Best way to maintain some remote control but not absolute?
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
But as far as the remote access goes - if they don't want you to have access except when they expressly permit it.. then they could change the password on the account you create in the remote control software themselves every time you are done, then give you the new password the next time they need server, then change, and give and change and give, etc.
This would require decentralized control, which adds a bit of complication compared to centralized control. But doable.
How is this decentralized? and if it is, then NTG has decentralized control in their SC setup since multiple people have access to the admin system (hopefully each with their own account) and can lock others out.
The assumption being that there is no account control or instead of locking out the password they would just disable access if the system was centralized but keep the end user's access controls. That's the beauty of centrally managed, you don't have all this overhead of changing passwords as a security mechanism.
-
No need to belabor the points. I think the legal question is pretty much settled. There is no way to avoid it if a company wants to go after you, and they wouldn't sign off on full release of liability either.
The convenience of unattended access should be recommended, as long as the business fully understands what that means and how it will be used. They could be given an envelope for the lock box with instructions about the system in case they ever want to change support or remove it, etc.
Support pricing should not change even if labor time decreases due to automation, remote tools and so forth. Cost of tools still passes on to customer.
I could use a dedicated jump box and open it to the web, or use ZeroTier and leave remote control open only once inside the network. Or I could use standard remote tools directly on the workstations/server that don't require changes to router such as ScreenConnect, TeamViewer, Deskroll, NoMachine, Remote Utilities, etc.
Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.
-
@guyinpv said in Best way to maintain some remote control but not absolute?:
Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.
Move them to XO and solve that issue. No need for workstation access or Windows licenses.
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@guyinpv said in Best way to maintain some remote control but not absolute?:
Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.
Move them to XO and solve that issue. No need for workstation access or Windows licenses.
Then I still have to remote in somewhere to access XO unless you're saying I should open it up to the world and use Zerotier?
That means I would need 2 more VMs on the server, one for jump and other for XO. -
@guyinpv said in Best way to maintain some remote control but not absolute?:
Then I still have to remote in somewhere to access XO unless you're saying I should open it up to the world and use Zerotier?
That means I would need 2 more VMs on the server, one for jump and other for XO.One fewer, right? Either you need the Jump OR ZeroTier, but not both. But for access to a remote Windows machine you need ZeroTier + RDP or similar. Doesn't XO almost make it easier? And it lets you use a tiny Linux VM instead of a Windows machine that is either expensive or used for something else.
-
where would you install ZT? on the XO VM? I suppose that would work.
So his management would be something like :
SC to control Windows PCs and windows server VMs
ZT to manage XO to manage XSPersonally I wouldn't install ZT unless you're going to install it EVERYWHERE at that client.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
where would you install ZT? on the XO VM? I suppose that would work.
Definitely there.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
SC to control Windows PCs and windows server VMs
ZT to manage XO to manage XSIf you are using a VPN you presumably always have a dedicated machine for that client. So you just.... open a web browser. That's it. Nothing more to it. It's always there, always ready to go. No SC, no PC, no Windows, no hops.
-
Where did VPN come into the discussion?
-
Remote Utilities allows use up to 10 clients including business for free. Chances are good I'll hook that up to the server. From there I suppose I could RDP to workstations.
Doesn't take care of using XO though. Maybe I would hook up RU to one workstation as well just in case. Otherwise I could access XO from the server VM, assuming it isn't down. If it is down, then I could get to the workstation instead and try to access XO. If that doesn't work, something is up with the hardware or network. -
@Dashrender said in Best way to maintain some remote control but not absolute?:
Where did VPN come into the discussion?
ZeroTier
-
So if you don't want to use ZT here's what I would do (and currently do when not using ZT). Set up a jump box and use dynamic tunnels for your access (or local tunnels but you need to know the ports ahead of time).
For the dynamic tunnels you can use:
ssh -D 1080 user@host
This turn your SSH client into a SOCKS proxy. You can tell your browser to use a SOCKS proxy on port 1080 (default port) and just browse to the normal addresses on the remote network.
If you want to use local tunneling then you need:
ssh -L <localport>:<remoteip>:<remoteport> user@host
Use as many -L arguments as you need. You can also do both together.
This will give you access to anything you need, fully encrypted. RDP is possible with Remmina or the Remote Desktop Viewer application, along with VNC, SPICE, NX, and others.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
Where did VPN come into the discussion?
I was answering your questions about the ZT VPN...
-
For a kind of the out of the box thinking setup, you could just make a Guacamole VM and add all the remote hosts to it. Then just:
ssh -L <localport>:<remoteIP>:80 user@guacamolehost
Then just open your browser to localhost:<localport> and have full access.
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
Where did VPN come into the discussion?
I was answering your questions about the ZT VPN...
Aww gotcha. ZT is definitely cool tech, but the inherent DNS issues make it a challenge. And unless you install ZT on all devices, you don't really have VPN to their network, only to those devices.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
Aww gotcha. ZT is definitely cool tech, but the inherent DNS issues make it a challenge. And unless you install ZT on all devices, you don't really have VPN to their network, only to those devices.
Just like any VPN.
-
Having a VPN from my workstation to a web server does not grant me access to the whole network like a traditional VPN does.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
Having a VPN from my workstation to a web server does not grant me access to the whole network like a traditional VPN does.
What do you mean "traditional" VPN? A traditional VPN gives you access to what you set it to, point to point, point to multipoint, multipoint to multipoint. A traditional VPN does both. If you put PPTP, L2TP, SSL, OpenVPN or IPSec from your workstation to the web server, you do not get full network access, yet those are all as traditional as VPNs get. In fact, you use HTTPS every day, which is an SSL VPN that doens't give any extra access.
-
@scottalanmiller said in Best way to maintain some remote control but not absolute?:
@Dashrender said in Best way to maintain some remote control but not absolute?:
Having a VPN from my workstation to a web server does not grant me access to the whole network like a traditional VPN does.
What do you mean "traditional" VPN? A traditional VPN gives you access to what you set it to, point to point, point to multipoint, multipoint to multipoint. A traditional VPN does both. If you put PPTP, L2TP, SSL, OpenVPN or IPSec from your workstation to the web server, you do not get full network access, yet those are all as traditional as VPNs get. In fact, you use HTTPS every day, which is an SSL VPN that doens't give any extra access.
Sure, but I know almost no one that VPNs into a single resource like that. Now I know that you and NTG are using a ton of Jump boxes to do this type of thing, but most SMBs (is is mainly an SMB forum, right?) do point to point or user to point on network full type access. This is what I mean by traditional VPN.
-
@Dashrender said in Best way to maintain some remote control but not absolute?:
Sure, but I know almost no one that VPNs into a single resource like that.
But that doesn't mean that it's not traditional (that's how it was done the most long ago) and it's still how 99.99% of VPNs are used (HTTPS, SSH are both VPNs that are almost always point to point and make up essentially all VPN traffic).