Troubleshooting Back to My Mac

When Leopard’s Back to My Mac feature was first announced, it sounded great: A simple way to connect two Macs over the Internet to securely share screens and exchange files. Would that it worked so simply in real life.

Sometimes, Back to My Mac really does work the way Apple says it should: you enable Back to My Mac on the two Macs you want to connect, the connection works seamlessly, and you see the other systems in the Finder’s sidebar under the Shared section. But frequently, getting the service to function can be maddening. In some cases, it won’t work—no matter what you try.

What You Need

Part of the problem is that Back to My Mac (BtMM, for short) has four critical requirements; if any one of them is missing, it won’t work.

First, BtMM requires that your router have its own publicly reachable IP address. This turns out to be one of the hardest requirements to meet.

A publicly accessible IP address is one that any computer on the Internet can reach, not just machines within a local area network (LAN). Unfortunately, many Internet service providers (ISPs) assign only private addresses. Computers using private addresses can make requests to the larger world, such as a Web browser requesting a Web page, but they’re generally unreachable from the outside in—just as if they were behind a firewall. This keeps interlopers from easily accessing your computers, but you’re also blocked when you want to reach your machines remotely.

Finding out whether or not your router has a publicly reachable IP address can be tricky. If your ISP assigned you an address for your router that must be entered manually, and it doesn’t start with 10, 192, or 174, it’s likely a public IP address. If your router’s address is assigned by DHCP, launch AirPort Utility, select your router, click Manual Setup, and then click on the Internet icon to find the address assigned next to IP Address; again, if it doesn’t start with 10, 192, or 174, it’s probably public.

Failing those two steps, the only reliable way to find out is to check with your ISP. If you don’t have a publicly reachable IP address, you can request one. Some ISPs will provide such an address for free; others charge for it.

If your computer has its own publicly reachable IP address, your router doesn’t factor into the equation, and BtMM will work just fine.

The second requirement is automatic port mapping. Ports are like individually numbered cubbyholes within an IP address assigned to a computer or other device, such as your router. (A port is to an IP address as an apartment number is to an apartment building.) Back to My Mac needs to be able to ask your router to open up a port on the router’s public IP address side. The BtMM system on one computer passes those port numbers via MobileMe to any other BtMM system so that any two BtMM-enabled computers using your MobileMe account can communicate with each other.

Automatic port mapping comes in two forms. Network Address Translation-Port Mapping Protocol (NAT-PMP) is found only in Apple AirPort base stations released in 2003 or later. It’s enabled by default. To check if it’s turned on, fire up AirPort Utility (Applications:Utilities), select your base station, and click on the Manual Setup button at the bottom. Click on the Internet button, and select the NAT tab. Enable NAT Port Mapping Protocol should be checked. If it isn’t, check it and then click on Update in the lower right. (Clicking on Update restarts the router, disconnecting all users for up to a minute.)
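The request a computer sends to the router to open a port can be shown at the wire level. This added example (not from the article and not Apple's code) encodes and decodes NAT-PMP messages in the layout defined by RFC 6886; the function names, port 5900, and the sample replies are constructed for illustration.

```python
import socket
import struct

NATPMP_PORT = 5351  # UDP port the gateway listens on (RFC 6886)
RESULTS = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
           3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def external_address_request():
    """Opcode 0: ask the gateway for its external IPv4 address."""
    return struct.pack("!BB", 0, 0)


def map_request(internal_port, external_port=0, lifetime=3600, tcp=False):
    """Opcode 1 (UDP) or 2 (TCP): request a mapping; lifetime 0 deletes it."""
    for port in (internal_port, external_port):
        if not 0 <= port <= 0xFFFF:
            raise ValueError("port out of range")
    return struct.pack("!BBHHHI", 0, 2 if tcp else 1, 0,
                       internal_port, external_port, lifetime)


def parse_response(data):
    """Decode a gateway reply into a dict; raise ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("truncated NAT-PMP response")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0 or opcode < 128:
        raise ValueError("not a NAT-PMP response")
    reply = {"opcode": opcode - 128, "epoch": epoch,
             "result": RESULTS.get(result, "unknown")}
    if result != 0:
        return reply  # error replies carry no usable address or ports
    if opcode == 128 and len(data) >= 12:
        reply["external_ip"] = socket.inet_ntoa(data[8:12])
    elif opcode in (129, 130) and len(data) >= 16:
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        reply.update(internal_port=internal, external_port=external,
                     lifetime=lifetime)
    else:
        raise ValueError("unexpected opcode or length")
    return reply


# Constructed replies (not captured traffic): a gateway that granted external
# port 49152 for internal port 5900, and one with port mapping switched off.
GRANTED = struct.pack("!BBHIHHI", 0, 129, 0, 1200, 5900, 49152, 3600)
REFUSED = struct.pack("!BBHIHHI", 0, 129, 2, 1200, 5900, 0, 0)
```

A "not authorized/refused" result is what RFC 6886 specifies for a gateway that supports mapping but has the feature turned off, which is the state the AirPort Utility checkbox controls.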

Enable NAT Port Mapping
To see if Network Address Translation-Port Mapping Protocol is turned on, check the AirPort Utility's Manual Setup.

The other, more widely used form of automatic port mapping is called Universal Plug and Play (UPnP). This standard is used for a variety of purposes to allow multimedia and gaming across networks. One part of it handles automatic port mapping, and Back to My Mac works just fine with it. (The only difference? Apple says that if you’re using UPnP, updates about which BtMM-enabled Macs are available can take up to 15 minutes; they’re nearly instant with NAT-PMP.)

UPnP is found in nearly all broadband gateways (with or without built-in Wi-Fi) from vendors including D-Link, Linksys, and NetGear. Because of security concerns, UPnP isn’t always turned on out of the box. (UPnP can make it easier for outside parties to peer into your network, so router makers may want you to choose that option explicitly.)

The way you enable UPnP varies widely by router. Typically, you’ll enter an IP address into your browser to connect to the router’s built-in configuration tool. Once you do, search for advanced or multimedia options. With nearly all of Linksys’s routers, for instance, you select the Administration tab, choose the Management tab beneath it, and select Enable next to the UPnP label; you then click Save Settings to restart the router with UPnP turned on.

Many routers—most notably those made by 2Wire, which provides broadband modem/routers to telephone companies, including Qwest—don’t support UPnP, usually because of telco security concerns.

To find out whether your router supports either NAT-PMP or UPnP, select the Back to My Mac tab in the MobileMe system preference pane. It should provide you with feedback as to whether Leopard can properly get what it needs from your particular router. If you see an error about NAT-PMP or UPnP after turning on Back to My Mac, check your router’s manual.

You might see an error about “double NAT”: That means your router is issuing private addresses for the Macs on your network, but it’s plugged into another router (typically your broadband modem) that is also providing private addresses. If that’s the case, you must enable bridge mode on the router to which the computer is directly connected. (For AirPort base stations, that’s set via AirPort Utility in the Internet view’s Internet Connection tab. Set Connection Sharing to Off [Bridge Mode].)
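The public-address requirement and the double-NAT case both come down to which address block each device sits in. This added example (not from the article) classifies the Mac's address and the router's WAN-side address against the exact reserved ranges in RFC 1918 and RFC 6598 instead of checking only the first number; the function names and verdict labels are hypothetical.

```python
import ipaddress

# Address blocks that cannot be reached from the public Internet.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
    "link-local (no DHCP lease)": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}


def classify(address):
    """Return the name of the non-public block holding address, or 'public'."""
    ip = ipaddress.IPv4Address(address)
    for label, blocks in NON_PUBLIC.items():
        if any(ip in ipaddress.IPv4Network(block) for block in blocks):
            return label
    return "public"


def diagnose(mac_address, router_wan_address=None):
    """Return (verdict, detail) for the Mac's address and the router's WAN address."""
    mac_kind = classify(mac_address)
    if mac_kind == "public":
        return ("direct", "the Mac has a public address; the router is not a factor")
    if router_wan_address is None:
        return ("unknown", f"Mac is {mac_kind}; router WAN address needed")
    wan_kind = classify(router_wan_address)
    if wan_kind == "public":
        return ("single-nat", "router needs NAT-PMP or UPnP enabled")
    # The router's own upstream address is also translated by another device.
    return ("double-nat", f"router WAN address is {wan_kind}")


if __name__ == "__main__":
    # Constructed sample addresses (documentation and private ranges only).
    for mac, wan in [("192.168.1.20", "203.0.113.7"),
                     ("10.0.1.5", "192.168.0.2"),
                     ("10.0.1.5", "100.64.3.9")]:
        print(mac, wan, diagnose(mac, wan))
```

Only 172.16.0.0 through 172.31.255.255 and 192.168.x.x are private within the 172 and 192 ranges, so an address such as 172.15.0.1 classifies as public here.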

The third requirement for BtMM is Leopard itself. Using 10.5.4 or later is the best choice, as Apple continues to add troubleshooting advice and improve the service’s reliability. If you’re using Leopard on some computers and Tiger, Panther, or even Windows on others, there are other ways to connect them (see “BtMM Alternatives” below).

Finally, BtMM requires a MobileMe account. BtMM combines many different Internet standards—including IPv6, Kerberos, IPsec, Bonjour, wide-area Bonjour, dynamic DNS, and NAT-PMP/UPnP. Because of that, Apple needed a place to stash some numbers and other information about each computer that you control. MobileMe is that place.

Mobile Mac preference pane
This tab in the MobileMe system preference pane tells you whether or not Back to My Mac is working.

For example, when you sign into MobileMe via the system preference pane, and have Back to My Mac turned on, Leopard asks the router for those port numbers behind the scenes, then passes that information on to MobileMe.

MobileMe also updates DNS records (the service that turns human-readable domain names into computer-readable numeric IP addresses), allowing each computer logged into the same MobileMe account to access what it needs to connect with any of the others.

You need a full MobileMe account to use Back to My Mac: either an individual account, or an account that’s part of a family pack. The cheaper email-only add-on account won’t work.

If you don’t meet all four of these requirements, Back to My Mac simply isn’t an option for you. When I first started testing BtMM in fall 2007, I was able to get BtMM to work using manual port mapping—in which I assigned fixed ports to BtMM. But that didn’t work consistently, Apple doesn’t support it, and I’ve been unable to get it working in 2008.

Note that BtMM is asymmetrical: if computer A is connected to a network that meets the Back to My Mac specs, and computer B is not, B can still connect to A; the reverse is not true.

BtMM Alternatives

Fortunately, Back to My Mac isn’t the only way to connect to remote computers. I regularly use two alternatives: Timbuktu Pro combined with Skype; and LogMeIn Free for Mac. Both methods typically work on private networks that BtMM can’t handle.

Timbuktu Pro is a venerable program that I once regularly used to connect from an Apple Portable over 1200 bps dial-up to a Mac server. Paired with Skype, its remote screen control, file exchange, and other features can be tunneled to otherwise unreachable computers.

Once you set up a free Skype account, download, install, and launch the software, and log in, Timbuktu Pro adds an additional tab in its New Connection window that shows Skype contacts, noting which have Timbuktu support for Skype turned on. You can then select a contact in that list and connect with a legitimate Timbuktu account. (Timbuktu allows both Timbuktu-only accounts for login, as well as accounts that rely on OS X. For Skype, you must have a Timbuktu-only account set up.)

Timbuktu-Skype connection
The Skype tab in Timbuktu Pro appears when Incoming Skype Access is activated. All online buddies are shown at the top, with a Yes next to those who have Timbuktu access turned on.

This method generally works reliably anywhere you can make and receive Skype calls or instant messages. The downside? You need a copy of Timbuktu Pro for each computer; a starter pack of two licenses costs $179.95.

That price tag is part of the reason I recommend LogMeIn Free for Mac for home users and small businesses. As the name implies, you can set up an account at no cost.

You download and install a small software package for each machine you want to remotely control. You can then use the company’s Web site (Safari and Firefox are both supported) to access remote machines. You can control both Mac and Windows computers that have LogMeIn installed. The company announced a beta test in October of iPhone and iPod touch software, called Ignition, that would work with Mac OS X and Windows LogMeIn clients, too.

Base Stations

Recently Apple updated its AirPort Extreme Base Station and Time Capsule hardware so that you can remotely access them via MobileMe. A firmware upgrade released around the same time extended this feature to all 802.11n AirPort Extreme and Time Capsule base stations. That firmware update also enables you to remotely configure these base stations via AirPort Utility over Back to My Mac. Remote configuration works with any 802.11n AirPort Express base station, too.

These connections work one way: you can reach drives attached to or built into these base stations via Back to My Mac, but you can't connect to computers attached to those base stations; for that, you'll need to follow the instructions above.

Glenn Fleishman is author of the e-book Take Control of Back to My Mac (TidBITS Publishing, 2008) and a frequent contributor to Macworld.
