This FAQ is almost as popular as:
How can I get a VNC Viewer to connect through a firewall I don't control?

Here's the usual situation: someone that you offer tech-support for
(a school, a parent, a prison inmate) is on a LAN that's behind a
firewall they'd love to setup correctly, but email still confuses
them, and you're not about to ask them to "port forward TCP 5900".
But you still want to connect to their PC with VNC to help remotely
administer their system.

This is exactly what the VNC Server "Add Client" command is meant for.
With this command, the world is turned upside-down: the VNC Server 
initiates a connection to an awaiting VNC Viewer (ie, a Viewer setup
to be in "Listen Mode"). Once connected, the person on the Viewer
side is immediately connected, just like a "normal" VNC session (only
without the password challenge).

The "add client" connection from the Server to the Viewer uses TCP 
port 5500 instead of port 5900 like a "normal" connection does. This
almost means that everything you know about SSH tunnelling can also
be applied to "Add Client" connections. Groovy.

One more thought about listen-mode connections: it requires that someone
or something at the VNC Server side of the connection initiate the session.

So suppose you have a PC at work, behind a corporate firewall that you do
not control. You can setup a VNC Viewer in Listen-Mode at your home, and
then use software such as "Windows Scheduler", to run something like this 
every minute/hour/day:

"c:\...\RealVnc\WinVNC -connect my.home.ip.address::5500" 

In this way, your work-PC will attempt to connect on a regular basis to
your home-PC, giving you VNC control over a PC behind a firewall.