@stuartjordan said in Once off or short term remote access solution:

@jaredbusch Do you have to install the remote plugin and login with your gmail account to access the machine though?

I have ConnectWise installed for me.

@scottalanmiller said in Free / Cheap Unattended Remote Access Utility for Windows PCs:

@EddieJennings said in Free / Cheap Unattended Remote Access Utility for Windows PCs:

@NetworkNerd

My MeshCentral VM is in Vultr.

Same here. Way better than AWS, Azure, or GCP for standard workloads like this.

Just for home use, it could likely sit in a free AWS Lightsail instance if it is small enough.

@Dashrender said in Remote Access for home user:

@manxam said in Remote Access for home user:

@fuznutz04 : Keep an eye out for the "hidden" hibernate that doesn't show up under "Plan settings" (only sleep and display). I've seen multiple systems that have "Hibernate after" configured under "Sleep" in the advanced settings as default.

There's also the problem where some systems become broken and once a system goes to sleep, it will continue going to sleep no matter what after something like 2 mins of non use. Rebooting fixes it, until it goes to sleep again... there is a fix somewhere in these threads too, reg fix.

Hahah, yeah. I was part of that thread too having been bit by it myself. Thankfully I haven't seen that behaviour in over a year.
Your thread : https://mangolassi.it/topic/18166/windows-10-goes-to-sleep-outside-listed-sleep-times
My thread : https://mangolassi.it/topic/17731/windows-10-ignoring-display-sleep-inactivity-settings

@scottalanmiller said in Making an RDP Terminal Server with Ubuntu Linux:

I recommend the Remmina RDP client tool, it's the bomb.

I love Remmina as a client.

I'm on 0.7.47, I don't see a problem w Windows machines?

@scottalanmiller That's one hell of a run on sentence! Do you actually speak without pausing or breathing? :)

@scottalanmiller said in MeshCentral2 Issue:

@dafyre said in MeshCentral2 Issue:

What I saw on my Fedora 29/Gnome desktop was that it showed up, but most of the remote features did not work.

that's more of what I would expect.

As discussed in another thread (I think)... that's due to Wayland being used for Gnome.

Holy cow, I just realized that we've been using MC since Dec, 2018. That's 27 months ago!

@scottalanmiller said in MeshCentral - Anyone tried this?:

@IRJ said in MeshCentral - Anyone tried this?:

@JaredBusch said in MeshCentral - Anyone tried this?:

@IRJ said in MeshCentral - Anyone tried this?:

@JaredBusch said in MeshCentral - Anyone tried this?:

@IRJ said in MeshCentral - Anyone tried this?:

@Grey said in MeshCentral - Anyone tried this?:

@JaredBusch said in MeshCentral - Anyone tried this?:

@Grey said in MeshCentral - Anyone tried this?:

Does the software establish a connection outside the managed network or do you have to vpn to the network to reach the management server?

It all runs on HTTPS connections.

I asked if I need to be on the highway to get to my destination, or if I can take surface streets and you told me to use snow tires. WTF?

I mean it's up to you how you want to design it. I would say putting it behind a VPN is the smart way to do it. Like mentioned earlier, it isn't necessary. However, it greatly reduces your attack surface.

What attack surface? The only thing you access is the web interface.

That's still a surface. Why even let attackers get to a management server to attempt a brute force or DoD?

And that is different from letting an attacker attempt to brute force or DoS a VPN?

You always have an open port to come in.

That is true, but it doesn't reveal what's behind it. Something like mesh central would be something an attacker would be interested in, but if it's behind your VPN sever they have no clue its even there.

Except VPNs are far better known and more "interesting". Nothing says "I've got something to hide that I think is valuable" like a VPN. VPNs are big advertisers that someone believes they have something worth something.

So what? Now you have to break into the VPN and mesh central. It makes it harder for an attacker.

Breaking into the VPN doesn't net you much if your traffic is encrypted internally, in fact you are in the same spot as having all your valuable assets public facing.

VPN is easy to implement with minimal hardware in an immutable fashion and gives you an extra layer of defense that is quite difficult to breach.

Install Guacamole on Ubuntu (Docker version)
https://chasewright.com/2017/08/01/guacamole-mysql-docker/

@stacksofplates said in Remote management of VMs hosted in colocation:

@dashrender said in Remote management of VMs hosted in colocation:

@stacksofplates said in Remote management of VMs hosted in colocation:

@scottalanmiller said in Remote management of VMs hosted in colocation:

@stacksofplates said in Remote management of VMs hosted in colocation:

@scottalanmiller said in Remote management of VMs hosted in colocation:

@eddiejennings said in Remote management of VMs hosted in colocation:

Allowing an SSH connection to the managementVM from the Internet

I have not tried this approach yet, and it appears more risky than the Screen Connect approach, since SSH to that VM would be open to the Internet. Unless I'm missing some benefit to this approach, I'll not be using it.

Use a strong key, lock to your IP. Very safe. Add Fail2Ban, of course.

Or add Salt and open/close based on need so it doesn't stay open.

Fail2ban doesn't work with keys.

But it would work normally with people attacking using non-keys, would it not? Or am I missing something about what it would do?

Why would you not require keys? Not making them mandatory defeats the purpose of using them.

I think he means - if a hacker is trying to use a password on a system setup to only allow keys - the fail2ban will block those users, or won't it?

No. It's dropped before fail2ban even sees it.

Oh, makes sense. There is no "attempt" like with a password, it is "already blocked."

@jaredbusch said in I need to control a chromebook with no user interaction:

@scottalanmiller said in I need to control a chromebook with no user interaction:

Only the Chrome RDP code of which I am aware.

You need that everytime right?

Yes, I've looked into automating it and couldn't find a way.

@dbeato said in RDS 2016 Remote App issue:

@dafyre said in RDS 2016 Remote App issue:

@dbeato said in RDS 2016 Remote App issue:

@dafyre said in RDS 2016 Remote App issue:

@dbeato said in RDS 2016 Remote App issue:

I am also leaning to do this:
https://social.technet.microsoft.com/Forums/windows/en-US/96cf9ef3-6ec2-4c7a-9e9f-21aeb6ef794d/remote-desktop-collection-is-missing-properties-i-would-like-to-add?forum=winserverTS

That's essentially why the powershell script does... So you ran the script and you're still not getting correct RDP files from the RD Web site?

yeah, it didn't really work since it is not updating anything on the connection broker. I am going to redo it all...

Curious.

You mean after I finish redoing it?

Just strange that it isn't working. I have Gateway, Web, and Connection Broker on same system here, so that could be part of it.

@scottalanmiller posted here too
https://mangolassi.it/topic/16567/dell-machines-unable-to-vpn-due-to-smartbyte-bloatware

@mike-davis said in How MSPs provide their services:

@scottalanmiller said in How MSPs provide their services:

That's a lot of investment for a system like that. If you have hundreds of customers, it can make sense. But it takes a lot of customers to recoup the lost time into that system. It can work out well for a traditional MSP, but depends on large scale standardization to justify the investment.

I don't know about hundreds of customers. The number of end points might be more relevant. For me at about 10 MSP customers I can justify the investment. When you look at the time it takes to set up something like a zabbix server and maintaining a WSUS server vs not having to that helps make it worth it. Missed revenue because you didn't have a system in place to capture every minute hurts.

It would be a blend, I'm sure. A single customer with a million end points wouldn't make sense because you'd use more traditional tools in a single customer scenario. And a hundred with only one end point each wouldn't do it either. So some combination of enough end points for volume and enough customers for complexity put together.

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

@eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

Thanks to @Dashrender for the assist. It looks like the problem was authentication. I authenticated to the VPN using domain\username rather than using the User Principal Name. Doing the latter allowed me to reach DFS shares.

Woops, that's crazy but definitely there is an issue with DNS

huh?

If the user cannot login with UPN there is an issue with DNS.... As you should be able to use domain.com.

User can login with UPN. They were using the old domain\username method rather than UPN, which apparently caused problems with accessing stuff via the DFS namespace.