EV Reach Gateway Services - External Device Management

Last modified on 2023/10/03 10:21

Once the EV Reach Gateway service is enabled, you can access any machine over the internet either on-demand or unattended using the EV Reach operator console.

Enabling External Devices Management

For EV Reach to manage computers over the internet, you must implement an EV Reach Server within your organization and enable the Gateway Service.

Once the EV Reach Gateway Services infrastructure is implemented, EV Reach operators can remotely manage computers over the internet in unattended, or on-demand modes.

Unattended Mode

Unattended mode allows privileged access to and management of an endpoint without end-user interaction. The remote computer can also be managed when no user is logged in to the machine.

For a computer to be manageable over the internet in unattended mode, it must be equipped with the EV Reach Client Agent running as a service (see EV Reach Client Agent Deployment and Management).

External Unattended Computers

Once an external endpoint is equipped with the EV Reach Client Agent, the system will register to the EV Reach Gateway under the organization ID provided. It will then be accessible via the External Devices area of the EV Reach operator console.

Pre-requisites for External Unattended Computers:

You must have the local admin credentials of the target system. You may enter them in the EV Reach Credential Manager to store them for later use.

Remote UAC must be disabled. Add the following registry value to the remote system. Be aware of what this setting does: it stops Windows from handing a filtered (non-elevated) token to local administrator accounts that log on over the network, so any local administrator account on the machine can then perform fully privileged remote operations. Keep those accounts to a minimum, give each machine a unique password, and store the credentials in the EV Reach Credential Manager rather than sharing them informally.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

LocalAccountTokenFilterPolicy DWORD Value = 1

For more information on Remote UAC please see this MS Article:

User Account Control and remote restrictions - Windows Server | Microsoft Docs
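The following PowerShell snippet is an added example and is not part of the EV Reach documentation. It applies the registry value described above, reports the state before and after, and includes a rollback function so the change can be reverted when a machine is no longer managed in unattended mode. It must be run in an elevated session on the endpoint.

```powershell
# Added example, not part of the EV Reach documentation. Run in an elevated
# PowerShell session on the endpoint to be managed in unattended mode.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Absent or 0 means Remote UAC is in effect: local admin network logons get a filtered token
    $current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $current -or $current.$Name -eq 0) {
        'Remote UAC enabled (EV Reach unattended access will fail)'
    } else {
        'Remote UAC disabled (LocalAccountTokenFilterPolicy = 1)'
    }
}

function Disable-RemoteUac {
    # Creates or overwrites the DWORD; -Force is required to overwrite an existing value
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-RemoteUac {
    # Rollback: removing the value restores the default (filtered) behaviour
    Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
}

"Before: $(Get-RemoteUacState)"
Disable-RemoteUac
"After:  $(Get-RemoteUacState)"
```

Run Enable-RemoteUac on a machine that is being retired from unattended management; leaving the value in place on machines that no longer need it widens the blast radius of any leaked local administrator password.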

On-Demand Mode

On-demand assistance allows an operator to temporarily assist any user over the internet. The operator sends an assistance request to the user; the user accepts it and grants temporary access to the computer. This mode is explained later in this article.

Accessing Unattended External Computers

An operator can gain access to an unattended external computer either by name or by browsing the External Devices section of the My Devices panel:

remote-control-external-devices.jpg

External computer nodes are organized by folders defined by the organization name assigned to the computer as well as by any Active Directory hierarchy of remote client sites.

The External Devices area can be browsed, searched and used to configure the alternate credentials to access machines.

Browsing the External Devices area

To browse the External Devices area, double-click any organization container to expand the sub-containers or the computers it holds.

The folder hierarchy is defined by each node's organization name, configured in the EV Reach Gateway services (or individually via the EV Reach Client Agent control panel applet), and by the AD path of the computer if it is joined to an Active Directory domain.

The active/offline status of a node is indicated by its computer icon. Offline nodes cannot be managed: they are either powered off or back on the private network (for example, a traveling corporate user who has returned to the office).

Searching for External Devices

You can easily access an external computer by searching for it. External device searches can be executed whenever a computer name is prompted in EV Reach, or within the External Devices area.

Searching within the External Devices Area

Right-click the parent container to search and select the Search feature:

external-devices-search.jpg

Enter a partial node name with the * wildcard before or after the search string to view all External Devices matching your criteria within the selected container.

Searching during a Computer Name Prompt

Whenever EV Reach prompts for a computer name, you can execute a search against external devices by specifying the prefix REACH: followed by the node name or search string. The REACH: prefix indicates to EV Reach that the computer is outside of your private network, and the connection must go through the gateway services.

For instance, to open a remote control session to the external computer named SOME-OUTMAC-001, type REACH:SOME-OUTMAC-001 at the computer name prompt:

image9-3.png

The connection string above assumes that SOME-OUTMAC-001 is registered at the root of the External Devices Area. However, most computers will use an organization name or their local Active Directory Domain information to register themselves.

If the exact path or name of a computer is not known, use the * wildcard character in the connect string.

For instance, enter REACH:SOME-OUTMAC-001* and a search for SOME-OUTMAC-001 is initiated, irrespective of its location within the External Devices Area.

Other search examples:

  • REACH:* returns the entire repository.
  • REACH:CLIENT-ORG/* returns all machines registered in the CLIENT-ORG container.
  • REACH:Domain Controllers* returns all machines registered in any Active Directory container named Domain Controllers, across all client sites.

Configuring External Devices Credentials

Accessing and managing an external computer in unattended mode requires proper authentication and authorization. By default, EV Reach uses the technician's own credentials to authenticate against the remote endpoint. If that fails, you are prompted for alternate credentials.

The alternate credentials specified must hold local administrative privileges to initiate a remote control session or perform management tasks on a remote endpoint.

You can specify alternate credentials on a per-machine basis; however if a common local administrator's account is available on machines that belong to the same container, you can also pre-configure credentials at the container level.

Per-Machine Credentials

To configure per-machine credentials you can either:

  • Initiate a management action on the remote machine and wait for the EV Reach credentials prompt.
  • Configure the credentials the first time you connect to the machine:

image28-1.png

Once the credentials have been configured, they are reused for subsequent connections to the same machine. These credentials can be modified or removed via the Credentials Manager.

Per-Container Credentials

Credentials for a scope of machines can be configured on any of the parent containers. Right-click on an External Devices Area container and select Configure Credentials for this Realm:

external-devices-credentials.jpg

Specify the credentials to be used for all the nodes that belong to this realm. Make sure to qualify the account with the proper authority:

  • For a local account, use the machine name or '.' (for example: .\Administrator)
  • For a domain account, use the domain name (for example: XYZCORP\Administrator)

On-Demand Assistance

On-demand access provides instant remote management services of any computer over the internet.

Initiating an On-Demand assistance session is straightforward:

  1. Send an On-Demand request to any remote user
  2. The remote user accepts the request and generates a session ID
  3. Enter the session ID in the EV Reach Operator Console and connect

An On-Demand request can also be used to generate an installer for an unattended installation.

Initiating an On-Demand Session

Operator Side > Starting an On-Demand Session

On-demand sessions are started using the On-Demand Assist side panel inside the EV Reach operator console (both main console and the remote control console):

rc-generate.png

Click Send a request to start the process.

A request can be sent in two formats:

  • Generate a client email - Automatically launches your default email client with a template that includes the web link that the remote user must click on to start the session.
  • Copy Web-link to clipboard - Copy the web link to your clipboard. This is useful if you are in a live chat with the remote user or want to generate a customized email request.

Enable Permanent Install Mode: Enable this option to generate a client support package that exposes the Authorize permanent access option to the remote user. A permanent installation makes the node available for both attended and unattended support sessions, so it should only be offered to users whose machines you intend to manage on an ongoing basis.

NOTE: The web link generated by EV Reach automatically points to the default On-Demand Assistance client page provided by EV Reach. However, you can implement your own client page. See Branding End User Experience.

End User Side > Accepting an On-Demand Session

Once the end user receives the assistance request and clicks the provided web link, they are instructed to download and start the EV Reach Client Assistance program.

Once this is opened, the user is prompted to start the support session:

image34-1.png

To provide unattended management access to the computer, the user should select the Authorize permanent access option, then click the Provide Unattended Access button. This option is only visible if Enable Permanent Install Mode was selected while generating the on-demand assistance request.

If the Reach Client is started without local administrative privileges, the user is presented with the Provide administrative access option. Ask the user to enable this option if you need to see and respond to UAC prompts during the session.

Once the user starts the support session, they are presented with a Session ID:

image35-1.png

Security Note

As a best practice, configure the EV Reach Gateway's public-facing address with a TLS identity certificate. The service's identity is then confirmed to the end user, who can click the "Server identity verified" link to display the certificate information. Without it, a user who has received a forged assistance request has no way to distinguish your gateway from an impostor. If your Gateway public-facing address is not configured with an identity certificate, the Session ID window turns red as follows:

image37-1.png
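The following PowerShell function is an added example, not part of the EV Reach documentation. It performs the check an operator should run before rolling out the Gateway: it connects to the public-facing address, retrieves the certificate the Gateway presents, and reports whether the chain validates on the local machine. The hostname reach-gateway.example.com is an assumption; replace it with your own Gateway address.

```powershell
# Added example, not part of the EV Reach documentation. The hostname below is
# an assumption; replace it with your Gateway's public-facing address.
function Get-GatewayCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # Accept any certificate at handshake time so that a bad one can still be inspected;
        # trust is evaluated explicitly with X509Chain below, not by this callback.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($cert)   # uses the local machine's trust store and revocation settings

        [pscustomobject]@{
            Subject     = $cert.Subject
            DnsName     = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            ChainValid  = $chainOk
            ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            Protocol    = $ssl.SslProtocol
            Thumbprint  = $cert.Thumbprint
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Get-GatewayCertificate -HostName 'reach-gateway.example.com' | Format-List
```

Run this from a workstation that is not domain-joined and has no internal CA installed, since that is the trust store an external end user's machine will have. A result with ChainValid set to False, or SelfSigned set to True, means external users cannot verify the service identity, and NotAfter tells you when the certificate needs renewing before the warning reappears.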

Operator Side > Connecting the Session

Once the session ID is received, the Operator enters it in the On-Demand Assist panel and clicks on the Connect button. This actively starts the remote assistance session.

The session ID then appears within the On-Demand Assist panel. Click a connected session button to show the available management features:

on-demand-assist-operator.jpg

Tip: You can use the session ID in any of the EV Reach tools that prompt for a computer name using REACH:SESSION-ID as the computer name.

image38-1.png

Ending a Support Session

Upon first connection with the remote client, the user sees the following screen:

image39-1.png

To end a support session, the remote user must click on the End Support Session button.

It is important to understand that the remote computer remains accessible as long as this window is open. Access does not stop when an operator closes a connection or finishes a task. Until the remote user clicks End Support Session, the session ID can be used to reconnect to the remote computer by one or more operators simultaneously, so treat the session ID as a credential and do not paste it into shared channels.

Once the user terminates the session, the option to keep or remove the Reach Session Starter is presented:

image40-1.png

Selecting Yes generates a shortcut on the user’s desktop that can be used at any time to re-open a support session.

image41-1.png

Reviewing Operator Actions

During an On-Demand Assist session, all operator actions are audited and logged. By default, these audits are recorded in the Windows Application event log on the end user's machine. The user can also choose to review these actions by selecting the Review support actions upon exit option; this option must be enabled before clicking End Support Session. Because the default record lives only on the endpoint, forward or export it if you need an audit trail that survives the end user's machine being reimaged or its log being cleared.

image42-1.png
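The following PowerShell snippet is an added example, not part of the EV Reach documentation, for pulling the session audit entries off the endpoint after a support session. The event source (provider) name that EV Reach writes under is not stated on this page, so the first helper lists the sources that wrote to the Application log in the time window; the name 'EV Reach' used in the final call is a placeholder assumption to be replaced with the real source name.

```powershell
# Added example, not part of the EV Reach documentation. The provider name is a
# placeholder assumption: discover the real event source first with
# Get-ApplicationLogProviders, then pass it to Get-ReachAuditEvents.
function Get-ApplicationLogProviders {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    # Distinct sources that wrote to the Application log in the window, most active first
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Group-Object ProviderName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-ReachAuditEvents {
    param(
        [Parameter(Mandatory)] [string] $ProviderName,   # real source name, taken from the list above
        [datetime] $Since = (Get-Date).AddHours(-24),
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # -FilterHashtable is evaluated by the event log service, so this stays fast on busy logs
    Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        StartTime    = $Since
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-ApplicationLogProviders | Format-Table -AutoSize

# Export for the case file or a central collector; 'EV Reach' is the assumed source name
Get-ReachAuditEvents -ProviderName 'EV Reach' |
    Export-Csv -Path "$env:TEMP\reach-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

For ongoing collection, subscribe the same log and provider in your event forwarding or SIEM agent rather than exporting by hand, so the record exists somewhere the operator who held administrative access during the session cannot alter it.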

Powered by XWiki © EasyVista 2022