Best way to maintain some remote control but not absolute?
-
I am not an MSP nor do I currently do contracts for maintenance or anything like that.
When I get called, it's usually onsite. I don't leave remote control software permanently installed or anything like that.
(I want to do these things in the future, but don't now.)
I'm wondering what the best method is to be able to remote control a system but in a way where it requires user interaction and control. I don't want apps on my computers or phone or anything and create any liabilities.
For example a small business has a Xen server with one VM. I'm not sure I want access via iDRAC, but maybe I do? Maybe I want access to Xen, maybe not? Maybe I just want access to the VM itself, but only when needed?
Is there an acceptable method for break/fix scenarios where I can just have them do this or that or run something and THEN I get the control I need?
Or is it better that I set this up so I can gain control even without their interaction? This seems like something of a liability if we don't have a contract of sorts. They may tell me it's ok to have this access, but that doesn't mean I want to.
Do I leave some kind of program on there dormant in case I need to tell them to open it? Do I leave myself a user account? Even that seems iffy to me.
I'm wondering what is not only a good practice, but is legally sound and what tools this would use. As an example, their external IP could change, so if I'm not running some tool to reveal the IP to me, this already means I need to get info from the client before I could get in.
-
ScreenConnect (and many other remote control software) have what might be called rescue modes.
What I mean by this is, you email them a website to connect to, they then download a client (hopefully one that doesn't require local admin rights to run - though then you probably won't have UNC control either) then connect and you do the work you need to do.
iDRAC really doesn't play into your question. Should your customers have it? I say absolutely. If not you, whomever is doing support for them can remote into another computer on their network, then use iDRAC from that internal computer.
-
What about Google Chrome Remoting?
-
@Dashrender I find that TeamViewer is pretty easy to walk people through for that sort of thing.
I'm thinking of things like, would it be wise to put another VM on it running Xen Orchestra and then enable a connection to that? Maybe that's overkill for something I may only ever access a few times.
I guess at a certain level I'm wondering if I should give myself access to Xen, or just to the VM(s), or both?
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
What about Google Chrome Remoting?
The tool doesn't matter. It depends on the issue. What if it's the case that the VM is down but Xen is accessible? I could fix it that way if I had access to Xen.
-
@guyinpv said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
What about Google Chrome Remoting?
The tool doesn't matter. It depends on the issue. What if it's the case that the VM is down but Xen is accessible? I could fix it that way if I had access to Xen.
Sounds like you do need iDrac (or equivalent) then.
It's saved my bacon a few times.
-
@guyinpv said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
What about Google Chrome Remoting?
The tool doesn't matter. It depends on the issue. What if it's the case that the VM is down but Xen is accessible? I could fix it that way if I had access to Xen.
To get to that level, we use a Jump server.
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@guyinpv said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
What about Google Chrome Remoting?
The tool doesn't matter. It depends on the issue. What if it's the case that the VM is down but Xen is accessible? I could fix it that way if I had access to Xen.
To get to that level, we use a Jump server.
I don't understand how you get web gui access with a Jump server.
-
It really boils down to what you want for access?
Do you want continuous no third party access? Or do you want to make sure that someone onsite knows you're connected?
As for what you have access to - why would you limit what you can manage remotely? Xen Orchestra isn't a replacement for iDRAC (especially if it's installed on the XenServer it's managing).
If you want to be able to remotely manage the hardware that the XenServer is running on, you'll need iDRAC or something else that provides that same level of access.
Once you have that level of access inside the network, now you just have to decide how you'll gain access to the inside of the network - be it Jump Box, or TeamViewer, or ScreenConnect, etc.
There is no right answer for all situations. It's more up to you and the client to decide what is best.
If you're looking to lower your personal risk, then a rescue setup like TeamViewer (FYI, not free for business use) will keep you at bay until the customer grants you access to their network via the software. Of course this also typically means that the computer you are connecting to is no longer usable for that employee while you are working. If this is an emergency only thing, that might be doable. But if you are going to be doing monthly maintenance for example during work hours, this might not be acceptable, so other solutions would need to be considered.
-
Come to think of it, I'll probably install Xen Center on the owner's desktop. If needed I could gain remote access to that box and use XC from there. I don't suppose I would require remote access to iDRAC at all.
I guess what I was thinking is that I could install a 2nd VM as a kind of monitoring/remote control box that I could use, perhaps XO or something else. But again I don't think I should give myself absolute control like this without some action on the part of the owner. Nor do I really want to start opening ports on the router.
-
XC won't give you access to the console on the server if there is a problem during say, bootup. XC and XO only work as long as XS is working.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
XC won't give you access to the console on the server if there is a problem during say, bootup. XC and XO only work as long as XS is working.
Yes if there is some sort of boot or POST error, you are driving there.
I never used to put iDrac on servers, but after using it a few times, I'll never buy/support one without it now.
-
@BRRABill said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
XC won't give you access to the console on the server if there is a problem during say, bootup. XC and XO only work as long as XS is working.
Yes if there is some sort of boot or POST error, you are driving there.
I never used to put iDrac on servers, but after using it a few times, I'll never buy/support one without it now.
Exactly - and it can generally be had for a few hundred dollars, over the life of the machine, totally worth it for me. Even more worth it if I work remotely to the hardware at all.
-
@BRRABill said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
XC won't give you access to the console on the server if there is a problem during say, bootup. XC and XO only work as long as XS is working.
Yes if there is some sort of boot or POST error, you are driving there.
I never used to put iDrac on servers, but after using it a few times, I'll never buy/support one without it now.
Wouldn't you want a dedicated IP (and NIC?) for it and have to open up the firewall and everything? How do you maintain access for dynamic IPs from the ISP?
I have two servers with iDRAC, just never played with it yet.
-
@guyinpv said in Best way to maintain some remote control but not absolute?:
@BRRABill said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
XC won't give you access to the console on the server if there is a problem during say, bootup. XC and XO only work as long as XS is working.
Yes if there is some sort of boot or POST error, you are driving there.
I never used to put iDrac on servers, but after using it a few times, I'll never buy/support one without it now.
Wouldn't you want a dedicated IP (and NIC?) for it and have to open up the firewall and everything? How do you maintain access for dynamic IPs from the ISP?
I have two servers with iDRAC, just never played with it yet.
You can use ZeroTier to a jump box.
-
@guyinpv said
Wouldn't you want a dedicated IP (and NIC?) for it and have to open up the firewall and everything? How do you maintain access for dynamic IPs from the ISP?
I have two servers with iDRAC, just never played with it yet.
It can share its IP. Or, it can have its own.
For me, I own all the systems, so I VPN to the network, then access the iDrac. But I am assuming you could also open up the firewall as well.
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@guyinpv said in Best way to maintain some remote control but not absolute?:
@BRRABill said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
XC won't give you access to the console on the server if there is a problem during say, bootup. XC and XO only work as long as XS is working.
Yes if there is some sort of boot or POST error, you are driving there.
I never used to put iDrac on servers, but after using it a few times, I'll never buy/support one without it now.
Wouldn't you want a dedicated IP (and NIC?) for it and have to open up the firewall and everything? How do you maintain access for dynamic IPs from the ISP?
I have two servers with iDRAC, just never played with it yet.
You can use ZeroTier to a jump box.
But how does that help a server stuck at POST?
-
@BRRABill said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@guyinpv said in Best way to maintain some remote control but not absolute?:
@BRRABill said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
XC won't give you access to the console on the server if there is a problem during say, bootup. XC and XO only work as long as XS is working.
Yes if there is some sort of boot or POST error, you are driving there.
I never used to put iDrac on servers, but after using it a few times, I'll never buy/support one without it now.
Wouldn't you want a dedicated IP (and NIC?) for it and have to open up the firewall and everything? How do you maintain access for dynamic IPs from the ISP?
I have two servers with iDRAC, just never played with it yet.
You can use ZeroTier to a jump box.
But how does that help a server stuck at POST?
Nothing else that except for KVM or KVMoIP/OOB management tools.
-
All of this is great but how does it play out?
Small business with dynamic IP.
6 workstations and a copier that use the server.
1 server running file shares and 1 business app, Windows Server, on XenServer.
Dell hardware, iDRAC available if wanted.
Always trying to stick to free stuff, of course.
I could always use TeamViewer to one of the workstations and use XC from there, or XO installed on another VM.
I could install some remote software on the individual VM though I need to deal with router/IP issues depending on the software.
I could create some kind of dedicated jump box that only I have access to which then allows me in to various things over local network. Not sure how this works. Is it Linux? Can I still use the Windows VM gui?
And all this needs set up in a way where the owner has to grant access so that I don't have any-time access for liability reasons.
TeamViewer needs license for business so maybe I can use VNC software? I could do the ZeroTier thing if that is completely safe and transparent to all operations.
I could combine the above and just use normal Windows Remote Desktop, but I would have to maintain my own user account on the server, or be given admin credentials as needed.
Lots of options. Unsure about standard practices.
This seems like such a basic use case.
Assuming my ONLY option now is to show up physically at the office. What is the very next best thing? Probably at least direct remote access to the VM itself. But if I can't leave TeamViewer on there, and can't use Remote Desktop without credentials and opening firewall. What's the next option?
-
@guyinpv said in Best way to maintain some remote control but not absolute?:
I could create some kind of dedicated jump box that only I have access to which then allows me in to various things over local network. Not sure how this works. Is it Linux? Can I still use the Windows VM gui?
We use Linux. What is a Windows VM GUI?