?
 
I have a Mac Pro and a MacBook Pro and I'd like to be able to use Remote Management/remote desktop to control the Mac Pro from the MacBook Pro whilst in the other room watchin' videos, or at the library working.

Are there any dangers or pitfalls to using Remote Management? At home, I'll be using our wireless network on the MBPro end, to access my Mac Pro, whose connection to our router is ethernet wire-based.

Are there security risks to doing this over our wireless network, or doing so when I'm at the library?

thanks for any thoughts..


a

agentx 04-01-2012 10:00 AM

Just use built in Screen Sharing rather than remote management.

As such, on a local network, if the Wi-Fi is a secured network then there is very low risk of doing this. You have to authenticate to connect using Screen Sharing or Remote Management.

I never advise opening up port 5900 to the world!

agentx 04-01-2012 10:02 AM

You can always look at something like LogMeIn free if you want access to your machine when away from home/network. It takes the pain out of all the secure configuration etc.

NovaScotian 04-01-2012 10:05 AM

ShareTool is not free, but it makes available all the other machine's Bonjour services; screen sharing and the iTunes library being the most useful. It is secure and will work securely from the WAN.

acme 04-01-2012 01:44 PM

Quote:

Originally Posted by agentx (Post 675284)
Just use built in Screen Sharing rather than remote management.

As such, on a local network, if the Wi-Fi is a secured network then there is very low risk of doing this. You have to authenticate to connect using Screen Sharing or Remote Management.

I never advise opening up port 5900 to the world!


5900 being remote management?


a

NovaScotian 04-01-2012 02:00 PM

5900 being VNC in general. Remote Management works over VNC.

acme 04-01-2012 02:51 PM

ok, but with respect to agentx's comments...

Quote:

Just use built in Screen Sharing rather than remote management.

As such, on a local network, if the Wi-Fi is a secured network then there is very low risk of doing this. You have to authenticate to connect using Screen Sharing or Remote Management.

I never advise opening up port 5900 to the world!

Where is the low risk if screen sharing is used... I'm probably not interpreting this correctly.

thanks!

a

NovaScotian 04-01-2012 03:07 PM

Quote:

Originally Posted by acme (Post 675306)
ok, but with respect to agentx's comments...

where is the low risk if screen sharing is used...I'm probably not interpreting this correctly.

thanks!

a

On the Apple web site under Screen Sharing, it says:

Quote:


If you know the IP address or the DNS name of the computer you want to share, you can also connect to it by choosing Go > “Connect to Server” in the Finder, and then entering vnc://[IPAddress] or vnc://[Name.Domain] in the Server Address field. To find the address or local name of the computer, open Sharing preferences and select Screen Sharing. The address or name is displayed in the window to the right.

The trick arises if the target computer (the server of the screen share) is not an exposed host -- i.e., not NATed behind a router. If it is, then you do have to open a port on the router and port forward to the internal machine.

acme 04-01-2012 03:36 PM

OK.. hate to appear dense but there's something I'm not getting here... I enable screen sharing on the Mac whose screen I want to appear on the MBP. I see that Mac's name in the sidebar of the MBP. So far, all makes sense.

However, MBP can't pull up the Mac Pro screen, plus, port 5900 is open on the Mac Pro.

I do have a firewall enabled on router and on each mac. Not sure if that's helping or harming the process...

Am I close to getting this, or way off?

thank you,

a

NovaScotian 04-01-2012 03:53 PM

Quote:

Originally Posted by acme (Post 675312)
OK..hate to appear dense but there's something I'm not getting here...I enable screen sharing on the mac whose screen I want to appear on the MBP. I see that mac's name in the side bar of the MBP. so far, all makes sense.

However, MBP can't pull up the Mac Pro screen, plus, port 5900 is open on the Mac Pro.

I do have a firewall enabled on router and on each mac. Not sure if that's helping or harming the process...

Am I close to getting this, or way off?

thank you,

a

Let's differentiate between screen sharing on a LAN and screen sharing from the WAN (outside your router).

From inside the LAN, start Screen Sharing on the client (laptop) and enter the internal IP Address of the iMac. In the next dialog, enter the username (on the iMac, not the laptop) and password there. Done. A window should open showing the iMac screen. Does that work?

acme 04-01-2012 04:00 PM

it does not...MBPro throws out a warning telling me to turn on Screen sharing (It is turned on for both machines).

I never get asked the user/pass of the host, either.
weird...

a

NovaScotian 04-01-2012 04:43 PM

What are the systems involved? My MBP is Snow Leopard and the iMac is Lion. Screen sharing works in both directions. I do not have any ports open except those set by the Sharing System Pref. I'm running an Airport Extreme router.

acme 04-01-2012 04:59 PM

Quote:

Originally Posted by NovaScotian (Post 675326)
What are the systems involved? My MBP is Snow Leopard and the iMac is Lion. Screen sharing works in both directions. I do not have any ports open except those set by the Sharing System Pref. I'm running an Airport Extreme router.

Computer to be shared: 2009 Mac Pro desktop, with hardwired Ethernet connection to wireless router. Lion.

Client computer: 2010 MacBook Pro, with AirPort connection to internet/router. Snow Leopard.

thank you,

a

NovaScotian 04-01-2012 05:35 PM

Quote:

Originally Posted by acme (Post 675329)
Computer to be shared: 2009 Mac Pro desktop, with hardwired Ethernet connection to wireless router. Lion.

Client computer: 2010 MacBook Pro, with AirPort connection to internet/router. Snow Leopard.

thank you,

a

Screen Sharing checked in the Sharing Pref Pane on both machines, right?

DeltaMac 04-01-2012 06:07 PM

Quote:

Originally Posted by acme (Post 675312)
...
I do have a firewall enabled on router and on each mac. Not sure if that's helping or harming the process...
...

Try with firewall off?

acme 04-01-2012 07:08 PM

Quote:

Originally Posted by NovaScotian (Post 675334)
Screen Sharing checked in the Sharing Pref Pane on both machines, right?

Yes.


a

acme 04-01-2012 08:04 PM

Quote:

Originally Posted by DeltaMac (Post 675337)
Try with firewall off?

No, didn't try that, but wouldn't that leave me vulnerable to things firewalls are supposed to protect against?

a

DeltaMac 04-01-2012 08:18 PM

Sure, but you would also find out if that's stopping your screen sharing (or makes no difference).
Could be that you have your firewall settings too restrictive.
If turning off your firewall helps, then someone here can likely help you set that up, so you are still protected, but you can work the way you want....

acme 04-01-2012 08:28 PM

Ah...I see....I do set up my OS X firewall to include "Block all incoming" and "Enable Stealth mode."

I will try with firewall off, but wanted to include that bit of information to the discussion before I do.

a

acme 04-01-2012 09:06 PM

OK, then...with firewall off on both machines, I was able to pull up each machine on the other. Which shows that the connection can be made.

One thing that caught my eye: the Mac Pro, once pulled up on the MBPro, made me sign into a User..Mac Pro is Lion. MBPro didn't ask for a user. MBPro is Snow...

So, is there a way I can get this connection, AND be secure?

thank you,

a

acme 04-04-2012 09:51 PM

Quote:

Originally Posted by DeltaMac (Post 675347)
Sure, but you would also find out if that's stopping your screen sharing (or makes no difference).
Could be that you have your firewall settings too restrictive.
If turning off your firewall helps, then someone here can likely help you set that up, so you are still protected, but you can work the way you want....

Can I kindly prevail upon a knowledgeable person here to help me learn how to set this up while maintaining security?

Thank you!

a

DeltaMac 04-04-2012 10:04 PM

Maybe this thread will help?
Looks similar to your situation.
https://discussions.apple.com/thread...art=0&tstart=0

acme.mail.order 04-05-2012 12:28 AM

Quote:

Originally Posted by acme (Post 675209)
At home, I'll be using our wireless network

Assuming this is your wireless network, this means that you have a router*, and there is no point in having both a router and a firewall - the router is actually better. So unless you are expecting to be hacked from inside your house you can turn the firewalls off.

* Do all of your computers' IP addresses begin with 192.168?

NaOH 04-05-2012 01:16 AM

Quote:

Originally Posted by acme.mail.order (Post 675811)
Assuming this is your wireless network, this means that you have a router*, and there is no point in having both a router and a firewall - the router is actually better.

May I interrupt for a more detailed explanation of this? I would have thought a secured router along with the built-in OS X firewall would be a good combination, and you seem to be saying that's not a better setup than a secured at-home router.

NovaScotian 04-05-2012 12:05 PM

Quote:

Originally Posted by NaOH (Post 675820)
May I interrupt for a more detailed explanation of this? I would have thought a secured router along with the built-in OS X firewall would be a good combination, and you seem to be saying that's not a better setup than a secured at-home router.

As I understand it, NaOH, the machines within a LAN are protected from fiddling by the router's network address translation (NAT) from the exposed router address to private addresses in the ranges 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255, with the first and last of these being the most commonly used. These are not routable on the WAN, whose routers will reject them. What that means is that these internal addresses cannot be reached except by the router and other machines inside the router. So how does stuff reach you? You initiate the transaction, say a URL of a web site, and the router remembers that and redirects the response to the machine that originated the request. You can only get viruses, trojans, etc. by doing something to content that came to you as part of a request -- opening an attached file, running a JavaScript, etc. VNC, one way or another, sets up a listening port on the router that is then passed to the machine that set it up. NAT is inherently safe because your machines are not "exposed" to the Internet.

NaOH 04-05-2012 02:04 PM

Thanks, NovaScotian. Makes sense, especially since I was improperly interpreting "wireless network," which acme.mail.order said, as "wireless Internet connection."

acme 04-05-2012 02:19 PM

Let me clarify my set up...I have a wireless router which also has 4 hard wire ethernet ports.

My Mac Pro Desktop is connected via Cat 5 cable to one of these ethernet ports.

The Mac BOOK Pro notebook hooks to the internet via wireless when I'm in the other room watching movies and wanting to operate the Mac Pro Desktop remotely.

If you already understood that, please never mind...

;-)

a

NovaScotian 04-05-2012 02:34 PM

Quote:

Originally Posted by acme (Post 675972)
Let me clarify my set up...I have a wireless router which also has 4 hard wire ethernet ports.

My Mac Pro Desktop is connected via Cat 5 cable to one of these ethernet ports.

The Mac BOOK Pro notebook hooks to the internet via wireless when I'm in the other room watching movies and wanting to operate the Mac Pro Desktop remotely.

If you already understood that, please never mind...

;-)

a

Assuming that you're using WPA2 for your wireless security, it doesn't really matter how the machines are connected to the router -- if they're inside it, they're safe except for things you do yourself (like run a downloaded java program, for example). This is not to say that your own apps can't be sending stuff "home" that you'd rather not share, but nothing can infect your machine unless you permit it.

acme 04-05-2012 02:36 PM

I am using WPA2, but how do you mean "inside it?"

do you mean that the machines are inside of WPA2 protection?

NovaScotian 04-05-2012 02:53 PM

Quote:

Originally Posted by acme (Post 675976)
I am using WPA2, but how do you mean "inside it?"

do you mean that the machines are inside of WPA2 protection?

Yep. The key item is this: your router should be the only connection to your service provider in your LAN, so that every device within your system -- iPad, iPod Touch, laptop or desktop -- connects to the Internet through the router by wire or Wi-Fi, but not otherwise. This is true even if you have, for instance, two AirPorts. One should connect to the Internet and the other should be set up as a bridge.

acme 04-05-2012 02:58 PM

Yes, that describes how our computers get on the internet..

So, as that is the case, I can feel safe about using remote management and screen sharing?
What about the warning against having port 5900 open ever?

NovaScotian 04-05-2012 03:12 PM

Quote:

Originally Posted by acme (Post 675978)
Yes, that describes how our computers get on the internet..

So, as that is the case, I can feel safe about using remote management and screen sharing?
What about the warning against having port 5900 open ever?

I use ShareTool to connect to my iMac from my MBP when I'm outside my LAN (just Screen Sharing by itself when I'm inside via a local address -- I've set up my AirPort so both of my machines have fixed internal addresses). I don't know about Mac's remote management, but to do it in any way you need a server (normally running as a daemon) for it running on the machine to be reached and at least in ShareTool, it doesn't use port 5900. In your case, I don't know. If you want to use Screen Sharing by itself, then you do need to expose the host. I don't recommend that.

trevor 04-05-2012 04:26 PM

Quote:

Originally Posted by acme (Post 675978)
So, as that is the case, I can feel safe about using remote management and screen sharing?
What about the warning against having port 5900 open ever?

NAT (in your home router) stops connections that are initiated from outside of your local network from getting to computers that are inside your local network. So if you have NAT (which you do) and don't poke any holes in it, there's no easy way for someone with a VNC client outside of your local network to connect to your VNC server listening on port 5900. Even when that someone with a VNC client outside of your local network is actually you, and you WANT to connect to the VNC server listening on port 5900.

To actually use VNC from outside your local network to connect to a computer inside your local network, you will have to open holes in the protection offered by NAT. Specifically, this is sometimes done by port forwarding connections to a specific port on the external interface of your router (say, port 5900 for VNC Display number 0) from your router to the computer that you have listening on that port.

That lets you, when you're outside of your LAN, connect via VNC to a computer inside your LAN. However it simultaneously lets anyone else connect to the VNC port on the computer inside of your LAN.

VNC is not a very secure connection, which is why forwarding port 5900 from your router to the computer running VNC server is kinda scary.

That all was general explanation. Now to your specifics...if I'm interpreting you correctly, both the VNC client and the VNC server machines are inside of the same local network. Is that right? It doesn't really matter if they connect over ethernet or WiFi, they're both connected to the same router and they're both inside of the network. So you don't need to set up port forwarding--and don't do it if you don't need to. As mentioned, VNC is insecure. So keep it inside the walled garden of your internal network, keep your wireless security good by using WPA2 on your WiFi so you can't be cracked by someone parked in front of your home or office, and you should (generally) be safe.

Trevor

acme 04-06-2012 12:17 AM

Quote:

Originally Posted by trevor (Post 675988)
That all was general explanation. Now to your specifics...if I'm interpreting you correctly, both the VNC client and the VNC server machines are inside of the same local network. Is that right?

Yes, that is absolutely right.


Quote:

It doesn't really matter if they connect over ethernet or WiFi, they're both connected to the same router and they're both inside of the network. So you don't need to set up port forwarding--and don't do it if you don't need to.

Roger that.. don't need to.. don't want to.. won't.

Quote:

As mentioned, VNC is insecure. So keep it inside the walled garden of your internal network, keep your wireless security good by using WPA2 on your WiFi so you can't be cracked by someone parked in front of your home or office, and you should (generally) be safe.

I am using WPA2, a decent password (I will probably make it tougher) and router firewall on. Now.. "generally" safe... is this providing that I am not careless, or assuming some genius hacker lookin' for kicks doesn't put his or her sights on my Macs?

thank you!

a

trevor 04-06-2012 11:05 AM

Quote:

Originally Posted by acme
I am using WPA2, a decent password, (I will probably make it tougher) and router firewall on. Now.."generally" safe...is this, providing that I am not careless, or assuming some genius hacker lookin for kicks doesn't put his or her sights on my Macs?

Yeah, that's right. Make sure that you don't have "Remote Management" switched on for your router, too. If you have Port Forwarding set up in the router for some more secure protocol, like ssh, make sure that the computer that the port forwarding is pointed at has its firewall on and has all good strong passwords.

Trevor
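An added example (not from the thread or from any poster) that puts trevor's two points together: VNC on 5900 should never be forwarded at the router, but forwarding ssh instead is acceptable, and Screen Sharing can then ride inside the ssh session. The script builds an ssh local port forward from the laptop's loopback to port 5900 on the Mac running Screen Sharing, and the `vnc://` address Screen Sharing should be pointed at afterwards. Assumed, not from the thread: the router forwards one ssh port to the Mac Pro (which has Remote Login enabled), the placeholder public name home.example.net for the router, the account name acme, and local port 5901. Binding the forward to 127.0.0.1 means only the laptop itself can use the tunnel; nothing on the library Wi-Fi can reach 5900 through it.

```shell
#!/bin/sh
# Added example, not from the thread. Carry Screen Sharing (VNC, TCP 5900)
# inside an ssh session instead of forwarding 5900 at the router.
# Assumptions (placeholders): router forwards an ssh port to the Mac Pro,
# public name home.example.net, account acme, laptop-side port 5901.

# Accept only a decimal TCP port in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# Build the ssh command: -N runs no remote shell, -L binds LOCAL_PORT on the
# laptop's loopback and forwards it to 127.0.0.1:5900 as seen by the sshd on
# the Mac Pro, i.e. its own Screen Sharing listener. The optional fourth
# argument is the ssh port the router forwards (default 22).
build_tunnel_cmd() {
    local_port=$1
    ssh_user=$2
    ssh_host=$3
    ssh_port=${4:-22}
    valid_port "$local_port" || return 1
    valid_port "$ssh_port" || return 1
    printf 'ssh -N -p %s -L 127.0.0.1:%s:127.0.0.1:5900 %s@%s' \
        "$ssh_port" "$local_port" "$ssh_user" "$ssh_host"
}

# The address to give Screen Sharing once the tunnel is up: the loopback end.
screen_sharing_url() {
    valid_port "$1" || return 1
    printf 'vnc://127.0.0.1:%s' "$1"
}

# Run with the single argument "run" to actually start the tunnel and hand the
# vnc:// URL to Screen Sharing (macOS 'open'); with no argument it only prints
# the commands so it can be inspected or sourced.
if [ "${1:-}" = "run" ]; then
    cmd=$(build_tunnel_cmd 5901 acme home.example.net) || exit 1
    echo "Starting: $cmd"
    $cmd &
    sleep 2                          # give ssh a moment to bring the forward up
    open "$(screen_sharing_url 5901)"
    wait                             # keep the tunnel until ssh exits
else
    echo "Tunnel command:  $(build_tunnel_cmd 5901 acme home.example.net)"
    echo "Then connect to: $(screen_sharing_url 5901)"
fi
```

On the Mac Pro side this still needs the firewall exception that Screen Sharing itself adds, but the only router rule is the ssh one, so the exposure trevor describes (anyone on the Internet reaching 5900) never exists; the VNC traffic is also encrypted by ssh, which addresses his "VNC is not a very secure connection" point for the leg that crosses the WAN.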


Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.