How I, a newbie, got VNC to work across the Web with SOHO firewall on cable modem

Dave Gayman
Fri Jul 11 13:08:00 2003

In this list there regularly pops up a cry for help:  "I can't reach my 
home computer using VNC via the Web" -- that is, with the Java-enabled browser.

Reading answers in the archives here and from many a Web search gave me 
only partial clues here and there, because I don't understand what a NAT 
is, what tunneling is, or what is meant by IP address, gateways, dynamic 
DNS or other terms casually flung about.  Of course, I should not be trying 
to do anything along this line, but there you are:  I wanted to work my 
home computer when I was on the road.

The solution to my problem turned out to be multi-fold.  (My problem was 
this:  I could reach my primary home computer via browser anywhere on any 
of my home-based local-area network machines.  However, I could NOT reach 
my primary home computer when using a browser on any machine outside my 
home LAN.)

Unlayering the problem like a cosmic onion resulted in the following:

1.  The Java viewer in VNC -- no surprise -- needs Java.  Microsoft has 
stopped including Java in Internet Explorer because someone yapped at them 
and they took their baseball bat and went home.

So, if you're using a late-model IE, you probably have to download Java 
from Sun.  Sun has finally shielded us from having to know what "Java 
virtual machine" means by automating the process at

2.  My SMC Barricade router/hub/firewall whatever-the-heck-it-is, which I 
threw into my cable modem setup to save me from nasty people and then later 
turned into a LAN by adding other computers to it, had to be told that VNC 
is OK to let through.

For the Barricade, this is done by going into the configuration utility, 
clicking on "Virtual Server" (no idea what that means) and indicating 
"Service Ports" of 5800 and 5900 for the IP address of the primary home 
computer.  The latter is easily found by hovering your mouse over the VNC 
icon in the little tray at the bottom of the screen.  Owing to confusing 
chatter in various places, I also added Service Ports 5801 and 5901, but I 
have no idea why.

3.  The browser running the Java viewer has to be told the IP address of 
docs tell you.

As a way of torturing you, this turns out to be ABSOLUTELY NOT the same as 
the IP address that the SMC Barricade tells you it is, if your cable ISP, 
like mine, assigns you a dynamic IP address -- that is, one that can change 
at the whim of the ISP provider.  I don't know how the ISP does this, and I 
don't care.  I found mine through a helpful guy at my ISP's phone-based 
technical support.

4.  The solution to reaching this dynamic IP is, of course, "dynamic 
DNS."  I think this is a named (or numbered) Web address -- an address you 
choose -- that maps itself to your actual IP address, even when the latter 
changes. The practical result is that on any computer anywhere, you can 
enter an unchanging (non-dynamic) URL in the address line of your browser 
and still talk to yourself, regardless of where you have gone as the result 
of your ISP futzing with your IP address (probably called 'dynamizing' it).

The free dynamic DNS service from No-IP works for me (No-IP Free at  There are others that you can pay for and 
probably these have advantages.  I was not able to discern what they are.

5.  This whole thing, I'm told, is unsafe because nasty people can "sniff 
your packets."  I hope this does not mean what it appears to mean 
(something akin to what those ill-trained pet dogs do to your 
trousers).  To keep baddies from sniffing, apparently, you have to "tunnel" 
via "SSL."  If and when I understand what that means in the IBM-clone 
world, I'll be back with an update.

Point 1 took me several hours to find out.
Point 2 took me 3 days to work out
Point 3 took an additional day
Point 4 took half a day
Point 5 is still unresolved and I'm still just a dog watching television on 
this one.