Direct answer

How can I run remote support without opening inbound ports?

Use an explicit support flow with permission, route state, documentation, and a clean disconnect path.

Short answer

Remote support should start with authorization, not an exposed network hole. Remote Comp content should position support as a short, approved session where the host starts at the problem, route state is visible, the fix is documented, and the session is ended.

Ask for permission first

The person at the host should understand what the operator needs to see, what they need to control, and when the session will end.

Keep the route state inspectable

Support copy should name the current route and avoid claiming broad network behavior that the product has not proven for the exact session path.

Document and disconnect

Record the symptom, cause, route used, permission changes, and next owner before the session closes.