[Editor’s note: Since this article was published, Glenn Fleishman has written two interrelated books about Back to My Mac use and troubleshooting, and Screen Sharing in Leopard. The ebooks are $10 each and $15 for both of them. You can read excerpts and purchase the books for immediate download.]
If you’re a Mac OS X 10.5 Leopard user dying to use the new screen- and file-sharing service called Back to My Mac, Apple has released some new information that’s helped me get the service to work and may help you too. In brief, Back to My Mac requires a full .Mac account and connects through secure tunnels all the computers on which you have both entered your .Mac account information and turned on Back to My Mac in the .Mac preference pane. (You can read a full rundown of the service in an article I wrote for Macworld.)
Back to Which Mac? — I had difficulties getting Back to My Mac to function correctly. It first worked between two of my computers set up with Leopard; one computer was at home, the other at my office. The home computer could access the screen and files of my work machine, but not vice versa. I knew that a firewall might be in the way because of a Qwest-supplied DSL router that was problematic to configure. Back to My Mac requires either NAT-PMP (Network Address Translation Port Mapping Protocol) or UPnP (Universal Plug and Play) to open a static incoming port via which remote computers can connect.
(The router crashed whenever I attempted to connect to it via its Web interface, but I discovered that if I used a URL path (like /home.html), and not just the IP address of the router, I was able to configure it successfully. This is apparently a bug in the 2Wire DSL router that manifests itself for Mac users but not for other users.)
After a few days of using Leopard, I was unable to get Back to My Mac to work at all. Fellow TidBITS editor Jeff Carlson had the same experience. When 10.5.1 was released, my home machine could once again see my work machine but not vice versa. Jeff and I did some testing, and found strange problems. When we used the same .Mac account details at one of his computers and two of mine, one machine would show the other two computers in the Back to My Mac set, one would show none, and another would show just one. We were stymied.
However, after overcoming my Qwest DSL router problems, I was able to test information provided in a Knowledge Base article about Back to My Mac security. Apple notes that the service uses UDP over port 4500 and TCP over port 443. While I had already known that, I hadn’t tried to set up my DSL router’s firewall. (Apple also links from this note to a page I’d forgotten that describes all the ports its operating systems use for common and Apple-specific services. This is very helpful when configuring a firewall.)
Turning on Incoming Access for Two Ports — Because the router crashed when I was configuring it, I had disabled its Wi-Fi capabilities and attached an AirPort Express Base Station to an Ethernet port on the router. NAT-PMP was turned on for the AirPort Express, but that apparently didn’t enable the right kind of punch-through for Back to My Mac via the router.
I determined that the Qwest DSL router lacked UPnP, which is a shame, but it had some very fine-grained controls for enabling incoming access to specific services by name for computers on the local network. (It seems to pick up the Samba sharing name of those computers to identify them by IP address, even when the address changes; or I could assign a static private address, too. It’s a little complicated, but well implemented and explained in the router Web interface.)
I turned on incoming access for the two ports mentioned in the Apple tech note, and now Back to My Mac works as expected. If you’re in the same boat, it’s worth digging out the manual or calling technical support to figure out how to enter the port information you need to allow incoming access. Some devices don’t offer the level of control that my 2Wire DSL router has, and you would have to either open incoming access for all computers on given ports, or map those ports from the outside world to a particular computer on your privately addressed network.
Apple’s Lacunae in Security for Back to My Mac Documented — It’s worth mentioning that the Knowledge Base article I mentioned earlier briefly explains many of the security concerns that I raised in my Macworld article. Notably, Apple points out that Back to My Mac’s linchpin is your .Mac password. While the password is protected when you log into .Mac and Back to My Mac uses strongly encrypted tunnels, the password itself is the only key needed to enable this feature. Thus, if you have a weak password or one that can be easily guessed, other people could gain access to any Back to My Mac-enabled system, too. Picking a strong password provides a greater defense against a password being compromised through guessing or social engineering.
Apple suggests that you use the screen locking feature that’s available with the Leopard screen saver; that you use Keychain Access to enable a menu item that lets you manually lock the screen; that you disable automatic login for any user account with Leopard that has a .Mac account pre-filled in the .Mac preference pane; and that you consider the physical security of any Mac for which you’ve entered .Mac password information.
All of this is laughable, because Apple could have provided a simple assistant and/or a checkbox for Back to My Mac that would have guided you through picking a stronger .Mac password and turning on the various features it mentions. It’s not rocket science.
Apple’s note amounts to a statement like this: “Back to My Mac is very secure between locations and doesn’t disclose any private information; but the endpoints are very weak and we didn’t provide any help to you to make the endpoints stronger automatically.”
It’s a big admission, couched as advice.
Do you have experiences with Back to My Mac, for better or for worse? I’d like to hear them. If you can’t get it to work, I’d like to offer some advice. Contact me at [email protected]. I’m working on a book on the subject of remote access, and learning more about Back to My Mac problems will help me better help others in the book.