Oh I do like to be beside the (VN)C-side

When: 2010-03-18 00:07:00
Mood: curious
Music: Another Invented Disease by Manic Street Preachers from Generation Terrorists

As any fanboi-fule know, since at least OSX Tiger (10·4), Apple has built LAN-based control of other macs into the OS. (In 10·4, it’s known as Apple Remote Access; in 10·5 upwards, it’s known as Screen Sharing.)

This week I’ve been exploring its abilities and limitations. It works just fine for controlling my other macs from SURGE, my main machine. It can even control my beat-up, second-hand PC laptop, on which I’ve installed TightVNC server. (I did try RealVNC – the original VNC software – but I couldn’t achieve connections.) This isn’t a surprise – ARA/SS is built on VNC.

Within my LAN, it just works, allowing me to have an ergonomic set-up with the laptops on shelves above my desk. But there is a caveat:

  • If PISMO is connected to my DVI monitor via PISMO’s extra videocard and my KVM device, the Screen Sharing display has an interesting hue, even though the external and internal displays are normal. (The displays aren’t mirrored, so I can make the most of the 20″ DVI monitor.)

I’m puzzled that the same doesn’t occur with HEXIE, who has an external VGA monitor to make up for her very small internal monitor.

If HEXIE is outside my LAN, thanks to BackToMyMac (and regardless of whether ‘official’ VNC port-forwarding is enabled on my router/firewall/ADSL modem), HEXIE can connect directly to SURGE’s volumes, allowing me to copy files back and forth. This means I don’t need to carry all my data with me: I can just grab what I need when I need it. Also, SURGE stays at home so he’s backed-up hourly to our TimeCapsule. Better, HEXIE is much lighter than SURGE, which saves my back.

Better still, so long as the ports used by VNC are forwarded by my router/firewall/ADSL modem to SURGE, Screen Sharing allows me to directly control SURGE. This means that HEXIE can tell SURGE to work on SURGE’s own files (which hence remain safely backed up), without risking having multiple versions of files on different computers. Also, although I’ve not tried it yet, I believe that SURGE could process files on volumes connected to HEXIE, thus relieving HEXIE’s less impressive processor, HD and RAM, without the files ever really leaving their homes.

If HEXIE is connected to the internet via my O2 mobile broadband dongle, only Screen Sharing is available. But that’s enough to allow me to email files to myself, so this slight lack isn’t an issue provided I copy the results back to SURGE.

If VNC port-forwarding is switched off, then HEXIE is restricted to BackToMyMac-enabled direct connections to SURGE’s volumes and files. (So, if VNC port-forwarding is switched off and HEXIE is connected to the internet via the O2 dongle, HEXIE has no remote access to SURGE.) I’ve not found a way to remotely access the router to switch on port-forwarding (or do anything else to the router, for that matter). This is a natural result of security, so I’m not worried. It’s just up to me to remember to switch on port-forwarding when needed.

However, what if my hostess and I both want remote control of our home machines? Accessing SURGE from my hostess’s PowerBook would then allow her to tell SURGE to BackToMyMac into her desktop machine across our LAN. But this means giving her unfettered access to my main machine and all my data. Good job I trust her! The other obvious limitation is that only one of us can have useful access at any time. Both local machines could observe SURGE but if my hostess is using SURGE to access her home machine, then the image of SURGE (on both local machines) will be completely occupied and we’d be fighting over control of a single cursor!

This also raises a serious question: how do real tech-support folk access multiple machines on a LAN behind a router/firewall, without changing the target of VNC port-forwarding on the router/firewall?

  • Leaving the security set-up open to outside manipulation seems wrong.
  • Relying on the presence of a drone within the LAN’s building seems equally fraught. Would you really want to encourage lusers to guddle with security software?
  • Even worse, what if the building containing the machines to be accessed is unstaffed?

Potential answers seem to be

  • a very secure tunnel to the accessees’ router/firewall, so that the inside-LAN end of the port-forwarding tunnel through the router/firewall can be securely changed from outside
  • multiple tunnels from accessees within the LAN, through the router/firewall, to the tech-support staff. After all, VNC works by VNC servers on the accessees serving monitor images and choosing to receive mouse-clicks and keyboard commands from VNC clients on the tech-support machines. If the accessees close the holes in their internal firewalls that allow VNC commands to reach them, the tech-support staff would be powerless, no matter what port-forwarding exists on the LAN router/firewall.
  • Or just maybe I should have realised something from my work’s firewall being a separate box from the ADSL box, sitting between the internet connection and the switches that connect our desktops to the outside world.
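One common form of the first answer, as an added example that is not part of the original post: a single SSH connection to a gateway carries a separate forward to each machine's VNC server, so the router only ever forwards the SSH port and its target never changes. SSH is the tunnel chosen here for illustration; the gateway address, the `.lan` host names and the function names are assumptions, and an SSH server reachable at the gateway is assumed.

```shell
#!/bin/sh
# Added example: build one ssh command that reaches several VNC servers on a
# LAN through a single gateway. Host names below are constructed samples.

VNC_PORT=5900          # default port a VNC server listens on
FIRST_LOCAL_PORT=5901  # local ports are handed out upwards from here

# vnc_tunnel_cmd GATEWAY HOST...
# Prints the ssh command line; each HOST gets its own local port.
vnc_tunnel_cmd() {
    [ $# -ge 2 ] || { echo "usage: vnc_tunnel_cmd GATEWAY HOST..." >&2; return 2; }
    gateway=$1; shift
    # -N: no remote shell, forwarding only.
    # ExitOnForwardFailure: fail loudly if any forward cannot be set up.
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    port=$FIRST_LOCAL_PORT
    for host in "$@"; do
        # Accept only plain host names or IPv4 addresses, so odd input
        # cannot alter the generated command line.
        case $host in
            ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;;
        esac
        # Bind each listener to loopback only, so other machines on the
        # support technician's network cannot use the tunnel.
        cmd="$cmd -L 127.0.0.1:$port:$host:$VNC_PORT"
        port=$((port + 1))
    done
    printf '%s %s\n' "$cmd" "$gateway"
}

# vnc_local_port INDEX: local port assigned to the INDEXth host (1-based).
vnc_local_port() {
    echo $((FIRST_LOCAL_PORT + $1 - 1))
}

# Constructed sample: three machines behind one gateway.
vnc_tunnel_cmd support@gateway.example surge.lan hexie.lan pismo.lan
```

With the tunnel up, a VNC client pointed at `localhost:5901` reaches the first host, `localhost:5902` the second, and so on.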

Comments gratefully received!

Also, my current system relies on the macs running OSX. I have a game that works best on native OS9 (hence on PISMO) and yet totally borks if PISMO connects to the big monitor, which would otherwise enhance game-play. I hope that an OS9-happy VNC server would get around this but I fear that VNC was developed on *nix, then ported to Windows while giving older OSes a body-swerve. More investigations to come.

