Best way to maintain some remote control but not absolute?
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
Why would they cut you off just because they also use someone else or move to someone else? That doesn't make logical sense.
What? If they hire someone else to do that job the OP is doing, I would fully expect them to cut the OP off. Of course, the new support person should be doing their investigation to make sure that's the case.
Why? SUpport is not an all or nothing thing. It is common to have multiple support people or companies and to have them do different things or to work at different times. There is no reason to cut off one support person just because you are using another one.
If they hire someone else to do the OP's job - why are they keeping the OP around? Unless they have given the OP another job to do. Now if they hire another support vendor to do something the OP does not do.. then of course, they both work equally.
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
Why would they cut you off just because they also use someone else or move to someone else? That doesn't make logical sense.
What? If they hire someone else to do that job the OP is doing, I would fully expect them to cut the OP off. Of course, the new support person should be doing their investigation to make sure that's the case.
Why? SUpport is not an all or nothing thing. It is common to have multiple support people or companies and to have them do different things or to work at different times. There is no reason to cut off one support person just because you are using another one.
If they hire someone else to do the OP's job - why are they keeping the OP around? Unless they have given the OP another job to do. Now if they hire another support vendor to do something the OP does not do.. then of course, they both work equally.
IT isn't a one man show kind of job. Lots of companies use more than one person and/or company to do overlapping work. Is it ideal? Of course not. Is having an MSP be a one man show ideal? Of course not. It is what it is, a common business practice whether it is for fault tolerance reasons (you need more than one MSP in case one isn't available) or capabilities reasons (you want better technical coverage) or different roles (you need different support from different people or companies.)
One of the reasons that you pick NTG over a one man shop is that you get a long history of corporate governance and stability with the reliability of a full staff all "in one box." Even with a company as established and "large" as we are, we often work side by side with other vendors. For companies that are smaller, like one or two man shows or those that don't have the eight years of "survival" experience needed to have faith in corporate stability it's very common to have companies offset that by having more than one vendor involved.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender make sure that you pass those costs onto the clients, or otherwise you just invested in their business twice. Once in paying for their tools, and again in getting paid to do half as much work!
I didn't buy the remote access software/suite, they did. So there was no cost to me. Of course in making my life better I also decreased my billing, but I wanted my personal time back more than I wanted to be paid for driving there.
Oh okay, that's better.
now with all that in mind... I could raise my rates because I would be making less money - I wonder how many companies do that?
Lots. Companies with low rates normally do so by being very inefficient. Companies that are highly efficient have higher rates because they are using the extra overhead to invest into better skills, tooling, training, etc.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
But as far as the remote access goes - if they don't want you to have access except when they expressly permit it.. then they could change the password on the account you create in the remote control software themselves every time you are done, then give you the new password the next time they need server, then change, and give and change and give, etc.
This would require decentralized control, which adds a bit of complication compared to centralized control. But doable.
How is this decentralized? and if it is, then NTG has decentralized control in their SC setup since multiple people have access to the admin system (hopefully each with their own account) and can lock others out.
The assumption being that there is no account control or instead of locking out the password they would just disable access if the system was centralized but keep the end user's access controls. That's the beauty of centrally managed, you don't have all this overhead of changing passwords as a security mechanism.
-
No need to belabor the points. I think the legal question is pretty much settled. There is no way to avoid it if a company wants to go after you, and they wouldn't sign off on full release of liability either.
The convenience of unattended access should be recommended, as long as the business fully understands what that means and how it will be used. They could be given an envelope for the lock box with instructions about the system in case they ever want to change support or remove it, etc.
Support pricing should not change even if labor time decreases due to automation, remote tools and so forth. Cost of tools still passes on to customer.
I could use a dedicated jump box and open it to the web, or use ZeroTier and leave remote control open only once inside the network. Or I could use standard remote tools directly on the workstations/server that don't require changes to router such as ScreenConnect, TeamViewer, Deskroll, NoMachine, Remote Utilities, etc.
Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.
-
@guyinpv said in Best way to maintain some remote control but not absolute?:
Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.
Move them to XO and solve that issue. No need for workstation access or Windows licenses.
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@guyinpv said in Best way to maintain some remote control but not absolute?:
Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.
Move them to XO and solve that issue. No need for workstation access or Windows licenses.
Then I still have to remote in somewhere to access XO unless you're saying I should open it up to the world and use Zerotier?
That means I would need 2 more VMs on the server, one for jump and other for XO. -
@guyinpv said in Best way to maintain some remote control but not absolute?:
Then I still have to remote in somewhere to access XO unless you're saying I should open it up to the world and use Zerotier?
That means I would need 2 more VMs on the server, one for jump and other for XO.One fewer, right? Either you need the Jump OR ZeroTier, but not both. But for access to a remote Windows machine you need ZeroTier + RDP or similar. Doesn't XO almost make it easier? And it lets you use a tiny Linux VM instead of a Windows machine that is either expensive or used for something else.
-
where would you install ZT? on the XO VM? I suppose that would work.
So his management would be something like :
SC to control Windows PCs and windows server VMs
ZT to manage XO to manage XSPersonally I wouldn't install ZT unless you're going to install it EVERYWHERE at that client.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
where would you install ZT? on the XO VM? I suppose that would work.
Definitely there.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
SC to control Windows PCs and windows server VMs
ZT to manage XO to manage XSIf you are using a VPN you presumably always have a dedicated machine for that client. So you just.... open a web browser. That's it. Nothing more to it. It's always there, always ready to go. No SC, no PC, no Windows, no hops.
-
Where did VPN come into the discussion?
-
Remote Utilities allows use up to 10 clients including business for free. Chances are good I'll hook that up to the server. From there I suppose I could RDP to workstations.
Doesn't take care of using XO though. Maybe I would hook up RU to one workstation as well just in case. Otherwise I could access XO from the server VM, assuming it isn't down. If it is down, then I could get to the workstation instead and try to access XO. If that doesn't work, something is up with the hardware or network. -
@Dashrender said in Best way to maintain some remote control but not absolute?:
Where did VPN come into the discussion?
ZeroTier
-
So if you don't want to use ZT here's what I would do (and currently do when not using ZT). Set up a jump box and use dynamic tunnels for your access (or local tunnels but you need to know the ports ahead of time).
For the dynamic tunnels you can use:
ssh -D 1080 user@hostThis turn your SSH client into a SOCKS proxy. You can tell your browser to use a SOCKS proxy on port 1080 (default port) and just browse to the normal addresses on the remote network.
If you want to use local tunneling then you need:
ssh -L <localport>:<remoteip>:<remoteport> user@hostUse as many -L arguments as you need. You can also do both together.
This will give you access to anything you need, fully encrypted. RDP is possible with Remmina or the Remote Desktop Viewer application, along with VNC, SPICE, NX, and others.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
Where did VPN come into the discussion?
I was answering your questions about the ZT VPN...
-
For a kind of the out of the box thinking setup, you could just make a Guacamole VM and add all the remote hosts to it. Then just:
ssh -L <localport>:<remoteIP>:80 user@guacamolehostThen just open your browser to localhost:<localport> and have full access.
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
Where did VPN come into the discussion?
I was answering your questions about the ZT VPN...
Aww gotcha. ZT is definitely cool tech, but the inherent DNS issues make it a challenge. And unless you install ZT on all devices, you don't really have VPN to their network, only to those devices.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
Aww gotcha. ZT is definitely cool tech, but the inherent DNS issues make it a challenge. And unless you install ZT on all devices, you don't really have VPN to their network, only to those devices.
Just like any VPN.
-
Having a VPN from my workstation to a web server does not grant me access to the whole network like a traditional VPN does.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
Having a VPN from my workstation to a web server does not grant me access to the whole network like a traditional VPN does.
What do you mean "traditional" VPN? A traditional VPN gives you access to what you set it to, point to point, point to multipoint, multipoint to multipoint. A traditional VPN does both. If you put PPTP, L2TP, SSL, OpenVPN or IPSec from your workstation to the web server, you do not get full network access, yet those are all as traditional as VPNs get. In fact, you use HTTPS every day, which is an SSL VPN that doens't give any extra access.
