When Leopard’s Back to My Mac feature was first announced, it sounded great: A simple way to connect two Macs over the Internet to securely share screens and exchange files. Would that it worked so simply in real life.
Sometimes, Back to My Mac really does work the way Apple says it should: you enable Back to My Mac on the two Macs you want to connect, the connection works seamlessly, and you see the other systems in the Finder’s sidebar under the Shared section. But frequently, getting the service to function can be maddening. In some cases, it won’t work—no matter what you try.
What You Need
Part of the problem is that Back to My Mac (BtMM, for short) has four critical requirements, without any one of which it won’t work.
First, BtMM requires that your router have its own publicly reachable IP address. This turns out to be one of the hardest requirements to meet.
A publicly accessible IP address is one that any computer on the Internet can reach, not just machines within a local area network (LAN). Unfortunately, many Internet service providers (ISPs) assign only private addresses. Computers using private addresses can make requests to the larger world, such as a Web browser requesting a Web page, but they’re generally unreachable from the outside in—just as if they were behind a firewall. This keeps interlopers from easily accessing your computers, but you’re also blocked when you want to reach your machines remotely.
Finding out whether or not your router has a publicly reachable IP address can be tricky. If your ISP assigned you an address for your router that must be entered manually, and it doesn’t start with 10, 192, or 174, it’s likely a public IP address. If your router’s address is assigned by DHCP, launch AirPort Utility, select your router, click Manual Setup, and then click on the Internet icon to find the address assigned next to IP Address; again, if it doesn’t start with 10, 192, or 174, it’s probably public.
Failing those two steps, the only reliable way to find out is to check with your ISP. If you don’t have a publicly reachable IP address, you can request one. Some ISPs will provide such an address for free, others charge for it.
If your computer has its own publicly reachable IP address, your router doesn’t factor into the equation, and BtMM will work just fine.
The second requirement is automatic port mapping. Ports are like individually numbered cubbyholes within an IP address assigned to a computer or other device, such as your router. (A port is to an IP address as an apartment number is to an apartment building.) Back to My Mac needs to be able to ask your router to open up a port on the router’s public IP address side. The BtMM system on one computer passes those port numbers via MobileMe to any other BtMM system so that any two BtMM-enabled computers using your MobileMe account can communicate with each other.
Automatic port mapping comes in two forms. Network Address Translation-Port Mapping Protocol (NAT-PMP) is found only in Apple AirPort base stations released in 2003 or later. It’s enabled by default. To check if it’s turned on, fire up AirPort Utility (Applications:Utilities), select your base station, and click on the Manual Setup button at the bottom. Click on the Internet button, and select the NAT tab. Enable NAT Port Mapping Protocol should be checked. If it isn’t, check it and then click on Update in the lower right. (Clicking on Update restarts the router, disconnecting all users for up to a minute.)
UPnP is found in nearly all broadband gateways (with or without built-in Wi-Fi) from vendors including D-Link, Linksys, and NetGear. Because of security concerns, UPnP isn’t always turned on out of the box. (UPnP can make it easier for outside parties to peer into your network, so router makers may want you to choose that option explicitly.)
The way you enable UPnP varies widely by router. Typically, you’ll enter an IP address into your browser to connect to the router’s built-in configuration tool. Once you do, search for advanced or multimedia options. With nearly all of Linksys’s routers, for instance, you select the Administration tab, choose the Management tab beneath it, and select Enable next to the UPnP label; you then click Save Settings to restart the router with UPnP turned on.
Many routers—most notably those made by 2Wire, which provides broadband modem/routers to telephone companies, including Qwest—don’t support UPnP, usually because of telco security concerns.
To find out whether your router supports either NAT-PMP or UPnP, select the Back to My Mac tab in the MobileMe system preference pane. It should provide you with feedback as to whether Leopard can properly get what it needs from your particular router. If you see an error about NAT-PMP or UPnP after turning on Back to My Mac, check your router’s manual.
You might see an error about “double NAT”: That means your router is issuing private addresses for the Macs on your network, but it’s plugged into another router (typically your broadband modem) that is also providing private addresses. If that’s the case, you must enable bridge mode on the router to which the computer is directly connected. (For AirPort base stations, that’s set via AirPort Utility in the Internet view’s Internet Connection tab. Set Connection Sharing to Off [Bridge Mode].)
The third requirement for BtMM is Leopard itself. Using 10.5.4 or later is the best choice, as Apple continues to add troubleshooting advice and improve the service’s reliability. If you’re using Leopard on some computers and Tiger, Panther, or even Windows on others, there are other ways to connect them (see “BtMM Alternatives” below).
Finally, BtMM requires a MobileMe account. BtMM combines many different Internet standards—including IPv6, Kerberos, IPsec, Bonjour, wide-area Bonjour, dynamic DNS, and NAT-PMP/UPnP. Because of that, Apple needed a place to stash some numbers and other information about each computer that you control. MobileMe is that place.
MobileMe also updates DNS records (the service that turns human-readable domain names into computer-readable numeric IP addresses), allowing each computer logged into the same MobileMe account to access what it needs to connect with any of the others.
You need a full MobileMe account to use Back to My Mac: either an individual account, or an account that’s part of a family pack. The cheaper email-only add-on account won’t work.
If you don’t meet all four of these requirements, Back to My Mac simply isn’t an option for you. When I first started testing BtMM in fall 2007, I was able to get BtMM to work using manual port mapping—in which I assigned fixed ports to BtMM. But that didn’t work consistently, Apple doesn’t support it, and I’ve been unable to get it working in 2008.
Note that BtMM is asymmetrical: if computer A is connected to a network that meets the Back to My Mac specs, and computer B is not, B can still connect to A; the reverse is not true.
BtMM Alternatives
Fortunately, Back to My Mac isn’t the only way to connect to remote computers. I regularly use two alternatives: Timbuktu Pro combined with Skype; and LogMeIn Free for Mac. Both methods typically work on private networks that BtMM can’t handle.
Timbuktu Pro is a venerable program that I once regularly used to connect from an Apple Portable over 1200 bps dial-up to a Mac server. Paired with Skype, its remote screen control, file exchange, and other features can be tunneled to otherwise unreachable computers.
Once you set up a free Skype account, download, install, and launch the software, and log in, Timbuktu Pro adds an additional tab in its New Connection window that shows Skype contacts, noting which have Timbuktu support for Skype turned on. You can then select a contact in that list and connect with a legitimate Timbuktu account. (Timbuktu allows both Timbuktu-only accounts for login, as well as accounts that rely on OS X. For Skype, you must have a Timbuktu-only account set up.)
That price tag is part of the reason I recommend LogMeIn Free for Mac for home users and small businesses. As the name implies, you can set up an account at no cost.
You download and install a small software package for each machine you want to remotely control. You can then use the company’s Web site (Safari and Firefox are both supported) to access remote machines. You can control both Mac and Windows computers that have LogMeIn installed. The company announced a beta test in October of iPhone and iPod touch software, called Ignition, that would work with Mac OS X and Windows LogMeIn clients, too.
Base Stations
Recently Apple released updated its AirPort Extreme Base Station and Time Capsule hardware so that you can remotely access them via MobileMe. A firmware upgrade released around the same time extended this feature to all 802.11n AirPort Extreme and Time Capsule base stations. That firmware update also enables you to remotely configure these base stations via AirPort Utility over Back to My Mac. Remote configuration works with any 802.11n AirPort Express base station, too.
These connections work one way: you can reach drives attached to or built into these base stations via Back to My Mac, but you can’t connect to computers attached to those base stations; for that, you’ll need to follow the instructions above.
Glenn Fleishman is author of the e-book Take Control of Back to My Mac (TidBITS Publishing, 2008) and a frequent contributor to Macworld.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.