I was on one of our client's networks the other day with VPN setup to a corporate office in Raleighwood. They had that shit done right, some type of VNC deployed to all PCs and after rattling off a unique identifier, they were on the box.

Currently I use LogMeIn Rescue, with the 6 digit pin codes or an emailed link and I'm brainstorming for the future. Does anyone have suggestions or experience deploying something streamlined like this (I forget the name of the program, but I think it had daemon in the name -- go figure) Eventually we're considering putting all locations on a company wide VPN, but currently their ISP is lolbizclass Embarq aka "residential DSL with the added cost" and I don't know how effective it would be.

Oh it looks like we have about 30 licenses for an installable client with NTRGlobal too. hrm.

[Edited on July 28, 2009 at 11:53 AM. Reason : .]

7/28/2009 11:27:15 AM

1) Are you looking for a VPN solution, a remote access to a box solution, or both?
2) What access control should each individual have with said solution? (e.g. Only administrators should be able to remotely access systems; all users should be able to utilize VPN though, etc.)
3) What type of infrastructure is your authentication / user management based off of? (e.g. Active Directory, RSA/RADIUS, etc.?)
4) Try contacting the client directly as a followup and casusally chatting about their VPN solution in place? (People like to brag about something that they did that works well).
5) More questions, but ultimately, What are your requirements for said solution?

7/28/2009 12:16:19 PM

you want a backdoor to every machine that you can call from the command prompt with some sort of public/private key pair authentication? the only versions I've seen of this use ssh and xforwarding with a common/insecure key across all the machines (so the known hosts file doesn't have to be initially populated N times by N-nodes read: by hand). I've implemented on a small scale for internal stuff. vnc however has far less security options. you'll end up just running winvnc or some other vnc daemon with a common password and then just a command line alias/script that takes a node name parameter. from an admin standpoint it'll work great, but since the passwords in vnc are so weak and the traffic isn't encrypted, once someone on lan figures the pass to their vnc server, they have the keys to the castle.

7/28/2009 12:45:29 PM

^Basically yes and I'm only somewhat concerned with the downside of that.

^^I will answer those when I have more time.

[Edited on July 28, 2009 at 12:47 PM. Reason : Thanks]

7/28/2009 12:47:16 PM

AD with RDP and VPN to get onto the network I think would do your solution fine. Have everymachine RDP access, with which AD will allow you personally or anyone else with proper credentials to log onto. Have the network secured properly, and VPN into it.

I can expand on this more, but you probably should answer Perliths questions first.

7/28/2009 4:10:20 PM

You can only have the RDC client accepting incoming connections on Windows Server software and not anything running like Vista or XP, right? I can VPN and RDC into all my servers at work, and I tried to set it up where users out of town could VPN and RDC into their desktop PCs, but iirc the workstations could only RDC out and couldn't accept incoming connections. But again this is with Windows' RDC, nothing 3rd party

7/28/2009 4:47:22 PM

could just do vnc that is on the ports that correspond with a phone extension or something easy like that. and only have them local so VPN is required to get to the local network first. probably not the most secure way in the world but i think that would do what you're wanting.

the software company that does our attendance software has a pretty cool setup where if i need help with something they give me a service number, i go to their website and type it in and it lets them have remote control of my computer.. i can click whether they have screen access, keyboard access, mouse access, etc. pretty cool. the interface looks a lot like ICQ to me..but no idea if it's related to that or anything

7/28/2009 4:55:55 PM

1) Definitely VPN in the future. Right now remote access.
2) It wouldn't bother me if I was the only one that would control the PCs.
3) There's a 2k3 server at the main location running AD, but only like half the people actually use the domain.
4) Yeah, I almost asked the guy right then while I was on the phone with him.
5) I want the most painless and effective way of remotely troubleshooting people's issues. I don't know if we're going to renew our logmein license, but even having to walk the user through opening a website, going to logmein123.com, entering the pin code, running the file, accepting the session, elevating the service, allowing permissions to connect gets a but redundant and obnoxious. If I could completely streamline this it would be most excellent. A couple locations have a DDWRT router, some have a pfSense box and I think there's a PIX still floating around that used to be at the main location. As it stands right now though, security for a lot of the places is somewhat lacking and I'm looking at throwing at least a pfsense box at every location.

^That sounds like it might work if I could go into script kiddie mode and write a deployable silent install. Your attendence software remote access sounds about like what I have now with logmein. NTRGlobal isn't horrible I guess if I took the time to set it up correctly, but most of these places still make the user download and run an executable which can sometimes be a pain.

Thanks for the advice so far.

^^RDP accepts connections on 3389 and there's a setting you tick on the remote tab of the system properties.

^^^I don't really want to use RDP.

7/28/2009 6:50:49 PM

TeamViewer

http://www.teamviewer.com

7/28/2009 7:30:53 PM

Yeah I saw a blurb about that on lifehacker earlier today. Did you just google or do you have real experience with it? Is it worth actually looking in to?

7/28/2009 7:36:40 PM

I've used TeamViewer quite a bit. It's solid.

7/28/2009 8:18:25 PM

Yeah we've been using it for months now. Really solid. Kinda pricey, but it was worth it to us compared to the piece of crap we were using before and paying almost as much.

[Edited on July 28, 2009 at 8:44 PM. Reason : *]

7/28/2009 8:39:41 PM

I wonder if a simple business license would work.

Prices in Germany / European Union plus VAT

sneaky fuckers

[Edited on July 28, 2009 at 8:44 PM. Reason : .]

7/28/2009 8:40:51 PM

There's a greater debate on whether or not your VPN credentials should tie-in to your LDAP credentials.

If tied to LDAP credentials:
+Security as if the user locks themselves out, is terminated, etc. all gets locked down.
-Usability as if the user locks themselves out, they need to wait on the helpdesk to unlock them. (SMART VPN solutions with the credentials tied to LDAP will not lock the LDAP account itself but have a separate application setting which will lock the VPN access first before allowing the LDAP account itself to lock).

Anyways, getting everybody as a part of the domain likely not going to happen with current processes in place. A remote access program isn't worth a crap if you can't access it behind a home router or when somebody is in a hotel / coffee shop. That being said, if you do purchase a given program remote box program, is there a guarantee that program can traverse routers / firewalls?

TeamViewer looks like it might do the trick, but I would get a technical rep to go into more detail about specifics. Too much marketing on that website, not enough technical info (not even in their support area).

[Edited on July 28, 2009 at 9:23 PM. Reason : .]

7/28/2009 9:22:26 PM

bump

10/22/2010 9:25:58 AM

Thanks Bobby,

In the next month or so I will be making the decision on either Teamviewer or LMI Rescue. It looks like Teamviewer is in the lead because of lifetime vs annual based subscriptions. I'm looking at about 100 computers and I'd like backdoors to them all. In you guys' experience, do you find the employees thinking you're big brother and watching their every move? Or is it overshadowed by the 'wow cool!' factor and quickness in which you can fix their minor issues?

From what I have read, there is no acceptable use policy on LMI free. So I could deploy to all 100 PCs and use LMI Central to manage them? Does LMI Rescue's unattended PC feature eliminate the need for deployment of the full fledged install?

How is Teamviewer's unattended access?

10/22/2010 10:22:56 AM

I didn't read this entire thread so I may misunderstand what you are looking for, but if you end up going with TeamViewer, check out http://ninite.com/ it can build a silent installer that you can deploy. Also, I haven't used TeamViewer but from what I understand about it, it requires the user to give you a password when you want to connect, meaning that you can't just jump on a machine without the user sitting there. Idk if that is an issue for you or not but that would bug me.

10/22/2010 11:02:08 AM

how do you protect the executable/service from being canned by the user(-spawned malware)? regardless of solution

10/22/2010 1:32:57 PM

^^I saw that on ninite, but I figured that I would just build my own silent install. I may actually subscribe to their "pro" model in the future if I can't find a replacement that lets you cache install files.

^pardon? I don't see what you're really getting at. Do you mean having an issue where some rogue user is constantly stopping the service and removing the package? Or malware doing it on their behalf? Either situation wouldn't be detrimental. All computers will be within a 40 mile radius, if I have to make a trip then so be it.

10/22/2010 2:42:38 PM

^^^ When you install the Teamviewer host on each machine, it's loaded as a service. YOU pick the password for it and the ID is generated at install, so yeah you would have the ability to hop on that machine at any time, assuming it's turned on and on the network.

^^ I have yet to meet any user who would know how to kill a service. I'm sure they're out there.
We restrict the user accounts from being able to do that (among many other things) on our domains though just in case.

Virus/spyware could be an issue. Haven't run into it yet though, aside from all those "Antispyware 2009" and it's variants. You'd have to be onsite to deal with them anyway, really.

[Edited on October 23, 2010 at 11:43 AM. Reason : *]

10/23/2010 11:40:04 AM

Does anyone have a valid 3% off Teamviewer coupon code? If so, would you mind PMing me?

11/16/2010 8:47:50 PM

we use a combo of Ultravnc and singleclick

11/16/2010 9:04:18 PM

Our users all work on terminal servers so its pretty easy to get on their term sessions via the standard tools. We also run VNC on all the connecting clients. I wrote a thing that grabs user lists from both the VPN concentrators and the terminal servers and then combines them by username. I spit it out into an XML file and slap it with a stylesheet that adds buttons for each user to either remote their RDP session or open a Java applet based vnc viewer.

So any time you want to help a user you go to the site, find their user name, and click the appropriate button.

[Edited on November 16, 2010 at 9:51 PM. Reason : .]

11/16/2010 9:50:54 PM

Looking forward to checking out TeamViewer. My sales pitch took about 30 seconds over the phone just now.

11/30/2010 1:55:33 PM