PC Anywhere 9.0 - routers - firewalls
Message
From: 01/09/2000 13:38:01
To: 31/08/2000 18:36:20
General information
Forum: Visual FoxPro
Category: Third party products
Miscellaneous
Thread ID: 00411534
Message ID: 00411866
Views: 23
I have had success getting a couple of different configurations working with PC Anywhere 9 (earlier versions may be configured differently) host and remote behind a couple of types of firewalls. I'm not a router or firewall expert so others may be able to provide more information. The configurations I have working are:

1) An OpenBSD firewall (another free Unix-like OS) which is using IP filtering + NAT.
2) An NT machine using Wingate 3

I haven't played with any hardware routers yet, although the basic concepts should remain the same. I'm going to assume you are using NAT + IP filtering, Wingate setup is a bit different. You may be able to set up two machines connected through the router without the modems in the mix to make it easier to test, although if you are not too familiar with how to do this it may be more trouble than it is worth. Hopefully this will get you started, it can be a pain to get working.

Basically PC Anywhere uses two ports: 5631 (TCP packets only) and 5632 (UDP packets only). Port 5632 is only a status port, I think it mostly is used to determine if somebody is already using the connection, 5631 is the port used for the sessions. You may want to disable 5632 to simplify things initially, according to Symantec's docs it doesn't hurt anything, other than if someone is already connected you will just get a blank black window that appears to not connect. I've ended up leaving it disabled since the client does not time out as fast looking for a host.

Port 5631 is disabled on the client (remote control machine). You need to create a registry key TCPIPConnectIfUnknown and set it to 1 to disable port 5632. Look for TCPIPConnectIfUnknown in document:

http://service1.symantec.com/SUPPORT/pca.nsf/9f19833cbd7241aa85256758005492c7/50e6686eec2eee9b882567230071a2f0?OpenDocument&Highlight=0,5632

The client end is usually pretty easy to get working, you just need to allow the router to forward packets on ports 5631 (for TCP packets) and 5632 (for UDP packets; the UDP port needs to have "keep state" set on). It is easiest to test though with the host not being behind a firewall yet. If you are already accessing the Internet the forwarding is already happening, you just have to ensure that the router is not filtering data on these ports from going out. The easiest test is just to try to connect to a working PC Anywhere host machine through the router. If it doesn't work you need to update your filtering rules to not filter these ports.

The host end is more difficult. Usually a firewall or Internet router is configured to not allow connections to be established from the Internet. You need in effect to configure a reverse NAT situation, you need to map ports on the router's external interface to forward to an internal IP address and port on the internal network. You also have to ensure that any filters are not blocking incoming packets on these ports.

For more PC Anywhere firewall information you will want to read some info in their knowledgebase at:

http://service1.symantec.com/SUPPORT/pca.nsf/9f19833cbd7241aa85256758005492c7?OpenView

Search on "5631" and/or "firewall"

Some answers to your questions:

>>1. How do I tell PCAnywhere the address of the host workstation?

You need to know this before starting to configure the client. If the host address is dynamic and you were using a software router/firewall then you could install an IP posting program on that machine which will modify a web page in a known location whenever the IP address changes on the host end. It might be possible to build something custom to retrieve this from your routers, and do the same thing on a polled interval.

>>2. Does the host workstation have to have a fixed IP address or can it be assigned dynamically (the router will do this or will do fixed IP addresses within a range)

It does not, but depending on the features of your router I'm not sure if multiple dynamic addresses would be supported (at least on the inexpensive routers). You might want to check this before getting more addresses.

>>3. Does each workstation I want to access have to have an ip address assigned by the isp?

No, although point #2 might apply. You can map other ports on the same IP address (e.g. 5633, 5634) on the host end to forward to different machines on that network. Unfortunately PC Anywhere is lacking when it comes to TCP options, so you need to modify the registry of the client machine to use these ports (a global option) and then change them back after. You can probably leave the hosts alone, and just have the router map 5633 -> 5631 on the internal host's IP (although I haven't tried this. If it doesn't work set the ports the same on both ends). See the Symantec KB for more info. It is easier to have more IP addresses, although usually somewhat more expensive. You might be able to overcome this issue in conjunction with PC Anywhere gateway, but I haven't tried it.

>>4. I think this all has something to do with NAT and there are ports at issue, but I'm really clueless on this stuff

It is probably IP Forwarding combined with NAT (or IP forwarding). Your documentation might also use the term "stateful inspection" which is usually a more intelligent version of the same concepts.

>>5. The next challenge is going to be desktop to desktop video conferencing and automated file transfers desktop to desktop.

If you don't already have software to do this, I'd configure automated file transfers by writing a program to poll a web page on a regular interval from your client's end to look for changes. If the page changes then transfer the necessary files using the web browser control. There shouldn't be firewall issues if web browsing in IE already works.

I haven't set up video conferencing, but some of the simpler video protocols (like CU CMe?) weren't written with firewalls in mind (although it should still be possible). You may want to tunnel using a VPN instead.

>>6. I will also want to operate/access my office from the client or tunneling over the web from the road.

You may want to look into VPN (Virtual Private Networking) software (unless your router already supports it) and configure your router to allow it through. I suppose you could just use PC Anywhere as well. Or you could use VPN software and tunnel PC Anywhere over it etc.

Good Luck!

Kevin
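
The per-host port mapping from answer 3 and the "just try to connect" test from the message above, as an added example that is not part of the original post. It plans one external TCP port per internal host (all forwarded to 5631) and classifies a connect attempt to each one on your own router; the function names and the addresses are constructed placeholders, and the UDP status port 5632 is not probed.

```python
import socket

SESSION_PORT = 5631   # TCP port the post says carries PC Anywhere sessions
STATUS_PORT = 5632    # UDP status port per the post; not probed here

def build_forward_map(internal_hosts, first_external=SESSION_PORT):
    """Give each internal host its own external TCP port, all forwarded to 5631."""
    if len(set(internal_hosts)) != len(internal_hosts):
        raise ValueError("each internal host may appear only once")
    mapping, port = {}, first_external
    for host in internal_hosts:
        if port == STATUS_PORT:      # skip the number already used for status
            port += 1
        mapping[port] = (host, SESSION_PORT)
        port += 1
    return mapping

def probe_tcp(address, port, timeout=3.0):
    """Classify one TCP connect attempt against the router's external address."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"            # the forward and the host listener both answer
    except ConnectionRefusedError:
        return "refused"             # a reset came back: nothing accepted the connection
    except OSError:
        return "no-answer"           # timed out or unreachable: likely filtered

def check_forwards(external_address, mapping, probe=probe_tcp):
    """Probe every mapped external port; returns {port: (target, result)}."""
    return {port: (target, probe(external_address, port))
            for port, target in sorted(mapping.items())}

if __name__ == "__main__":
    # Constructed values: replace with your own router address and internal hosts.
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    plan = build_forward_map(hosts)
    for port, (target, result) in check_forwards("203.0.113.10", plan).items():
        print(f"external tcp/{port} -> {target[0]}:{target[1]}  {result}")
```

A "no-answer" result points at a filter rule dropping the packets, while "refused" means the packet was answered but no host was listening at the end of the forward.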